Windows Analysis Report
41e0000.dll

Overview

General Information

Sample Name: 41e0000.dll
Analysis ID: 556767
MD5: da4fab67f5cdf49208bb9065d7b7d1e7
SHA1: d7a399ace98716325d336e10b71049ed2bb7cc97
SHA256: 73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d
Tags: dll, Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Tries to load missing DLLs
Found evasive API chain checking for process token information
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: 41e0000.dll Malware Configuration Extractor: Ursnif {"RSA Public Key": "L5XnpbZDZwjvtdXTG9D+0vpQ0WIQnm12WOsOMOY8C0yZ7uOO/eBAY3rRXOCK/HxUxcqHiLwWMv8OvVRdmADoR5C7qw+W+cmADKOssMx4QiixdssL8i0K6IvsmBdkFnvRkNvUbwafGiXZrtbBpLj4f/dJ3w7XW3RjSkw+RqYMas1hhtruQoCk1je7YCKOglQr3mfAbgpC1wKDrJsVlm3Ee2FRygxJ/unIJjuf4cZ9D6dS7R4sAgvdtyH3+wA2XLiQ8coXu/ZgQWI5JUyTlSoIq9Jrn3krKqyPoEdC9NZR55AzbtfTqGZcRBQ1iIaAbKbolS/V8PvDuVzyEAYl31lkv8FesJrfZhohJsac0CyUvKU=", "c2_domain": ["museumistat.bar", "nnnnnn.bar", "nnnnnn.casa"], "botnet": "7576", "server": "50", "serpent_key": "WTkaI9ByCrqqeRAr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: 41e0000.dll ReversingLabs: Detection: 46%
Source: 41e0000.dll Avira: detected
Source: http://www.nnnnnn.casa/drew/gKT0MlKWG38_2/BMau4Oul/cEXy48BAqFiRWaKy3Hmuv38/3RbGiyCyh2/l1GuJ4tJh6rYVcx3P/CJUEexxeLegN/asUAVrcr8Os/6Heu8XQ9NwKS3r/RsXyOEKXh6_2Fk8FF_2Be/55GNIEO4rqxc9s7n/ukqCx_2FTaQH3qL/wkmTl5GH5xOHOuPfEe/BWDc8XF7Q/Aj_2BpbOenr9CVTaE_2B/XdQQRARWLLAVNpj0F5Y/DhKfHWf2CN42/6CU_2FsM/oq0.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/aO1m2qbhzR/PyScSysfUMu7pQ56N/VjOvZCjAa_2F/1mYmXVIR1Zt/ZytsC9Ykmf_2Fu/iu9BdbHsH649dhw5xv4AE/uvJRR2pHSfmCL3mX/qVeQLGXMe6qLR0u/Wt56BLAa0ngbKPNWJl/aK0_2FM_2/B_2FgePTZg5J6aAm67BS/UxRCj8tcca1XehAjtUd/YhkFvH3YtE1Pt1_2BwmyD7/71NTX8ZhkOA2A/ekCIE_2B/Axlx1Zu2c2Fm5fnQIZEKkDy/m.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/ Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/dre Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/MeZUUlMrrzCrTTo/WRQsq4b7fIDR_2F2ui/K6Zod5HZQ/pReKsZQJuAIiqXNhcotr/27SAvb0lLGD4m4MtFqv/lionnkJutjVCo9Od2amHc6/vcomrgcHuTiyu/619f5X9g/OqezXl3127vZEQSYuxkxeXa/jXToImScJb/S5cz6j_2Fse9g4BcM/g7zL04pozIiS/_2B_2FN5VMo/ZAlJdIbg2SlHI1/d8no93Q9ma7mUN4PubD3o/tloZKX2Kmj/q.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2/qg8dX3i_2/BKHu1GhglPcxgFFzOwll/mE2uKWB4mhjJIhyxTbk/_2F4mS5i039Fc7Qu_2Bekr/iQMweYWStlPtj/o4jxWrxk/qxdFPQJxNpwFwYEvbalIklB/QVqGaFPam2/C2rQw2gzAO6yhP_2F/dkOEushjYAis/iro3PbyNh/HGAz2Q_2F/i0Bn.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXKRWnS Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8z66/ Avira URL Cloud: Label: malware
Source: http://museumistat.bar/drew/4iG_2BGMJbK_2Fz5Q7E/OfnzhNXmjy08XAO4hBOEsU/_2FWo4bkEDMbg/aulR18j2/5zekh_ Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2/qg8dX3i_2/BKHu1GhglPcxgFFzOwll/mE2uKWB4mhjJIhyxTbk/_2F4mS5i039Fc7Qu_2Bekr/iQMweYWStlPtj/o4jxWrxk/qxdFPQJxNpwFwYEvbalIklB/QVqGaFPam2/C2rQw2gzAO6yhP_2F/dkOEushjYAis/iro3PbyNh/HGAz2Q_2F/i0Bn.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/BVo0JfnyET/LCuKNvyhPvtrfvUnc/mObdgwXcgrZe/zSKG23eDqpN/HkpkBNiTxuWbBP/jak_2BPpM4WA8X4iaERBU/M_2BNnZd3vNVKd3D/snYYJ6wnfiJDJcL/92irgYdy9jdt7bObTQ/XthL2dpz7/ChmMUV7DDxy9eem0RAqA/QIh0WdqUZEhxu0X9j_2/F2lcfFWCQ7qV66laejvuEP/BvotBkMbOhSl5/Azm9mu3j/3M1GGyFrveB8gl1/M.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/MeZUUlMrrzCrTTo/WRQsq4b7fIDR_2F2ui/K6Zod5HZQ/pReKsZQJuAIiqXNhcotr/27SAvb0lLGD4m4MtFqv/lionnkJutjVCo9Od2amHc6/vcomrgcHuTiyu/619f5X9g/OqezXl3127vZEQSYuxkxeXa/jXToImScJb/S5cz6j_2Fse9g4BcM/g7zL04pozIiS/_2B_2FN5VMo/ZAlJdIbg2SlHI1/d8no93Q9ma7mUN4PubD3o/tloZKX2Kmj/q.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr5Pj/SDWuXQsskkRv/UNsc0mp28hP/x_2B_2FFq_2BHQ/F27_2FxKayrB3Cjy97Qhx/v8nlOT4QFPkzm4Ie/eAXoVlzzaxz8tgI/QR3P1Uk2I7ZbwimQXR/OfOcdTcUh/zjDQ5XVxR1cI0bdt8PDF/mZjcYY9L2vv_2BELjHj/Y7ijGd_2F3psmxh_2FsXvv/mj29lZ4n/h.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar Avira URL Cloud: Label: malware
Source: http://museumistat.bar Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/nnnnnn.casa5 Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/aOCcLYeYaTiAEXOHR/rDcm23Ra7HRA/Ll0tIfgTYdg/Ovc937_2BZJhqR/_2B9nyoyx5GXZFgCkf0O8/4fSjQKFRypPXeHUM/2VwdsjoRmoerb1g/N6r4i0t9F_2FA66_2F/CrVcoXDX5/D2kSFR1VHNVLT3GtdrVC/2IzirCs34EDnFYvNPWY/fYM6gayTm5L9yWZL2Vx5Nc/R0anH3ZYvesfP/30v94E34/TL40v70SibYCobhKHsZEJ7c/OLRlO.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/6ktn4xRUX5JQALxIWi_2FJ/ICUDlvTaNKSMK/d1ei2DU0/YfFfMIO56w8ZRW_2Fc4zkGn/yDjRWn9P_2/BB0g0D98WIpaFL2hK/UQH6jhZN2tpm/ORHiRY8gQ2t/UYqiaMMUPs7I05/R0awjzx8aAAERc7YB4ys0/Q5QjXt_2F1mCoLne/245MRunYvrY5c2x/MdnxTtnmOaN2uVZew3/1GHuZOvuL/Rb_2Bfqw7L_2BYB_2FWD/UIZ_2FNd7aPjE9V_2B_/2BC4BHu.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2 Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/2dHt0g0ZxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t63S3GMZiTKRdq/jvCj1 Avira URL Cloud: Label: malware
Source: http://museumistat.bar/drew/ammuwrNq_/2BqepYvRFV9AqHabqa_2/F1YKJqeJLi3jEjiQLE2/U5afXyZSkYxg9zlQghLCU Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/0j7ZvX6Yf_2Ff4PZOIhk8/4LwtJMzbxxuFilPr/sSF9SqjkHo3YN93/N6KmwTforklWI7En4U/8dXb3jJiK/zds9L6K3nZZ7oSB_2FRe/J_2F81pI4nTjSy_2FLT/d8Gf2VlN_2BGJ3KTHQhxNU/PK1lsXUZsV6B7/COUqQ3wX/120xfpxJZhcCTcDgyQOQ47a/2BRczUrfQU/ppPj1HI3Q0OhFDCjv/4_2Br67LS5pR/l5aWeKuI6uG/ni53ezQ1izt/Yu.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/dRBCohQjpH2R4ZrxcN/VH3wq9yT2/VmLml8GJ5aPaDzoCDj8x/EmzpTBuP5mftF8uNtQM/TnqYzSdCW3EjFkfnBVLNrh/u6iSfeXnIxEc4/iOpnKu8_/2B6ER0J96Uzbim1bUMtmrJq/DMYICZNGt5/BH1k0iCPsGbgr2jmq/LZISYUDUDQ3s/sBmfD_2B_2F/KeRIfCDg82xxJ1/5QkNXVsBvP5NPb2r4nyOG/rCLwK7C8JPaslI4x/C4pqB4g_2/B.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/dRBCohQjpH2R4ZrxcN/VH3wq9yT2/VmLml8GJ5aPaDzoCDj8x/EmzpTBuP5mftF8uNtQM/TnqYzSdCW3EjFkfnBVLNrh/u6iSfeXnIxEc4/iOpnKu8_/2B6ER0J96Uzbim1bUMtmrJq/DMYICZNGt5/BH1k0iCPsGbgr2jmq/LZISYUDUDQ3s/sBmfD_2B_2F/KeRIfCDg82xxJ1/5QkNXVsBvP5NPb2r4nyOG/rCLwK7C8JPaslI4x/C4pqB4g_2/B.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/b2eob5aE7jJqRFK/rA9TqIOSBzTkqwZ1zv/iNhLsTUKi/a_2FZiiuvYhXdLNrvbCh/8PEJcafughe Avira URL Cloud: Label: malware
Source: http://museumistat.bar/drew/XMU8iofODBy1lrN0vdkRj/PLODd_2Bhig1hkqI/Wigiwyx9ltM_2Fd/r36Wr8ytAbQS3wDa6 Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/0j7ZvX6Yf_2Ff4PZOIhk8/4LwtJMzbxxuFilPr/sSF9SqjkHo3YN93/N6KmwTforklWI7En4U/8dXb3jJiK/zds9L6K3nZZ7oSB_2FRe/J_2F81pI4nTjSy_2FLT/d8Gf2VlN_2BGJ3KTHQhxNU/PK1lsXUZsV6B7/COUqQ3wX/120xfpxJZhcCTcDgyQOQ47a/2BRczUrfQU/ppPj1HI3Q0OhFDCjv/4_2Br67LS5pR/l5aWeKuI6uG/ni53ezQ1izt/Yu.jlk Avira URL Cloud: Label: malware
Source: http://museumistat.bar/ Avira URL Cloud: Label: malware
Source: http://museumistat.bar/drew/tizLy41OuYHIsTgBNj/0Uu4NPNlH/3sO8ziJptuwkpagoG2Xn/2Wzxx3rAW_2F6s4Zntp/4O Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/6ktn4xRUX5JQALxIWi_2FJ/ICUDlvTaNKSMK/d1ei2DU0/YfFfMIO56w8ZRW_2Fc4zkGn/yDjRWn9 Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8 Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr5Pj/SDWuXQsskkRv/UNsc0mp28hP/x_2B_2FFq_2BHQ/F27_2FxKayrB3Cjy97Qhx/v8nlOT4QFPkzm4Ie/eAXoVlzzaxz8tgI/QR3P1Uk2I7ZbwimQXR/OfOcdTcUh/zjDQ5XVxR1cI0bdt8PDF/mZjcYY9L2vv_2BELjHj/Y7ijGd_2F3psmxh_2FsXvv/mj29lZ4n/h.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/BVo0JfnyET/LCuKNvyhPvtrfvUnc/mObdgwXcgrZe/zSKG23eDqpN/HkpkBNiTxuWbBP/jak_2BPpM4WA8X4iaERBU/M_2BNnZd3vNVKd3D/snYYJ6wnfiJDJcL/92irgYdy9jdt7bObTQ/XthL2dpz7/ChmMUV7DDxy9eem0RAqA/QIh0WdqUZEhxu0X9j_2/F2lcfFWCQ7qV66laejvuEP/BvotBkMbOhSl5/Azm9mu3j/3M1GGyFrveB8gl1/M.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2/qg8 Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/0j7ZvX6Yf_2Ff4PZOIhk8/4LwtJMzbxxuFilPr/sSF9SqjkHo3YN93/N6KmwTforklWI7En4U/8d Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/b2eob5aE7jJqRFK/rA9TqIOSBzTkqwZ1zv/iNhLsTUKi/a_2FZiiuvYhXdLNrvbCh/8PEJcafughemPo02ekn/fOGpqXigagMOIeoi2whU2K/VcKgvpNbHoVGC/D5UC9izH/aHNIhYwGohjos0FQ6xviFWf/oAZv_2Bi_2/FQiT5Hhg78q185o5l/RS9K9tlnC9cl/irJKo_2Bc3F/Cv7H0DN6I4ItJ9/fG_2BK5HpVFIp2pJnaZ2D/aV8ATJwwcAP/_2Bs.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/aOCcLYeYaTiAEXOHR/rDcm23Ra7HRA/Ll0tIfgTYdg/Ovc937_2BZJhqR/_2B9nyoyx5GXZFgCkf0 Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/ Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/dRBCohQjpH2R4ZrxcN/VH3wq9yT2/VmLml8GJ5aPaDzoCDj8x/EmzpTBuP5mftF8uNtQM/TnqYzS Avira URL Cloud: Label: malware
Source: http://museumistat.bar/icies Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/b2eob5aE7jJqRFK/rA9TqIOSBzTkqwZ1zv/iNhLsTUKi/a_2FZiiuvYhXdLNrvbCh/8PEJcafughemPo02ekn/fOGpqXigagMOIeoi2whU2K/VcKgvpNbHoVGC/D5UC9izH/aHNIhYwGohjos0FQ6xviFWf/oAZv_2Bi_2/FQiT5Hhg78q185o5l/RS9K9tlnC9cl/irJKo_2Bc3F/Cv7H0DN6I4ItJ9/fG_2BK5HpVFIp2pJnaZ2D/aV8ATJwwcAP/_2Bs.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/g Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/f Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/wl Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXKRWnS/sNuzGwvgFbGuiX/cYwNdjWOtQd_2Fg50Gq6_/2FjOiJCVbSj9xwyh/G_2BXTVzOZQxb5p/q_2BNRYwk1baG5TnLz/jbdiar_2B/vITHroP6B_2F_2BAIZUm/KtOtUG2G23eAdJDsUmd/Q0nO6sNJelOrTMnHEyXMkV/0ho4YTGcPihXz/P5SVPgNqDh/MwH.jlk Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXK Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/gKT0MlKWG38_2/BMau4Oul/cEXy48BAqFiRWaKy3Hmuv38/3RbGiyCyh2/l1GuJ4tJh6rYVcx3P/CJUEexxeLegN/asUAVrcr8Os/6Heu8XQ9NwKS3r/RsXyOEKXh6_2Fk8FF_2Be/55GNIEO4rqxc9s7n/ukqCx_2FTaQH3qL/wkmTl5GH5xOHOuPfEe/BWDc8XF7Q/Aj_2BpbOenr9CVTaE_2B/XdQQRARWLLAVNpj0F5Y/DhKfHWf2CN42/6CU_2FsM/oq0.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/6ktn4xRUX5JQALxIWi_2FJ/ICUDlvTaNKSMK/d1ei2DU0/YfFfMIO56w8ZRW_2Fc4zkGn/yDjRWn9P_2/BB0g0D98WIpaFL2hK/UQH6jhZN2tpm/ORHiRY8gQ2t/UYqiaMMUPs7I05/R0awjzx8aAAERc7YB4ys0/Q5QjXt_2F1mCoLne/245MRunYvrY5c2x/MdnxTtnmOaN2uVZew3/1GHuZOvuL/Rb_2Bfqw7L_2BYB_2FWD/UIZ_2FNd7aPjE9V_2B_/2BC4BHu.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/aO1m2qbhzR/PyScSysfUMu7pQ56N/VjOvZCjAa_2F/1mYmXVIR1Zt/ZytsC9Ykmf_2Fu/iu9BdbHsH649dhw5xv4AE/uvJRR2pHSfmCL3mX/qVeQLGXMe6qLR0u/Wt56BLAa0ngbKPNWJl/aK0_2FM_2/B_2FgePTZg5J6aAm67BS/UxRCj8tcca1XehAjtUd/YhkFvH3YtE1Pt1_2BwmyD7/71NTX8ZhkOA2A/ekCIE_2B/Axlx1Zu2c2Fm5fnQIZEKkDy/m.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/gKT0MlKWG38_2/BMau4Oul/cEXy48BAqFiRWaKy3Hmuv38/3RbGiyCyh2/l1GuJ4tJh6rYVcx3P/ Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr5Pj/ Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/BVo0JfnyET/LCuKNvyhPvtrfvUnc/mObdgwXcgrZe/zSKG23eDqpN/HkpkBNiTxuWbBP/jak_2BPp Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/aOCcLYeYaTiAEXOHR/rDcm23Ra7HRA/Ll0tIfgTYdg/Ovc937_2BZJhqR/_2B9nyoyx5GXZFgCkf0O8/4fSjQKFRypPXeHUM/2VwdsjoRmoerb1g/N6r4i0t9F_2FA66_2F/CrVcoXDX5/D2kSFR1VHNVLT3GtdrVC/2IzirCs34EDnFYvNPWY/fYM6gayTm5L9yWZL2Vx5Nc/R0anH3ZYvesfP/30v94E34/TL40v70SibYCobhKHsZEJ7c/OLRlO.jlk Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXKRWnS/sNuzGwvgFbGuiX/cYwNdjWOtQd_2Fg50Gq6_/2FjOiJCVbSj9xwyh/G_2BXTVzOZQxb5p/q_2BNRYwk1baG5TnLz/jbdiar_2B/vITHroP6B_2F_2BAIZUm/KtOtUG2G23eAdJDsUmd/Q0nO6sNJelOrTMnHEyXMkV/0ho4YTGcPihXz/P5SVPgNqDh/MwH.jlk Avira URL Cloud: Label: malware
Source: nnnnnn.bar Virustotal: Detection: 6%
Source: nnnnnn.casa Virustotal: Detection: 5%
Source: museumistat.bar Virustotal: Detection: 11%
Source: www.nnnnnn.casa Virustotal: Detection: 7%
Source: 41e0000.dll Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.rundll32.exe.10000000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.regsvr32.exe.10000000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
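The "Malware Configuration Extractor" line at the top of this section is the most actionable artefact in the report: three C2 apex domains, the campaign ("botnet") id, a 16-byte Serpent key for the C2 channel and the embedded public-key blob. The following Python is an added example written for this page; it is not part of the Joe Sandbox report and not the malware's own code. It parses the configuration JSON copied from that line, validates the Serpent key length, decodes the public-key blob, turns the C2 domains into Suricata DNS rules and matches them against a constructed DNS log. The Suricata keywords (dns.query, dotprefix, endswith) require Suricata 5 or later; the SID range and the log line format are assumptions.

```python
"""Turn the Ursnif/ISFB configuration extracted above into checkable indicators."""
import base64
import json
from dataclasses import dataclass

# Copied verbatim from the "Malware Configuration Extractor" line of this section.
CONFIG_JSON = r'''{"RSA Public Key": "L5XnpbZDZwjvtdXTG9D+0vpQ0WIQnm12WOsOMOY8C0yZ7uOO/eBAY3rRXOCK/HxUxcqHiLwWMv8OvVRdmADoR5C7qw+W+cmADKOssMx4QiixdssL8i0K6IvsmBdkFnvRkNvUbwafGiXZrtbBpLj4f/dJ3w7XW3RjSkw+RqYMas1hhtruQoCk1je7YCKOglQr3mfAbgpC1wKDrJsVlm3Ee2FRygxJ/unIJjuf4cZ9D6dS7R4sAgvdtyH3+wA2XLiQ8coXu/ZgQWI5JUyTlSoIq9Jrn3krKqyPoEdC9NZR55AzbtfTqGZcRBQ1iIaAbKbolS/V8PvDuVzyEAYl31lkv8FesJrfZhohJsac0CyUvKU=", "c2_domain": ["museumistat.bar", "nnnnnn.bar", "nnnnnn.casa"], "botnet": "7576", "server": "50", "serpent_key": "WTkaI9ByCrqqeRAr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}'''

# Constructed DNS log excerpt for the example (not taken from the sandbox run).
SAMPLE_DNS_LOG = [
    "2022-01-01T00:00:01Z 192.168.2.5 www.nnnnnn.casa",
    "2022-01-01T00:00:02Z 192.168.2.5 www.microsoft.com",
    "2022-01-01T00:00:03Z 192.168.2.5 museumistat.bar",
    "2022-01-01T00:00:04Z 192.168.2.5 nnnnnn.bar.example.com",   # look-alike, must not match
]


@dataclass
class UrsnifIocs:
    c2_domains: list      # apex domains the bot beacons to
    botnet_id: str        # campaign / affiliate id ("botnet" in the config)
    server_id: str
    serpent_key: bytes    # symmetric key protecting the C2 channel
    rsa_blob: bytes       # raw bytes of the embedded public-key blob
    sleep_time: int
    conf_timeout: int


def parse_config(text: str) -> UrsnifIocs:
    cfg = json.loads(text)
    key = cfg["serpent_key"].encode("ascii")
    # Serpent takes 128-, 192- or 256-bit keys; ISFB configs carry a 16-byte ASCII key,
    # i.e. Serpent-128.  Any other length means the extractor mis-parsed the sample.
    if len(key) not in (16, 24, 32):
        raise ValueError(f"serpent_key is {len(key)} bytes; expected 16, 24 or 32")
    b64 = cfg["RSA Public Key"]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # restore any stripped padding
    return UrsnifIocs(
        c2_domains=[d.strip().lower().rstrip(".") for d in cfg["c2_domain"]],
        botnet_id=str(cfg["botnet"]),
        server_id=str(cfg["server"]),
        serpent_key=key,
        rsa_blob=blob,
        sleep_time=int(cfg["sleep_time"]),
        conf_timeout=int(cfg["CONF_TIMEOUT"]),
    )


def is_c2_host(iocs: UrsnifIocs, hostname: str) -> bool:
    """True for a configured apex domain or any subdomain of it (the report shows both
    nnnnnn.bar and www.nnnnnn.bar being queried).  Suffix look-alikes such as
    xnnnnnn.bar or nnnnnn.bar.example.com do not match."""
    h = hostname.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs.c2_domains)


def suricata_dns_rules(iocs: UrsnifIocs, base_sid: int = 9000000) -> list:
    """One DNS-query rule per C2 domain.  'dns.query' with 'dotprefix' + 'endswith'
    (Suricata 5+) matches the apex and its subdomains but not look-alike suffixes.
    base_sid is an assumed free local SID range."""
    rules = []
    for i, domain in enumerate(iocs.c2_domains):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Ursnif/ISFB botnet {iocs.botnet_id} '
            f'C2 domain lookup {domain}"; dns.query; dotprefix; content:".{domain}"; '
            f'endswith; nocase; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


def match_dns_log(iocs: UrsnifIocs, lines) -> list:
    """Triage helper: queried names in 'timestamp client qname' log lines that are C2 hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and is_c2_host(iocs, parts[2]):
            hits.append(parts[2])
    return hits
```

The public-key blob is only decoded and sized here; what the bot does with it (and with the CryptImportKey chain listed under Cryptography) is not something this report pins down, so the example stops at extracting and matching the indicators it does establish.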

Cryptography

Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B74872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00B74872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_046E4872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C74872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 5_2_00C74872

Compliance

Source: 41e0000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Networking

Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49777 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49777 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49779 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49779 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49780 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49780 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49781 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49781 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49784 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49784 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49786 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49786 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49828 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49831 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49833 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49836 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49836 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49837 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49840 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49840 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49838 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49839 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49839 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49842 -> 198.54.117.211:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49843 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49843 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49844 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49844 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49846 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49846 -> 198.54.117.210:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49848 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49849 -> 198.54.117.215:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49850 -> 198.54.117.215:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49852 -> 198.54.117.215:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49853 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49853 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49855 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49855 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49857 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49859 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49865 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49865 -> 192.64.119.233:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49868 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49868 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49871 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49872 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49873 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49873 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49874 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49874 -> 162.255.119.177:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49875 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49875 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49876 -> 198.54.117.216:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49876 -> 198.54.117.216:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.217 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.218 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: museumistat.bar
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.nnnnnn.casa
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.255.119.177 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: nnnnnn.casa
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.nnnnnn.bar
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: nnnnnn.bar
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.64.119.233 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.216 80
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View IP Address: 198.54.117.217
Source: msapplication.xml0.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb7861f03,0x01d80e3f</date><accdate>0xb7ba9365,0x01d80e3f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbb57a28b,0x01d80e3f</date><accdate>0xbba3ee59,0x01d80e3f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbcea8f74,0x01d80e3f</date><accdate>0xbd642904,0x01d80e3f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000005.00000003.445989314.0000000000B13000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.300466996.0000000000B22000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.490164133.0000000000B23000.00000004.00000001.sdmp String found in binary or memory: http://museumistat.bar
Source: regsvr32.exe, 00000003.00000002.783677906.0000000002D79000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.777130443.0000000002D79000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605295288.0000000002D79000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.783462582.0000000002D48000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://museumistat.bar/
Source: regsvr32.exe, 00000003.00000002.783462582.0000000002D48000.00000004.00000020.sdmp String found in binary or memory: http://museumistat.bar/drew/4iG_2BGMJbK_2Fz5Q7E/OfnzhNXmjy08XAO4hBOEsU/_2FWo4bkEDMbg/aulR18j2/5zekh_
Source: ~DF46B8E1B94B04B19A.TMP.34.dr, {1187F3F8-7A33-11EC-90E5-ECF4BB570DC9}.dat.34.dr String found in binary or memory: http://museumistat.bar/drew/XMU8iofODBy1lrN0vdkRj/PLODd_2Bhig1hkqI/Wigiwyx9ltM_2Fd/r36Wr8ytAbQS3wDa6
Source: ~DF39FCB87D136FE619.TMP.14.dr, {DF65E4B8-7A32-11EC-90E5-ECF4BB570DC9}.dat.14.dr String found in binary or memory: http://museumistat.bar/drew/ammuwrNq_/2BqepYvRFV9AqHabqa_2/F1YKJqeJLi3jEjiQLE2/U5afXyZSkYxg9zlQghLCU
Source: regsvr32.exe, 00000003.00000003.460394467.0000000002D7C000.00000004.00000001.sdmp, ~DF0DFA2E9BDD010B64.TMP.28.dr, {0D9E988A-7A33-11EC-90E5-ECF4BB570DC9}.dat.28.dr, {0D9E988C-7A33-11EC-90E5-ECF4BB570DC9}.dat.28.dr, ~DFF8FC7C7342251397.TMP.28.dr String found in binary or memory: http://museumistat.bar/drew/jDwFdEqJ/e48LyDsSt1xLSBAUeszs4Wk/a4WMv6xPKv/K45qV_2BrlBb8GeVJ/xA726fz2EH
Source: {0789B96E-7A33-11EC-90E5-ECF4BB570DC9}.dat.28.dr, ~DF516DF10BC96611FB.TMP.28.dr String found in binary or memory: http://museumistat.bar/drew/stiLnI_2FIOaNz22iC/XhTXRubVp/vO3TKKbHtD6iLkyJCmMU/4kOpofPxPR7lhueSnFw/gd
Source: rundll32.exe, 00000005.00000002.781904835.0000000000B11000.00000004.00000020.sdmp String found in binary or memory: http://museumistat.bar/drew/tizLy41OuYHIsTgBNj/0Uu4NPNlH/3sO8ziJptuwkpagoG2Xn/2Wzxx3rAW_2F6s4Zntp/4O
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://museumistat.bar/icies
Source: regsvr32.exe, 00000003.00000002.783242972.0000000002D0A000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://nnnnnn.bar
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781904835.0000000000B11000.00000004.00000020.sdmp String found in binary or memory: http://nnnnnn.bar/drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2/qg8
Source: rundll32.exe, 00000005.00000002.785176954.00000000044CB000.00000004.00000010.sdmp String found in binary or memory: http://nnnnnn.bar/drew/2dHt0g0ZxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t63S3GMZiTKRdq/jvCj1
Source: {18677AFC-7A33-11EC-90E5-ECF4BB570DC9}.dat.37.dr, ~DFF9AFC0207BE9256F.TMP.37.dr String found in binary or memory: http://nnnnnn.bar/drew/6ktn4xRUX5JQALxIWi_2FJ/ICUDlvTaNKSMK/d1ei2DU0/YfFfMIO56w8ZRW_2Fc4zkGn/yDjRWn9
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp, {18677AF8-7A33-11EC-90E5-ECF4BB570DC9}.dat.37.dr, ~DFBFD7520757EE7FA8.TMP.37.dr String found in binary or memory: http://nnnnnn.bar/drew/BVo0JfnyET/LCuKNvyhPvtrfvUnc/mObdgwXcgrZe/zSKG23eDqpN/HkpkBNiTxuWbBP/jak_2BPp
Source: regsvr32.exe, 00000003.00000002.783242972.0000000002D0A000.00000004.00000020.sdmp, ~DFF5EADCEC42896510.TMP.37.dr, {18677AFA-7A33-11EC-90E5-ECF4BB570DC9}.dat.37.dr String found in binary or memory: http://nnnnnn.bar/drew/aOCcLYeYaTiAEXOHR/rDcm23Ra7HRA/Ll0tIfgTYdg/Ovc937_2BZJhqR/_2B9nyoyx5GXZFgCkf0
Source: {2030A8D5-7A33-11EC-90E5-ECF4BB570DC9}.dat.42.dr, ~DF9357A3070BEC43BD.TMP.42.dr String found in binary or memory: http://nnnnnn.bar/drew/b2eob5aE7jJqRFK/rA9TqIOSBzTkqwZ1zv/iNhLsTUKi/a_2FZiiuvYhXdLNrvbCh/8PEJcafughe
Source: regsvr32.exe, 00000003.00000002.783242972.0000000002D0A000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000002.783677906.0000000002D79000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.777130443.0000000002D79000.00000004.00000001.sdmp String found in binary or memory: http://nnnnnn.bar/drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXKRWnS
Source: regsvr32.exe, 00000003.00000003.460284277.0000000002D7C000.00000004.00000001.sdmp String found in binary or memory: http://nnnnnn.casa
Source: rundll32.exe, 00000005.00000003.562206472.0000000000B14000.00000004.00000001.sdmp String found in binary or memory: http://nnnnnn.casa/dre
Source: {FCCA6071-7A32-11EC-90E5-ECF4BB570DC9}.dat.23.dr, ~DFD008A2FC4BAFFBB5.TMP.23.dr String found in binary or memory: http://nnnnnn.casa/drew/0j7ZvX6Yf_2Ff4PZOIhk8/4LwtJMzbxxuFilPr/sSF9SqjkHo3YN93/N6KmwTforklWI7En4U/8d
Source: {FCCA6075-7A32-11EC-90E5-ECF4BB570DC9}.dat.23.dr, ~DF0FA6B24B5E37207F.TMP.23.dr String found in binary or memory: http://nnnnnn.casa/drew/dRBCohQjpH2R4ZrxcN/VH3wq9yT2/VmLml8GJ5aPaDzoCDj8x/EmzpTBuP5mftF8uNtQM/TnqYzS
Source: regsvr32.exe, 00000003.00000003.777130443.0000000002D79000.00000004.00000001.sdmp String found in binary or memory: http://nnnnnn.casa/drew/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8z66/
Source: {FCCA6073-7A32-11EC-90E5-ECF4BB570DC9}.dat.23.dr String found in binary or memory: http://nnnnnn.casa/drew/gKT0MlKWG38_2/BMau4Oul/cEXy48BAqFiRWaKy3Hmuv38/3RbGiyCyh2/l1GuJ4tJh6rYVcx3P/
Source: rundll32.exe, 00000005.00000003.562280336.0000000000B23000.00000004.00000001.sdmp String found in binary or memory: http://nnnnnn.casa/drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr5Pj/
Source: msapplication.xml.14.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.14.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.14.dr String found in binary or memory: http://www.live.com/
Source: regsvr32.exe, 00000003.00000002.783643487.0000000002D6A000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000002.783462582.0000000002D48000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.bar/
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781904835.0000000000B11000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.bar/drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2
Source: regsvr32.exe, 00000003.00000002.783582569.0000000002D61000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000002.783677906.0000000002D79000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000002.783462582.0000000002D48000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.bar/drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXK
Source: rundll32.exe, 00000005.00000002.781731263.0000000000B00000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.bar/f
Source: rundll32.exe, 00000005.00000002.781731263.0000000000B00000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.bar/g
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.bar/wl
Source: regsvr32.exe, 00000003.00000002.783677906.0000000002D79000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.777130443.0000000002D79000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605295288.0000000002D79000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.casa/
Source: regsvr32.exe, 00000003.00000003.605357025.0000000002D97000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.783677906.0000000002D79000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.777130443.0000000002D79000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.783462582.0000000002D48000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.casa/drew/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781904835.0000000000B11000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.casa/drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr
Source: rundll32.exe, 00000005.00000002.781511015.0000000000AAA000.00000004.00000020.sdmp String found in binary or memory: http://www.nnnnnn.casa/nnnnnn.casa5
Source: regsvr32.exe, 00000003.00000003.559541248.0000000002D7B000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.558838390.0000000002D79000.00000004.00000001.sdmp String found in binary or memory: http://www.nnnnnn.casaw/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8z66/
Source: msapplication.xml3.14.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.14.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.14.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.14.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.14.dr String found in binary or memory: http://www.youtube.com/
Source: unknown DNS traffic detected: queries for: museumistat.bar
Source: global traffic HTTP traffic detected: GET /drew/0j7ZvX6Yf_2Ff4PZOIhk8/4LwtJMzbxxuFilPr/sSF9SqjkHo3YN93/N6KmwTforklWI7En4U/8dXb3jJiK/zds9L6K3nZZ7oSB_2FRe/J_2F81pI4nTjSy_2FLT/d8Gf2VlN_2BGJ3KTHQhxNU/PK1lsXUZsV6B7/COUqQ3wX/120xfpxJZhcCTcDgyQOQ47a/2BRczUrfQU/ppPj1HI3Q0OhFDCjv/4_2Br67LS5pR/l5aWeKuI6uG/ni53ezQ1izt/Yu.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/0j7ZvX6Yf_2Ff4PZOIhk8/4LwtJMzbxxuFilPr/sSF9SqjkHo3YN93/N6KmwTforklWI7En4U/8dXb3jJiK/zds9L6K3nZZ7oSB_2FRe/J_2F81pI4nTjSy_2FLT/d8Gf2VlN_2BGJ3KTHQhxNU/PK1lsXUZsV6B7/COUqQ3wX/120xfpxJZhcCTcDgyQOQ47a/2BRczUrfQU/ppPj1HI3Q0OhFDCjv/4_2Br67LS5pR/l5aWeKuI6uG/ni53ezQ1izt/Yu.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/gKT0MlKWG38_2/BMau4Oul/cEXy48BAqFiRWaKy3Hmuv38/3RbGiyCyh2/l1GuJ4tJh6rYVcx3P/CJUEexxeLegN/asUAVrcr8Os/6Heu8XQ9NwKS3r/RsXyOEKXh6_2Fk8FF_2Be/55GNIEO4rqxc9s7n/ukqCx_2FTaQH3qL/wkmTl5GH5xOHOuPfEe/BWDc8XF7Q/Aj_2BpbOenr9CVTaE_2B/XdQQRARWLLAVNpj0F5Y/DhKfHWf2CN42/6CU_2FsM/oq0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/gKT0MlKWG38_2/BMau4Oul/cEXy48BAqFiRWaKy3Hmuv38/3RbGiyCyh2/l1GuJ4tJh6rYVcx3P/CJUEexxeLegN/asUAVrcr8Os/6Heu8XQ9NwKS3r/RsXyOEKXh6_2Fk8FF_2Be/55GNIEO4rqxc9s7n/ukqCx_2FTaQH3qL/wkmTl5GH5xOHOuPfEe/BWDc8XF7Q/Aj_2BpbOenr9CVTaE_2B/XdQQRARWLLAVNpj0F5Y/DhKfHWf2CN42/6CU_2FsM/oq0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/dRBCohQjpH2R4ZrxcN/VH3wq9yT2/VmLml8GJ5aPaDzoCDj8x/EmzpTBuP5mftF8uNtQM/TnqYzSdCW3EjFkfnBVLNrh/u6iSfeXnIxEc4/iOpnKu8_/2B6ER0J96Uzbim1bUMtmrJq/DMYICZNGt5/BH1k0iCPsGbgr2jmq/LZISYUDUDQ3s/sBmfD_2B_2F/KeRIfCDg82xxJ1/5QkNXVsBvP5NPb2r4nyOG/rCLwK7C8JPaslI4x/C4pqB4g_2/B.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/dRBCohQjpH2R4ZrxcN/VH3wq9yT2/VmLml8GJ5aPaDzoCDj8x/EmzpTBuP5mftF8uNtQM/TnqYzSdCW3EjFkfnBVLNrh/u6iSfeXnIxEc4/iOpnKu8_/2B6ER0J96Uzbim1bUMtmrJq/DMYICZNGt5/BH1k0iCPsGbgr2jmq/LZISYUDUDQ3s/sBmfD_2B_2F/KeRIfCDg82xxJ1/5QkNXVsBvP5NPb2r4nyOG/rCLwK7C8JPaslI4x/C4pqB4g_2/B.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/BVo0JfnyET/LCuKNvyhPvtrfvUnc/mObdgwXcgrZe/zSKG23eDqpN/HkpkBNiTxuWbBP/jak_2BPpM4WA8X4iaERBU/M_2BNnZd3vNVKd3D/snYYJ6wnfiJDJcL/92irgYdy9jdt7bObTQ/XthL2dpz7/ChmMUV7DDxy9eem0RAqA/QIh0WdqUZEhxu0X9j_2/F2lcfFWCQ7qV66laejvuEP/BvotBkMbOhSl5/Azm9mu3j/3M1GGyFrveB8gl1/M.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/BVo0JfnyET/LCuKNvyhPvtrfvUnc/mObdgwXcgrZe/zSKG23eDqpN/HkpkBNiTxuWbBP/jak_2BPpM4WA8X4iaERBU/M_2BNnZd3vNVKd3D/snYYJ6wnfiJDJcL/92irgYdy9jdt7bObTQ/XthL2dpz7/ChmMUV7DDxy9eem0RAqA/QIh0WdqUZEhxu0X9j_2/F2lcfFWCQ7qV66laejvuEP/BvotBkMbOhSl5/Azm9mu3j/3M1GGyFrveB8gl1/M.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic HTTP traffic detected: GET /drew/aOCcLYeYaTiAEXOHR/rDcm23Ra7HRA/Ll0tIfgTYdg/Ovc937_2BZJhqR/_2B9nyoyx5GXZFgCkf0O8/4fSjQKFRypPXeHUM/2VwdsjoRmoerb1g/N6r4i0t9F_2FA66_2F/CrVcoXDX5/D2kSFR1VHNVLT3GtdrVC/2IzirCs34EDnFYvNPWY/fYM6gayTm5L9yWZL2Vx5Nc/R0anH3ZYvesfP/30v94E34/TL40v70SibYCobhKHsZEJ7c/OLRlO.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/6ktn4xRUX5JQALxIWi_2FJ/ICUDlvTaNKSMK/d1ei2DU0/YfFfMIO56w8ZRW_2Fc4zkGn/yDjRWn9P_2/BB0g0D98WIpaFL2hK/UQH6jhZN2tpm/ORHiRY8gQ2t/UYqiaMMUPs7I05/R0awjzx8aAAERc7YB4ys0/Q5QjXt_2F1mCoLne/245MRunYvrY5c2x/MdnxTtnmOaN2uVZew3/1GHuZOvuL/Rb_2Bfqw7L_2BYB_2FWD/UIZ_2FNd7aPjE9V_2B_/2BC4BHu.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/aOCcLYeYaTiAEXOHR/rDcm23Ra7HRA/Ll0tIfgTYdg/Ovc937_2BZJhqR/_2B9nyoyx5GXZFgCkf0O8/4fSjQKFRypPXeHUM/2VwdsjoRmoerb1g/N6r4i0t9F_2FA66_2F/CrVcoXDX5/D2kSFR1VHNVLT3GtdrVC/2IzirCs34EDnFYvNPWY/fYM6gayTm5L9yWZL2Vx5Nc/R0anH3ZYvesfP/30v94E34/TL40v70SibYCobhKHsZEJ7c/OLRlO.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic HTTP traffic detected: GET /drew/6ktn4xRUX5JQALxIWi_2FJ/ICUDlvTaNKSMK/d1ei2DU0/YfFfMIO56w8ZRW_2Fc4zkGn/yDjRWn9P_2/BB0g0D98WIpaFL2hK/UQH6jhZN2tpm/ORHiRY8gQ2t/UYqiaMMUPs7I05/R0awjzx8aAAERc7YB4ys0/Q5QjXt_2F1mCoLne/245MRunYvrY5c2x/MdnxTtnmOaN2uVZew3/1GHuZOvuL/Rb_2Bfqw7L_2BYB_2FWD/UIZ_2FNd7aPjE9V_2B_/2BC4BHu.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic HTTP traffic detected: GET /drew/b2eob5aE7jJqRFK/rA9TqIOSBzTkqwZ1zv/iNhLsTUKi/a_2FZiiuvYhXdLNrvbCh/8PEJcafughemPo02ekn/fOGpqXigagMOIeoi2whU2K/VcKgvpNbHoVGC/D5UC9izH/aHNIhYwGohjos0FQ6xviFWf/oAZv_2Bi_2/FQiT5Hhg78q185o5l/RS9K9tlnC9cl/irJKo_2Bc3F/Cv7H0DN6I4ItJ9/fG_2BK5HpVFIp2pJnaZ2D/aV8ATJwwcAP/_2Bs.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /drew/b2eob5aE7jJqRFK/rA9TqIOSBzTkqwZ1zv/iNhLsTUKi/a_2FZiiuvYhXdLNrvbCh/8PEJcafughemPo02ekn/fOGpqXigagMOIeoi2whU2K/VcKgvpNbHoVGC/D5UC9izH/aHNIhYwGohjos0FQ6xviFWf/oAZv_2Bi_2/FQiT5Hhg78q185o5l/RS9K9tlnC9cl/irJKo_2Bc3F/Cv7H0DN6I4ItJ9/fG_2BK5HpVFIp2pJnaZ2D/aV8ATJwwcAP/_2Bs.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic HTTP traffic detected: GET /drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr5Pj/SDWuXQsskkRv/UNsc0mp28hP/x_2B_2FFq_2BHQ/F27_2FxKayrB3Cjy97Qhx/v8nlOT4QFPkzm4Ie/eAXoVlzzaxz8tgI/QR3P1Uk2I7ZbwimQXR/OfOcdTcUh/zjDQ5XVxR1cI0bdt8PDF/mZjcYY9L2vv_2BELjHj/Y7ijGd_2F3psmxh_2FsXvv/mj29lZ4n/h.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/ryTDvI_2B04X_/2F0aCkH0/_2BDKJR7A0jigzDfk2oUtkS/TzWw2n73nE/Dg4sUCgqU_2FAr5Pj/SDWuXQsskkRv/UNsc0mp28hP/x_2B_2FFq_2BHQ/F27_2FxKayrB3Cjy97Qhx/v8nlOT4QFPkzm4Ie/eAXoVlzzaxz8tgI/QR3P1Uk2I7ZbwimQXR/OfOcdTcUh/zjDQ5XVxR1cI0bdt8PDF/mZjcYY9L2vv_2BELjHj/Y7ijGd_2F3psmxh_2FsXvv/mj29lZ4n/h.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8z66/KTISrjoFRwGk/8f5Gk94fzsF/M9kxRuEmDiLC4g/C5CJDIhm32RcEsrXpX1cl/nhp48i6KKa2Q6Lfc/czZpTR7aDJA6t9d/77J9nH6eS_2BFp56QM/mTLCmOjMG/MA276CfB7XMe3BWYe2He/jQHDpUYGJBhhozuIZzR/2y_2F3GFZEVf/J.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/MeZUUlMrrzCrTTo/WRQsq4b7fIDR_2F2ui/K6Zod5HZQ/pReKsZQJuAIiqXNhcotr/27SAvb0lLGD4m4MtFqv/lionnkJutjVCo9Od2amHc6/vcomrgcHuTiyu/619f5X9g/OqezXl3127vZEQSYuxkxeXa/jXToImScJb/S5cz6j_2Fse9g4BcM/g7zL04pozIiS/_2B_2FN5VMo/ZAlJdIbg2SlHI1/d8no93Q9ma7mUN4PubD3o/tloZKX2Kmj/q.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/eLhw7nu1K6FTq/stO2JZ1h/n1J6MMYac0r5XgMvFx5tBMd/79pB3BpRVf/FsRkAxNC5o0VI8z66/KTISrjoFRwGk/8f5Gk94fzsF/M9kxRuEmDiLC4g/C5CJDIhm32RcEsrXpX1cl/nhp48i6KKa2Q6Lfc/czZpTR7aDJA6t9d/77J9nH6eS_2BFp56QM/mTLCmOjMG/MA276CfB7XMe3BWYe2He/jQHDpUYGJBhhozuIZzR/2y_2F3GFZEVf/J.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/MeZUUlMrrzCrTTo/WRQsq4b7fIDR_2F2ui/K6Zod5HZQ/pReKsZQJuAIiqXNhcotr/27SAvb0lLGD4m4MtFqv/lionnkJutjVCo9Od2amHc6/vcomrgcHuTiyu/619f5X9g/OqezXl3127vZEQSYuxkxeXa/jXToImScJb/S5cz6j_2Fse9g4BcM/g7zL04pozIiS/_2B_2FN5VMo/ZAlJdIbg2SlHI1/d8no93Q9ma7mUN4PubD3o/tloZKX2Kmj/q.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/aO1m2qbhzR/PyScSysfUMu7pQ56N/VjOvZCjAa_2F/1mYmXVIR1Zt/ZytsC9Ykmf_2Fu/iu9BdbHsH649dhw5xv4AE/uvJRR2pHSfmCL3mX/qVeQLGXMe6qLR0u/Wt56BLAa0ngbKPNWJl/aK0_2FM_2/B_2FgePTZg5J6aAm67BS/UxRCj8tcca1XehAjtUd/YhkFvH3YtE1Pt1_2BwmyD7/71NTX8ZhkOA2A/ekCIE_2B/Axlx1Zu2c2Fm5fnQIZEKkDy/m.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/aO1m2qbhzR/PyScSysfUMu7pQ56N/VjOvZCjAa_2F/1mYmXVIR1Zt/ZytsC9Ykmf_2Fu/iu9BdbHsH649dhw5xv4AE/uvJRR2pHSfmCL3mX/qVeQLGXMe6qLR0u/Wt56BLAa0ngbKPNWJl/aK0_2FM_2/B_2FgePTZg5J6aAm67BS/UxRCj8tcca1XehAjtUd/YhkFvH3YtE1Pt1_2BwmyD7/71NTX8ZhkOA2A/ekCIE_2B/Axlx1Zu2c2Fm5fnQIZEKkDy/m.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic HTTP traffic detected: GET /drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2/qg8dX3i_2/BKHu1GhglPcxgFFzOwll/mE2uKWB4mhjJIhyxTbk/_2F4mS5i039Fc7Qu_2Bekr/iQMweYWStlPtj/o4jxWrxk/qxdFPQJxNpwFwYEvbalIklB/QVqGaFPam2/C2rQw2gzAO6yhP_2F/dkOEushjYAis/iro3PbyNh/HGAz2Q_2F/i0Bn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/2dHt0g0ZqxBpcdpMURTYE/SQxrvbTaCVQCWrs7/t263S3GMZiTKRdq/jvCj142v8i06uAQqd2/qg8dX3i_2/BKHu1GhglPcxgFFzOwll/mE2uKWB4mhjJIhyxTbk/_2F4mS5i039Fc7Qu_2Bekr/iQMweYWStlPtj/o4jxWrxk/qxdFPQJxNpwFwYEvbalIklB/QVqGaFPam2/C2rQw2gzAO6yhP_2F/dkOEushjYAis/iro3PbyNh/HGAz2Q_2F/i0Bn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.bar
Source: global traffic HTTP traffic detected: GET /drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXKRWnS/sNuzGwvgFbGuiX/cYwNdjWOtQd_2Fg50Gq6_/2FjOiJCVbSj9xwyh/G_2BXTVzOZQxb5p/q_2BNRYwk1baG5TnLz/jbdiar_2B/vITHroP6B_2F_2BAIZUm/KtOtUG2G23eAdJDsUmd/Q0nO6sNJelOrTMnHEyXMkV/0ho4YTGcPihXz/P5SVPgNqDh/MwH.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/VXPbNYFiF/Jx16a15jtbt4W7OEVSsQ/0Hchzr0JHqLXy5sSr3M/b_2FYv5OG1u0ccVDBhhzY1/uOFYOSZBHxbao/_2BXd3TX/Npdl9BTS8FA7o_2BWqGmh8W/GcITN_2B9v/zQpOaIZ_2FyM_2FHD/HIrNyvAnOpvv/7fGmjVEMNNv/tsw6xWgAX1_2FQ/_2B4GrQQmQexhaks5LfBR/44D9BrVgAaGviQmA/WTPToDpdiNvkPou/yqUxTArWqVDFn_2Fve/_2Bpr1G.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/VXPbNYFiF/Jx16a15jtbt4W7OEVSsQ/0Hchzr0JHqLXy5sSr3M/b_2FYv5OG1u0ccVDBhhzY1/uOFYOSZBHxbao/_2BXd3TX/Npdl9BTS8FA7o_2BWqGmh8W/GcITN_2B9v/zQpOaIZ_2FyM_2FHD/HIrNyvAnOpvv/7fGmjVEMNNv/tsw6xWgAX1_2FQ/_2B4GrQQmQexhaks5LfBR/44D9BrVgAaGviQmA/WTPToDpdiNvkPou/yqUxTArWqVDFn_2Fve/_2Bpr1G.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.bar
Source: global traffic HTTP traffic detected: GET /drew/zBWev8_2BKC0Kv4cFyjxa4K/cXf7Mx9Yu7/tb380Z5Te_2FUr5sc/S5LVwKU9d2Ii/UAurGXKRWnS/sNuzGwvgFbGuiX/cYwNdjWOtQd_2Fg50Gq6_/2FjOiJCVbSj9xwyh/G_2BXTVzOZQxb5p/q_2BNRYwk1baG5TnLz/jbdiar_2B/vITHroP6B_2F_2BAIZUm/KtOtUG2G23eAdJDsUmd/Q0nO6sNJelOrTMnHEyXMkV/0ho4YTGcPihXz/P5SVPgNqDh/MwH.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.bar

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000003.00000003.307551422.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307614167.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300679083.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.785600191.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307578726.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.544816748.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.785050851.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307644069.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321771738.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.605390761.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321906680.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300868443.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782849052.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307704201.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300896192.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321827168.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305308572.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300782095.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321800955.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321850861.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305489439.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321871746.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300925678.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305473167.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784577185.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300831034.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.465850136.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307685619.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305361386.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451028558.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307667358.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307723093.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321736735.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321892748.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300637854.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305444039.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305503274.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305414104.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300915509.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305391227.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1860, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 00000000.00000003.305391227.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1860, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B74872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00B74872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_046E4872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C74872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 5_2_00C74872

System Summary

Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 41e0000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002244 0_2_10002244
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B74EF3 0_2_00B74EF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B76C62 0_2_00B76C62
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B781DC 0_2_00B781DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E6C62 4_2_046E6C62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E4EF3 4_2_046E4EF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E81DC 4_2_046E81DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C74EF3 5_2_00C74EF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C76C62 5_2_00C76C62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C781DC 5_2_00C781DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100012BE NtMapViewOfSection, 0_2_100012BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001F61 GetProcAddress,NtCreateSection,memset, 0_2_10001F61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001077 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001077
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002465 NtQueryVirtualMemory, 0_2_10002465
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B777BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00B777BB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B78401 NtQueryVirtualMemory, 0_2_00B78401
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_046E77BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E8401 NtQueryVirtualMemory, 4_2_046E8401
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C777BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_00C777BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C78401 NtQueryVirtualMemory, 5_2_00C78401
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: 41e0000.dll ReversingLabs: Detection: 46%
Source: 41e0000.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\41e0000.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\41e0000.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\41e0000.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\41e0000.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\41e0000.dll,DllRegisterServer
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6712 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:17414 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:17424 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:82948 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5396 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5696 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5696 CREDAT:82948 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5696 CREDAT:17422 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6300 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\41e0000.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\41e0000.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\41e0000.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\41e0000.dll",#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6712 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:17424 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:82948 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5396 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5696 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5696 CREDAT:82948 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5696 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6300 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF65E4B6-7A32-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF48BD7061296EE036.TMP
Source: classification engine Classification label: mal100.troj.evad.winDLL@37/72@48/9
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B72AB4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00B72AB4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\41e0000.dll",#1
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation

Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002233 push ecx; ret 0_2_10002243
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021E0 push ecx; ret 0_2_100021E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B77DE0 push ecx; ret 0_2_00B77DE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B781CB push ecx; ret 0_2_00B781DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E7DE0 push ecx; ret 4_2_046E7DE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_046E81CB push ecx; ret 4_2_046E81DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C781CB push ecx; ret 5_2_00C781DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00C77DE0 push ecx; ret 5_2_00C77DE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001BE8 LoadLibraryA,GetProcAddress, 0_2_10001BE8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\41e0000.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000003.00000003.307551422.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307614167.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300679083.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.785600191.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307578726.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.544816748.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.785050851.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307644069.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321771738.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.605390761.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321906680.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300868443.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782849052.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307704201.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300896192.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321827168.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305308572.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300782095.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321800955.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321850861.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305489439.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321871746.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300925678.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305473167.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784577185.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300831034.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.465850136.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307685619.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305361386.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451028558.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307667358.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307723093.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321736735.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321892748.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300637854.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305444039.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305503274.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305414104.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300915509.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305391227.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1860, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7096 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: regsvr32.exe, 00000003.00000002.783677906.0000000002D79000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.777130443.0000000002D79000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605295288.0000000002D79000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.783462582.0000000002D48000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.782056278.0000000000B23000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.781731263.0000000000B00000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000003.594707637.0000000000B1A000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.562280336.0000000000B23000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.766366477.0000000000B23000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000002.781731263.0000000000B00000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW'
Source: rundll32.exe, 00000005.00000003.545416357.0000000000B23000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: regsvr32.exe, 00000003.00000003.559541248.0000000002D7B000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.558838390.0000000002D79000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001BE8 LoadLibraryA,GetProcAddress, 0_2_10001BE8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.217 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.218 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: museumistat.bar
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.nnnnnn.casa
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.255.119.177 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: nnnnnn.casa
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.nnnnnn.bar
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: nnnnnn.bar
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.64.119.233 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.216 80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\41e0000.dll",#1
Source: loaddll32.exe, 00000000.00000002.783123426.0000000001A90000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.783996204.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.783663512.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.784934992.0000000003040000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.783123426.0000000001A90000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.783996204.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.783663512.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.784934992.0000000003040000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.783123426.0000000001A90000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.783996204.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.783663512.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.784934992.0000000003040000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.783123426.0000000001A90000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.783996204.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.783663512.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.784934992.0000000003040000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.783123426.0000000001A90000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.783996204.0000000003190000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.783663512.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.784934992.0000000003040000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B721BC cpuid 0_2_00B721BC
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001DCF GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_10001DCF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000169C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_1000169C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00B721BC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00B721BC

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000003.307551422.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307614167.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300679083.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.785600191.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307578726.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.544816748.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.785050851.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307644069.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321771738.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.605390761.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321906680.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300868443.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782849052.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307704201.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300896192.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321827168.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305308572.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300782095.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321800955.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321850861.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305489439.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321871746.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300925678.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305473167.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784577185.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300831034.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.465850136.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307685619.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305361386.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451028558.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307667358.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307723093.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321736735.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321892748.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300637854.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305444039.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305503274.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305414104.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300915509.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305391227.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1860, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000003.307551422.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307614167.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300679083.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.785600191.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307578726.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.544816748.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.785050851.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307644069.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321771738.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.605390761.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321906680.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300868443.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.782849052.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307704201.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300896192.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321827168.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305308572.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300782095.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321800955.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321850861.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305489439.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321871746.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300925678.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305473167.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.784577185.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300831034.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.465850136.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307685619.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305361386.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451028558.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307667358.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.307723093.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321736735.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.321892748.0000000004C78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300637854.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305444039.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305503274.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305414104.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.300915509.0000000005048000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.305391227.00000000016E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1860, type: MEMORYSTR